fix(deps): bump json-repair past GHSA-xf7x-x43h-rpqh vulnerable range#6536
Open
joaomdmoura wants to merge 3 commits into
Open
fix(deps): bump json-repair past GHSA-xf7x-x43h-rpqh vulnerable range#6536joaomdmoura wants to merge 3 commits into
joaomdmoura wants to merge 3 commits into
Conversation
json-repair < 0.60.1 has an unbounded-CPU DoS on circular JSON Schema $ref structures, and crewai feeds LLM output straight into repair_json, so the ~=0.25.2 pin kept every install inside the vulnerable range and flagged HIGH by dependency scanners with no resolvable path. Raise the requirement to >=0.60.1,<1.0.0 and adapt the agent parser to the new failure semantics: json-repair >= 0.60 returns "" (not '""') for unrepairable input and coerces non-JSON brace text into arrays, so _safe_repair_json now also keeps the original tool input unless the repair produced a JSON object. Adds a regression test asserting the published requirement excludes the vulnerable range and admits patched releases. Linear: OSS-91 Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
📝 WalkthroughWalkthroughUpdates JSON repair dependency constraints and validation, adds tests for vulnerable and patched versions, and raises click and pillow security floors. ChangesJSON repair handling
Security dependency overrides
Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
json-repair >= 0.60 is py.typed, so the import-untyped ignores fail CI with unused-ignore. Also read pyproject with explicit UTF-8 in the pin test (review feedback). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
click 8.1.8 has PYSEC-2026-2132 (fixed 8.3.3) and pillow 12.2.0 has PYSEC-2026-2253..2257 (fixed 12.3.0), failing the Vulnerability Scan on every PR. Raise the override floors and relock (click 8.4.2, pillow 12.3.0). With json-repair also fixed in this PR, pip-audit reports zero findings. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes OSS-91: crewai pinned
json-repair~=0.25.2, which caps installs inside the range vulnerable to GHSA-xf7x-x43h-rpqh (HIGH — unbounded-CPU DoS on circular JSON Schema$refstructures, fixed in 0.60.1). crewai callsrepair_jsonon LLM output, so this is a real DoS surface, and every downstream lockfile gets an unremediable HIGH from Dependabot/pip-audit/Snyk.Also raises the
clickandpillowsecurity floors so the Vulnerability Scan goes fully green (new advisories that were failing the check on every PR).Changes
json-repair>=0.60.1,<1.0.0(lock now resolves 0.61.2).""instead of'""'— added toUNABLE_TO_REPAIR_JSON_RESULTS;{temperature in SF}) is now coerced into a JSON array instead of failing —_safe_repair_jsonnow only accepts a repair that produced a JSON object, otherwise keeps the original tool input, preserving the long-standing parser contract.type: ignore[import-untyped]comments that json-repair ≥ 0.60 (now py.typed) made unused.tests/security/test_dependency_pins.pyasserting the published requirement excludes the vulnerable range and admits patched releases.click>=8.3.3,<9(PYSEC-2026-2132, locks 8.4.2) andpillow>=12.3.0(PYSEC-2026-2253..2257, locks 12.3.0).Validation
~=0.25.2(reproduces the ticket) and passes after the bump.lib/crewai/tests/agents,lib/crewai/tests/tools,lib/crewai/tests/security: 523 passed; remaining failures are pre-existing on main in this environment (missing litellm/provider extras), verified against an unmodified baseline.lib/cli/tests,lib/crewai/tests/cli) pass with click 8.4.2 — 931 passed, same 7 pre-existing failures as origin/main.pip-auditwith the workflow's exact flags now reports zero findings (the Vulnerability Scan check on this PR is green).🤖 Generated with Claude Code
Note
Medium Risk
Touches the hot path where LLM action inputs are repaired before tool calls; the dict-only acceptance rule is intentional but worth regression-checking. Otherwise this is targeted dependency hardening with existing parser tests as coverage.
Overview
Addresses OSS-91 by raising
json-repairfrom~=0.25.2to>=0.60.1,<1.0.0(lock resolves 0.61.2), closing GHSA-xf7x-x43h-rpqh unbounded-CPU DoS on circular JSON Schema$refinput that crewai hits when repairing LLM tool output.Agent parser behavior is adjusted for json-repair ≥0.60: unrepairable input is treated as
""as well as'""'/{}, and_safe_repair_jsononly keeps a repair whenjson.loadsyields a dict—so brace-wrapped plain text is not coerced into arrays/scalars and the existing parser contract stays intact.Adds
tests/security/test_dependency_pins.pyso the published pin cannot re-admit the vulnerable range. Rootuv.lockalso bumps workspace security overrides for pillow (≥12.3.0) and click (≥8.3.3).Reviewed by Cursor Bugbot for commit 2fc4bc8. Bugbot is set up for automated code reviews on this repo. Configure here.