mirror of
https://github.com/agent0ai/agent-zero.git
synced 2026-07-09 17:08:29 +00:00
Patch LiteLLM security pins
Upgrade LiteLLM to 1.88.1 so Agent Zero is above the CVE-2026-42271 patched floor, and move the OpenAI SDK pin to 2.41.1 to satisfy LiteLLM's new dependency range. Pin Starlette to the patched 1.0.1 release for the Host-header request.url.path advisory. Fold requirements2.txt back into requirements.txt now that browser-use is no longer part of the repo dependency set, and update installer and setup docs to use a single requirements file.
This commit is contained in:
parent
b04443be1a
commit
b3b5e44cc3
5 changed files with 4 additions and 10 deletions
|
|
@ -41,7 +41,6 @@ Primary Language(s): Python, JavaScript (ES Modules)
|
||||||
Do not combine these commands; run them individually:
|
Do not combine these commands; run them individually:
|
||||||
```bash
|
```bash
|
||||||
pip install -r requirements.txt
|
pip install -r requirements.txt
|
||||||
pip install -r requirements2.txt
|
|
||||||
```
|
```
|
||||||
- Start WebUI: python run_ui.py
|
- Start WebUI: python run_ui.py
|
||||||
|
|
||||||
|
|
@ -241,7 +240,6 @@ If pip install fails, try running in a clean virtual environment:
|
||||||
python -m venv .venv
|
python -m venv .venv
|
||||||
source .venv/bin/activate
|
source .venv/bin/activate
|
||||||
pip install -r requirements.txt
|
pip install -r requirements.txt
|
||||||
pip install -r requirements2.txt
|
|
||||||
```
|
```
|
||||||
|
|
||||||
### WebSocket Connection Failures
|
### WebSocket Connection Failures
|
||||||
|
|
|
||||||
|
|
@ -36,8 +36,6 @@ fi
|
||||||
|
|
||||||
# Install remaining A0 python packages
|
# Install remaining A0 python packages
|
||||||
uv pip install -r /git/agent-zero/requirements.txt
|
uv pip install -r /git/agent-zero/requirements.txt
|
||||||
# override for packages that have unnecessarily strict dependencies
|
|
||||||
uv pip install -r /git/agent-zero/requirements2.txt
|
|
||||||
|
|
||||||
# install playwright
|
# install playwright
|
||||||
bash /ins/install_playwright.sh "$@"
|
bash /ins/install_playwright.sh "$@"
|
||||||
|
|
|
||||||
|
|
@ -21,7 +21,6 @@ For local development:
|
||||||
python -m venv .venv
|
python -m venv .venv
|
||||||
source .venv/bin/activate
|
source .venv/bin/activate
|
||||||
pip install -r requirements.txt
|
pip install -r requirements.txt
|
||||||
pip install -r requirements2.txt
|
|
||||||
python run_ui.py
|
python run_ui.py
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -18,6 +18,8 @@ langchain-core==0.3.49
|
||||||
langchain-community==0.3.19
|
langchain-community==0.3.19
|
||||||
langchain-unstructured==0.1.6
|
langchain-unstructured==0.1.6
|
||||||
liteparse==2.0.3
|
liteparse==2.0.3
|
||||||
|
litellm==1.88.1 # CVE-2026-42271 fix: patched floor is 1.83.7
|
||||||
|
openai==2.41.1
|
||||||
openai-whisper==20250625
|
openai-whisper==20250625
|
||||||
lxml_html_clean>=0.4.0 # CVE-2024-52595 fix: XSS CWE-79 CVSS 8.4
|
lxml_html_clean>=0.4.0 # CVE-2024-52595 fix: XSS CWE-79 CVSS 8.4
|
||||||
markdown==3.7
|
markdown==3.7
|
||||||
|
|
@ -48,6 +50,7 @@ imapclient>=3.0.1
|
||||||
html2text>=2024.2.26
|
html2text>=2024.2.26
|
||||||
beautifulsoup4>=4.12.3
|
beautifulsoup4>=4.12.3
|
||||||
boto3>=1.35.0
|
boto3>=1.35.0
|
||||||
|
chardet<6 # unstructured may pull chardet; requests warns when chardet>=6 is present
|
||||||
exchangelib>=5.4.3
|
exchangelib>=5.4.3
|
||||||
pywinpty==3.0.2; sys_platform == "win32"
|
pywinpty==3.0.2; sys_platform == "win32"
|
||||||
python-socketio>=5.14.2
|
python-socketio>=5.14.2
|
||||||
|
|
@ -62,3 +65,4 @@ h11>=0.16.0 # security floor: HTTP request smuggling CWE-444
|
||||||
urllib3>=2.6.0 # security floor: resource exhaustion CWE-770, data amplification CWE-409
|
urllib3>=2.6.0 # security floor: resource exhaustion CWE-770, data amplification CWE-409
|
||||||
cryptography>=46.0.0 # security floor: insufficient data authenticity CWE-345
|
cryptography>=46.0.0 # security floor: insufficient data authenticity CWE-345
|
||||||
werkzeug>=3.0.3 # security floor: RCE CWE-94
|
werkzeug>=3.0.3 # security floor: RCE CWE-94
|
||||||
|
starlette==1.0.1 # security fix: Host header validation bypass GHSA-86qp-5c8j-p5mr
|
||||||
|
|
|
||||||
|
|
@ -1,5 +0,0 @@
|
||||||
litellm==1.79.3
|
|
||||||
openai==1.99.5
|
|
||||||
# `unstructured` pulls `chardet` without an upper bound, but `requests`
|
|
||||||
# warns on import when chardet>=6 is present in the same environment.
|
|
||||||
chardet<6
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue