Patch LiteLLM security pins

Upgrade LiteLLM to 1.88.1 so Agent Zero is above the CVE-2026-42271 patched floor, and move the OpenAI SDK pin to 2.41.1 to satisfy LiteLLM's new dependency range.

Pin Starlette to the patched 1.0.1 release for the Host-header request.url.path advisory.

Fold requirements2.txt back into requirements.txt now that browser-use is no longer part of the repo dependency set, and update installer and setup docs to use a single requirements file.
This commit is contained in:
Alessandro 2026-06-11 03:47:58 +02:00
parent b04443be1a
commit b3b5e44cc3
5 changed files with 4 additions and 10 deletions

View file

@ -41,7 +41,6 @@ Primary Language(s): Python, JavaScript (ES Modules)
Do not combine these commands; run them individually:
```bash
pip install -r requirements.txt
pip install -r requirements2.txt
```
- Start WebUI: python run_ui.py
@ -241,7 +240,6 @@ If pip install fails, try running in a clean virtual environment:
python -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
pip install -r requirements2.txt
```
### WebSocket Connection Failures

View file

@ -36,8 +36,6 @@ fi
# Install remaining A0 python packages
uv pip install -r /git/agent-zero/requirements.txt
# override for packages that have unnecessarily strict dependencies
uv pip install -r /git/agent-zero/requirements2.txt
# install playwright
bash /ins/install_playwright.sh "$@"

View file

@ -21,7 +21,6 @@ For local development:
python -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
pip install -r requirements2.txt
python run_ui.py
```

View file

@ -18,6 +18,8 @@ langchain-core==0.3.49
langchain-community==0.3.19
langchain-unstructured==0.1.6
liteparse==2.0.3
litellm==1.88.1 # CVE-2026-42271 fix: patched floor is 1.83.7
openai==2.41.1
openai-whisper==20250625
lxml_html_clean>=0.4.0 # CVE-2024-52595 fix: XSS CWE-79 CVSS 8.4
markdown==3.7
@ -48,6 +50,7 @@ imapclient>=3.0.1
html2text>=2024.2.26
beautifulsoup4>=4.12.3
boto3>=1.35.0
chardet<6 # unstructured may pull chardet; requests warns when chardet>=6 is present
exchangelib>=5.4.3
pywinpty==3.0.2; sys_platform == "win32"
python-socketio>=5.14.2
@ -62,3 +65,4 @@ h11>=0.16.0 # security floor: HTTP request smuggling CWE-444
urllib3>=2.6.0 # security floor: resource exhaustion CWE-770, data amplification CWE-409
cryptography>=46.0.0 # security floor: insufficient data authenticity CWE-345
werkzeug>=3.0.3 # security floor: RCE CWE-94
starlette==1.0.1 # security fix: Host header validation bypass GHSA-86qp-5c8j-p5mr

View file

@ -1,5 +0,0 @@
litellm==1.79.3
openai==1.99.5
# `unstructured` pulls `chardet` without an upper bound, but `requests`
# warns on import when chardet>=6 is present in the same environment.
chardet<6