fix(core): fix validation for input variables in f-string templates, restrict functionality supported by jinja2, mustache templates (GHSA-6qv9-48xg-fc7f)

[Eugene Yurtsev (eyurtsev)]

• Fix validation for input variables in f-string templates
• Restrict functionality of features supported by jinja2 and mustache templates

Fix for advisory: GHSA-6qv9-48xg-fc7f for langchain 1.x

[codspeed-hq]

CodSpeed Performance Report

Merging #34035 will improve performances by 33.7%

_{Comparing eugene/fix_template_injection (300ea02) with master (b7d1831)}

⚠️ Unknown Walltime execution environment detected

Using the Walltime instrument on standard Hosted Runners will lead to inconsistent data.

For the most accurate results, we recommend using CodSpeed Macro Runners: bare-metal machines fine-tuned for performance measurement consistency.

Summary

⚡ 13 improvements
⏩ 21 skipped¹

Benchmarks breakdown

	Mode	Benchmark	BASE	HEAD	Change
⚡	WallTime	test_async_callbacks_in_sync	24.5 ms	18.3 ms	+33.7%
⚡	WallTime	test_import_time[BaseChatModel]	533.8 ms	462.1 ms	+15.53%
⚡	WallTime	test_import_time[CallbackManager]	463 ms	400.1 ms	+15.71%
⚡	WallTime	test_import_time[ChatPromptTemplate]	595 ms	515.1 ms	+15.51%
⚡	WallTime	test_import_time[Document]	188.3 ms	164.3 ms	+14.58%
⚡	WallTime	test_import_time[HumanMessage]	269.7 ms	233.3 ms	+15.6%
⚡	WallTime	test_import_time[InMemoryRateLimiter]	177.1 ms	154.5 ms	+14.6%
⚡	WallTime	test_import_time[InMemoryVectorStore]	621 ms	527.2 ms	+17.78%
⚡	WallTime	test_import_time[LangChainTracer]	442.1 ms	378.7 ms	+16.74%
⚡	WallTime	test_import_time[PydanticOutputParser]	542.3 ms	449.5 ms	+20.64%
⚡	WallTime	test_import_time[RunnableLambda]	496.3 ms	426.1 ms	+16.49%
⚡	WallTime	test_import_time[Runnable]	489.7 ms	442 ms	+10.79%
⚡	WallTime	test_import_time[tool]	524.3 ms	439.6 ms	+19.28%

Footnotes

1. 21 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports. ↩