You upgraded LangSmith to `0.3.79`. Now your security scanner screams: 5 vulnerabilities. Highest severity: 9.8.
Your first instinct: panic-upgrade. Your second: ignore it because "it's just the client SDK."
Both are wrong. Here's why.
LangSmith is your LLM observability layer. It sends traces, logs, and evaluation data from your agents to LangSmith's platform. That `0.3.79.tgz` tarball? It pulls in dependencies with known issues.
The 9.8 severity CVE? It's in undici, the HTTP client LangSmith uses internally. Undici had a request smuggling vulnerability that lets an attacker inject headers into your requests.
Sound familiar? This is the same class of bug that brought down major CDNs last year.
What actually happens:

```text
Your Agent -> LangSmith SDK -> undici HTTP client -> LangSmith API
                                     |
                         Attacker intercepts request
                         Injects malicious headers
                         Your trace data is compromised
```

But here's the kicker: you probably don't call undici directly. It's buried three layers deep in LangSmith's dependency tree. Your `package-lock.json` has it locked at a vulnerable version, and `npm audit` can't fix it without a transitive update.
An attacker can craft a malicious response that poisons subsequent requests. If you're running LangSmith in a shared process space (like a Next.js serverless function), one compromised trace can leak another user's data.
Real-world impact: Your customer support agent sends a user's PII to LangSmith. Attacker intercepts the connection, injects headers, and now they're reading someone else's session data.
Same family. Different angle. Attacker terminates your request early, appends a fake one. Now LangSmith thinks your agent called a tool it never did.
This sucks for debugging: You look at your trace, see a tool call you never made, and spend hours trying to reproduce it. It's not a bug; it's an exploit.
Undici leaks heap memory under specific conditions. Your agent runs fine for hours, then OOMs. You blame the LLM. You blame the context window. You add more memory.
Guess what happens next? It OOMs again. Because the leak is in the tracing layer, not the agent.
You have two options: fix the dependency yourself, or swap the tracing layer. Fixing it yourself, three ways:

Override the transitive dependency. Install the fixed version:

```shell
npm install undici@6.6.2
```

Then add an override to your `package.json`:

```json
{
  "overrides": {
    "undici": "6.6.2"
  }
}
```

Run `npm install` again. Verify:

```shell
npm ls undici
```

Bump LangSmith. Check LangSmith's changelog. If `0.3.80` or later fixed the dependency, bump:

```shell
npm install langsmith@0.3.82
```

Patch the vulnerable file directly. Find it:

```shell
find node_modules/undici -name "*.js" | xargs grep -l "CRLF\|split\|smuggle"
```

Then manually replace the vulnerable parsing logic. Not fun. Works when you're stuck.
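`npm ls undici` tells you what is installed, but it is easy to miss a nested copy in a long tree. The script below is an added example, not code from the post or from LangSmith: it walks an npm lockfile (lockfileVersion 2 or 3), finds every copy of undici including the ones nested under other packages, and flags any copy older than the version the post pins. The lockfile it reads is constructed for the example; the 6.6.2 threshold is the post's number, not an independent claim about which undici release is fixed.

```javascript
// Added example (not from the post): audit an npm lockfile for every copy of
// undici, including transitive copies nested under other packages, and flag
// any copy older than the version the post pins via "overrides".
// The SAMPLE_LOCK below is constructed; for a real project call
// auditLockfile(JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))).

const PINNED_VERSION = '6.6.2'; // the version the post pins; assumption, not a verified fix version

// Numeric compare of dotted versions, ignoring any prerelease/build suffix.
// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const parse = (v) => v.split(/[-+]/)[0].split('.').map((n) => parseInt(n, 10) || 0);
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// The package name is whatever follows the last "node_modules/" in the
// lockfile key; this handles scoped packages and nested copies alike.
function packageName(key) {
  const idx = key.lastIndexOf('node_modules/');
  return idx === -1 ? key : key.slice(idx + 'node_modules/'.length);
}

// Returns every install path of `name` with its version, whether it is below
// `minVersion`, and whether it is nested (the copies `npm audit fix` cannot
// reach without a transitive update or an "overrides" entry).
function auditLockfile(lock, name = 'undici', minVersion = PINNED_VERSION) {
  const packages = lock.packages || {};
  const findings = [];
  for (const [key, entry] of Object.entries(packages)) {
    if (key === '' || packageName(key) !== name) continue;
    const version = entry.version || 'unknown';
    findings.push({
      path: key,
      version,
      vulnerable: version !== 'unknown' && compareVersions(version, minVersion) < 0,
      nested: key.indexOf('node_modules/') !== key.lastIndexOf('node_modules/'),
    });
  }
  return findings;
}

// Constructed lockfile: a top-level undici at the pinned version and an older
// copy nested under langsmith, the situation the post describes.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-agent', version: '1.0.0', dependencies: { langsmith: '0.3.79' } },
    'node_modules/langsmith': { version: '0.3.79', dependencies: { undici: '^5.0.0' } },
    'node_modules/langsmith/node_modules/undici': { version: '5.28.2' },
    'node_modules/undici': { version: '6.6.2' },
  },
};

// Convenience wrapper: only the copies that need action.
function vulnerableCopies(lock = SAMPLE_LOCK) {
  return auditLockfile(lock).filter((f) => f.vulnerable);
}

for (const f of auditLockfile(SAMPLE_LOCK)) {
  const tag = f.vulnerable ? 'VULNERABLE' : 'ok        ';
  console.log(`${tag} ${f.path} @ ${f.version}${f.nested ? ' (nested)' : ''}`);
}
```

Run it before and after adding the override: a clean result is one in which no copy is flagged and, ideally, no nested copy remains at all, because a nested copy is exactly the one a root-level `npm install undici@6.6.2` leaves untouched.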
TracePilot doesn't use undici. We built our ingestion pipeline on the raw Node.js `http` module with strict header validation. No transitive HTTP client dependencies.
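What "strict header validation" looks like in practice, as an added example and not TracePilot's or LangSmith's code: before a tracing upload leaves the process, check the outbound header set for the inputs the header-injection and request-smuggling bug class depends on, namely control characters in names or values and conflicting or malformed framing headers. `buildTraceHeaders` and its header names are assumptions made for the example.

```javascript
// Added example (not TracePilot's or LangSmith's code): strict validation of
// outbound HTTP headers, the kind a tracing client built on Node's raw `http`
// module can apply before a request is sent.

// RFC 9110 token characters, the only characters allowed in a header name.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// Anything that is not HTAB, printable ASCII or obs-text is rejected in a
// value; this is the same character class Node's http module refuses.
const BAD_VALUE_RE = /[^\t\x20-\x7e\x80-\xff]/;

// Returns a list of human-readable problems; an empty list means the header
// set is safe to send. Never throws, so callers can log and refuse cleanly.
function validateHeaders(headers) {
  const problems = [];
  const seen = new Map(); // lower-cased name -> value
  for (const [name, rawValue] of Object.entries(headers)) {
    const value = String(rawValue);
    if (!TOKEN_RE.test(name)) {
      problems.push(`invalid header name: ${JSON.stringify(name)}`);
    }
    if (BAD_VALUE_RE.test(value)) {
      problems.push(`control character in value of ${name}`);
    }
    const lower = name.toLowerCase();
    if (seen.has(lower)) problems.push(`duplicate header: ${lower}`);
    seen.set(lower, value);
  }
  // Two framing headers at once is the ambiguity smuggling attacks exploit.
  if (seen.has('content-length') && seen.has('transfer-encoding')) {
    problems.push('both content-length and transfer-encoding present');
  }
  if (seen.has('content-length') && !/^\d+$/.test(seen.get('content-length'))) {
    problems.push('content-length is not a non-negative integer');
  }
  return problems;
}

// Hypothetical helper: builds the header set a trace upload would carry from
// caller-supplied values and refuses to return headers that fail validation.
function buildTraceHeaders(apiKey, bodyLength) {
  const headers = {
    'content-type': 'application/json',
    'content-length': String(bodyLength),
    'x-api-key': apiKey,
  };
  const problems = validateHeaders(headers);
  return problems.length ? { headers: null, problems } : { headers, problems };
}

// Constructed inputs: a clean upload and one whose API key carries a CRLF.
console.log(buildTraceHeaders('constructed-key', 42));
console.log(buildTraceHeaders('constructed-key\r\nx-injected: 1', 42));
```

Node's own `http` module already throws `ERR_INVALID_CHAR` for CR or LF in a header value, so the value check mostly duplicates that guard; the extra value of a layer like this is catching conflicting `Content-Length`/`Transfer-Encoding` pairs and duplicate names up front, and failing with a message you can log instead of an exception deep inside the client.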
One line change to swap LangSmith for TracePilot:

```js
// Before
import { Client } from 'langsmith';
const ls = new Client({ apiKey: process.env.LANGSMITH_API_KEY });

// After
import { TracePilot } from 'tracepilot-sdk';
const tp = new TracePilot(process.env.TRACEPILOT_API_KEY);
```
That's it. Same tracing capabilities. Zero CVEs in the HTTP layer.
But here's the real win: TracePilot captures every LLM call, every tool invocation, every token spent, and surfaces them in a live dashboard. When something breaks, you don't grep logs. You open the trace, fork the execution at the failing step, edit the prompt, and replay.
No redeployment. No "works on my machine."
You've got 5 CVEs sitting in your production agent right now. One of them is a 9.8. Your security team is going to ask about it.
You can patch it. You can override it. Or you can swap the tracing layer for one that doesn't have this problem in the first place.
TracePilot gives you the same observability, plus time-travel debugging, without the baggage.
Get a free API key. Fork your first failing trace in under 5 minutes.
Or keep fighting with `undici` overrides. Your call.
Debugging AI agents shouldn't feel like reading The Matrix.
Join other engineers who are building reliable autonomous workflows in our community: TracePilot Discord