Conversation
Remove ^, ~, >=, and other flexible version ranges from all dependency files (package.json, pyproject.toml, setup.py). Pin to exact versions for supply chain security. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: Zen Agent <zen@composio.dev>
Please review and fix the vulnerabilities. You can try running: pnpm audit --fix --prod
| }, | ||
| "peerDependencies": { | ||
| "zod": "^3.25 || ^4" | ||
| "zod": "3.25.0 || 4.0.0" |
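Review bot: "3.25.0 || 4.0.0" is a disjunction of two exact versions, so this peer range now rejects every zod release except 3.25.0 and 4.0.0. A peerDependencies entry is satisfied by whatever the consumer's own tree resolves; it is not what locks a version for this package, so the exact pin narrows compatibility without adding any supply-chain protection. Suggest keeping "zod": "^3.25 || ^4" here and letting the lockfile carry the exact versions.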
Peer dependencies pinned to exact versions break consumers
High Severity
Peer dependencies in published npm packages were changed from semver ranges to exact versions. "zod": "^3.25 || ^4" became "3.25.0 || 4.0.0", which only matches exactly those two versions — not 3.25.1, 4.1.0, etc. The workspace's own catalog resolves zod to 4.1.0 and ai to 6.0.27, which already fail to satisfy these new peer constraints. Every external consumer using any version other than the exact pinned one will see peer dependency errors. The same issue affects "ai" in @composio/vercel, "zod" in @composio/mastra, and all other pinned peer deps across the provider packages.
| "typing-extensions>=4.0.0", | ||
| "openai", | ||
| "json-schema-to-pydantic>=0.4.8", | ||
| "typing-extensions==4.0.0", |
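Review bot: the hunk still shows "openai" with no version and "json-schema-to-pydantic>=0.4.8" with a lower bound, so this file is not fully pinned even after the typing-extensions change. Any value chosen for an == pin should be the version recorded in uv.lock rather than the lower bound of the old >= specifier; the same check applies to the two remaining entries here.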
typing-extensions pinned to version incompatible with pydantic
High Severity
typing-extensions is pinned to ==4.0.0 but pydantic==2.6.4 requires typing-extensions>=4.6.1. This creates an unresolvable dependency conflict that prevents installation entirely. The uv.lock file has typing-extensions==4.14.0 — the PR incorrectly used the lower bound from the old >=4.0.0 specifier instead of the actual locked version.
| ], | ||
| python_requires=">=3.9,<4", | ||
| install_requires=["google-cloud-aiplatform>=1.38.0", "vertexai", "composio"], | ||
| install_requires=["google-cloud-aiplatform==1.38.0", "vertexai==1.38.0", "composio"], |
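Review bot: the new install_requires line pins google-cloud-aiplatform and vertexai but still lists "composio" with no version, which leaves this file short of the PR's goal. vertexai and google-cloud-aiplatform are separately versioned packages, so the vertexai pin needs to come from a resolved install or a lockfile rather than being copied from the neighbouring pin; python_requires=">=3.9,<4" is correctly left as a runtime range.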
vertexai pinned to non-existent PyPI version
High Severity
vertexai==1.38.0 does not exist on PyPI. The version was likely chosen to match google-cloud-aiplatform==1.38.0, but vertexai is a separate package with independent versioning (earliest versions start around 1.43.0+). This will cause pip install to fail with a "no matching distribution" error for the composio-google provider.
Update pinned versions to match actual lockfile resolutions instead of lower bounds. This ensures pnpm install --frozen-lockfile works correctly. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: Zen Agent <zen@composio.dev>
Cursor Bugbot has reviewed your changes and found 3 potential issues.
There are 6 total unresolved issues (including 3 from previous reviews).
| "peerDependencies": { | ||
| "@composio/core": "0.6.7", | ||
| "ai": "^5.0.0 || ^6.0.0" | ||
| "ai": "5.0.0 || 6.0.0" |
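Review bot: besides the "ai" change, this hunk shows "@composio/core": "0.6.7" declared as an exact-version peer dependency. With that spec a consumer whose tree resolves any other @composio/core release, including a later patch, fails the peer check, so the provider packages effectively require a lockstep upgrade of core. Suggest a caret range on @composio/core as well, with the exact version held by the lockfile.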
Peer dep ai range broken to exact-version-only
High Severity
The ai peer dependency changed from "^5.0.0 || ^6.0.0" to "5.0.0 || 6.0.0". This now matches only exactly version 5.0.0 or 6.0.0. The workspace catalog resolves ai to 6.0.90, which doesn't satisfy this peer dep. All consumers of @composio/vercel using any ai version other than these two exact versions will get peer dependency conflicts.
| "@composio/core": "0.6.7", | ||
| "@mastra/core": "^1.0.4", | ||
| "zod": "^3.25 || ^4" | ||
| "@mastra/core": "1.0.4", |
Peer dep @mastra/core conflicts with catalog version
Medium Severity
The @mastra/core peer dependency was changed from "^1.0.4" to "1.0.4" (exact), but the catalog was simultaneously bumped from ^1.0.4 to 1.4.0. The dev dependency resolves to 1.4.0 via catalog:, which doesn't satisfy the peer dep of exactly 1.0.4. This creates an internal mismatch and breaks consumers using any @mastra/core version other than 1.0.4.
| "peerDependencies": { | ||
| "@composio/core": "0.6.7", | ||
| "@langchain/core": "^1.1.4" | ||
| "@langchain/core": "1.1.4" |
Peer dep and dev dep versions internally inconsistent
High Severity
The @langchain/core peer dependency was pinned to exactly 1.1.4 (stripping ^) while its own devDependency was bumped to 1.1.25. Since 1.1.25 ≠ 1.1.4, the package's development install doesn't satisfy its own peer dependency. The same issue occurs in @composio/openai-agents where the @openai/agents peer dep is 0.1.3 but the devDep is 0.1.11. Before this PR, both used ^X.Y.Z so they were always compatible.
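The peer-range comments above (zod, ai, @mastra/core, @langchain/core) and the typing-extensions comment all describe the same check: does the version that is actually resolved satisfy the constraint that was declared? The following JavaScript is an added example, not code from the PR or from the Composio repository. It implements the subset of npm semver and PEP 440 syntax that appears in these hunks and runs it over catalog, pin and requirement values constructed from the numbers quoted in the thread; the package names used are only those already mentioned in the comments.

```javascript
// Added example (not from the PR or the Composio repo): a small version-constraint
// checker covering only the syntax seen in the diff: exact versions, ==, ^, ~,
// >=, >, <=, <, "||" (OR) and "," or whitespace (AND). No whitespace is allowed
// between an operator and its version. All sample data below is constructed.

// Parse "4.1.0", "3.25" or "4" into [major, minor, patch]; missing parts are 0.
function parseVersion(s) {
  const parts = s.trim().split('.').map((p) => parseInt(p, 10));
  if (parts.length > 3 || parts.some((n) => Number.isNaN(n))) {
    throw new Error(`unsupported version: ${s}`);
  }
  while (parts.length < 3) parts.push(0);
  return parts;
}

// Numeric comparison in the style of strcmp: <0, 0 or >0.
function compareVersions(a, b) {
  const va = parseVersion(a);
  const vb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (va[i] !== vb[i]) return va[i] - vb[i];
  }
  return 0;
}

// Turn one comparator ("^3.25", ">=4.6.1", "4.0.0") into a predicate on a version.
function comparator(token) {
  const m = token.match(/^(\^|~|==|>=|<=|>|<|=)?(\d+(?:\.\d+){0,2})$/);
  if (!m) throw new Error(`unsupported comparator: ${token}`);
  const op = m[1] || '=';
  const base = m[2];
  const [major, minor, patch] = parseVersion(base);
  let upper;
  if (op === '^') {
    // Caret: any version that keeps the leftmost non-zero component.
    if (major > 0) upper = `${major + 1}.0.0`;
    else if (minor > 0) upper = `0.${minor + 1}.0`;
    else upper = `0.0.${patch + 1}`;
  } else if (op === '~') {
    upper = `${major}.${minor + 1}.0`; // Tilde: patch-level changes only.
  }
  if (upper !== undefined) {
    return (v) => compareVersions(v, base) >= 0 && compareVersions(v, upper) < 0;
  }
  const tests = {
    '=': (c) => c === 0, '==': (c) => c === 0,
    '>=': (c) => c >= 0, '>': (c) => c > 0,
    '<=': (c) => c <= 0, '<': (c) => c < 0,
  };
  return (v) => tests[op](compareVersions(v, base));
}

// True when `version` matches `range`. "||" separates alternatives; inside one
// alternative every comparator must hold (npm uses spaces, PEP 440 uses commas).
function satisfies(version, range) {
  return range.split('||').some((alt) => {
    const tokens = alt.split(/[,\s]+/).filter(Boolean);
    return tokens.length > 0 && tokens.every((t) => comparator(t)(version));
  });
}

// Compare declared constraints with the versions actually resolved for them
// and return the entries that do not match.
function findUnsatisfied(constraints, resolved) {
  const problems = [];
  for (const [name, range] of Object.entries(constraints)) {
    const actual = resolved[name];
    if (actual === undefined) {
      problems.push({ name, range, resolved: null, reason: 'not resolved' });
    } else if (!satisfies(actual, range)) {
      problems.push({ name, range, resolved: actual, reason: 'out of range' });
    }
  }
  return problems;
}

// npm side (constructed from the thread): the workspace catalog resolutions and
// the peerDependencies ranges before and after the PR.
const catalog = { zod: '4.1.0', ai: '6.0.27', '@mastra/core': '1.4.0' };
const peersBefore = { zod: '^3.25 || ^4', ai: '^5.0.0 || ^6.0.0', '@mastra/core': '^1.0.4' };
const peersAfter = { zod: '3.25.0 || 4.0.0', ai: '5.0.0 || 6.0.0', '@mastra/core': '1.0.4' };

// Python side (constructed from the thread): pydantic==2.6.4 needs
// typing-extensions>=4.6.1; the PR pinned 4.0.0 while uv.lock records 4.14.0.
const pydanticNeeds = { 'typing-extensions': '>=4.6.1' };
const pinnedByPr = { 'typing-extensions': '4.0.0' };
const pinnedFromLock = { 'typing-extensions': '4.14.0' };

// Four runs: an empty array means every constraint is satisfied.
function summary() {
  return {
    npmBefore: findUnsatisfied(peersBefore, catalog),
    npmAfter: findUnsatisfied(peersAfter, catalog),
    pyPrPin: findUnsatisfied(pydanticNeeds, pinnedByPr),
    pyLockPin: findUnsatisfied(pydanticNeeds, pinnedFromLock),
  };
}

console.log(JSON.stringify(summary(), null, 2));
```

Run it with node; npmAfter lists all three peers as out of range against the catalog while npmBefore is empty, and pyPrPin flags typing-extensions 4.0.0 against pydantic's >=4.6.1 while the uv.lock value passes. The same function, fed the real package.json peerDependencies and the pnpm-workspace.yaml catalog (a YAML parser is not included here), would catch these mismatches in CI before publish. The design point it illustrates: exact versions belong in the lockfile and in the package's own dependencies, where they do constrain what gets installed; peerDependencies and Python's requires-python are compatibility declarations, and pinning them only shrinks the set of consumers that can install the package.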


Description
Pin all dependencies across the composio SDK repo to exact versions for supply chain security. This removes ^, ~, >=, and other flexible version ranges from package.json, pyproject.toml, setup.py, and pnpm-workspace.yaml catalog entries.
Changes across 76 files:
- Removed ^ and ~ prefixes from all version strings
- Changed >=X.Y.Z to ==X.Y.Z, resolved unversioned deps from uv.lock
- Prevents automatic pulling of potentially compromised package versions (ref: axios supply chain attack).
How did I test this PR
- requires-python constraints intentionally left unpinned (Python runtime compatibility, not package versions)
- catalog: and workspace:* references in package.json left as-is (resolved by pnpm workspace, not registries)