mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-09 16:09:10 +00:00
* chore: bump Python backend dependencies, drop unused peewee Minor/patch + reviewed major bumps across requirements.txt, requirements-min.txt, pyproject.toml and uv.lock; playwright image bumped in docker-compose.playwright.yaml. peewee/peewee-migrate removed (zero imports). Security-relevant: cryptography 46->48, authlib 1.6.10->1.7.2, PyJWT 2.11->2.13, requests 2.33.1->2.34.2, RestrictedPython 8.1->8.2, pillow 12.1.1->12.2.0. Reviewed majors: redis 7->8, pymilvus ->2.6.14, azure-search-documents 11->12, chardet 5->7, unstructured 0.18->0.22, pycrdt 0.12->0.13. Testing: - Resolution: `uv lock` resolves the full bumped set with no conflicts; uv.lock regenerated to match (peewee dropped, every pin including azure-search-documents==12.0.0 resolves). - Per-dependency contract tests (external tests repo, unit/deps/): 105 files, 2205 passed / 6 skipped, ruff-clean. One file per dependency pins the symbols, signatures and behaviour the backend actually uses, so an API removal/rename in a bumped version fails loudly instead of at runtime. Offline/deterministic. - End-to-end embed->retrieve test driving transformers + sentence-transformers + chromadb together through Open WebUI's real RAG path (cached model, in-memory chroma, semantic retrieval asserted). - Install/startup/health resolution gate added to the dep-bump workflow and the integration suite (uv/pip resolve + uvicorn /health + Playwright dev visibility). - Bugs surfaced while testing each got an isolated fix branch + regression test: Mistral OCR aiohttp FilePayload (#25779), chroma has_collection (#25780), aiocache per-user model-cache key (security), otel semconv deprecation, pydub/audioop <3.13 note. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * Bump python-multipart 0.0.22 -> 0.0.27 (CVE-2026-42561, CVE-2026-40347) 0.0.22 is affected by two DoS CVEs in the multipart parser that Starlette/FastAPI run for every multipart/form-data request, so any authenticated user hitting an upload endpoint can trigger them: - CVE-2026-42561: unbounded part-header count/size -> CPU exhaustion (fixed 0.0.27) - CVE-2026-40347: large multipart preamble/epilogue DoS (fixed 0.0.26) Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
159 lines
3.2 KiB
Text
159 lines
3.2 KiB
Text
fastapi==0.136.3
|
|
uvicorn[standard]==0.41.0
|
|
pydantic==2.13.4
|
|
python-multipart==0.0.27
|
|
itsdangerous==2.2.0
|
|
|
|
python-socketio==5.16.2
|
|
python-jose==3.5.0
|
|
cryptography==48.0.0
|
|
bcrypt==5.0.0
|
|
argon2-cffi==25.1.0
|
|
PyJWT[crypto]==2.13.0
|
|
authlib==1.7.2
|
|
|
|
requests==2.34.2
|
|
aiohttp==3.13.5 # do not update to 3.13.3 - broken
|
|
async-timeout==5.0.1
|
|
aiocache==0.12.3
|
|
aiofiles==25.1.0
|
|
starlette-compress==1.7.1
|
|
Brotli==1.2.0
|
|
brotlicffi==1.2.0.1
|
|
httpx[socks,http2,zstd,cli,brotli]==0.28.1
|
|
starsessions[redis]==2.2.1
|
|
python-mimeparse==2.0.0
|
|
|
|
sqlalchemy[asyncio]==2.0.50
|
|
aiosqlite==0.22.1
|
|
psycopg[binary]==3.3.4
|
|
alembic==1.18.4
|
|
|
|
pycrdt==0.13.1
|
|
redis==8.0.0
|
|
|
