lc_secrets is missing from ChatMistralAI, potentially leaking API keys #6627

Closed
5 tasks done
jeanpaul opened this issue Aug 26, 2024 · 4 comments · Fixed by #6630
Labels
auto:bug Related to a bug, vulnerability, unexpected error with an existing feature

Comments

@jeanpaul

Checked other resources

  • I added a very descriptive title to this issue.
  • I searched the LangChain.js documentation with the integrated search.
  • I used the GitHub search to find a similar question and didn't find it.
  • I am sure that this is a bug in LangChain.js rather than my code.
  • The bug is not resolved by updating to the latest stable version of LangChain (or the specific integration package).

Example Code

const llm = new ChatMistralAI({apiKey: "foobar"});
console.log(llm);

Error Message and Stack Trace (if applicable)

No response

Description

When printing an instance of ChatMistralAI, the API key is included in plaintext in the output. Other LLMs seem to hide the credentials using lc_secrets, and it appears this is missing.

  • The API key is included in the output
  • Expected, similar to other model implementations, to see something like MISTRAL_API_KEY

Output from the example code:

ChatMistralAI {
...
  apiKey: 'foobar',
...
}

System Info

$ pnpm info langchain

langchain@0.2.17 | MIT | deps: 14 | versions: 289
Typescript bindings for langchain
https://github.com/langchain-ai/langchainjs/tree/main/langchain/

keywords: llm, ai, gpt3, chain, prompt, prompt engineering, chatgpt, machine learning, ml, openai, embeddings, vectorstores

dist
.tarball: https://registry.npmjs.org/langchain/-/langchain-0.2.17.tgz
.shasum: c408d5f70e817f335511f79ad53db2addfadb278
.integrity: sha512-wFn7wo+XGzqYrv3KJLmMZ1M6BHx12C3YUSASOa03rcDsBzRL5onxhKAC/g4xAIqlAHrJYgU6Jb/T/S6uJ6UdkQ==
.unpackedSize: 5.4 MB

dependencies:
@langchain/core: >=0.2.21 <0.3.0  @langchain/textsplitters: ~0.0.0  js-tiktoken: ^1.0.12              jsonpointer: ^5.0.1               openapi-types: ^12.1.3            uuid: ^10.0.0                     zod-to-json-schema: ^3.22.3
@langchain/openai: >=0.1.0 <0.3.0 binary-extensions: ^2.2.0         js-yaml: ^4.1.0                   langsmith: ~0.1.40                p-retry: 4                        yaml: ^2.2.1                      zod: ^3.22.4

maintainers:
- nfcampos <nuno@boringbits.io>
- jacoblee93 <jacoblee93@gmail.com>
- andrewnguonly <andrewnguonly@gmail.com>
- davidduong <david@duong.cz>
- hwchase17 <hw.chase.17@gmail.com>
- basproul <braceasproul@gmail.com>

dist-tags:
latest: 0.2.17    next: 0.2.3-rc.0

published 3 days ago by basproul <braceasproul@gmail.com>

$ node --version
v22.6.0

$ pnpm --version
9.6.0

Platform: mac

@dosubot dosubot bot added the auto:bug Related to a bug, vulnerability, unexpected error with an existing feature label Aug 26, 2024

dosubot bot commented Aug 26, 2024

@jeanpaul Hello there! I'm a bot that can help you solve bugs, answer questions, and become a contributor. I'm here to assist you while waiting for a human maintainer.

The issue arises because the ChatMistralAI class does not override the toString or inspect methods to hide sensitive information like the API key. To address this, you can override these methods and use lc_secrets to manage the API key securely.

Here's how you can modify the ChatMistralAI class:

  1. Override the toString and inspect methods to exclude the apiKey from the output.
  2. Implement the lc_secrets method to map environment variables to the API key.

Here is an example implementation:

class ChatMistralAI extends BaseChatModel {
  // ... existing code ...

  get lc_secrets(): { [key: string]: string } | undefined {
    return {
      apiKey: "MISTRAL_AI_API_KEY",
    };
  }

  get lc_aliases(): { [key: string]: string } | undefined {
    return {
      apiKey: "mistral_ai_api_key",
    };
  }

  toString() {
    return `ChatMistralAI { model: ${this.model}, temperature: ${this.temperature}, ... }`;
  }

  inspect() {
    return this.toString();
  }
}

This approach ensures that the apiKey is securely managed and not exposed in plaintext when the instance is printed [1][2].

To continue talking to Dosu, mention @dosu.
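
The leak reported above next to one way to redact it, as an added example that is neither LangChain.js code nor the merged fix. Node's `console.log` consults a method keyed by `Symbol.for("nodejs.util.inspect.custom")` (a method merely named `inspect()` is no longer honoured by current Node releases); the class names, the secrets map and the key value are constructed for illustration.

```javascript
// Added example; not LangChain.js code. All names and values below are constructed.
const INSPECT = Symbol.for("nodejs.util.inspect.custom"); // hook used by console.log / util.inspect

// Before: the key is an ordinary enumerable property, so inspection prints it.
class LeakyClient {
  constructor({ apiKey, model }) {
    this.apiKey = apiKey;
    this.model = model;
  }
}

// After: a map of secret fields to placeholder ids (the idea behind lc_secrets,
// not its implementation) drives redaction for console output and JSON.
class RedactingClient {
  static secrets = { apiKey: "MISTRAL_API_KEY" };

  constructor({ apiKey, model }) {
    this.apiKey = apiKey;
    this.model = model;
  }

  // Shallow copy with every secret field replaced by its placeholder.
  redacted() {
    const copy = { ...this };
    for (const [field, id] of Object.entries(RedactingClient.secrets)) {
      if (field in copy) copy[field] = `<secret:${id}>`;
    }
    return copy;
  }

  [INSPECT]() { return this.redacted(); } // console.log formats this return value instead
  toJSON() { return this.redacted(); }    // JSON.stringify(client) is a second leak path
}

// Returns exactly what console.log(value) would write to stdout.
function consoleLogText(value) {
  const realWrite = process.stdout.write;
  let captured = "";
  process.stdout.write = (chunk) => { captured += String(chunk); return true; };
  try { console.log(value); } finally { process.stdout.write = realWrite; }
  return captured;
}

const key = "sk-constructed-0001"; // constructed sample value, not a real key
const leaky = consoleLogText(new LeakyClient({ apiKey: key, model: "demo" }));
const safe = consoleLogText(new RedactingClient({ apiKey: key, model: "demo" }));
console.log({ leakyPrintsKey: leaky.includes(key), redactingPrintsKey: safe.includes(key) });
```

Redaction of this kind only changes how the object is rendered: `client.apiKey` still returns the real value, so code that logs the field directly still prints it.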

@bracesproul
Member

Pushed a fix here. Thanks for flagging this!

@bracesproul
Member

@jeanpaul fix released here

@jeanpaul
Author

Thank you for your quick fix!

Full disclosure, this was raised here: https://community.n8n.io/t/mistral-api-keys-being-leaked-with-langchain-code-node/44609
