Fix CVE 2025 69872 diskcache#2548

Open
cym3118288-afk wants to merge 6 commits into ag2ai:main from cym3118288-afk:fix-cve-2025-69872-diskcache

Conversation

@cym3118288-afk

Problem

AG2 has a hard dependency on diskcache which is affected by CVE-2025-69872
(CVSS 9.8 Critical) - an unsafe pickle deserialization vulnerability. This
blocks deployments in security-sensitive environments using vulnerability
scanners like Aquasec, Snyk, or Trivy.

Solution

This PR makes diskcache an **optional dependency** and changes the default
cache backend to InMemoryCache.

Changes

  • ✅ Removed diskcache from core dependencies in pyproject.toml
  • ✅ Added diskcache as optional dependency ag2[diskcache]
  • ✅ Updated DiskCache to raise helpful error when diskcache not installed
  • ✅ Changed cache_factory default fallback to InMemoryCache
  • ✅ Updated all error messages and documentation
  • ✅ Updated tests to handle optional import
  • ✅ Added comprehensive security advisory document

Migration Path

Users have three options:

  1. **InMemoryCache** (default) - No persistence, no security risk
  2. **RedisCache** - Persistent, secure, production-ready
  3. **DiskCache** - Persistent but requires pip install ag2[diskcache]

Breaking Changes

⚠️ Users who rely on persistent caching without explicit configuration will
now use InMemoryCache (no persistence between runs). To restore previous
behavior: pip install ag2[diskcache]

Security Impact

✅ Resolves CVE-2025-69872
✅ Security scanners will no longer flag ag2
✅ Safe for deployment in security-sensitive environments
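As an added illustration of the optional-dependency pattern the description above lays out (a deferred import that raises an install hint, and a factory that defaults to the in-memory backend), here is example code that is not ag2's own; the names InMemoryCache, DiskCache and make_cache are assumed for the illustration.

```python
# Added example, not ag2's own code: a cache factory in the shape the PR
# describes. InMemoryCache, DiskCache and make_cache are assumed names.
from __future__ import annotations

import importlib.util
from typing import Any

INSTALL_HINT = "diskcache is not installed; install the extra with: pip install ag2[diskcache]"


class InMemoryCache:
    """Default backend: a dict in process memory. Nothing is written to or
    unpickled from disk, so a tampered cache file cannot reach this path."""

    def __init__(self) -> None:
        self._store: dict[str, Any] = {}

    def get(self, key: str, default: Any = None) -> Any:
        return self._store.get(key, default)

    def set(self, key: str, value: Any) -> None:
        self._store[key] = value


class DiskCache:
    """Persistent backend; the optional package is imported only here, so the
    core package never needs it installed."""

    def __init__(self, directory: str, available: bool | None = None) -> None:
        # `available` lets a caller force the detection result (used by tests);
        # None means probe the interpreter for the real package.
        if available is None:
            available = importlib.util.find_spec("diskcache") is not None
        if not available:
            raise ImportError(INSTALL_HINT)
        import diskcache  # deferred import of the optional dependency

        self._cache = diskcache.Cache(directory)

    def get(self, key: str, default: Any = None) -> Any:
        return self._cache.get(key, default=default)

    def set(self, key: str, value: Any) -> None:
        self._cache.set(key, value)


def make_cache(backend: str | None = None, directory: str = ".cache",
               diskcache_available: bool | None = None) -> InMemoryCache | DiskCache:
    """An explicit "disk" backend requires the extra; no backend falls back to
    InMemoryCache instead of silently picking up diskcache when present."""
    if backend == "disk":
        return DiskCache(directory, available=diskcache_available)
    return InMemoryCache()
```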

@CLAassistant

CLAassistant commented Apr 3, 2026

CLA assistant check
All committers have signed the CLA.

@github-actions github-actions bot added the dependencies Pull requests that update a dependency file label Apr 3, 2026
@marklysze
Collaborator

@cym3118288-afk thanks so much for this. Would you be able to run `pre-commit run --all-files` and push the setup_autogen.py file?

It should have diskcache in it:

```python
...
        "ag-ui": ["ag2[ag-ui]==" + __version__],
        "diskcache": ["ag2[diskcache]==" + __version__],
        "openai": ["ag2[openai]==" + __version__],
...
```

@cym3118288-afk
Author

Sure, I will give it a try later.

@codecov

codecov bot commented Apr 4, 2026

Codecov Report

❌ Patch coverage is 45.00000% with 11 lines in your changes missing coverage. Please review.

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| autogen/cache/cache_factory.py | 50.00% | 5 Missing and 1 partial ⚠️ |
| autogen/cache/disk_cache.py | 42.85% | 2 Missing and 2 partials ⚠️ |
| autogen/oai/client.py | 0.00% | 1 Missing ⚠️ |

| Files with missing lines | Coverage Δ |
| --- | --- |
| autogen/oai/client.py | 54.47% <0.00%> (-3.61%) ⬇️ |
| autogen/cache/disk_cache.py | 83.33% <42.85%> (-16.67%) ⬇️ |
| autogen/cache/cache_factory.py | 45.16% <50.00%> (-2.67%) ⬇️ |

... and 20 files with indirect coverage changes