|
APScheduler==3.11.2
|
|
RestrictedPython==8.2
|
|
pytz==2026.2
|
|
|
|
loguru==0.7.3
|
|
asgiref==3.11.1
|
|
|
|
# AI libraries
|
|
tiktoken==0.13.0
|
|
mcp==1.27.2
|
|
|
|
openai==2.29.0
|
|
anthropic==0.86.0
|
|
google-genai==1.66.0
|
|
|
|
langchain==1.2.10
|
|
langchain-community==0.4.2
|
|
langchain-classic==1.0.7
|
|
langchain-text-splitters==1.1.2
|
|
|
|
fake-useragent==2.2.0
|
|
chromadb==1.5.9
|
|
weaviate-client==4.20.3
|
|
opensearch-py==3.2.0
|
|
|
|
transformers==5.5.4
|
|
sentence-transformers==5.5.1
|
|
accelerate==1.13.0
|
|
pyarrow==20.0.0 # fix: pin pyarrow version to 20 for rpi compatibility #15897
|
|
einops==0.8.2
|
|
|
|
ftfy==6.3.1
|
|
chardet==7.4.3
|
|
pypdf==6.7.5
|
|
fpdf2==2.8.7
|
|
pymdown-extensions==10.21.3
|
|
docx2txt==0.9
|
|
python-pptx==1.0.2
|
|
msoffcrypto-tool==6.0.0
|
|
unstructured==0.22.31
|
|
|
|
nltk==3.9.4
|
|
Markdown==3.10.2
|
|
beautifulsoup4==4.14.3
|
|
pypandoc==1.17
|
|
pandas==3.0.3
|
|
openpyxl==3.1.5
|
|
pyxlsb==1.0.10
|
|
xlrd==2.0.2
|
|
validators==0.35.0
|
|
psutil==7.2.2
|
|
sentencepiece==0.2.1
|
|
soundfile==0.13.1
|
|
|
|
pillow==12.2.0
|
|
opencv-python-headless==4.13.0.92
|
|
rapidocr-onnxruntime==1.4.4
|
|
rank-bm25==0.2.2
|
|
|
|
onnxruntime==1.26.0
|
|
faster-whisper==1.2.1
|
|
|
|
black==26.5.1
|
|
youtube-transcript-api==1.2.4
|
|
pytube==15.0.0
|
|
|
|
pydub==0.25.1
|
|
ddgs==9.14.4
|
|
|
|
azure-ai-documentintelligence==1.0.2
|
|
azure-identity==1.25.3
|
|
azure-storage-blob==12.29.0
|
|
azure-search-documents==12.0.0
|
|
|
|
## Google Drive
|
|
google-api-python-client==2.197.0
|
|
google-auth-httplib2==0.4.0
|
|
google-auth-oauthlib==1.4.0
|
|
|
|
googleapis-common-protos==1.75.0
|
|
google-cloud-storage==3.9.0
|
|
|
|
## Databases
|
|
pymongo==4.17.0
|
|
psycopg2-binary==2.9.12
|
|
pgvector==0.4.2
|
|
|
|
PyMySQL==1.2.0
|
|
boto3==1.42.62
|
|
# mariadb==1.1.14 should be added if you want to support MariaDB
|
|
# valkey-glide-sync==2.3.1 # optional: install manually if VECTOR_DB=valkey
|
|
|
|
pymilvus==2.6.14
|
|
qdrant-client==1.18.0
|
|
playwright==1.60.0 # Caution: version must match docker-compose.playwright.yaml - Update the docker-compose.yaml if necessary
|
|
elasticsearch==9.4.1
|
|
pinecone==6.0.2
|
|
oracledb==3.4.2
|
|
|
|
av==14.0.1 # Caution: Set due to FATAL FIPS SELFTEST FAILURE, see discussion https://github.com/open-webui/open-webui/discussions/15720
|
|
|
|
colbert-ai==0.2.22
|
|
|
|
|
|
## Tests
|
|
docker~=7.1.0
|
|
pytest~=8.4.1
|
|
pytest-docker~=3.2.5
|
|
|
|
## LDAP
|
|
ldap3==2.9.1
|
|
|
|
## Trace
|
|
opentelemetry-api==1.42.1
|
|
opentelemetry-sdk==1.42.1
|
|
opentelemetry-exporter-otlp==1.42.1
|
|
opentelemetry-instrumentation==0.63b1
|
|
opentelemetry-instrumentation-fastapi==0.63b1
|
|
opentelemetry-instrumentation-sqlalchemy==0.63b1
|
|
opentelemetry-instrumentation-redis==0.63b1
|
|
opentelemetry-instrumentation-requests==0.63b1
|
|
opentelemetry-instrumentation-logging==0.63b1
|
|
opentelemetry-instrumentation-httpx==0.63b1
|
|
opentelemetry-instrumentation-aiohttp-client==0.63b1
|
|
opentelemetry-instrumentation-system-metrics==0.63b1
|