open-webui-openwebui/backend/requirements.txt
Classic298 b295a20b9d
chore: bump Python backend dependencies, drop unused peewee (#25786)
* chore: bump Python backend dependencies, drop unused peewee

Minor/patch + reviewed major bumps across requirements.txt,
requirements-min.txt, pyproject.toml and uv.lock; playwright image bumped in
docker-compose.playwright.yaml. peewee/peewee-migrate removed (zero imports).

Security-relevant: cryptography 46->48, authlib 1.6.10->1.7.2, PyJWT 2.11->2.13,
requests 2.33.1->2.34.2, RestrictedPython 8.1->8.2, pillow 12.1.1->12.2.0.
Reviewed majors: redis 7->8, pymilvus ->2.6.14, azure-search-documents 11->12,
chardet 5->7, unstructured 0.18->0.22, pycrdt 0.12->0.13.

Testing:
- Resolution: `uv lock` resolves the full bumped set with no conflicts; uv.lock
  regenerated to match (peewee dropped, every pin including
  azure-search-documents==12.0.0 resolves).
- Per-dependency contract tests (external tests repo, unit/deps/): 105 files,
  2205 passed / 6 skipped, ruff-clean. One file per dependency pins the symbols,
  signatures and behaviour the backend actually uses, so an API removal/rename in
  a bumped version fails loudly instead of at runtime. Offline/deterministic.
- End-to-end embed->retrieve test driving transformers + sentence-transformers +
  chromadb together through Open WebUI's real RAG path (cached model, in-memory
  chroma, semantic retrieval asserted).
- Install/startup/health resolution gate added to the dep-bump workflow and the
  integration suite (uv/pip resolve + uvicorn /health + Playwright dev visibility).
- Bugs surfaced while testing each got an isolated fix branch + regression test:
  Mistral OCR aiohttp FilePayload (#25779), chroma has_collection (#25780),
  aiocache per-user model-cache key (security), otel semconv deprecation,
  pydub/audioop <3.13 note.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Bump python-multipart 0.0.22 -> 0.0.27 (CVE-2026-42561, CVE-2026-40347)

0.0.22 is affected by two DoS CVEs in the multipart parser that
Starlette/FastAPI run for every multipart/form-data request, so any
authenticated user hitting an upload endpoint can trigger them:
- CVE-2026-42561: unbounded part-header count/size -> CPU exhaustion (fixed 0.0.27)
- CVE-2026-40347: large multipart preamble/epilogue DoS (fixed 0.0.26)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-29 02:02:18 -05:00

159 lines
3.2 KiB
Text

fastapi==0.136.3
uvicorn[standard]==0.41.0
pydantic==2.13.4
python-multipart==0.0.27
itsdangerous==2.2.0
python-socketio==5.16.2
python-jose==3.5.0
cryptography==48.0.0
bcrypt==5.0.0
argon2-cffi==25.1.0
PyJWT[crypto]==2.13.0
authlib==1.7.2
requests==2.34.2
aiohttp==3.13.5 # do not update to 3.13.3 - broken
async-timeout==5.0.1
aiocache==0.12.3
aiofiles==25.1.0
starlette-compress==1.7.1
Brotli==1.2.0
brotlicffi==1.2.0.1
httpx[socks,http2,zstd,cli,brotli]==0.28.1
starsessions[redis]==2.2.1
python-mimeparse==2.0.0
sqlalchemy[asyncio]==2.0.50
aiosqlite==0.22.1
psycopg[binary]==3.3.4
alembic==1.18.4
pycrdt==0.13.1
redis==8.0.0
APScheduler==3.11.2
RestrictedPython==8.2
pytz==2026.2
loguru==0.7.3
asgiref==3.11.1
# AI libraries
tiktoken==0.13.0
mcp==1.27.2
openai==2.29.0
anthropic==0.86.0
google-genai==1.66.0
langchain==1.2.10
langchain-community==0.4.2
langchain-classic==1.0.7
langchain-text-splitters==1.1.2
fake-useragent==2.2.0
chromadb==1.5.9
weaviate-client==4.20.3
opensearch-py==3.2.0
transformers==5.5.4
sentence-transformers==5.5.1
accelerate==1.13.0
pyarrow==20.0.0 # fix: pin pyarrow version to 20 for rpi compatibility #15897
einops==0.8.2
ftfy==6.3.1
chardet==7.4.3
pypdf==6.7.5
fpdf2==2.8.7
pymdown-extensions==10.21.3
docx2txt==0.9
python-pptx==1.0.2
msoffcrypto-tool==6.0.0
unstructured==0.22.31
nltk==3.9.4
Markdown==3.10.2
beautifulsoup4==4.14.3
pypandoc==1.17
pandas==3.0.3
openpyxl==3.1.5
pyxlsb==1.0.10
xlrd==2.0.2
validators==0.35.0
psutil==7.2.2
sentencepiece==0.2.1
soundfile==0.13.1
pillow==12.2.0
opencv-python-headless==4.13.0.92
rapidocr-onnxruntime==1.4.4
rank-bm25==0.2.2
onnxruntime==1.26.0
faster-whisper==1.2.1
black==26.5.1
youtube-transcript-api==1.2.4
pytube==15.0.0
pydub==0.25.1
ddgs==9.14.4
azure-ai-documentintelligence==1.0.2
azure-identity==1.25.3
azure-storage-blob==12.29.0
azure-search-documents==12.0.0
## Google Drive
google-api-python-client==2.197.0
google-auth-httplib2==0.4.0
google-auth-oauthlib==1.4.0
googleapis-common-protos==1.75.0
google-cloud-storage==3.9.0
## Databases
pymongo==4.17.0
psycopg2-binary==2.9.12
pgvector==0.4.2
PyMySQL==1.2.0
boto3==1.42.62
# mariadb==1.1.14 should be added if you want to support MariaDB
# valkey-glide-sync==2.3.1 # optional: install manually if VECTOR_DB=valkey
pymilvus==2.6.14
qdrant-client==1.18.0
playwright==1.60.0 # Caution: version must match docker-compose.playwright.yaml - Update the docker-compose.yaml if necessary
elasticsearch==9.4.1
pinecone==6.0.2
oracledb==3.4.2
av==14.0.1 # Caution: Set due to FATAL FIPS SELFTEST FAILURE, see discussion https://github.com/open-webui/open-webui/discussions/15720
colbert-ai==0.2.22
## Tests
docker~=7.1.0
pytest~=8.4.1
pytest-docker~=3.2.5
## LDAP
ldap3==2.9.1
## Trace
opentelemetry-api==1.42.1
opentelemetry-sdk==1.42.1
opentelemetry-exporter-otlp==1.42.1
opentelemetry-instrumentation==0.63b1
opentelemetry-instrumentation-fastapi==0.63b1
opentelemetry-instrumentation-sqlalchemy==0.63b1
opentelemetry-instrumentation-redis==0.63b1
opentelemetry-instrumentation-requests==0.63b1
opentelemetry-instrumentation-logging==0.63b1
opentelemetry-instrumentation-httpx==0.63b1
opentelemetry-instrumentation-aiohttp-client==0.63b1
opentelemetry-instrumentation-system-metrics==0.63b1