mirror of
https://github.com/crewAIInc/crewAI.git
synced 2026-04-08 12:08:15 +00:00
fdb9b6f090
* fix: bump litellm to >=1.83.0 to address CVE-2026-35030 Bump litellm from <=1.82.6 to >=1.83.0 to fix JWT auth bypass via OIDC cache key collision (CVE-2026-35030). Also widen devtools openai pin from ~=1.83.0 to >=1.83.0,<3 to resolve the version conflict (litellm 1.83.0 requires openai>=2.8.0). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: resolve mypy errors from litellm bump - Remove unused type: ignore[import-untyped] on instructor import - Remove all unused type: ignore[union-attr] comments (litellm types fixed) - Add hasattr guard for tool_call.function — new litellm adds ChatCompletionMessageCustomToolCall to the union which lacks .function * fix: tighten litellm pin to ~=1.83.0 (patch-only bumps) >=1.83.0,<2 is too wide — litellm has had breaking changes between minors. ~=1.83.0 means >=1.83.0,<1.84.0 — gets CVE patches but won't pull in breaking minor releases. * ci: bump uv from 0.8.4 to 0.11.3 * fix: resolve mypy errors in openai completion from 2.x type changes Use isinstance checks with concrete openai response types instead of string comparisons for proper type narrowing. Update code interpreter handling for outputs/OutputImage API changes in openai 2.x. * fix: pre-cache tiktoken encoding before VCR intercepts requests --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: Alex <alex@crewai.com> Co-authored-by: Greyson LaLonde <greyson@crewai.com>