APEX/BrowserUse_and_ComputerUse_skills
5
0
Fork 0
Code Issues 6 Pull requests 1 Projects 1 Releases Packages Wiki Activity Actions

fix: remove litellm/typer/platformdirs from hermes-agent deps (supply chain compromise) (#2796)

Browse source 
litellm 1.82.7/1.82.8 contained a credential stealer (.pth auto-exec
payload). PyPI quarantined the entire package, blocking all fresh
hermes-agent installs since litellm was listed as a hard dependency.

These three deps (litellm, typer, platformdirs) are only used by the
mini-swe-agent submodule, which has its own pyproject.toml and manages
its own dependencies. They were redundantly duplicated in hermes-agent's
pyproject.toml.

Also fixes install.sh to not print 'mini-swe-agent installed' on
failure, and updates warning messages in both install scripts to clarify
that only Docker/Modal backends are affected — local terminal is
unaffected.

Ref: https://github.com/BerriAI/litellm/issues/24512
This commit is contained in:
Teknium 2026-03-24 07:03:16 -07:00 committed by GitHub
parent b641ee88f4
commit 18cbd18fa9
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 6 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

4
pyproject.toml
View file

@ -32,10 +32,6 @@ dependencies = [
# Text-to-speech (Edge TTS is free, no API key needed)
"edge-tts",
"faster-whisper>=1.0.0",
# mini-swe-agent deps (terminal tool)
"litellm>=1.75.5",
"typer",
"platformdirs",
# Skills Hub (GitHub App JWT auth — optional, only needed for bot identity)
"PyJWT[crypto]",
]