
Bump crewai to >=1.14.4 for parity + security backports (ar-r82f.11)#94

Merged
atc964 merged 1 commit into
mainfrom
fix/bump-crewai-buyer
May 28, 2026

Conversation

@atc964 atc964 (Collaborator) commented May 28, 2026

Summary

Bump the crewai pin from ==1.10.1 to >=1.14.4,<2.0.0 to absorb four upstream CVE backports and align with the seller-agent bump landing in parallel (sibling bead ar-r82f.12).

CVE backports absorbed

  • Path traversal in tool sandbox file resolution
  • SSRF in URL-fetching tools
  • SSTI in litellm template handling
  • transformers CVE (pinned transitively)

Crewai 1.14 fallout

Crewai 1.14 turned Flow into a Pydantic model and removed the legacy state setter. DealBookingFlow.__init__ previously did super().__init__(**state_kwargs), which 1.14 silently drops because those kwargs aren't Flow fields. The fix wraps state kwargs in a typed BookingState(**kwargs) and passes it through Flow's new initial_state= field — preserving the existing DealBookingFlow(client, campaign_brief=...) call sites in the API and CLI. The pre-existing TestCrewAI110FlowStateRegression suite covers this contract.

Pre-bump greps (clean)

grep -rn "CodeInterpreterTool"  src/ tests/   # 0 hits
grep -rn "CrewAgentExecutor"    src/ tests/   # 0 hits
grep -rn "EXASearchTool\b"      src/ tests/   # 0 hits (rename to ExaSearchTool is not relevant)

Local test results

  • uv lock: resolved 185 packages, crewai resolves to 1.14.6
  • uv sync --extra dev: ok
  • uv run pytest tests/ -q: 3225 passed, 58 skipped, 0 failed in 225s
  • Delta vs main baseline (post-#92 "Skip cross-repo integration test when sibling repos absent (ar-r82f.6)", 3222 passed / 60 skipped): +3 new passes (the three previously failing TestCrewAI110FlowStateRegression regression tests now exercise the bumped Flow), 2 fewer skips (entry collection deltas), 0 new failures.
  • Ruff lint failures (~479) are pre-existing on main — unchanged by this PR.

Test plan

🤖 Generated with Claude Code

Absorbs four upstream CVE backports landing in crewai 1.11-1.14:
  - Path traversal in tool sandbox file resolution
  - SSRF in URL-fetching tools
  - SSTI in litellm template handling
  - transformers CVE (pinned transitively)

Aligns the buyer-agent crewai pin with the seller-agent bump landing in
parallel (ar-r82f.12) so both repos run the same crewai major/minor.

Crewai 1.14 made Flow a Pydantic model and removed the legacy `state`
setter that DealBookingFlow.__init__ relied on. Initial state now ships
through Flow's `initial_state=` field as a typed BookingState instance,
preserving the existing `DealBookingFlow(client, campaign_brief=...)`
call sites in the CLI and API. The pre-existing
TestCrewAI110FlowStateRegression suite covers this contract.

Pre-bump greps (clean): CodeInterpreterTool, CrewAgentExecutor,
EXASearchTool (no usages in src/ or tests/).

Full local suite: 3225 passed, 58 skipped, 0 failed.

bead: ar-r82f.11

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
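Added illustration of the Flow regression the PR describes; this is example code, not crewai's or this repo's. `Flow`, `BookingState` and the two `DealBookingFlow` variants are stand-ins whose field names are assumed; the stand-in `Flow` reproduces only the property that matters here, namely that a Pydantic-style model silently ignores keyword arguments that are not declared fields (Pydantic's default `extra="ignore"`).

```python
# Stand-in for the crewai 1.14 Flow regression and its fix (example code only).
from dataclasses import dataclass, fields
from typing import Any


@dataclass
class BookingState:
    """Typed state container. Field names are assumed for this example."""
    campaign_brief: str = ""
    budget: float = 0.0


class Flow:
    """Minimal stand-in for a Pydantic-model Flow: only declared fields are kept."""
    _declared = ("initial_state", "persistence")

    def __init__(self, **kwargs: Any) -> None:
        # Mimics Pydantic's extra="ignore": unknown keys vanish without any error.
        for name in self._declared:
            setattr(self, name, kwargs.get(name))
        self.state = self.initial_state if self.initial_state is not None else BookingState()


class DealBookingFlowBroken(Flow):
    """Pre-bump pattern: state kwargs go straight to Flow and are dropped."""
    def __init__(self, client: Any, **state_kwargs: Any) -> None:
        self.client = client
        super().__init__(**state_kwargs)  # campaign_brief is not a Flow field


class DealBookingFlowFixed(Flow):
    """Post-bump pattern: wrap kwargs in BookingState and pass initial_state=."""
    def __init__(self, client: Any, **state_kwargs: Any) -> None:
        self.client = client
        unknown = set(state_kwargs) - {f.name for f in fields(BookingState)}
        if unknown:  # fail loudly rather than let state disappear silently
            raise TypeError(f"unknown BookingState fields: {sorted(unknown)}")
        super().__init__(initial_state=BookingState(**state_kwargs))


def campaign_brief_of(flow: Flow) -> str:
    """Regression probe: what the flow actually holds after construction."""
    return flow.state.campaign_brief


if __name__ == "__main__":
    print(campaign_brief_of(DealBookingFlowBroken(None, campaign_brief="Q3 launch")))  # ""
    print(campaign_brief_of(DealBookingFlowFixed(None, campaign_brief="Q3 launch")))   # "Q3 launch"
```

The broken variant constructs without error yet loses the brief, which is why a regression test asserting on the resulting state (as TestCrewAI110FlowStateRegression does) catches what a crash-only test would miss.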
@atc964 atc964 force-pushed the fix/bump-crewai-buyer branch from 894ab67 to b3cdd49 on May 28, 2026 18:32
@atc964 atc964 merged commit 840fcd0 into main May 28, 2026
2 of 3 checks passed