Skip to content

build(deps): bump pydantic-ai from 1.101.0 to 1.107.0#21

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/pip/pydantic-ai-1.107.0
Open

build(deps): bump pydantic-ai from 1.101.0 to 1.107.0#21
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/pip/pydantic-ai-1.107.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 19, 2026

Copy link
Copy Markdown
Contributor

Bumps pydantic-ai from 1.101.0 to 1.107.0.

Release notes

Sourced from pydantic-ai's releases.

v1.107.0 (2026-06-10)

What's Changed

🛡️ Security

  • Handle UploadedFile consistently with FileUrl in UI adapters by @​dsfaccini in pydantic/pydantic-ai#5772
    • Security advisory: VercelAIAdapter trusts client-controlled provider metadata to construct UploadedFile references (confused-deputy file read) GHSA-h7p7-w5gc-xj3w
    • This fix went out in v1.106.0 and v2.0.0b6.
    • You are affected only if your application passes untrusted client-submitted message history to an agent through a UI adapter (e.g. VercelAIAdapter), AND your model-provider or cloud-storage account holds files referenceable by an attacker-guessable UploadedFile id or storage URI (e.g. s3://…, gs://…).
    • You are not affected if you do not pass untrusted client-submitted message history to the agent, or you strip UploadedFile parts before running it.
    • You are not affected via AGUIAdapter / Agent.to_ag_ui on defaults — the preserve_file_data flag that re-enables this path is off by default.

🚀 Features

🐛 Bug Fixes

📦 Dependencies

New Contributors

Full Changelog: pydantic/pydantic-ai@v1.106.0...v1.107.0

v1.106.0 (2026-06-04)

What's Changed

🛡️ Security

  • Handle UploadedFile consistently with FileUrl in UI adapters by @​dsfaccini in pydantic/pydantic-ai#5772
    • Security advisory: VercelAIAdapter trusts client-controlled provider metadata to construct UploadedFile references (confused-deputy file read) GHSA-h7p7-w5gc-xj3w
    • You are affected only if your application passes untrusted client-submitted message history to an agent through a UI adapter (e.g. VercelAIAdapter), AND your model-provider or cloud-storage account holds files referenceable by an attacker-guessable UploadedFile id or storage URI (e.g. s3://…, gs://…).
    • You are not affected if you do not pass untrusted client-submitted message history to the agent, or you strip UploadedFile parts before running it.
    • You are not affected via AGUIAdapter / Agent.to_ag_ui on defaults — the preserve_file_data flag that re-enables this path is off by default.

🚀 Features

🐛 Bug Fixes

New Contributors

Full Changelog: pydantic/pydantic-ai@v1.105.0...v1.106.0

... (truncated)

Commits
  • b1d7af9 Add Claude Fable 5 (claude-fable-5) and Claude Mythos 5 (claude-mythos-5)...
  • c5b2666 Fix flaky test_tool_cancelled_when_agent_cancelled under CI load (#5852)
  • b6798f7 feat(openrouter): add CachePoint and prompt caching support (#4604)
  • 619639a chore(deps): bump the python-packages group across 1 directory with 18 update...
  • 64b9204 Fix AnthropicModel.count_tokens with native tools (#5704)
  • 26808a1 fix(anthropic): guard message=None Bedrock start events in stream path (#5818)
  • 950aed9 Add known_model_names() to enumerate KnownModelName members (#5803)
  • 837b03e Document testing philosophy and Case parametrization pattern in `tests/AGEN...
  • 1b42945 fix(messages): from_data_uri crashes on a valid non-base64 data URI (#5779)
  • 78bfaae Add api_host and timeout to XaiProvider (#5742)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [pydantic-ai](https://github.com/pydantic/pydantic-ai) from 1.101.0 to 1.107.0.
- [Release notes](https://github.com/pydantic/pydantic-ai/releases)
- [Changelog](https://github.com/pydantic/pydantic-ai/blob/main/docs/changelog.md)
- [Commits](pydantic/pydantic-ai@v1.101.0...v1.107.0)

---
updated-dependencies:
- dependency-name: pydantic-ai
  dependency-version: 1.107.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels Jun 19, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file python Pull requests that update python code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants