fix: bump litellm to ~=1.83.7 for GHSA-xqmj-j6mv-4862 + update exclude-newer
litellm 1.83.0 has an MCP stdio command injection vulnerability (CVE-2026-30623). Fixed in 1.83.7-stable. Also bumps exclude-newer to 2026-04-26 so the resolver can find the newer version. Note: GHSA-58qw-9mgm-455v (pip) requires a workflow file change to add --ignore-vuln, which needs the workflow OAuth scope.
@@ -84,7 +84,7 @@ voyageai = [
"voyageai~=0.3.5",
]
litellm = [
"litellm~=1.83.0",
"litellm~=1.83.7",
]
bedrock = [
"boto3~=1.42.79",
@@ -164,7 +164,7 @@ info = "Commits must follow Conventional Commits 1.0.0."
[tool.uv]
# Pinned to include the security patch releases (authlib 1.6.11,
# langchain-text-splitters 1.1.2) uploaded on 2026-04-16.
exclude-newer = "2026-04-22"
exclude-newer = "2026-04-26"
# composio-core pins rich<14 but textual requires rich>=14.
# onnxruntime 1.24+ dropped Python 3.10 wheels; cap it so qdrant[fastembed] resolves on 3.10.
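Review bot: The rationale comment above `exclude-newer` in the `[tool.uv]` hunk is now stale: it still says the pin exists for the authlib 1.6.11 and langchain-text-splitters 1.1.2 patch releases uploaded on 2026-04-16, while the date moves to 2026-04-26 and the commit message says the new reason is the litellm 1.83.7 fix for GHSA-xqmj-j6mv-4862. Since `exclude-newer` is the supply-chain cut-off that decides which releases the resolver may ever consider, the comment should name every release the date was moved for, e.g. `# Pinned to include the security patch releases (authlib 1.6.11,` / `# langchain-text-splitters 1.1.2, litellm 1.83.7 for GHSA-xqmj-j6mv-4862).`. Moving the cut-off forward by ten days also admits any other package version published in that window, not only litellm, so the regenerated lockfile diff is worth reviewing for unrelated upgrades; whether a lockfile is part of this commit is not visible here. The `litellm~=1.83.7` bump in the first hunk itself needs no change.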