Merge branch 'main' into dependabot/uv/types-regex-2026.1.15.20260116

pyproject.toml

@@ -12,7 +12,7 @@ dev = [
     "mypy==1.19.1",
     "pre-commit==4.5.1",
     "bandit==1.9.2",
-    "pytest==8.4.2",
+    "pytest==9.0.3",
     "pytest-asyncio==1.3.0",
     "pytest-subprocess==1.5.3",
     "vcrpy==7.0.0", # pinned, less versions break pytest-recording
@@ -20,7 +20,7 @@ dev = [
     "pytest-randomly==4.0.1",
     "pytest-timeout==2.4.0",
     "pytest-xdist==3.8.0",
-    "pytest-split==0.10.0",
+    "pytest-split==0.11.0",
     "types-requests~=2.31.0.6",
     "types-pyyaml==6.0.*",
     "types-regex==2026.2.28.*",
@@ -29,6 +29,8 @@ dev = [
     "types-psycopg2==2.9.21.20251012",
     "types-pymysql==1.1.0.20250916",
     "types-aiofiles~=25.1.0",
+    "commitizen>=4.13.9",
+    "pip-audit==2.9.0",
 ]
 
 
@@ -106,6 +108,7 @@ ignore-decorators = ["typing.overload"]
 "lib/crewai/tests/**/*.py" = ["S101", "RET504", "S105", "S106"]  # Allow assert statements, unnecessary assignments, and hardcoded passwords in tests
 "lib/crewai-tools/tests/**/*.py" = ["S101", "RET504", "S105", "S106", "RUF012", "N818", "E402", "RUF043", "S110", "B017"]  # Allow various test-specific patterns
 "lib/crewai-files/tests/**/*.py" = ["S101", "RET504", "S105", "S106", "B017", "F841"]  # Allow assert statements and blind exception assertions in tests
+"lib/devtools/tests/**/*.py" = ["S101"]
 
 
 [tool.mypy]
@@ -142,18 +145,57 @@ python_files = "test_*.py"
 python_classes = "Test*"
 python_functions = "test_*"
 
+[tool.commitizen]
+name = "cz_customize"
+version_provider = "scm"
+tag_format = "$version"
+allowed_prefixes = ["Merge", "Revert"]
+changelog_incremental = true
+update_changelog_on_bump = false
+
+[tool.commitizen.customize]
+schema = "<type>(<scope>): <description>"
+schema_pattern = "^(feat|fix|refactor|perf|test|docs|chore|ci|style|revert)(\\(.+\\))?!?: .{1,72}"
+bump_pattern = "^(feat|fix|perf|refactor|revert)"
+bump_map = { feat = "MINOR", fix = "PATCH", perf = "PATCH", refactor = "PATCH", revert = "PATCH" }
+info = "Commits must follow Conventional Commits 1.0.0."
+
+
 [tool.uv]
+# Pinned to include the security patch releases (authlib 1.6.11,
+# langchain-text-splitters 1.1.2) uploaded on 2026-04-16, and the
+# litellm 1.83.7+ SSTI fix (GHSA-xqmj-j6mv-4862) uploaded on 2026-04-13.
+exclude-newer = "2026-04-27"
 
 # composio-core pins rich<14 but textual requires rich>=14.
 # onnxruntime 1.24+ dropped Python 3.10 wheels; cap it so qdrant[fastembed] resolves on 3.10.
 # fastembed 0.7.x and docling 2.63 cap pillow<12; the removed APIs don't affect them.
-# langchain-core 0.3.76 has a template-injection vuln (GHSA); force >=0.3.80.
+# langchain-core <1.2.31 has GHSA-926x-3r5x-gfhw and is required by langchain-text-splitters 1.1.2+.
+# langchain-text-splitters <1.1.2 has GHSA-fv5p-p927-qmxr (SSRF bypass in split_text_from_url).
+# transformers 4.57.6 has CVE-2026-1839; force 5.4+ (docling 2.84 allows huggingface-hub>=1).
+# cryptography 46.0.6 has CVE-2026-39892; force 46.0.7+.
+# pypdf <6.10.2 has GHSA-4pxv-j86v-mhcw, GHSA-7gw9-cf7v-778f, GHSA-x284-j5p8-9c5p; force 6.10.2+.
+# uv <0.11.6 has GHSA-pjjw-68hj-v9mw; force 0.11.6+.
+# python-multipart <0.0.26 has GHSA-mj87-hwqh-73pj; force 0.0.26+.
+# langsmith <0.7.31 has GHSA-rr7j-v2q5-chgv (streaming token redaction bypass); force 0.7.31+.
+# authlib <1.6.11 has GHSA-jj8c-mmj3-mmgv (CSRF bypass in cache-based state storage).
+# litellm 1.83.8+ hard-pins openai==2.24.0, missing openai.types.responses used by crewai;
+# override to >=2.30.0 (the version litellm 1.83.7 used) until upstream relaxes the pin.
 override-dependencies = [
+    "openai>=2.30.0,<3",
     "rich>=13.7.1",
     "onnxruntime<1.24; python_version < '3.11'",
     "pillow>=12.1.1",
-    "langchain-core>=0.3.80,<1",
+    "langchain-core>=1.2.31,<2",
+    "langchain-text-splitters>=1.1.2,<2",
     "urllib3>=2.6.3",
+    "transformers>=5.4.0; python_version >= '3.10'",
+    "cryptography>=46.0.7",
+    "pypdf>=6.10.2,<7",
+    "uv>=0.11.6,<1",
+    "python-multipart>=0.0.26,<1",
+    "langsmith>=0.7.31,<0.8",
+    "authlib>=1.6.11",
 ]
 
 [tool.uv.workspace]