langchain.js
    Preparing search index...

    Interface LoadOptions

    Options for loading serialized LangChain objects.

    Security considerations:

    Deserialization can instantiate arbitrary classes from the allowed namespaces. When loading untrusted data, be aware that:

    1. secretsFromEnv: Defaults to false. Setting to true allows the deserializer to read environment variables, which could leak secrets if the serialized data contains malicious secret references.

    2. importMap / optionalImportsMap: These allow extending which classes can be instantiated. Never populate these from user input. Only include modules you explicitly trust.

    3. Class instantiation: Allowed classes will have their constructors called with the deserialized kwargs. If a class performs side effects in its constructor (network calls, file I/O, etc.), those will execute.

    interface LoadOptions {
        importMap?: Record<string, unknown>;
        maxDepth?: number;
        optionalImportEntrypoints?: string[];
        optionalImportsMap?: OptionalImportMap;
        secretsFromEnv?: boolean;
        secretsMap?: SecretMap;
    }
    Index

    Properties

    importMap? maxDepth? optionalImportEntrypoints? optionalImportsMap? secretsFromEnv? secretsMap?

    Properties

    importMap?: Record<string, unknown>

    Additional import map for the "langchain" namespace.

    Security warning: This extends which classes can be instantiated during deserialization. Never populate this map with values derived from user input. Only include modules that you explicitly trust and have reviewed.

    Any class exposed through this map can be instantiated with attacker-controlled kwargs if the serialized data is untrusted.

    maxDepth?: number

    Maximum recursion depth allowed during deserialization.

    50

    This limit protects against denial-of-service attacks using deeply nested JSON structures that could cause stack overflow. If your legitimate data requires deeper nesting, you can increase this limit.

    optionalImportEntrypoints?: string[]

    Additional optional import entrypoints to allow beyond the defaults.

    Security warning: This extends which namespace paths are considered valid for deserialization. Never populate this array with values derived from user input. Each entrypoint you add expands the attack surface for deserialization.

    optionalImportsMap?: OptionalImportMap

    A map of optional imports. Keys are namespace paths (e.g., "langchain_community/llms"), values are the imported modules.

    Security warning: This extends which classes can be instantiated during deserialization. Never populate this map with values derived from user input. Only include modules that you explicitly trust and have reviewed.

    Classes in these modules can be instantiated with attacker-controlled kwargs if the serialized data is untrusted.

    secretsFromEnv?: boolean

    Whether to load secrets from environment variables when not found in secretsMap.

    false

    Security warning: Setting this to true allows the deserializer to read environment variables, which could be a security risk if the serialized data is not trusted. Only set this to true when deserializing data from trusted sources (e.g., your own database, not user input).

    secretsMap?: SecretMap

    A map of secrets to load. Keys are secret identifiers, values are the secret values.

    If a secret is not found in this map and secretsFromEnv is false, an error is thrown. If secretsFromEnv is true, the secret will be loaded from environment variables (if not found there either, an error is thrown).

    Settings

    Member Visibility

    On This Page

    Properties