hi @yashwantkumar-ai
I think it is better to keep all LangChain packages in the same minor series. For the v0.3 line, use >=0.3,<0.4 across langchain, langchain-community, langchain-core, langchain-openai, and langchain-text-splitters. Your current stack (all 0.3.x) is in-range and thus compatible. See the official v0.3 guidance: LangChain v0.3 | 🦜️🔗 LangChain
langchain-text-splitters==1.0.0a1 is a pre-release in the next major line and is not documented as compatible with the 0.3.x family. Avoid mixing 1.x pre-releases with 0.3.x packages unless you upgrade the whole stack together. These are two separate major versions that are incompatible by design (semver).
The langchain-text-splitters package is part of the monorepo. You can inspect its package config and constraints here:
Public advisories reference HTMLSectionSplitter and unsafe XSLT parsing leading to potential XXE behavior when untrusted inputs are processed. Examples:
Pin all packages to a known-good 0.3.x set and document rationale. Example:
langchain==0.3.27
langchain-community==0.3.29
langchain-core==0.3.76
langchain-openai==0.3.11
langchain-text-splitters==0.3.11
Keep the family aligned within >=0.3,<0.4 and monitor releases for a stable fix your scanner recognizes.
Based on this langchain-text-splitters vulnerabilities | Snyk, probably versions >=0.3.9 are free from the vulnerability.
If you don’t use HTMLSectionSplitter (or only process trusted content), add a targeted ignore with justification and review date (Trivy supports ignore policies by advisory ID).
If you must split HTML into sections, avoid user-controlled XSLT or harden transforms (e.g., lxml’s XSLTAccessControl to deny network/file access) in your code paths.
Watch libs/text-splitters and its pyproject.toml for a stable release that your scanner accepts, then upgrade in lockstep with other langchain* packages.
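As an added example (not code from this thread, from LangChain, or from the text-splitters package), here is what the lxml XSLTAccessControl hardening mentioned above looks like in practice, and how to check that it actually holds. The stylesheet, the marker string and the temporary file are constructed for the demonstration; the script assumes lxml is installed. The permissive policy is included only so the check has a visible contrast: with DENY_ALL, a stylesheet that calls document() on a file URI gets nothing back, which is the property a splitter that handles untrusted HTML should rely on.

```python
"""Hardened XSLT application with lxml (added example, not project code).

Shows etree.XSLTAccessControl denying file/network access to a stylesheet,
plus a probe that verifies a local file cannot be pulled into the output.
Assumes lxml is installed; all inputs below are constructed for the demo.
"""
import tempfile
from pathlib import Path

from lxml import etree

# Parser for untrusted XML/HTML-derived input: no entity expansion, no DTD
# loading, no network fetches. This covers the classic XXE side; the XSLT
# access control below covers reads performed by the stylesheet itself.
SAFE_PARSER = etree.XMLParser(resolve_entities=False, no_network=True, load_dtd=False)

# Constructed stylesheet: document($src) reads whatever URI it is given.
# A code path that lets callers influence the XSLT (or its parameters)
# is exactly where the access-control policy has to be in place.
STYLESHEET = b"""<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:param name="src"/>
  <xsl:template match="/">
    <out><xsl:value-of select="document($src)"/></out>
  </xsl:template>
</xsl:stylesheet>
"""

# The policy to use for untrusted content: no reads or writes of files,
# directories or network resources from within the transform.
HARDENED = etree.XSLTAccessControl.DENY_ALL

# Contrast policy used only by the probe below (read_file allowed).
PERMISSIVE = etree.XSLTAccessControl(
    read_file=True, write_file=False, create_dir=False,
    read_network=False, write_network=False,
)

# Constructed marker written to a temp file; leaking it proves a file read.
MARKER = "CONSTRUCTED-LOCAL-SECRET"


def build_transform(access_control):
    """Compile the stylesheet with the given access-control policy attached."""
    xslt_root = etree.fromstring(STYLESHEET, parser=SAFE_PARSER)
    return etree.XSLT(xslt_root, access_control=access_control)


def transform_output(transform, uri):
    """Run the transform with $src=uri; None if libxslt refused the read."""
    doc = etree.fromstring(b"<root/>", parser=SAFE_PARSER)
    try:
        result = transform(doc, src=etree.XSLT.strparam(uri))
    except etree.XSLTError:
        # Denied document() loads surface as an XSLT apply error.
        return None
    return str(result.getroot().text or "")


def probe_file_read(access_control):
    """True if a stylesheet under this policy can copy a local file into its output."""
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "local.xml"
        target.write_text(f"<secret>{MARKER}</secret>", encoding="utf-8")
        out = transform_output(build_transform(access_control), target.as_uri())
    return out is not None and MARKER in out


if __name__ == "__main__":
    print("permissive policy leaks local file:", probe_file_read(PERMISSIVE))
    print("DENY_ALL policy leaks local file:  ", probe_file_read(HARDENED))
```

In application code only build_transform(HARDENED) (or an explicit XSLTAccessControl with every flag False) should ever be used for content you do not control; the probe is the kind of regression test worth keeping next to a Trivy ignore entry, since it demonstrates the compensating control rather than just asserting it.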