mirror of
https://github.com/agent0ai/agent-zero.git
synced 2026-07-09 17:08:29 +00:00
Patch LiteLLM security pins
Upgrade LiteLLM to 1.88.1 so Agent Zero is above the CVE-2026-42271 patched floor, and move the OpenAI SDK pin to 2.41.1 to satisfy LiteLLM's new dependency range. Pin Starlette to the patched 1.0.1 release for the Host-header request.url.path advisory. Fold requirements2.txt back into requirements.txt now that browser-use is no longer part of the repo dependency set, and update installer and setup docs to use a single requirements file.
This commit is contained in:
parent
b04443be1a
commit
b3b5e44cc3
5 changed files with 4 additions and 10 deletions
|
|
@ -41,7 +41,6 @@ Primary Language(s): Python, JavaScript (ES Modules)
|
|||
Do not combine these commands; run them individually:
|
||||
```bash
|
||||
pip install -r requirements.txt
|
||||
pip install -r requirements2.txt
|
||||
```
|
||||
- Start WebUI: python run_ui.py
|
||||
|
||||
|
|
@ -241,7 +240,6 @@ If pip install fails, try running in a clean virtual environment:
|
|||
python -m venv .venv
|
||||
source .venv/bin/activate
|
||||
pip install -r requirements.txt
|
||||
pip install -r requirements2.txt
|
||||
```
|
||||
|
||||
### WebSocket Connection Failures
|
||||
|
|
|
|||
|
|
@ -36,8 +36,6 @@ fi
|
|||
|
||||
# Install remaining A0 python packages
|
||||
uv pip install -r /git/agent-zero/requirements.txt
|
||||
# override for packages that have unnecessarily strict dependencies
|
||||
uv pip install -r /git/agent-zero/requirements2.txt
|
||||
|
||||
# install playwright
|
||||
bash /ins/install_playwright.sh "$@"
|
||||
|
|
|
|||
|
|
@ -21,7 +21,6 @@ For local development:
|
|||
python -m venv .venv
|
||||
source .venv/bin/activate
|
||||
pip install -r requirements.txt
|
||||
pip install -r requirements2.txt
|
||||
python run_ui.py
|
||||
```
|
||||
|
||||
|
|
|
|||
|
|
@ -18,6 +18,8 @@ langchain-core==0.3.49
|
|||
langchain-community==0.3.19
|
||||
langchain-unstructured==0.1.6
|
||||
liteparse==2.0.3
|
||||
litellm==1.88.1 # CVE-2026-42271 fix: patched floor is 1.83.7
|
||||
openai==2.41.1
|
||||
openai-whisper==20250625
|
||||
lxml_html_clean>=0.4.0 # CVE-2024-52595 fix: XSS CWE-79 CVSS 8.4
|
||||
markdown==3.7
|
||||
|
|
@ -48,6 +50,7 @@ imapclient>=3.0.1
|
|||
html2text>=2024.2.26
|
||||
beautifulsoup4>=4.12.3
|
||||
boto3>=1.35.0
|
||||
chardet<6 # unstructured may pull chardet; requests warns when chardet>=6 is present
|
||||
exchangelib>=5.4.3
|
||||
pywinpty==3.0.2; sys_platform == "win32"
|
||||
python-socketio>=5.14.2
|
||||
|
|
@ -62,3 +65,4 @@ h11>=0.16.0 # security floor: HTTP request smuggling CWE-444
|
|||
urllib3>=2.6.0 # security floor: resource exhaustion CWE-770, data amplification CWE-409
|
||||
cryptography>=46.0.0 # security floor: insufficient data authenticity CWE-345
|
||||
werkzeug>=3.0.3 # security floor: RCE CWE-94
|
||||
starlette==1.0.1 # security fix: Host header validation bypass GHSA-86qp-5c8j-p5mr
|
||||
|
|
|
|||
|
|
@ -1,5 +0,0 @@
|
|||
litellm==1.79.3
|
||||
openai==1.99.5
|
||||
# `unstructured` pulls `chardet` without an upper bound, but `requests`
|
||||
# warns on import when chardet>=6 is present in the same environment.
|
||||
chardet<6
|
||||
Loading…
Add table
Add a link
Reference in a new issue