
chore(deps): bump uv to >=0.11.15 and ignore unfixable chromadb CVE#5992

Merged
greysonlalonde merged 4 commits into main from gl/chore/bump-uv-fix-audit on Jun 1, 2026

Conversation


@greysonlalonde greysonlalonde commented Jun 1, 2026

Bumps uv pin to >=0.11.15 for GHSA-4gg8-gxpx-9rph (lockfile: 0.11.7 -> 0.11.17).

Adds GHSA-f4j7-r4q5-qw2c (chromadb pre-auth RCE in the HTTP server) to the pip-audit ignore list. No patched chromadb release exists (advisory covers 1.0.0..1.5.9) and the vulnerable route is unreachable in crewai's embedded use. Upstream fix tracked at chroma-core/chroma#6717.


Note

Low Risk
Dependency pin and lockfile updates plus documented pip-audit suppressions; chromadb ignore is justified by embedded-only client usage, not running the vulnerable HTTP API.

Overview
Raises the workspace uv floor to >=0.11.15 (lock resolves to 0.11.17) to address GHSA-4gg8-gxpx-9rph, with matching comment updates in pyproject.toml.

Aligns pip-audit between CI and pre-push: the pre-commit hook now uses the same long --ignore-vuln list as .github/workflows/vulnerability-scan.yml, including new GHSA-f4j7-r4q5-qw2c (chromadb HTTP-server RCE, no fixed release). CI comments document that crewAI only uses chromadb.PersistentClient, so the advisory route is considered out of scope.

uv.lock refreshes the resolved uv package and bumps exclude-newer; the per-package starlette exclude-newer cap is removed.


Summary by CodeRabbit

  • Chores
    • Updated pre-commit security hook to ignore additional reported advisories via an expanded ignore list.
    • Tightened the minimum constraint for the uv dependency to a newer version for improved security and stability.
    • Expanded CI vulnerability-scan notes to document the ignored advisory and rationale for ignoring it.

uv 0.11.7 -> 0.11.17 patches GHSA-4gg8-gxpx-9rph. chromadb has no
patched release for GHSA-f4j7-r4q5-qw2c (server-only pre-auth RCE,
not reachable in our embedded use); ignore until upstream ships a fix.
@coderabbitai

coderabbitai Bot commented Jun 1, 2026

No actionable comments were generated in the recent review. 🎉

Walkthrough

Adds GHSA-f4j7-r4q5-qw2c to pip-audit ignore lists (pre-commit and CI) and updates tool.uv.override-dependencies to require uv>=0.11.15,<1 with a security advisory comment.

Changes

Security vulnerability mitigations

  • pip-audit vulnerability ignore (.pre-commit-config.yaml, .github/workflows/vulnerability-scan.yml): extended the pip-audit --ignore-vuln arguments to enumerate multiple PYSEC-* entries and include GHSA-f4j7-r4q5-qw2c, and updated the workflow comment block accordingly.
  • uv version security pinning (pyproject.toml): added a comment about the uv <0.11.15 security advisory and changed tool.uv.override-dependencies from uv>=0.11.6,<1 to uv>=0.11.15,<1.



@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
.pre-commit-config.yaml (1)

29-31: ⚡ Quick win

Document why each vulnerability is ignored.

Add inline comments explaining the rationale for ignoring each vulnerability, especially for security audit purposes. Based on the PR description, GHSA-f4j7-r4q5-qw2c affects chromadb's HTTP server (not reachable in embedded usage) and has no patched version available.

📝 Proposed documentation addition
  - repo: local
    hooks:
      - id: pip-audit
        name: pip-audit
+       # CVE-2026-3219: [add rationale]
+       # GHSA-f4j7-r4q5-qw2c: chromadb pre-auth RCE in HTTP server; not reachable in embedded usage; no patch available (tracked at chroma-core/chroma#6717)
        entry: bash -c 'source .venv/bin/activate && uv run pip-audit --skip-editable --ignore-vuln CVE-2026-3219 --ignore-vuln GHSA-f4j7-r4q5-qw2c' --
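Review bot: the first `+` line leaves a literal `[add rationale]` placeholder for CVE-2026-3219, so applying this proposal as-is documents one suppression and leaves the other still unexplained; fill in the reason before adding that comment, or omit the line until the reason is known. The GHSA-f4j7-r4q5-qw2c line matches the PR description (HTTP-server route, not reachable in embedded usage, no patch, chroma-core/chroma#6717) and can go in as written. Since the `entry` line ignores CVE-2026-3219 and GHSA-f4j7-r4q5-qw2c while the CI workflow carries a longer PYSEC-* list, keep the rationale comments next to whatever single source both commands read, so the documentation cannot drift from the ignore set that actually runs.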
Inline comments:
In @.pre-commit-config.yaml:
  • Line 31: The pip-audit ignore flags in the pre-commit entry (the bash command string in .pre-commit-config.yaml that runs "uv run pip-audit --skip-editable --ignore-vuln CVE-2026-3219 --ignore-vuln GHSA-f4j7-r4q5-qw2c") are out of sync with the CI workflow (vulnerability-scan.yml), which ignores a long PYSEC-* list but not CVE-2026-3219; update both to use the same ignore set, either by extracting ignores into a shared file/variable or by adding the PYSEC-* identifiers from vulnerability-scan.yml to the pre-commit pip-audit command and adding CVE-2026-3219 to the CI workflow's pip-audit step, and document the rationale for each ignored ID so local pre-push and CI behave identically.


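The overview above says the pre-push hook and CI should share one pip-audit ignore set, and the review comment suggests extracting the ignores into a shared file. As an added example (not the crewAI project's own code), the helper below reads an assumed file `.pip-audit-ignores` in which every advisory ID must carry a rationale comment, and emits the `--ignore-vuln` arguments both commands would use; the file name, the helper functions and the sample entries are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the crewAI project's own code. One shared ignore file
# (assumed name: .pip-audit-ignores) feeds both the pre-commit hook and the CI
# workflow, so the --ignore-vuln sets cannot drift apart, and every entry must
# carry a rationale comment or the build fails.
set -euo pipefail

# Emit "--ignore-vuln <ID>" for every advisory listed in the file given as $1.
# Format: one ID per line followed by "# <why it is ignored>"; blank lines and
# full-line comments are skipped. Unknown ID format or missing rationale -> return 1.
build_ignore_args() {
  local file="$1" line id rationale
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    id="${line%%[[:space:]]*}"          # first token is the advisory ID
    rationale="${line#"$id"}"           # the rest must contain a "#" comment
    case "$rationale" in
      *'#'*) ;;
      *) echo "ignore '$id' has no rationale comment" >&2; return 1 ;;
    esac
    case "$id" in
      CVE-[0-9][0-9][0-9][0-9]-[0-9]*|GHSA-????-????-????|PYSEC-[0-9][0-9][0-9][0-9]-[0-9]*) ;;
      *) echo "unrecognised advisory id: $id" >&2; return 1 ;;
    esac
    printf '%s %s\n' --ignore-vuln "$id"
  done < "$file"
}

# Constructed sample; the IDs and the chromadb rationale come from this PR.
write_sample_ignore_file() {
  cat > "$1" <<'EOF'
# pip-audit suppressions shared by .pre-commit-config.yaml and vulnerability-scan.yml
GHSA-f4j7-r4q5-qw2c  # chromadb HTTP-server pre-auth RCE; only PersistentClient is used; no fixed release (chroma-core/chroma#6717)
CVE-2026-3219        # [rationale placeholder: not stated in this PR]
EOF
}

# Stand-alone run: the hook and the workflow would both invoke pip-audit this way.
main() {
  local tmp; tmp="$(mktemp)"
  write_sample_ignore_file "$tmp"
  echo "uv run pip-audit --skip-editable $(build_ignore_args "$tmp" | xargs)"
  rm -f "$tmp"
}
main "$@"
```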

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

Inline comments:
In @.github/workflows/vulnerability-scan.yml:
  • Line 85: Update the GHSA comment for GHSA-f4j7-r4q5-qw2c / CVE-2026-45829 in the vulnerability-scan workflow to align with the official advisory: remove or reword the claim "unreachable in embedded use" unless you add a brief repo-specific justification explaining why our usage is not vulnerable, and explicitly note the advisory's vulnerable range (>=1.0.0, <=1.5.9) and the absence of a firstPatchedVersion (i.e., no fix available); ensure the comment clearly states either the factual advisory details or a short, repository-specific mitigation rationale referencing GHSA-f4j7-r4q5-qw2c and CVE-2026-45829.
@github-actions github-actions Bot added size/S and removed size/XS labels Jun 1, 2026
@greysonlalonde greysonlalonde merged commit 4dafb05 into main Jun 1, 2026
57 checks passed
@greysonlalonde greysonlalonde deleted the gl/chore/bump-uv-fix-audit branch June 1, 2026 07:10
