mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-09 16:09:10 +00:00
* chore: bump Python backend dependencies, drop unused peewee Minor/patch + reviewed major bumps across requirements.txt, requirements-min.txt, pyproject.toml and uv.lock; playwright image bumped in docker-compose.playwright.yaml. peewee/peewee-migrate removed (zero imports). Security-relevant: cryptography 46->48, authlib 1.6.10->1.7.2, PyJWT 2.11->2.13, requests 2.33.1->2.34.2, RestrictedPython 8.1->8.2, pillow 12.1.1->12.2.0. Reviewed majors: redis 7->8, pymilvus ->2.6.14, azure-search-documents 11->12, chardet 5->7, unstructured 0.18->0.22, pycrdt 0.12->0.13. Testing: - Resolution: `uv lock` resolves the full bumped set with no conflicts; uv.lock regenerated to match (peewee dropped, every pin including azure-search-documents==12.0.0 resolves). - Per-dependency contract tests (external tests repo, unit/deps/): 105 files, 2205 passed / 6 skipped, ruff-clean. One file per dependency pins the symbols, signatures and behaviour the backend actually uses, so an API removal/rename in a bumped version fails loudly instead of at runtime. Offline/deterministic. - End-to-end embed->retrieve test driving transformers + sentence-transformers + chromadb together through Open WebUI's real RAG path (cached model, in-memory chroma, semantic retrieval asserted). - Install/startup/health resolution gate added to the dep-bump workflow and the integration suite (uv/pip resolve + uvicorn /health + Playwright dev visibility). - Bugs surfaced while testing each got an isolated fix branch + regression test: Mistral OCR aiohttp FilePayload (#25779), chroma has_collection (#25780), aiocache per-user model-cache key (security), otel semconv deprecation, pydub/audioop <3.13 note. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * Bump python-multipart 0.0.22 -> 0.0.27 (CVE-2026-42561, CVE-2026-40347) 0.0.22 is affected by two DoS CVEs in the multipart parser that Starlette/FastAPI run for every multipart/form-data request, so any authenticated user hitting an upload endpoint can trigger them: - CVE-2026-42561: unbounded part-header count/size -> CPU exhaustion (fixed 0.0.27) - CVE-2026-40347: large multipart preamble/epilogue DoS (fixed 0.0.26) Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
10 lines
343 B
YAML
10 lines
343 B
YAML
services:
|
|
playwright:
|
|
image: mcr.microsoft.com/playwright:v1.60.0-noble # Version must match requirements.txt
|
|
container_name: playwright
|
|
command: npx -y playwright@1.60.0 run-server --port 3000 --host 0.0.0.0
|
|
|
|
open-webui:
|
|
environment:
|
|
- 'WEB_LOADER_ENGINE=playwright'
|
|
- 'PLAYWRIGHT_WS_URL=ws://playwright:3000'
|