4 changes: 2 additions & 2 deletions libs/cua-bench/pyproject.toml
Expand Up @@ -43,7 +43,7 @@ dependencies = [
"html5lib>=1.1",
"beautifulsoup4>=4.14.2",
# Core utilities
"pillow>=11.0.0",
"pillow>=12.1.1",
"numpy>=2.0.0",
"python-dotenv>=1.0.0",
"psutil>=5.9.0",
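Review bot: the `pillow` floor under `# Core utilities` crosses a major version, from `>=11.0.0` to `>=12.1.1`, and the line carries no note on why. Because this sits in the package's unconditional `dependencies`, every installer is moved to Pillow 12; if the floor is a security minimum like the ones annotated in the root `pyproject.toml`, add the advisory id as a trailing comment so it is not relaxed later, and confirm the package's image code paths are tested against the new major version.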
Expand Down Expand Up @@ -86,7 +86,7 @@ cloud = [
server = [
"fastapi>=0.100.0",
"uvicorn>=0.30.0",
"python-multipart>=0.0.6",
"python-multipart>=0.0.22",
"aiosqlite>=0.19.0",
]
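Review bot: `python-multipart>=0.0.22` in the `server` extra is raised without any rationale on the line, while the neighbouring `fastapi>=0.100.0` and `uvicorn>=0.30.0` floors stay where they were. If the bump is advisory-driven, record the advisory id in a trailing comment, as the root `constraint-dependencies` block does, and check that the oldest `fastapi` this extra still allows resolves and runs with the new `python-multipart` floor.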

8 changes: 4 additions & 4 deletions libs/python/agent/pyproject.toml
Expand Up @@ -32,7 +32,7 @@ anthropic = []
qwen = [
"qwen-vl-utils",
"qwen-agent",
"Pillow>=10.0.0",
"Pillow>=12.1.1",
]
omni = [
"cua-som>=0.1.0,<0.2.0",
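Review bot: the `qwen` extra spells the requirement `Pillow>=12.1.1`, while the other manifests touched by this change use lowercase `pillow` (the capitalised spelling recurs in this file's `all` extra). Name matching is case-insensitive, so resolution is unaffected, but a single lowercase spelling would let one case-sensitive search find every Pillow floor during the next security bump.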
Expand Down Expand Up @@ -71,7 +71,7 @@ moondream3 = [
"transformers>=4.55.0"
]
ui = [
"gradio>=6.0.0",
"gradio>=6.7.0",
"python-dotenv>=1.0.1",
Comment on lines 73 to 75

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Audit Gradio chatbot construction sites in the agent UI for implicit defaults.
rg -n -C3 'gr\.Chatbot\s*\(' libs/python/agent

Repository: trycua/cua

Length of output: 1468


🏁 Script executed:

# Check the pyproject.toml to confirm Gradio version specification
cat -n libs/python/agent/pyproject.toml | sed -n '70,80p'

Repository: trycua/cua

Length of output: 269


🏁 Script executed:

# Find all gr.Chatbot instantiations across the entire codebase
rg -n 'gr\.Chatbot\s*\(' --type python

Repository: trycua/cua

Length of output: 84


🌐 Web query:

Gradio 6 migration guide allow_tags default behavior gr.Chatbot

💡 Result:

In Gradio 6, gr.Chatbot’s allow_tags default changed from False to True, meaning chatbot messages will no longer strip tag-like content by default (to better support LLM outputs that include HTML/custom tags such as <thinking>). If you want the pre–Gradio 6 behavior (remove all tags), set it explicitly:

gr.Chatbot(allow_tags=False)

This change is called out in the Gradio 6 migration guide and tracked in the changelog/PR. [1], [2], [3]


🏁 Script executed:

# Find all gr.Chatbot instantiations (rg doesn't need --type flag)
rg -n 'gr\.Chatbot' libs/python/agent --context 2

Repository: trycua/cua

Length of output: 1398


🏁 Script executed:

# Check if there are any tests or comments about chatbot tag handling
rg -i 'allow_tags|tag.*chat|chat.*tag' libs/python/agent

Repository: trycua/cua

Length of output: 36


🏁 Script executed:

# Check the full context around the two main chatbot instantiations
sed -n '475,485p' libs/python/agent/agent/human_tool/ui.py
sed -n '563,572p' libs/python/agent/agent/ui/gradio/ui_components.py

Repository: trycua/cua

Length of output: 861


Gradio 6 changes gr.Chatbot() defaults; explicit allow_tags handling needed.

Upgrading to gradio>=6.7.0 changes gr.Chatbot()'s default behavior: allow_tags now defaults to True instead of False. This means chatbot messages will preserve tag-like content (e.g., <thinking>, <tool_call>) rather than stripping them.

Two instantiations are affected and do not set allow_tags explicitly:

  • libs/python/agent/agent/ui/gradio/ui_components.py:565 - bare gr.Chatbot()
  • libs/python/agent/agent/human_tool/ui.py:477 - gr.Chatbot(label="Conversation", height=500, buttons=["copy"])

Please either set allow_tags explicitly to the desired behavior, or add regression tests with representative model/tool responses to validate the new behavior is acceptable before merging.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@libs/python/agent/pyproject.toml` around lines 73 - 75, Two gr.Chatbot()
instantiations now rely on Gradio 6.7+ default allow_tags=True; update the two
places that call gr.Chatbot (the bare gr.Chatbot() in ui_components.py and the
gr.Chatbot(label="Conversation", height=500, buttons=["copy"]) in
human_tool/ui.py) to explicitly pass allow_tags=False (or True if you want to
preserve tags) to restore the intended behavior, and add a small regression test
that asserts rendered messages strip or preserve tag-like tokens as expected so
the upgrade is validated before merging.
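
An added example, not part of the review comment or of the trycua/cua code base: a static check that lists every `Chatbot(...)` call that does not pass `allow_tags`, so the Gradio 6 default cannot take effect silently. The sample source is constructed to mirror the two call shapes named in the comment above; the function names are hypothetical.

```python
import ast

# Constructed sample mirroring the two call shapes named in the review comment,
# plus one call that already sets allow_tags explicitly.
SAMPLE_SOURCE = '''
import gradio as gr

with gr.Blocks() as demo:
    chat_a = gr.Chatbot()
    chat_b = gr.Chatbot(label="Conversation", height=500, buttons=["copy"])
    chat_c = gr.Chatbot(label="Pinned", allow_tags=False)
'''


def is_chatbot_call(node: ast.Call) -> bool:
    """True for `<anything>.Chatbot(...)` or a bare `Chatbot(...)` call."""
    func = node.func
    if isinstance(func, ast.Attribute):
        return func.attr == "Chatbot"
    return isinstance(func, ast.Name) and func.id == "Chatbot"


def find_implicit_allow_tags(source: str, filename: str = "<sample>"):
    """Return (filename, line, call_text) for Chatbot calls without allow_tags."""
    findings = []
    tree = ast.parse(source, filename=filename)
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and is_chatbot_call(node)):
            continue
        keywords = {kw.arg for kw in node.keywords}
        # A **kwargs splat shows up as kw.arg == None; it may or may not carry
        # allow_tags, so such a call is still reported for a human to check.
        if "allow_tags" not in keywords:
            findings.append((filename, node.lineno, ast.unparse(node)))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for name, line, call in find_implicit_allow_tags(SAMPLE_SOURCE):
        print(f"{name}:{line}: allow_tags not set explicitly: {call}")
```

Run over the real files by reading each `.py` file and passing its text and path to `find_implicit_allow_tags`; a non-empty result can fail CI.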

]
cli = [
Expand All @@ -96,7 +96,7 @@ all = [
"tiktoken>=0.11.0",
"blobfile>=3.0.0",
# ui requirements
"gradio>=6.0.0",
"gradio>=6.7.0",
"python-dotenv>=1.0.1",
# cli requirements
"yaspin>=3.1.0",
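Review bot: the `gradio>=6.7.0` line under `# ui requirements` in `all` is a hand-maintained copy of the floor in the `ui` extra, so every security bump has to be made in two places and the copies can drift apart. Consider having `all` reference the package's own `ui`, `cli` and `qwen` extras instead of repeating their requirement strings, or add a check that the duplicated floors are identical.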
Expand All @@ -105,7 +105,7 @@ all = [
# qwen requirements
"qwen-vl-utils",
"qwen-agent",
"Pillow>=10.0.0",
"Pillow>=12.1.1",
]

[tool.uv]
2 changes: 1 addition & 1 deletion libs/python/computer-server/pyproject.toml
Expand Up @@ -18,7 +18,7 @@ dependencies = [
"uvicorn[standard]>=0.27.0",
"pydantic>=2.0.0",
"pynput>=1.8.1",
"pillow>=10.2.0",
"pillow>=12.1.1",
"aiohttp>=3.9.1",
"pyperclip>=1.9.0",
"websockets>=12.0",
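Review bot: the context line `"aiohttp>=3.9.1"` is left unchanged in this hunk, while the root `constraint-dependencies` added in this same change requires `aiohttp>=3.13.3`. The root constraint applies only when resolving from the workspace, so raise the floor in this manifest as well if the fixed aiohttp is meant to reach users who install this package on its own.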
6 changes: 3 additions & 3 deletions libs/python/computer/pyproject.toml
Expand Up @@ -11,7 +11,7 @@ authors = [
{ name = "TryCua", email = "gh@trycua.com" }
]
dependencies = [
"pillow>=10.0.0",
"pillow>=12.1.1",
"websocket-client>=1.8.0",
"websockets>=12.0",
"aiohttp>=3.9.0",
Expand All @@ -27,13 +27,13 @@ lume = [
lumier = [
]
ui = [
"gradio>=5.23.3",
"gradio>=6.7.0",
"python-dotenv>=1.0.1",
"datasets>=3.6.0",
]
all = [
# Include all optional dependencies
"gradio>=5.23.3",
"gradio>=6.7.0",
"python-dotenv>=1.0.1",
"datasets>=3.6.0",
]
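Review bot: the `ui` and `all` extras move `gradio` from `>=5.23.3` to `>=6.7.0`, a major-version change, but the `gr.Chatbot` audit shown in the review comment on `libs/python/agent/pyproject.toml` searched only `libs/python/agent`. Run the same search over this package's UI code and set `allow_tags` explicitly wherever a chatbot is constructed, so the changed default is a decision rather than a side effect of the bump.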
2 changes: 1 addition & 1 deletion libs/python/cua-auto/pyproject.toml
Expand Up @@ -33,7 +33,7 @@ dependencies = [
# Mouse + keyboard control (cross-platform)
"pynput>=1.7.0",
# Screenshot + image processing
"pillow>=10.0.0",
"pillow>=12.1.1",
# Clipboard access (cross-platform)
"pyperclip>=1.9.0",
# Window management (cross-platform)
2 changes: 1 addition & 1 deletion libs/python/cua-cli/pyproject.toml
Expand Up @@ -37,7 +37,7 @@ dependencies = [
# CLI output
"rich>=13.0.0",
# Image processing for skills
"pillow>=10.0.0",
"pillow>=12.1.1",
# WebSocket for skills recording
"websockets>=12.0",
]
2 changes: 1 addition & 1 deletion libs/python/som/pyproject.toml
Expand Up @@ -15,7 +15,7 @@ dependencies = [
"ultralytics>=8.1.28",
"easyocr>=1.7.1",
"numpy>=1.26.4",
"pillow>=10.2.0",
"pillow>=12.1.1",
"setuptools>=75.8.1",
"opencv-python-headless>=4.11.0.86",
"matplotlib>=3.8.3",
10 changes: 9 additions & 1 deletion pyproject.toml
Expand Up @@ -38,7 +38,7 @@ docs = [
"mkdocs>=1.5.0",
]
docs-scripts = [
"crawl4ai>=0.4.0",
"crawl4ai>=0.8.0",
"playwright>=1.40.0",
"lancedb>=0.4.0",
"sentence-transformers>=2.2.0",
Expand All @@ -64,6 +64,14 @@ examples = []

[tool.uv]
package = false
# Security: constrain vulnerable transitive dependencies to safe minimum versions
constraint-dependencies = [
"authlib>=1.6.7", # GHSA-7wc2-qxgw-g8gg: JWT alg:none bypass (HIGH)
"cryptography>=46.0.5", # GHSA-r6ph-v2qm-q3c2: ECDH subgroup attack (HIGH)
"urllib3>=2.6.3", # GHSA-38jv-5279-wg99: decompression bomb bypass (HIGH)
"werkzeug>=3.1.6", # GHSA-29vq-49wr-vm6x: Windows device names (MODERATE)
"aiohttp>=3.13.3", # GHSA-jj3x-wxrx-4x23, GHSA-6jhg-hg63-jvvf: DoS (MODERATE/LOW)
]
Comment on lines +67 to +74

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Find published package manifests that depend on fastmcp.
rg -n -C2 '"fastmcp[^"]*"' --glob '**/pyproject.toml'

printf '\n--- security floors published in package metadata ---\n'
rg -n -C1 '"(authlib|cryptography|urllib3|werkzeug|aiohttp)[^"]*"' --glob '**/pyproject.toml'

Repository: trycua/cua

Length of output: 3305


Root-only uv constraints don't secure published package metadata.

tool.uv.constraint-dependencies only affects uv's resolution flow (uv lock / uv sync / uv run) from the workspace root, while published dependency floors come from each package's [project].dependencies and [project.optional-dependencies]. These minimums harden the monorepo lockfile, but won't be carried to users installing packages like cua-cli or computer-server directly. Published subpackages currently declare lower floors (e.g., aiohttp>=3.9.0 vs the root's >=3.13.3) and lack constraints for authlib, cryptography, urllib3, and werkzeug. Mirror the relevant security floors in affected package manifests to ensure vulnerability fixes ship with the packages themselves.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pyproject.toml` around lines 67 - 74, The root-only constraint-dependencies
under tool.uv (tool.uv.constraint-dependencies) does not propagate to published
packages; update each affected package's [project].dependencies and
[project.optional-dependencies] entries (e.g., in the cua-cli and
computer-server package manifests) to include the same security minimums for
authlib, cryptography, urllib3, werkzeug and aiohttp (use the versions from
tool.uv.constraint-dependencies: authlib>=1.6.7, cryptography>=46.0.5,
urllib3>=2.6.3, werkzeug>=3.1.6, aiohttp>=3.13.3) so these floors are baked into
published metadata rather than only the root lockfile.


[tool.uv.workspace]
members = [
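Review bot: none of the five `constraint-dependencies` entries records which direct dependency pulls the constrained package in, so there is no way to tell from this block when a constraint has become redundant. Next to each advisory id, name the requiring package, so the entry can be dropped once that dependency raises its own floor.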
298 changes: 152 additions & 146 deletions uv.lock

Large diffs are not rendered by default.
