Conversation

@Vasilije1990 (Contributor) commented Jan 6, 2026

Description

Fix security issue reported by the user #1950

Acceptance Criteria

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update
  • Code refactoring
  • Performance improvement
  • Other (please specify):

Screenshots/Videos (if applicable)

Pre-submission Checklist

  • I have tested my changes thoroughly before submitting this PR
  • This PR contains minimal changes necessary to address the issue/feature
  • My code follows the project's coding standards and style guidelines
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if applicable)
  • All new and existing tests pass
  • I have searched existing PRs to ensure this change hasn't been submitted already
  • I have linked any relevant issues in the description
  • My commits have clear and descriptive messages

DCO Affirmation

I affirm that all code in every commit of this pull request conforms to the terms of the Topoteretes Developer Certificate of Origin.


Note

  • Dependencies: Adds cbor2>=5.8.0 to pyproject.toml; updates uv.lock (including version bump and wheels) to reflect new dependency.
  • CI/Docs: Refines .github/pull_request_template.md (simplified change types; renamed Screenshots section to request proof of local tests passing).
  • Code cleanup: Minor formatting changes in LiteLLMEmbeddingEngine.py and get_api_auth_backend.py with no functional impact.

Written by Cursor Bugbot for commit aa4ab1e.

Summary by CodeRabbit

  • Chores
    • Added a new project dependency
    • Updated pull request template guidelines


pull-checklist bot commented Jan 6, 2026

Please make sure all the checkboxes are checked:

  • I have tested these changes locally.
  • I have reviewed the code changes.
  • I have added end-to-end and unit tests (if applicable).
  • I have updated the documentation and README.md file (if necessary).
  • I have removed unnecessary code and debug statements.
  • PR title is clear and follows the convention.
  • I have tagged reviewers or team members for feedback.

coderabbitai bot (Contributor) commented Jan 6, 2026

Caution

Review failed

The pull request is closed.

Walkthrough

This pull request adds the CBOR2 library (version 5.8.0+) as a project dependency and simplifies the GitHub pull request template by removing certain change type options and acceptance criteria while refocusing the screenshot documentation section.

Changes

Cohort / File(s): Dependencies (pyproject.toml)
Summary: Added cbor2>=5.8.0 to the project dependencies list.

Cohort / File(s): Pull Request Template (.github/pull_request_template.md)
Summary: Removed "Breaking change" and "Documentation update" options from Type of Change section; removed two acceptance criteria items regarding verification instructions and testing proof; simplified "Screenshots/Videos (if applicable)" to "Screenshots" with updated guidance to include local test results.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

core-team

Suggested reviewers

  • siillee
🚥 Pre-merge checks | ❌ 3
❌ Failed checks (1 warning, 2 inconclusive)
Check name: Docstring Coverage
Status: ⚠️ Warning
Explanation: Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%.
Resolution: You can run @coderabbitai generate docstrings to improve docstring coverage.

Check name: Title check
Status: ❓ Inconclusive
Explanation: The PR title 'fix: security issue' is extremely vague and does not clearly describe what security issue was fixed or which files/systems were affected by the changes.
Resolution: Replace with a more specific title that identifies the security issue, e.g., 'fix: add cbor2 dependency to address security vulnerability' or provide clearer context about the actual security concern being addressed.

Check name: Description check
Status: ❓ Inconclusive
Explanation: The PR description references a security issue but lacks critical details on the actual security concern, how the changes address it, testing verification, or acceptance criteria fulfillment.
Resolution: Provide detailed explanation of the security vulnerability, how each change mitigates it, concrete testing/verification steps, and fill the Acceptance Criteria section with key requirements and proof of testing.



📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between aa4ab1e and ada0a2b.

📒 Files selected for processing (1)
  • .github/pull_request_template.md

Comment @coderabbitai help to get the list of available commands and usage tips.

@Vasilije1990 Vasilije1990 mentioned this pull request Jan 6, 2026
coderabbitai bot (Contributor) left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
pyproject.toml (1)

63-63: Version constraint lacks upper bound; inconsistent with codebase patterns.

The version constraint cbor2>=5.8.0 has no upper bound, which deviates from the pattern used for most other dependencies in this file (e.g., openai>=1.80.1, pydantic>=2.10.5,<2.12.0). An unbounded upper constraint risks compatibility issues from future major releases and makes builds non-deterministic.

Consider specifying an upper bound (e.g., cbor2>=5.8.0,<6.0.0) to maintain consistency and ensure reproducibility.

🔎 Proposed versioning fix
-    "cbor2>=5.8.0"
+    "cbor2>=5.8.0,<6.0.0"
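Review bot: The reproducibility argument above does not apply to this repository as it stands: the Bugbot note at the top records that this PR also updates uv.lock, and it is the lockfile, not the pyproject range, that pins the resolved cbor2 version for project installs. The `,<6.0.0` cap is still worth adding for consistency with the `pydantic>=2.10.5,<2.12.0` pattern cited in this comment, but the security-relevant part of the line is the `>=5.8.0` floor, which must not be lowered below the fixed release when the bound is edited.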
📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 34c6652 and 295f623.

⛔ Files ignored due to path filters (1)
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (1)
  • pyproject.toml
🧰 Additional context used
📓 Path-based instructions (1)
pyproject.toml

📄 CodeRabbit inference engine (AGENTS.md)

Python version requirement: >= 3.10 and < 3.14

Files:

  • pyproject.toml
🧠 Learnings (1)
📚 Learning: 2025-11-24T16:45:09.996Z
Learnt from: CR
Repo: topoteretes/cognee PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-24T16:45:09.996Z
Learning: Applies to pyproject.toml : Python version requirement: >= 3.10 and < 3.14

Applied to files:

  • pyproject.toml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (23)
  • GitHub Check: End-to-End Tests / Run Telemetry Pipeline Test
  • GitHub Check: End-to-End Tests / Test dataset database deletion in Cognee
  • GitHub Check: End-to-End Tests / Test Cognify - Edge Centered Payload
  • GitHub Check: End-to-End Tests / Test graph edge ingestion
  • GitHub Check: End-to-End Tests / Test adding of label for data in Cognee
  • GitHub Check: End-to-End Tests / Conversation sessions test (FS)
  • GitHub Check: End-to-End Tests / Conversation sessions test (Redis)
  • GitHub Check: End-to-End Tests / Test Feedback Enrichment
  • GitHub Check: End-to-End Tests / Test dataset database handlers in Cognee
  • GitHub Check: End-to-End Tests / Test Entity Extraction
  • GitHub Check: End-to-End Tests / Test permissions with different situations in Cognee
  • GitHub Check: End-to-End Tests / Test multi tenancy with different situations in Cognee
  • GitHub Check: End-to-End Tests / Concurrent Subprocess access test
  • GitHub Check: End-to-End Tests / S3 Bucket Test
  • GitHub Check: Basic Tests / Run Simple Examples BAML
  • GitHub Check: Basic Tests / Run Unit Tests
  • GitHub Check: End-to-End Tests / Server Start Test
  • GitHub Check: End-to-End Tests / Deduplication Test
  • GitHub Check: Basic Tests / Run Simple Examples
  • GitHub Check: Basic Tests / Run Integration Tests
  • GitHub Check: Cursor Bugbot
  • GitHub Check: CLI Tests / CLI Functionality Tests
  • GitHub Check: CLI Tests / CLI Integration Tests
🔇 Additional comments (2)
pyproject.toml (2)

63-63: cbor2>=5.8.0 is compatible with the project's Python requirements.

cbor2 5.8.0 and later support Python 3.9–3.14, which fully covers the project's required Python range (3.10–3.13). No action needed.


63-63: The cbor2>=5.8.0 dependency addition addresses CVE-2025-68131, a data-leak vulnerability affecting cbor2 versions 3.0.0–5.7.x where reusing a CBORDecoder could leak values marked with the shareable tag to subsequent decodes. Version 5.8.0 fixed this issue and is compatible with the project's Python requirement (>=3.10,<3.14).

Likely an incorrect or invalid review comment.
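The comment above frames the fix as raising the cbor2 floor to 5.8.0. As an added example that is not code from this PR, from cognee, or from cbor2, here is a small dependency-specifier audit that checks whether a requirement line such as `cbor2>=5.8.0` can still resolve to a release in the affected range 3.0.0 through 5.7.x, and whether it carries the upper bound the reviewer proposed; the affected and fixed versions are taken from the comment, and the version parser assumes plain dotted release numbers.

```python
import re

# Affected range and fixing release for cbor2 as stated in the review comment (CVE-2025-68131).
FIRST_VULNERABLE = "3.0.0"
FIXED = "5.8.0"

_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*?)\s*$")
_CLAUSE_RE = re.compile(r"^(>=|<=|==|!=|>|<)\s*([0-9]+(?:\.[0-9]+)*)$")


def parse_version(text):
    # Plain dotted release numbers only ("5.8.0"); pre-release suffixes are out of scope here.
    return tuple(int(part) for part in text.split("."))


def parse_requirement(req):
    # "cbor2>=5.8.0,<6.0.0" -> ("cbor2", [(">=", (5, 8, 0)), ("<", (6, 0, 0))])
    name, spec = _REQ_RE.match(req).groups()
    clauses = []
    for clause in filter(None, (c.strip() for c in spec.split(","))):
        m = _CLAUSE_RE.match(clause)
        if m is None:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        clauses.append((m.group(1), parse_version(m.group(2))))
    return name, clauses


def admits_vulnerable(clauses, first_vulnerable=FIRST_VULNERABLE, fixed=FIXED):
    # True if some version in [first_vulnerable, fixed) still satisfies the specifier.
    # The admitted set is narrowed to one interval; "!=" is ignored because excluding a
    # single version cannot remove a whole vulnerable range.
    lo, lo_incl = parse_version(first_vulnerable), True
    hi, hi_incl = parse_version(fixed), False
    for op, v in clauses:
        if op in (">=", ">", "=="):
            incl = op != ">"
            if v > lo or (v == lo and not incl):
                lo, lo_incl = v, incl
        if op in ("<=", "<", "=="):
            incl = op != "<"
            if v < hi or (v == hi and not incl):
                hi, hi_incl = v, incl
    return lo < hi or (lo == hi and lo_incl and hi_incl)


def audit_requirement(req):
    # Returns (name, admits_vulnerable, has_upper_bound) for one requirement string.
    name, clauses = parse_requirement(req)
    has_upper = any(op in ("<", "<=", "==") for op, _ in clauses)
    return name, admits_vulnerable(clauses), has_upper
```

Running `audit_requirement` over the line this PR adds returns `("cbor2", False, False)`, and over the reviewer's `cbor2>=5.8.0,<6.0.0` returns `("cbor2", False, True)`; a looser floor such as `cbor2>=5.0` is flagged because 5.7.x still satisfies it.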

coderabbitai bot (Contributor) left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI Agents
In @.github/pull_request_template.md:
- Around line 22-23: The PR template currently forces a mandatory screenshot by
the "## Screenshots" section and the "ADD SCREENSHOT OF LOCAL TESTS PASSING"
placeholder; update the template to make screenshots/videos optional or
conditional by changing the heading text to something like "Screenshots/Videos
(if applicable)" and replace the hard requirement text with guidance that
screenshots are optional and only required for visual/UI changes or when test
output is meaningful, or add a short note listing contribution types that do not
need screenshots (documentation, backend/config changes, refactors).
📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 295f623 and 555eef6.

📒 Files selected for processing (1)
  • .github/pull_request_template.md
🧰 Additional context used
📓 Path-based instructions (1)
.github/**

⚙️ CodeRabbit configuration file

.github/**: * When the project is hosted on GitHub: All GitHub-specific configurations, templates, and tools should be found in the '.github' directory tree.

  • 'actionlint' erroneously generates false positives when dealing with GitHub's ${{ ... }} syntax in conditionals.
  • 'actionlint' erroneously generates incorrect solutions when suggesting the removal of valid ${{ ... }} syntax.

Files:

  • .github/pull_request_template.md
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (27)
  • GitHub Check: End-to-End Tests / Test Cognify - Edge Centered Payload
  • GitHub Check: End-to-End Tests / Test dataset database deletion in Cognee
  • GitHub Check: End-to-End Tests / Test multi tenancy with different situations in Cognee
  • GitHub Check: End-to-End Tests / Test graph edge ingestion
  • GitHub Check: End-to-End Tests / Test Pipeline Caching
  • GitHub Check: End-to-End Tests / Conversation sessions test (Redis)
  • GitHub Check: End-to-End Tests / Conversation sessions test (FS)
  • GitHub Check: End-to-End Tests / Concurrent Subprocess access test
  • GitHub Check: End-to-End Tests / Test Feedback Enrichment
  • GitHub Check: End-to-End Tests / Test Entity Extraction
  • GitHub Check: End-to-End Tests / Test adding of label for data in Cognee
  • GitHub Check: End-to-End Tests / Test dataset database handlers in Cognee
  • GitHub Check: End-to-End Tests / Server Start Test
  • GitHub Check: End-to-End Tests / Test permissions with different situations in Cognee
  • GitHub Check: Basic Tests / Run Formatting Check
  • GitHub Check: End-to-End Tests / Run Telemetry Test
  • GitHub Check: End-to-End Tests / Test using different async databases in parallel in Cognee
  • GitHub Check: End-to-End Tests / S3 Bucket Test
  • GitHub Check: Basic Tests / Run Integration Tests
  • GitHub Check: End-to-End Tests / Deduplication Test
  • GitHub Check: Basic Tests / Run Unit Tests
  • GitHub Check: Basic Tests / Run Simple Examples BAML
  • GitHub Check: End-to-End Tests / Run Telemetry Pipeline Test
  • GitHub Check: Basic Tests / Run Simple Examples
  • GitHub Check: CLI Tests / CLI Functionality Tests
  • GitHub Check: CLI Tests / CLI Integration Tests
  • GitHub Check: Cursor Bugbot
🔇 Additional comments (1)
.github/pull_request_template.md (1)

1-38: Clarify the connection between the PR title and template changes.

The PR is titled "fix security issue," but the PR template modifications don't appear to address security-related concerns. Please clarify:

  • What security issue is being addressed?
  • How do the template changes relate to the security fix (and the cbor2 dependency addition)?
  • Were these template changes intentional as part of this security fix, or should they be in a separate PR?

This context would help reviewers understand the full scope of changes and verify the appropriateness of the modifications.

Comment on lines +22 to +23
## Screenshots
<!-- ADD SCREENSHOT OF LOCAL TESTS PASSING-->

⚠️ Potential issue | 🟠 Major

The screenshot requirement may be too strict for certain contribution types.

The change from "Screenshots/Videos (if applicable)" to a mandatory screenshot requirement with "ADD SCREENSHOT OF LOCAL TESTS PASSING" removes flexibility that could be needed for different types of contributions:

  • Documentation-only changes may not have automated tests to screenshot
  • Infrastructure, configuration, or backend API changes may not have executable test outputs that make sense to visualize
  • Some refactoring or dependency updates (like the cbor2 addition in this PR) may not have meaningful test screenshots

Consider either making this section conditional again or clarifying which types of changes require this specific screenshot.


@Vasilije1990 Vasilije1990 changed the title from "fix security issue" to "fix: fix security issue" on Jan 8, 2026
cursor bot commented Jan 8, 2026

You have run out of free Bugbot PR reviews for this billing cycle. This will reset on February 6.

To receive reviews on all of your PRs, visit the Cursor dashboard to activate Pro and start your 14-day free trial.

@Vasilije1990 Vasilije1990 merged commit abc6faf into dev Jan 8, 2026
10 of 12 checks passed
@Vasilije1990 Vasilije1990 deleted the fix_security_issue branch January 8, 2026 20:28