Skip to content

fix(deps): bump json-repair past GHSA-xf7x-x43h-rpqh vulnerable range#6536

Open
joaomdmoura wants to merge 3 commits into
mainfrom
joao/oss-91-security-crewai-pins-json-repair-0252-forcing-a-known
Open

fix(deps): bump json-repair past GHSA-xf7x-x43h-rpqh vulnerable range#6536
joaomdmoura wants to merge 3 commits into
mainfrom
joao/oss-91-security-crewai-pins-json-repair-0252-forcing-a-known

Conversation

@joaomdmoura

@joaomdmoura joaomdmoura commented Jul 14, 2026

Copy link
Copy Markdown
Collaborator

Summary

Fixes OSS-91: crewai pinned json-repair~=0.25.2, which caps installs inside the range vulnerable to GHSA-xf7x-x43h-rpqh (HIGH — unbounded-CPU DoS on circular JSON Schema $ref structures, fixed in 0.60.1). crewai calls repair_json on LLM output, so this is a real DoS surface, and every downstream lockfile gets an unremediable HIGH from Dependabot/pip-audit/Snyk.

Also raises the click and pillow security floors so the Vulnerability Scan goes fully green (new advisories that were failing the check on every PR).

Changes

  • Raise the requirement to json-repair>=0.60.1,<1.0.0 (lock now resolves 0.61.2).
  • Adapt the agent parser to the new failure semantics of json-repair ≥ 0.60:
    • unrepairable input now returns "" instead of '""' — added to UNABLE_TO_REPAIR_JSON_RESULTS;
    • non-JSON brace text (e.g. {temperature in SF}) is now coerced into a JSON array instead of failing — _safe_repair_json now only accepts a repair that produced a JSON object, otherwise keeps the original tool input, preserving the long-standing parser contract.
  • Drop two type: ignore[import-untyped] comments that json-repair ≥ 0.60 (now py.typed) made unused.
  • Add tests/security/test_dependency_pins.py asserting the published requirement excludes the vulnerable range and admits patched releases.
  • Raise workspace override floors: click>=8.3.3,<9 (PYSEC-2026-2132, locks 8.4.2) and pillow>=12.3.0 (PYSEC-2026-2253..2257, locks 12.3.0).

Validation

  • New pin test fails on ~=0.25.2 (reproduces the ticket) and passes after the bump.
  • The bump alone broke 14 existing parser tests (behavior drift in json-repair); the parser adaptation restores all of them — the existing suite doubles as regression coverage for the behavioral contract.
  • lib/crewai/tests/agents, lib/crewai/tests/tools, lib/crewai/tests/security: 523 passed; remaining failures are pre-existing on main in this environment (missing litellm/provider extras), verified against an unmodified baseline.
  • CLI suites (lib/cli/tests, lib/crewai/tests/cli) pass with click 8.4.2 — 931 passed, same 7 pre-existing failures as origin/main.
  • pip-audit with the workflow's exact flags now reports zero findings (the Vulnerability Scan check on this PR is green).
  • Ticket reports crewai 1.15.2 + json-repair 0.61.4 running clean in a live deployment via uv override, consistent with these results.

🤖 Generated with Claude Code


Note

Medium Risk
Touches the hot path where LLM action inputs are repaired before tool calls; the dict-only acceptance rule is intentional but worth regression-checking. Otherwise this is targeted dependency hardening with existing parser tests as coverage.

Overview
Addresses OSS-91 by raising json-repair from ~=0.25.2 to >=0.60.1,<1.0.0 (lock resolves 0.61.2), closing GHSA-xf7x-x43h-rpqh unbounded-CPU DoS on circular JSON Schema $ref input that crewai hits when repairing LLM tool output.

Agent parser behavior is adjusted for json-repair ≥0.60: unrepairable input is treated as "" as well as '""'/{}, and _safe_repair_json only keeps a repair when json.loads yields a dict—so brace-wrapped plain text is not coerced into arrays/scalars and the existing parser contract stays intact.

Adds tests/security/test_dependency_pins.py so the published pin cannot re-admit the vulnerable range. Root uv.lock also bumps workspace security overrides for pillow (≥12.3.0) and click (≥8.3.3).

Reviewed by Cursor Bugbot for commit 2fc4bc8. Bugbot is set up for automated code reviews on this repo. Configure here.

json-repair < 0.60.1 has an unbounded-CPU DoS on circular JSON Schema
$ref structures, and crewai feeds LLM output straight into repair_json,
so the ~=0.25.2 pin kept every install inside the vulnerable range and
flagged HIGH by dependency scanners with no resolvable path.

Raise the requirement to >=0.60.1,<1.0.0 and adapt the agent parser to
the new failure semantics: json-repair >= 0.60 returns "" (not '""')
for unrepairable input and coerces non-JSON brace text into arrays, so
_safe_repair_json now also keeps the original tool input unless the
repair produced a JSON object.

Adds a regression test asserting the published requirement excludes the
vulnerable range and admits patched releases.

Linear: OSS-91

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@linear

linear Bot commented Jul 14, 2026

Copy link
Copy Markdown

OSS-91

@coderabbitai

coderabbitai Bot commented Jul 14, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

Updates JSON repair dependency constraints and validation, adds tests for vulnerable and patched versions, and raises click and pillow security floors.

Changes

JSON repair handling

Layer / File(s) Summary
Dependency constraint and security coverage
lib/crewai/pyproject.toml, lib/crewai/tests/security/test_dependency_pins.py
Pins json-repair to >=0.60.1,<1.0.0 and tests vulnerable-version exclusions plus patched releases.
Repaired JSON object validation
lib/crewai/src/crewai/agents/parser.py, lib/crewai/src/crewai/agents/constants.py, lib/crewai/src/crewai/tools/tool_usage.py
_safe_repair_json retains the original input unless repaired output parses to a dictionary, and the unrepaired-result sentinel list gains an empty-string variant. JSON repair imports no longer suppress untyped-import checks.

Security dependency overrides

Layer / File(s) Summary
Click and pillow security floors
pyproject.toml
Raises the pillow override to >=12.3.0 and adds a click override of >=8.3.3,<9 with security advisory comments.

Suggested reviewers: lorenzejay, greysonlalonde, vinibrsl

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Title check ✅ Passed The title accurately summarizes the main change: bumping json-repair to avoid the vulnerable range.
Description check ✅ Passed The description is directly related to the dependency bump, parser adaptation, and security test additions.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch joao/oss-91-security-crewai-pins-json-repair-0252-forcing-a-known

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

joaomdmoura and others added 2 commits July 13, 2026 21:06
json-repair >= 0.60 is py.typed, so the import-untyped ignores fail CI
with unused-ignore. Also read pyproject with explicit UTF-8 in the pin
test (review feedback).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
click 8.1.8 has PYSEC-2026-2132 (fixed 8.3.3) and pillow 12.2.0 has
PYSEC-2026-2253..2257 (fixed 12.3.0), failing the Vulnerability Scan on
every PR. Raise the override floors and relock (click 8.4.2,
pillow 12.3.0). With json-repair also fixed in this PR, pip-audit
reports zero findings.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant