Bump the pip group across 1 directory with 2 updates

[dependabot]

Bumps the pip group with 2 updates in the /backend directory: langchain-core and biopython.

Updates langchain-core from 1.2.11 to 1.2.28

Release notes

Sourced from langchain-core's releases.

langchain-core==1.2.28

Changes since langchain-core==1.2.27

release(core): release 1.2.28 (#36614) fix(core): add more sanitization to templates (#36612)

langchain-core==1.2.27

Changes since langchain-core==1.2.26

release(core): 1.2.27 (#36586) fix(core): handle symlinks in deprecated prompt save path (#36585) chore: add comment explaining pygments>=2.20.0 (#36570)

Credit to Jeff Ponte (@​JDP-Security) for reporting the symlink resolution issue in #36585.

langchain-core==1.2.26

Changes since langchain-core==1.2.25

release(core): 1.2.26 (#36511) fix(core): add init validator and serialization mappings for Bedrock models (#34510) feat(core): add ChatBaseten to serializable mapping (#36510) chore(core): drop gpt-3.5-turbo from docstrings (#36497) fix(core): correct parameter names in filter_messages docstring example (#36462)

langchain-core==1.2.25

Changes since langchain-core==1.2.24

release(core): 1.2.25 (#36473) fix(core): harden check for txt files in deprecated prompt loading functions (#36471) fix(core): fixed typos in the documentation (#36459)

Credit to Jeff Ponte (@​JDP-Security) for reporting the symlink resolution issue resolved in #36471.

langchain-core==1.2.24

Changes since langchain-core==1.2.23

release(core): 1.2.24 (#36434) feat(core): impute placeholder filenames for OpenAI file inputs (#36433) chore: pygments>=2.20.0 across all packages (CVE-2026-4539) (#36385) fix(core): add "computer" to _WellKnownOpenAITools (#36261)

langchain-core==1.2.23

Changes since langchain-core==1.2.22

release(core): 1.2.23 (#36323) revert: Revert "fix(core): trace invocation params in metadata" (#36322) chore: bump requests from 2.32.5 to 2.33.0 in /libs/core (#36243)

langchain-core==1.2.22

Changes since langchain-core==1.2.21

... (truncated)

Commits

• dd7c3eb release(core): release 1.2.28 (#36614)
• af2ed47 fix(core): add more sanitization to templates (#36612)
• 7e5858d release(standard-tests): 1.1.6 (#36610)
• fe99cb2 fix(standard-tests): update standard tests for sandbox backends (#36036)
• 65bbd47 chore(model-profiles): refresh model profile data (#36596)
• 6486404 release(core): 1.2.27 (#36586)
• 7629c74 fix(core): handle symlinks in deprecated prompt save path (#36585)
• ce21bf4 ci: convert working-directory to validated dropdown (#36575)
• b8698ea release(ollama): 1.1.0 (#36574)
• 3beba77 feat(ollama): support response_format (#34612)
• Additional commits viewable in compare view

Updates biopython from 1.86 to 1.87

Changelog

Sourced from biopython's changelog.

30 March 2026: Biopython 1.87

Migrated from setup.py to pyproject.toml for packaging configuration.

Addressed security issue CVE-2025-68463 in Bio.Entrez.Parser if parsing untrusted files.

Additionally, a number of small bugs and typos have been fixed with additions to the test suite and type annotations.

Many thanks to the Biopython developers and community for making this release possible, especially the following contributors:

• Michiel de Hoon
• Peter Cock
• Timothy Dennis (first contribution)
• Ziyan Rao (first contribution)
• Manuel Lera-Ramirez
• Sebastian Pipping

Commits

• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.