Inconsistent package naming in your security advisories #36082

@joshbressers

Description

Checked other resources

  • This is a bug, not a usage question.
  • I added a clear and descriptive title that summarizes this issue.
  • I used the GitHub search to find a similar question and didn't find it.
  • I am sure that this is a bug in LangChain rather than my code.
  • The bug is not resolved by updating to the latest stable version of LangChain (or the specific integration package).
  • This is not related to the langchain-community package.
  • I posted a self-contained, minimal, reproducible example. A maintainer can copy it and run it AS IS.

Package (Required)

  • langchain
  • langchain-openai
  • langchain-anthropic
  • langchain-classic
  • langchain-core
  • langchain-model-profiles
  • langchain-tests
  • langchain-text-splitters
  • langchain-chroma
  • langchain-deepseek
  • langchain-exa
  • langchain-fireworks
  • langchain-groq
  • langchain-huggingface
  • langchain-mistralai
  • langchain-nomic
  • langchain-ollama
  • langchain-openrouter
  • langchain-perplexity
  • langchain-qdrant
  • langchain-xai
  • Other / not sure / general

Related Issues / PRs

No response

Reproduction Steps / Example Code (Python)

N/A

Error Message and Stack Trace (if applicable)

Description

Your security page lists 3 advisories

https://github.com/langchain-ai/langchain/security

Two of them have package details errors

GHSA-2g6r-c272-w58r

That advisory doesn't list a package name, but includes the package name in the version information:
langchain-core==0.3.81

GHSA-6qv9-48xg-fc7f

The package name listed is langchain_core instead of langchain-core

Thanks in advance

System Info

N/A
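
A lint for the two defects reported above, as an added example that is not part of the original issue or of LangChain's code: it flags an affected-package entry with no package name, a name that is not in PEP 503 normalized form, and a version field that carries a pinned requirement instead of a bare version. The entry layout (package, affected, patched), the sample records and the 9.9.9 versions are constructed for illustration, and treating the PEP 503 form as the expected spelling is an assumption.

```python
import re

def normalize(name: str) -> str:
    """PEP 503 normalization: runs of '-', '_' and '.' become '-', lowercased."""
    return re.sub(r"[-_.]+", "-", name).lower()

# A version field that is really a requirement, e.g. "pkg==1.2.3".
# Plain ranges such as "< 1.2.3" or ">= 1.0, < 2.0" do not match.
_PINNED = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(===|==|~=|!=|<=|>=|<|>)\s*(\S+)\s*$"
)

def lint_affected(entry: dict) -> list[str]:
    """Return findings for one affected-package entry (hypothetical layout)."""
    findings = []
    name = (entry.get("package") or "").strip()
    if not name:
        findings.append("missing package name")
    elif name != normalize(name):
        findings.append(
            f"non-normalized package name {name!r}; expected {normalize(name)!r}"
        )
    for field in ("affected", "patched"):
        m = _PINNED.match(entry.get(field) or "")
        if m:
            findings.append(
                f"{field} version embeds package name {m.group(1)!r}; "
                f"version part is {m.group(3)!r}"
            )
    return findings

# Constructed sample entries modelled on the two problems described in the
# issue, plus one clean entry. Which field held the pinned string is assumed.
SAMPLES = [
    {"package": "", "affected": "langchain-core==0.3.81"},
    {"package": "langchain_core", "affected": "< 9.9.9"},
    {"package": "langchain-core", "affected": "< 9.9.9", "patched": "9.9.9"},
]

def lint_all(entries: list[dict]) -> dict[int, list[str]]:
    """Map entry index to its findings, keeping only entries with problems."""
    report = {i: lint_affected(e) for i, e in enumerate(entries)}
    return {i: f for i, f in report.items() if f}

if __name__ == "__main__":
    for index, findings in lint_all(SAMPLES).items():
        for finding in findings:
            print(f"entry {index}: {finding}")
```
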

Labels: bug (related to a bug, vulnerability, unexpected error with an existing feature), external
