Fix critical vulnerabilities #260
Conversation
…0.16.20 (fixes XXE injection & info exposure) - Update CrewAI from 0.11.0 to ^0.126.0 (latest stable version) - Update opencv-python from 4.8.1.78 to >=4.11.0.86 (fixes critical heap buffer overflow CVE-2023-4863) - Update prep-for-a-meeting requirements.txt with latest CrewAI - All updates address critical security vulnerabilities and improve compatibility
There was a problem hiding this comment.
Pull Request Overview
This PR upgrades key dependencies across several services to resolve critical security vulnerabilities and improve compatibility.
- Bump
unstructuredfrom 0.10.25 to >=0.16.20 to fix XXE injection and information exposure. - Upgrade
crewaifrom 0.11.0 to 0.126.0 in both Poetry and pip requirements. - Update
opencv-pythonto >=4.11.0.86 to address a heap buffer overflow (CVE-2023-4863).
Reviewed Changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| trip_planner/pyproject.toml | Updated crewai and unstructured versions |
| prep-for-a-meeting/requirements.txt | Updated crewai version |
| instagram_post/pyproject.toml | Updated crewai and opencv-python versions |
| @@ -6,8 +6,8 @@ authors = ["Your Name <you@example.com>"] | |||
|
|
|||
| [tool.poetry.dependencies] | |||
| python = ">=3.10.0,<3.12" | |||
| crewai = "^0.11.0" | |||
| unstructured = '==0.10.25' | |||
| crewai = "^0.126.0" | |||
There was a problem hiding this comment.
[nitpick] Using a caret (^) allows upgrading to versions with potential breaking changes; consider specifying an upper bound (e.g., ">=0.126.0,<0.130.0") to prevent unintended major version bumps.
| crewai = "^0.126.0" | |
| crewai = ">=0.126.0,<0.130.0" |
Copilot uses AI. Check for mistakes.
| crewai = "^0.11.0" | ||
| unstructured = '==0.10.25' | ||
| crewai = "^0.126.0" | ||
| unstructured = '>=0.16.20,<0.18.0' |
There was a problem hiding this comment.
After updating dependencies in pyproject.toml, please run poetry lock and commit the updated poetry.lock file to keep the lock state in sync with declared versions.
Copilot uses AI. Check for mistakes.
| @@ -1,4 +1,4 @@ | |||
| langchain-exa==0.0.1 | |||
| exa_py==1.0.7 | |||
| python-dotenv==1.0.1 | |||
| crewai==0.11.0 | |||
| crewai>=0.126.0,<0.130.0 | |||
There was a problem hiding this comment.
[nitpick] The version specifier style here differs from other dependency files; consider unifying the version range syntax across projects for consistency.
| crewai>=0.126.0,<0.130.0 | |
| crewai==0.129.0 |
Copilot uses AI. Check for mistakes.
Update unstructured from 0.10.25 to >=0.16.20 (fixes XXE injection & info exposure) - Update CrewAI from 0.11.0 to ^0.126.0 (latest stable version) - Update opencv-python from 4.8.1.78 to >=4.11.0.86 (fixes critical heap buffer overflow CVE-2023-4863) - Update prep-for-a-meeting requirements.txt with latest CrewAI - All updates address critical security vulnerabilities and improve compatibility