mirror of
https://github.com/crewAIInc/crewAI.git
synced 2026-07-04 14:39:23 +00:00
nltk 3.9.4 path-traversal advisory (percent-encoded sequences bypassing the data.load()/find() check; incomplete fix for nltk#3504). 3.9.4 is the latest release and the advisory lists no fixed version, so the pin cannot be bumped to clear it. nltk is transitive via unstructured and crewai never calls nltk.data.load()/find() with untrusted input. Mirrors the existing PYSEC-2026-97 nltk ignore.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>