crewAI/lib/devtools
Lorenze Jay fdb9b6f090 fix: bump litellm to >=1.83.0 to address CVE-2026-35030
* fix: bump litellm to >=1.83.0 to address CVE-2026-35030

Bump litellm from <=1.82.6 to >=1.83.0 to fix JWT auth bypass via
OIDC cache key collision (CVE-2026-35030). Also widen devtools openai
pin from ~=1.83.0 to >=1.83.0,<3 to resolve the version conflict
(litellm 1.83.0 requires openai>=2.8.0).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: resolve mypy errors from litellm bump

- Remove unused type: ignore[import-untyped] on instructor import
- Remove all unused type: ignore[union-attr] comments (litellm types fixed)
- Add hasattr guard for tool_call.function — new litellm adds
  ChatCompletionMessageCustomToolCall to the union which lacks .function

* fix: tighten litellm pin to ~=1.83.0 (patch-only bumps)

>=1.83.0,<2 is too wide — litellm has had breaking changes between
minors. ~=1.83.0 means >=1.83.0,<1.84.0 — gets CVE patches but won't
pull in breaking minor releases.

* ci: bump uv from 0.8.4 to 0.11.3

* fix: resolve mypy errors in openai completion from 2.x type changes

Use isinstance checks with concrete openai response types instead of
string comparisons for proper type narrowing. Update code interpreter
handling for outputs/OutputImage API changes in openai 2.x.

* fix: pre-cache tiktoken encoding before VCR intercepts requests

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Alex <alex@crewai.com>
Co-authored-by: Greyson LaLonde <greyson@crewai.com>
2026-04-07 00:41:20 +08:00
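The pin widths weighed in the commit message above, as an added example (not code from the crewAI repository): a stdlib-only checker that evaluates each specifier against a constructed list of version strings and reports any admitted version below the fixed floor. It handles plain numeric releases only; the candidate versions other than 1.82.6 and 1.83.0 are hypothetical, and treating 1.83.0 as the floor follows the commit message.

```python
import re

# Constructed candidates; only 1.82.6 and 1.83.0 appear on the page.
CANDIDATES = ["1.82.6", "1.83.0", "1.83.4", "1.84.0", "2.0.0"]

def parse(version):
    """Turn a plain numeric release such as '1.83.0' into a tuple of ints."""
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"unsupported version: {version!r}")
    return tuple(int(part) for part in version.split("."))

def pad(a, b):
    """Zero-pad both tuples to equal length so 1.83 compares equal to 1.83.0."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)), b + (0,) * (width - len(b))

def clause_allows(clause, version):
    """Evaluate one clause (e.g. '~=1.83.0') against one version."""
    match = re.fullmatch(r"\s*(~=|==|>=|<=|<|>)\s*([\d.]+)\s*", clause)
    if not match:
        raise ValueError(f"unsupported clause: {clause!r}")
    op, bound = match.group(1), parse(match.group(2))
    v, b = pad(parse(version), bound)
    if op == "~=":
        if len(bound) < 2:
            raise ValueError("~= needs at least two release segments")
        # Compatible release: >= bound, with all but the last segment fixed.
        return v >= b and v[: len(bound) - 1] == bound[:-1]
    return {"==": v == b, ">=": v >= b, "<=": v <= b,
            "<": v < b, ">": v > b}[op]

def allows(spec, version):
    """A comma-separated specifier set admits a version only if every clause does."""
    return all(clause_allows(c, version) for c in spec.split(","))

def audit(spec, fixed_floor, candidates=CANDIDATES):
    """List what a pin admits, and which admitted versions predate the fix."""
    def older(candidate):
        v, floor = pad(parse(candidate), parse(fixed_floor))
        return v < floor
    admitted = [c for c in candidates if allows(spec, c)]
    return {"admitted": admitted, "below_floor": [c for c in admitted if older(c)]}

if __name__ == "__main__":
    for spec in ("<=1.82.6", ">=1.83.0,<2", "~=1.83.0"):
        print(spec, audit(spec, "1.83.0"))
```

A non-empty `below_floor` list is the condition to fail a dependency check on; the `admitted` list shows how far each pin lets the resolver drift past the fix.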

crewai-devtools

CLI for versioning and releasing crewAI packages.

Setup

Installed automatically via the workspace (uv sync). Requires:

  • GitHub CLI (gh) — authenticated
  • OPENAI_API_KEY env var — for release note generation and translation
  • ENTERPRISE_REPO env var — GitHub repo for enterprise releases
  • ENTERPRISE_VERSION_DIRS env var — comma-separated directories to bump in the enterprise repo
  • ENTERPRISE_CREWAI_DEP_PATH env var — path to the pyproject.toml with the crewai[tools] pin in the enterprise repo

Commands

devtools release <version>

Full end-to-end release. Bumps versions, creates PRs, tags, publishes a GitHub release, and releases the enterprise repo.

devtools release 1.10.3
devtools release 1.10.3a1                # pre-release
devtools release 1.10.3 --no-edit        # skip editing release notes
devtools release 1.10.3 --dry-run        # preview without changes
devtools release 1.10.3 --skip-enterprise  # skip enterprise release phase

Flow:

  1. Bumps __version__ and dependency pins across all lib/ packages
  2. Runs uv sync
  3. Creates version bump PR against main, polls until merged
  4. Generates release notes (OpenAI) from commits since last release
  5. Updates changelogs (en, pt-BR, ko) and docs version switcher
  6. Creates docs PR against main, polls until merged
  7. Tags main and creates GitHub release
  8. Triggers PyPI publish workflow
  9. Clones enterprise repo, bumps versions and crewai[tools] dep, runs uv sync
  10. Creates enterprise bump PR, polls until merged
  11. Tags and creates GitHub release on enterprise repo

devtools bump <version>

Bump versions only (phase 1 of release).

devtools bump 1.10.3
devtools bump 1.10.3 --no-push      # don't push or create PR
devtools bump 1.10.3 --no-commit    # only update files
devtools bump 1.10.3 --dry-run

devtools tag

Tag and release only (phase 2 of release). Run after the bump PR is merged.

devtools tag
devtools tag --no-edit
devtools tag --dry-run