From e3541703f18bf7328340f878d6b491613a7987c0 Mon Sep 17 00:00:00 2001
From: mrveiss
Date: Thu, 26 Mar 2026 20:45:56 +0200
Subject: [PATCH] chore(deps): audit and update dependency constraint comments (#2471)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- bcrypt <5.0.0: KEPT — bcrypt 5.0 raises ValueError for >72-byte passwords, breaking unmaintained passlib 1.7.4
- protobuf <6.0.0: KEPT — TF 2.19.1 requires <6.0.0dev. Added roadmap note: TF 2.21+ needs protobuf>=6.31.1
- llama-index: WIDENED <0.14.0 → <0.15.0 — 0.14.x verified compatible with sub-packages at their 0.7.x/0.5.x lower bounds
---
 autobot-backend/requirements.txt | 8 ++++----
 autobot-slm-backend/requirements.txt | 2 +-
 requirements.txt | 3 ++-
 3 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/autobot-backend/requirements.txt b/autobot-backend/requirements.txt
index 2b1a2c03c..60660c712 100644
--- a/autobot-backend/requirements.txt
+++ b/autobot-backend/requirements.txt
@@ -30,10 +30,10 @@ vanna>=0.7.0 # Issue #723: Natural language to SQL via Vanna.ai
 # Issue #858: Additional runtime dependencies for Python 3.13
 xxhash>=3.6.0 # Hash functions for LLM caching
 structlog>=25.5.0 # Structured logging for service auth
-llama-index>=0.13.0,<0.14.0 # RAG framework (pinned for API compatibility)
-llama-index-llms-ollama>=0.7.0,<1.0.0 # Ollama LLM integration (0.7.0+ for core 0.13.0)
-llama-index-embeddings-ollama>=0.7.0,<1.0.0 # Ollama embeddings (0.7.0+ for core 0.13.0)
-llama-index-vector-stores-chroma>=0.5.0,<1.0.0 # ChromaDB vector store
+llama-index>=0.13.0,<0.15.0 # RAG framework; 0.14.x verified compatible with sub-packages (verified 2026-03-26)
+llama-index-llms-ollama>=0.7.0,<1.0.0 # Ollama LLM integration (0.7.0+ for core >=0.13.0)
+llama-index-embeddings-ollama>=0.7.0,<1.0.0 # Ollama embeddings (0.7.0+ for core >=0.13.0)
+llama-index-vector-stores-chroma>=0.5.0,<1.0.0 # ChromaDB vector store (0.5.0+ for core >=0.13.0)
 # LangChain 1.x ecosystem — migrated from 0.3.x to fix SSRF CVE (#1572)
 langchain>=1.2.0,<2.0.0 # Issue #1572: Migrated to 1.x (was 0.3.x)
 langchain-core>=1.2.11,<2.0.0 # Issue #1572: SSRF CVE fix requires >=1.2.11
diff --git a/autobot-slm-backend/requirements.txt b/autobot-slm-backend/requirements.txt
index 8a084be13..a243fa057 100644
--- a/autobot-slm-backend/requirements.txt
+++ b/autobot-slm-backend/requirements.txt
@@ -26,7 +26,7 @@ typing_extensions>=4.0.0 # For Python 3.8 compatibility
 # Authentication
 PyJWT[crypto]>=2.8.0
 passlib[bcrypt]>=1.7.4
-bcrypt>=4.0.0,<5.0.0 # bcrypt 5.0.0 incompatible with passlib
+bcrypt>=4.0.0,<5.0.0 # bcrypt 5.0.0 raises ValueError for >72-byte passwords, breaking passlib 1.7.4 (unmaintained, verified 2026-03-26)
 python-multipart>=0.0.22 # SECURITY UPDATE - arbitrary file write fix

 # Async utilities
diff --git a/requirements.txt b/requirements.txt
index ecd067f87..1539dcd9c 100644
--- a/requirements.txt
+++ b/requirements.txt
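Review bot: The widened `llama-index>=0.13.0,<0.15.0` line records that 0.14.x was verified on 2026-03-26 but not which 0.14.x release was exercised, so any 0.14.y published after that date falls inside the range untested, and unless installs are pinned by a lockfile or hash-checked constraints (none is visible in this diff) that newer release is the one pip will resolve. The sub-package comments `(0.7.0+ for core >=0.13.0)` describe only the lower bounds, while their `<1.0.0` ceilings still admit releases that could drop 0.14 core support. I would record the exact versions tested, e.g. `# RAG framework; 0.14.x verified against llama-index==<VERIFIED_VERSION> with sub-packages at their lower bounds (verified 2026-03-26)`, so the next audit can tell what the claim covered.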
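Review bot: The new comment on `bcrypt>=4.0.0,<5.0.0` explains why 5.0 breaks passlib but not what behaviour the 4.x ceiling preserves: bcrypt before 5.0 silently truncates input to 72 bytes instead of raising, so the upper bound keeps a silent truncation in place rather than removing a failure mode. Whether the application enforces a password-length limit before hashing is not visible from this hunk; if it does not, the pin is the only thing separating a >72-byte password from either a truncated hash (4.x) or an unhandled ValueError (5.x). I would extend the comment to `# bcrypt 5.0.0 raises ValueError for >72-byte passwords (4.x silently truncates to 72 bytes); breaks passlib 1.7.4 (unmaintained, verified 2026-03-26) — enforce the 72-byte limit at input validation so this pin is not load-bearing`, and open a tracking item for replacing passlib, since `passlib[bcrypt]>=1.7.4` has no ceiling and no maintained release will absorb the bcrypt change.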
@@ -6,7 +6,8 @@ tenacity>=8.5.0
 # Async SSH for PKI certificate distribution (Issue #166)
 asyncssh>=2.22.0
-# TensorFlow 2.19.1 supports protobuf <6.0.0dev (verified from PyPI metadata)
+# TensorFlow 2.19.1 requires protobuf<6.0.0dev (verified 2026-03-26 from PyPI metadata)
+# TF 2.20+ requires protobuf>=5.28.0; TF 2.21+ requires protobuf>=6.31.1 — upgrade TF first before widening
 # Bumped to 5.29.6+ for JSON recursion depth bypass fix
 protobuf>=5.29.6,<6.0.0