andre/crewAI
1
0
Fork 0
mirror of https://github.com/crewAIInc/crewAI.git synced 2026-05-04 16:52:37 +00:00
Code Issues Actions 7 Packages Projects Releases Wiki Activity

fix(deps): bump litellm for SSTI fix; ignore unfixable pip CVE

Browse Source
This commit is contained in:
Greyson LaLonde
2026-04-28 04:34:17 +08:00
committed by GitHub
parent cb46a1c4ba
commit de0b2a4fe0
8 changed files with 223 additions and 212 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
.github/workflows/vulnerability-scan.yml vendored
View File

@@ -46,17 +46,9 @@ jobs:
- name: Run pip-audit
run: |
uv run pip-audit --desc --aliases --skip-editable --format json --output pip-audit-report.json \
--ignore-vuln CVE-2025-69872 \
--ignore-vuln CVE-2026-25645 \
--ignore-vuln CVE-2026-27448 \
--ignore-vuln CVE-2026-27459 \
--ignore-vuln PYSEC-2023-235
--ignore-vuln CVE-2026-3219
# Ignored CVEs:
# CVE-2025-69872 - diskcache 5.6.3: no fix available (latest version)
# CVE-2026-25645 - requests 2.32.5: fix requires 2.33.0, blocked by crewai-tools ~=2.32.5 pin
# CVE-2026-27448 - pyopenssl 25.3.0: fix requires 26.0.0, blocked by snowflake-connector-python <26.0.0 pin
# CVE-2026-27459 - pyopenssl 25.3.0: same as above
# PYSEC-2023-235 - couchbase: fixed in 4.6.0 (already upgraded), advisory not yet updated
# CVE-2026-3219 - pip 26.0.1 (GHSA-58qw-9mgm-455v): no fix available, archive handling issue
continue-on-error: true
- name: Display results