andre/crewAI
1
0
Fork 0
mirror of https://github.com/crewAIInc/crewAI.git synced 2026-05-04 08:42:38 +00:00
Code Issues Actions 5 Packages Projects Releases Wiki Activity

fix: bump pypdf, tinytag, and langchain-core for security fixes (#4989)

Browse Source 
- pypdf ~=6.7.5 → ~=6.9.1 (CVE-2026-33123, CVE-2026-31826)
- tinytag ~=1.10.0 → ~=2.2.1 (CVE-2026-32889)
- langchain-core >=0.3.80,<1 → >=1.2.11,<2 (CVE-2026-26013)

Co-authored-by: Greyson LaLonde <greyson.r.lalonde@gmail.com>
Co-authored-by: Lorenze Jay <63378463+lorenzejay@users.noreply.github.com>
This commit is contained in:
Matt Aitchison
2026-03-23 17:24:26 -05:00
committed by GitHub
parent 85199e9ffc
commit e88a8f2785
3 changed files with 16 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
pyproject.toml
View File

@@ -147,12 +147,12 @@ python_functions = "test_*"
# composio-core pins rich<14 but textual requires rich>=14.
# onnxruntime 1.24+ dropped Python 3.10 wheels; cap it so qdrant[fastembed] resolves on 3.10.
# fastembed 0.7.x and docling 2.63 cap pillow<12; the removed APIs don't affect them.
# langchain-core 0.3.76 has a template-injection vuln (GHSA); force >=0.3.80.
# langchain-core <1.2.11 has SSRF via image_url token counting (CVE-2026-26013).
override-dependencies = [
"rich>=13.7.1",
"onnxruntime<1.24; python_version < '3.11'",
"pillow>=12.1.1",
"langchain-core>=0.3.80,<1",
"langchain-core>=1.2.11,<2",
"urllib3>=2.6.3",
]