LangChain audit: Opus 4.8, Fable 5, Sonnet 5, Sonnet 4.6, and Haiku 4.5 — which model to use, and how to combine them?
Same code, different calibration. The honest grade isn't the highest.
The reports are complementary. Sonnet 5 improves on 4.6 but doesn't repeat all of its findings.
graph_mermaid.py:461 — unprotected requests.getexcept Exception blocks that swallow without loggingDoesn't repeat: lockfile CI, default load(), README gpt-5.4 → see Sonnet 4.6
LANGCHAIN_ENV bypass, broader than the docstring_transport.py⚠ Missed: default load(), lockfile CI, broken README
base.py 6,574load() — top risk (like S4.6)BLE/ERA rules · C90 offmustache.py 704 LOC · usage.py swallows AttributeErrorMissed: TOCTOU, default shell, SSRF 2 sites, lockfile CI → see Opus + S5 + S4.6
load() with allowed_objects='core'gpt-5.4 · no SECURITY.mdexcept Exception in hot pathsSame B+ grade — different focus. Use them in a pipeline, don't pick just one.
base.py 6,574 linesblock_translators/ (~900 lines)⚠ Factual error: claims lockfile is validated in CI (incorrect)
| Finding | Op | Fb | S5 | S4.6 | Hk |
|---|---|---|---|---|---|
| TOCTOU / DNS rebinding | ✓ | — | — | — | — |
| Default shell host | ✓ | — | — | — | — |
| SSRF transport only 2 sites | — | — | ✓ | — | — |
| graph_mermaid without SSRF | — | — | ✓ | — | — |
| Unsafe default load() | — | ✓ | — | ✓ | — |
| Actionable M0–M3 plan | — | ✓ | — | — | — |
| mustache.py vendored / C90 off | — | ✓ | — | — | — |
| Commented-out lockfile CI | — | — | — | ✓ | ✗ |
| Callback/tracer cycles | — | — | — | — | ✓ |
| Audit reports at repo root | — | ✓ | ✓ | — | — |
LOC and architecture map.
Primary audit + SSRF adoption.
Ops pass: lockfile, README.
Threat model and default shell.
Strategy, M0–M3 milestones, quick wins.
Merge into a single backlog.
Opus → threat review (A−)
Fable → strategy and M0–M3 plan (A−)
Sonnet 5 → primary auditor (B+)
Sonnet 4.6 → complementary ops pass
Haiku → exploration (always verify)
The honest takeaway for product: choose the model for the task, not for the most expensive tier's marketing.