UNPKG

@langchain/core

Version:

Core LangChain.js abstractions and schemas

github.com/langchain-ai/langchainjs/tree/main/langchain-core/

langchain-ai/langchainjs

122 lines (120 loc) 4.56 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
import { OptionalImportMap, SecretMap } from "./import_type.js"; //#region src/load/index.d.ts /** * Options for loading serialized LangChain objects. * * @remarks * **Security considerations:** * * Deserialization can instantiate arbitrary classes from the allowed namespaces. * When loading untrusted data, be aware that: * * 1. **`secretsFromEnv`**: Defaults to `false`. Setting to `true` allows the * deserializer to read environment variables, which could leak secrets if * the serialized data contains malicious secret references. * * 2. **`importMap` / `optionalImportsMap`**: These allow extending which classes * can be instantiated. Never populate these from user input. Only include * modules you explicitly trust. * * 3. **Class instantiation**: Allowed classes will have their constructors called * with the deserialized kwargs. If a class performs side effects in its * constructor (network calls, file I/O, etc.), those will execute. */ interface LoadOptions { /** * A map of secrets to load. Keys are secret identifiers, values are the secret values. * * If a secret is not found in this map and `secretsFromEnv` is `false`, an error is * thrown. If `secretsFromEnv` is `true`, the secret will be loaded from environment * variables (if not found there either, an error is thrown). */ secretsMap?: SecretMap; /** * Whether to load secrets from environment variables when not found in `secretsMap`. * * @default false * * @remarks * **Security warning:** Setting this to `true` allows the deserializer to read * environment variables, which could be a security risk if the serialized data * is not trusted. Only set this to `true` when deserializing data from trusted * sources (e.g., your own database, not user input). */ secretsFromEnv?: boolean; /** * A map of optional imports. Keys are namespace paths (e.g., "langchain_community/llms"), * values are the imported modules. * * @remarks * **Security warning:** This extends which classes can be instantiated during * deserialization. Never populate this map with values derived from user input. * Only include modules that you explicitly trust and have reviewed. * * Classes in these modules can be instantiated with attacker-controlled kwargs * if the serialized data is untrusted. */ optionalImportsMap?: OptionalImportMap; /** * Additional optional import entrypoints to allow beyond the defaults. * * @remarks * **Security warning:** This extends which namespace paths are considered valid * for deserialization. Never populate this array with values derived from user * input. Each entrypoint you add expands the attack surface for deserialization. */ optionalImportEntrypoints?: string[]; /** * Additional import map for the "langchain" namespace. * * @remarks * **Security warning:** This extends which classes can be instantiated during * deserialization. Never populate this map with values derived from user input. * Only include modules that you explicitly trust and have reviewed. * * Any class exposed through this map can be instantiated with attacker-controlled * kwargs if the serialized data is untrusted. */ importMap?: Record<string, unknown>; /** * Maximum recursion depth allowed during deserialization. * * @default 50 * * @remarks * This limit protects against denial-of-service attacks using deeply nested * JSON structures that could cause stack overflow. If your legitimate data * requires deeper nesting, you can increase this limit. */ maxDepth?: number; } /** * Load a LangChain object from a JSON string. * * @param text - The JSON string to parse and load. * @param options - Options for loading. * @returns The loaded LangChain object. * * @example * ```typescript * import { load } from "@langchain/core/load"; * import { AIMessage } from "@langchain/core/messages"; * * // Basic usage - secrets must be provided explicitly * const msg = await load<AIMessage>(jsonString); * * // With secrets from a map * const msg = await load<AIMessage>(jsonString, { * secretsMap: { OPENAI_API_KEY: "sk-..." } * }); * * // Allow loading secrets from environment (use with caution) * const msg = await load<AIMessage>(jsonString, { * secretsFromEnv: true * }); * ``` */ declare function load<T>(text: string, options?: LoadOptions): Promise<T>; //#endregion export { LoadOptions, load }; //# sourceMappingURL=index.d.ts.map