
fix(security): bump vulnerable dependencies to safe minimum versions#1149

Open
cuaclaw wants to merge 2 commits into trycua:main from cuaclaw:fix/bump-vulnerable-deps

Conversation


@cuaclaw cuaclaw commented Mar 9, 2026

Summary

Bumps minimum dependency versions to address security vulnerabilities identified via OSV database audit. Addresses the vulnerabilities_fixed_60_days gap from the FLOSS best practices audit (#1101).

Critical (RCE) — Fix immediately

| Package | From | To | Advisory | Issue |
|---|---|---|---|---|
| crawl4ai | >=0.4.0 | >=0.8.0 | GHSA-5882-5rx9-xgxp | RCE via Docker API hook injection |
| crawl4ai | >=0.4.0 | >=0.8.0 | GHSA-vx9w-5cx4-9796 | Local file inclusion via file:// URLs in Docker API |

High

| Package | From | To | Advisory | Issue |
|---|---|---|---|---|
| pillow / Pillow | >=10.x / >=11.x | >=12.1.1 | GHSA-cfh3-3jmp-rvhc | Out-of-bounds write when loading PSD images |
| gradio | >=6.0.0 / >=5.23.3 | >=6.7.0 | GHSA-39mp-8hj3-5c49 | Absolute path traversal on Windows |
| gradio | | | GHSA-pfjf-5gxr-995x | Open redirect in OAuth flow |
| python-multipart | >=0.0.6 | >=0.0.22 | GHSA-wp53-j4wj-2cfg | Arbitrary file write via non-default config |

High/Moderate — Transitive deps (via constraint-dependencies)

These are pulled in transitively (primarily via fastmcp). Added [tool.uv] constraint-dependencies in root pyproject.toml to enforce safe minimums:

| Package | Min version | Advisory | Issue |
|---|---|---|---|
| authlib | >=1.6.7 | GHSA-7wc2-qxgw-g8gg | JWT alg: none bypass — signature validation skipped (HIGH) |
| cryptography | >=46.0.5 | GHSA-r6ph-v2qm-q3c2 | ECDH subgroup attack (HIGH) |
| urllib3 | >=2.6.3 | GHSA-38jv-5279-wg99 | Decompression bomb bypass on redirects (HIGH) |
| werkzeug | >=3.1.6 | GHSA-29vq-49wr-vm6x | Windows special device names in safe_join() (MODERATE) |
| aiohttp | >=3.13.3 | GHSA-jj3x-wxrx-4x23, GHSA-6jhg-hg63-jvvf | DoS via large/malformed payloads (MODERATE/LOW) |

Files changed

  • pyproject.toml — crawl4ai bump + constraint-dependencies for transitive vulns
  • libs/python/agent/pyproject.toml — Pillow + gradio
  • libs/python/computer/pyproject.toml — pillow + gradio
  • libs/python/computer-server/pyproject.toml — pillow
  • libs/python/som/pyproject.toml — pillow
  • libs/python/cua-cli/pyproject.toml — pillow
  • libs/python/cua-auto/pyproject.toml — pillow
  • libs/cua-bench/pyproject.toml — pillow + python-multipart

Notes

  • Lock file (uv.lock) will need to be regenerated after merge via uv lock
  • The authlib JWT bypass (GHSA-7wc2-qxgw-g8gg) is particularly relevant as authlib is used in fastmcp for OAuth/token validation in the MCP server

Summary by CodeRabbit

  • Chores
    • Updated dependency versions across multiple packages, including Pillow, Gradio, Python-multipart, and Crawl4ai.
    • Added security constraints for critical vulnerabilities in authlib, cryptography, urllib3, werkzeug, and aiohttp.

Critical (RCE):
- crawl4ai: >=0.4.0 → >=0.8.0
  GHSA-5882-5rx9-xgxp: RCE via Docker API hooks
  GHSA-vx9w-5cx4-9796: LFI via file:// URLs in Docker API

High:
- pillow/Pillow: >=10.x → >=12.1.1 (all packages)
  GHSA-cfh3-3jmp-rvhc: out-of-bounds write in PSD loader
- gradio: >=6.0.0/>=5.23.3 → >=6.7.0
  GHSA-39mp-8hj3-5c49: absolute path traversal on Windows
  GHSA-pfjf-5gxr-995x: open redirect in OAuth flow
- python-multipart: >=0.0.6 → >=0.0.22
  GHSA-wp53-j4wj-2cfg: arbitrary file write

Transitive (via uv constraint-dependencies):
- authlib>=1.6.7: GHSA-7wc2-qxgw-g8gg JWT alg:none bypass (HIGH)
- cryptography>=46.0.5: GHSA-r6ph-v2qm-q3c2 ECDH subgroup attack (HIGH)
- urllib3>=2.6.3: GHSA-38jv-5279-wg99 decompression bomb bypass (HIGH)
- werkzeug>=3.1.6: GHSA-29vq-49wr-vm6x Windows device names (MODERATE)
- aiohttp>=3.13.3: GHSA-jj3x-wxrx-4x23, GHSA-6jhg-hg63-jvvf DoS (MODERATE/LOW)

vercel bot commented Mar 9, 2026

@cuaclaw is attempting to deploy a commit to the Cua Team on Vercel.

A member of the Team first needs to authorize it.


coderabbitai bot commented Mar 9, 2026

Walkthrough

This pull request updates Python dependency versions across multiple library configurations and the root project. Changes include Pillow version bumps to >=12.1.1, Gradio updates to >=6.7.0 in UI modules, python-multipart update to >=0.0.22, crawl4ai bump to >=0.8.0, and the addition of security-focused constraint-dependencies in the root configuration.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Pillow Version Updates: libs/cua-bench/pyproject.toml, libs/python/agent/pyproject.toml, libs/python/computer-server/pyproject.toml, libs/python/computer/pyproject.toml, libs/python/cua-auto/pyproject.toml, libs/python/cua-cli/pyproject.toml, libs/python/som/pyproject.toml | Pillow dependency bumped from >=10.0.0/>=10.2.0 to >=12.1.1 across all libraries, standardizing to a newer minor version. |
| UI Framework Updates: libs/python/agent/pyproject.toml, libs/python/computer/pyproject.toml | Gradio version updated from >=5.23.3 to >=6.7.0 in both the ui and all optional-dependency groups, aligning with newer framework capabilities. |
| Request Handler Dependency: libs/cua-bench/pyproject.toml | python-multipart version bumped from >=0.0.6 to >=0.0.22 in the server dependency block. |
| Root Configuration & Security: pyproject.toml | crawl4ai dependency updated from >=0.4.0 to >=0.8.0; new constraint-dependencies added under [tool.uv] with pinned versions for authlib, cryptography, urllib3, werkzeug, and aiohttp addressing high/moderate severity vulnerabilities. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 Dependencies dancing in the spring,
Pillow brightens to twelve-point-one,
Gradio flows through ui's wing,
Security patches, every one!
Onward we hop, refreshed and strong.

🚥 Pre-merge checks: 3 passed

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the primary change: bumping vulnerable dependencies to safe minimum versions to address security vulnerabilities identified via OSV audit. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


sentry bot commented Mar 9, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


Resolved versions after security bumps:
- crawl4ai: 0.7.8 → 0.8.0 (RCE + LFI fixes)
- authlib: 1.6.6 → 1.6.9 (JWT alg:none bypass fix)
- cryptography: 46.0.3 → 46.0.5 (ECDH subgroup attack fix)
- gradio: 6.2.0 → 6.9.0 (path traversal + OAuth redirect fixes)
- pillow: 12.0.0 → 12.1.1 (PSD out-of-bounds write fix)
- python-multipart: 0.0.21 → 0.0.22 (arbitrary file write fix)
- urllib3: 2.6.2 → 2.6.3 (decompression bomb fix)
- werkzeug: 3.1.4 → 3.1.6 (Windows device names fix)
- aiohttp: 3.13.2 → 3.13.3 (DoS fixes)
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2


📥 Commits

Reviewing files that changed from the base of the PR and between 65f9701 and 048334c.

⛔ Files ignored due to path filters (1)
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (8)
  • libs/cua-bench/pyproject.toml
  • libs/python/agent/pyproject.toml
  • libs/python/computer-server/pyproject.toml
  • libs/python/computer/pyproject.toml
  • libs/python/cua-auto/pyproject.toml
  • libs/python/cua-cli/pyproject.toml
  • libs/python/som/pyproject.toml
  • pyproject.toml

Comment on lines 73 to 75
ui = [
"gradio>=6.0.0",
"gradio>=6.7.0",
"python-dotenv>=1.0.1",
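Review bot: only the `ui` extra is visible in this hunk, while the walkthrough states the same bump was applied to the `all` optional-dependency group as well; since extras resolve independently, confirm both groups carry the identical `gradio>=6.7.0` line so that installing the `all` extra cannot still resolve a gradio below the version that closes GHSA-39mp-8hj3-5c49 and GHSA-pfjf-5gxr-995x.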
⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Audit Gradio chatbot construction sites in the agent UI for implicit defaults.
rg -n -C3 'gr\.Chatbot\s*\(' libs/python/agent

Repository: trycua/cua

Length of output: 1468


🏁 Script executed:

# Check the pyproject.toml to confirm Gradio version specification
cat -n libs/python/agent/pyproject.toml | sed -n '70,80p'

Repository: trycua/cua

Length of output: 269


🏁 Script executed:

# Find all gr.Chatbot instantiations across the entire codebase
rg -n 'gr\.Chatbot\s*\(' --type python

Repository: trycua/cua

Length of output: 84


🌐 Web query:

Gradio 6 migration guide allow_tags default behavior gr.Chatbot

💡 Result:

In Gradio 6, gr.Chatbot’s allow_tags default changed from False to True, meaning chatbot messages will no longer strip tag-like content by default (to better support LLM outputs that include HTML/custom tags such as <thinking>). If you want the pre–Gradio 6 behavior (remove all tags), set it explicitly:

gr.Chatbot(allow_tags=False)

This change is called out in the Gradio 6 migration guide and tracked in the changelog/PR. [1], [2], [3]


🏁 Script executed:

# Find all gr.Chatbot instantiations (rg doesn't need --type flag)
rg -n 'gr\.Chatbot' libs/python/agent --context 2

Repository: trycua/cua

Length of output: 1398


🏁 Script executed:

# Check if there are any tests or comments about chatbot tag handling
rg -i 'allow_tags|tag.*chat|chat.*tag' libs/python/agent

Repository: trycua/cua

Length of output: 36


🏁 Script executed:

# Check the full context around the two main chatbot instantiations
sed -n '475,485p' libs/python/agent/agent/human_tool/ui.py
sed -n '563,572p' libs/python/agent/agent/ui/gradio/ui_components.py

Repository: trycua/cua

Length of output: 861


Gradio 6 changes gr.Chatbot() defaults; explicit allow_tags handling needed.

Upgrading to gradio>=6.7.0 changes gr.Chatbot()'s default behavior: allow_tags now defaults to True instead of False. This means chatbot messages will preserve tag-like content (e.g., <thinking>, <tool_call>) rather than stripping them.

Two instantiations are affected and do not set allow_tags explicitly:

  • libs/python/agent/agent/ui/gradio/ui_components.py:565 - bare gr.Chatbot()
  • libs/python/agent/agent/human_tool/ui.py:477 - gr.Chatbot(label="Conversation", height=500, buttons=["copy"])

Please either set allow_tags explicitly to the desired behavior, or add regression tests with representative model/tool responses to validate the new behavior is acceptable before merging.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@libs/python/agent/pyproject.toml` around lines 73 - 75, Two gr.Chatbot()
instantiations now rely on Gradio 6.7+ default allow_tags=True; update the two
places that call gr.Chatbot (the bare gr.Chatbot() in ui_components.py and the
gr.Chatbot(label="Conversation", height=500, buttons=["copy"]) in
human_tool/ui.py) to explicitly pass allow_tags=False (or True if you want to
preserve tags) to restore the intended behavior, and add a small regression test
that asserts rendered messages strip or preserve tag-like tokens as expected so
the upgrade is validated before merging.

Comment on lines +67 to +74
# Security: constrain vulnerable transitive dependencies to safe minimum versions
constraint-dependencies = [
"authlib>=1.6.7", # GHSA-7wc2-qxgw-g8gg: JWT alg:none bypass (HIGH)
"cryptography>=46.0.5", # GHSA-r6ph-v2qm-q3c2: ECDH subgroup attack (HIGH)
"urllib3>=2.6.3", # GHSA-38jv-5279-wg99: decompression bomb bypass (HIGH)
"werkzeug>=3.1.6", # GHSA-29vq-49wr-vm6x: Windows device names (MODERATE)
"aiohttp>=3.13.3", # GHSA-jj3x-wxrx-4x23, GHSA-6jhg-hg63-jvvf: DoS (MODERATE/LOW)
]
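Review bot: the PR notes say uv.lock "will need to be regenerated after merge", yet uv.lock is listed among this PR's changed files (excluded from review by the `!**/*.lock` path filter) and the second commit already reports resolved versions; reconcile the two so reviewers know whether the committed lockfile is the regenerated one. Also, a `constraint-dependencies` entry only narrows resolution for a package that is already in the graph and never adds it, so a floor here is silently inert for anything not actually pulled in; the resolved-version list in that commit is the evidence that each of these five floors took effect.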
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Find published package manifests that depend on fastmcp.
rg -n -C2 '"fastmcp[^"]*"' --glob '**/pyproject.toml'

printf '\n--- security floors published in package metadata ---\n'
rg -n -C1 '"(authlib|cryptography|urllib3|werkzeug|aiohttp)[^"]*"' --glob '**/pyproject.toml'

Repository: trycua/cua

Length of output: 3305


Root-only uv constraints don't secure published package metadata.

tool.uv.constraint-dependencies only affects uv's resolution flow (uv lock / uv sync / uv run) from the workspace root, while published dependency floors come from each package's [project].dependencies and [project.optional-dependencies]. These minimums harden the monorepo lockfile, but won't be carried to users installing packages like cua-cli or computer-server directly. Published subpackages currently declare lower floors (e.g., aiohttp>=3.9.0 vs the root's >=3.13.3) and lack constraints for authlib, cryptography, urllib3, and werkzeug. Mirror the relevant security floors in affected package manifests to ensure vulnerability fixes ship with the packages themselves.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pyproject.toml` around lines 67 - 74, The root-only constraint-dependencies
under tool.uv (tool.uv.constraint-dependencies) does not propagate to published
packages; update each affected package's [project].dependencies and
[project.optional-dependencies] entries (e.g., in the cua-cli and
computer-server package manifests) to include the same security minimums for
authlib, cryptography, urllib3, werkzeug and aiohttp (use the versions from
tool.uv.constraint-dependencies: authlib>=1.6.7, cryptography>=46.0.5,
urllib3>=2.6.3, werkzeug>=3.1.6, aiohttp>=3.13.3) so these floors are baked into
published metadata rather than only the root lockfile.
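Added example (not code from the PR or the trycua/cua repository) implementing the check raised both in the description's transitive-deps section and in the review comment above: it compares the root [tool.uv] constraint-dependencies floors against a package manifest's own [project] metadata and reports floors that are declared too low or not declared at all. ROOT_CONSTRAINTS is quoted from the PR; SAMPLE_PACKAGE_DEPS, including its fastmcp version, is constructed.

```python
import re

# Root [tool.uv] constraint-dependencies quoted from the PR (the floors under review).
ROOT_CONSTRAINTS = [
    "authlib>=1.6.7", "cryptography>=46.0.5", "urllib3>=2.6.3",
    "werkzeug>=3.1.6", "aiohttp>=3.13.3",
]
# Constructed stand-in for a published package manifest (not the repo's real file): it
# depends on fastmcp (which pulls authlib etc. in transitively) and keeps an old aiohttp floor.
SAMPLE_PACKAGE_DEPS = ["fastmcp>=2.0.0", "aiohttp>=3.9.0", 'gradio>=6.7.0; extra == "ui"']

# Matches 'name[extras]>=X.Y.Z'; anything after the version (markers, commas) is ignored.
_FLOOR = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*>=\s*([0-9]+(?:\.[0-9]+)*)")

def parse_floor(req):
    """Return (normalized name, version tuple) for a '>=' requirement, else None."""
    m = _FLOOR.match(req)
    if m is None:
        return None
    name = re.sub(r"[-_.]+", "-", m.group(1)).lower()  # PEP 503 name normalization
    return name, tuple(int(part) for part in m.group(2).split("."))

def floors_of(reqs):
    """Map normalized package name -> declared '>=' floor for a requirement list."""
    return dict(p for p in map(parse_floor, reqs) if p is not None)

def find_gaps(root_constraints, package_reqs):
    """Return {name: (declared floor or None, required floor)} for every root security
    floor the package metadata does not carry: declared too low, or not declared at
    all (then the floor lives only in the workspace lockfile, not in published metadata)."""
    required = floors_of(root_constraints)
    declared = floors_of(package_reqs)
    gaps = {}
    for name, minimum in required.items():
        have = declared.get(name)
        if have is None or have < minimum:
            gaps[name] = (have, minimum)
    return gaps

def gaps_in_pyproject(path, root_constraints):
    """Run the same check on a real pyproject.toml (tomllib needs Python 3.11+)."""
    import tomllib
    with open(path, "rb") as f:
        project = tomllib.load(f).get("project", {})
    reqs = list(project.get("dependencies", []))
    for extra in project.get("optional-dependencies", {}).values():
        reqs.extend(extra)
    return find_gaps(root_constraints, reqs)
```

Run `gaps_in_pyproject("libs/python/cua-cli/pyproject.toml", ROOT_CONSTRAINTS)` from the workspace root to see which of the five floors a given package would actually publish.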
