From b3b5e44cc32359c28c35b485b671a191e90fd759 Mon Sep 17 00:00:00 2001 From: Alessandro <155005371+3clyp50@users.noreply.github.com> Date: Thu, 11 Jun 2026 03:47:58 +0200 Subject: [PATCH] Patch LiteLLM security pins Upgrade LiteLLM to 1.88.1 so Agent Zero is above the CVE-2026-42271 patched floor, and move the OpenAI SDK pin to 2.41.1 to satisfy LiteLLM's new dependency range. Pin Starlette to the patched 1.0.1 release for the Host-header request.url.path advisory. Fold requirements2.txt back into requirements.txt now that browser-use is no longer part of the repo dependency set, and update installer and setup docs to use a single requirements file. --- AGENTS.md | 2 -- docker/run/fs/ins/install_A0.sh | 2 -- knowledge/main/about/setup-and-deployment.md | 1 - requirements.txt | 4 ++++ requirements2.txt | 5 ----- 5 files changed, 4 insertions(+), 10 deletions(-) delete mode 100644 requirements2.txt diff --git a/AGENTS.md b/AGENTS.md index e3bcd1d70..47736dbb4 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -41,7 +41,6 @@ Primary Language(s): Python, JavaScript (ES Modules) Do not combine these commands; run them individually: ```bash pip install -r requirements.txt -pip install -r requirements2.txt ``` - Start WebUI: python run_ui.py @@ -241,7 +240,6 @@ If pip install fails, try running in a clean virtual environment: python -m venv .venv source .venv/bin/activate pip install -r requirements.txt -pip install -r requirements2.txt ``` ### WebSocket Connection Failures diff --git a/docker/run/fs/ins/install_A0.sh b/docker/run/fs/ins/install_A0.sh index 0aeaf13ff..7b5d0d807 100644 --- a/docker/run/fs/ins/install_A0.sh +++ b/docker/run/fs/ins/install_A0.sh @@ -36,8 +36,6 @@ fi # Install remaining A0 python packages uv pip install -r /git/agent-zero/requirements.txt -# override for packages that have unnecessarily strict dependencies -uv pip install -r /git/agent-zero/requirements2.txt # install playwright bash /ins/install_playwright.sh "$@" diff --git a/knowledge/main/about/setup-and-deployment.md b/knowledge/main/about/setup-and-deployment.md index 90fd33f86..6ed3456b7 100644 --- a/knowledge/main/about/setup-and-deployment.md +++ b/knowledge/main/about/setup-and-deployment.md @@ -21,7 +21,6 @@ For local development: python -m venv .venv source .venv/bin/activate pip install -r requirements.txt -pip install -r requirements2.txt python run_ui.py ``` diff --git a/requirements.txt b/requirements.txt index bbb94b2b8..5c4381828 100644 --- a/requirements.txt +++ b/requirements.txt @@ -18,6 +18,8 @@ langchain-core==0.3.49 langchain-community==0.3.19 langchain-unstructured==0.1.6 liteparse==2.0.3 +litellm==1.88.1 # CVE-2026-42271 fix: patched floor is 1.83.7 +openai==2.41.1 openai-whisper==20250625 lxml_html_clean>=0.4.0 # CVE-2024-52595 fix: XSS CWE-79 CVSS 8.4 markdown==3.7 @@ -48,6 +50,7 @@ imapclient>=3.0.1 html2text>=2024.2.26 beautifulsoup4>=4.12.3 boto3>=1.35.0 +chardet<6 # unstructured may pull chardet; requests warns when chardet>=6 is present exchangelib>=5.4.3 pywinpty==3.0.2; sys_platform == "win32" python-socketio>=5.14.2 @@ -62,3 +65,4 @@ h11>=0.16.0 # security floor: HTTP request smuggling CWE-444 urllib3>=2.6.0 # security floor: resource exhaustion CWE-770, data amplification CWE-409 cryptography>=46.0.0 # security floor: insufficient data authenticity CWE-345 werkzeug>=3.0.3 # security floor: RCE CWE-94 +starlette==1.0.1 # security fix: Host header validation bypass GHSA-86qp-5c8j-p5mr diff --git a/requirements2.txt b/requirements2.txt deleted file mode 100644 index 859237a09..000000000 --- a/requirements2.txt +++ /dev/null @@ -1,5 +0,0 @@ -litellm==1.79.3 -openai==1.99.5 -# `unstructured` pulls `chardet` without an upper bound, but `requests` -# warns on import when chardet>=6 is present in the same environment. -chardet<6