chore(deps): migrate pipecat integration to pipecat-ai 1.x (clears 4 high-severity alerts)#2380

Open
dcbouius wants to merge 1 commit into
mainfrom
chore/pipecat-1x-security

Conversation

@dcbouius

Contributor

What

Migrates the pipecat integration from pipecat-ai>=0.0.100,<1.0 to >=1.4.0,<2.0, clearing four high-severity Dependabot alerts that have no fix available within the 0.0.x line:

| Alert | Advisory |
| --- | --- |
| #1006, #1005 | Telephony WebSocket /ws unauthenticated call-control abuse |
| #560, #559 | Path traversal in Pipecat runner /files endpoint (arbitrary file read) |

The fix versions (1.2.0 / 1.4.0) are only on the 1.x line, which the integration previously capped out (<1.0, "1.0+ restructured modules; needs migration"). This PR does that migration.

Why it's a small change

pipecat 1.x replaced the per-provider OpenAILLMContext with the universal LLMContext and removed the pipecat.processors.aggregators.openai_llm_context module. The processor already imported the modern LLMContextFrame, and LLMContext.messages is still a live list of OpenAI-format dicts — so the recall/retain/inject logic is unchanged. The migration is mostly swapping the removed legacy imports.

Changes

  • memory.py — drop the now-impossible legacy OpenAILLMContextFrame import branch; match on LLMContextFrame directly. Runtime injection logic untouched.
  • tests — build frames from LLMContextFrame; add TestRealLLMContext that exercises a real pipecat LLMContext + LLMContextFrame (not mocks) to pin the live-list-mutation contract the integration relies on — the migration's highest-risk assumption.
  • examples — migrate basic_pipeline.py to LLMContext + LLMContextAggregatorPair + LLMRunFrame kickoff (create_context_aggregator / get_context_frame were removed in 1.x); update interactive_chat.py mock frame.
  • pyproject — pipecat 1.x requires Python >=3.11, so bump requires-python and drop the 3.10 classifier (CI's .python-version is already 3.11).
  • README / docstrings: OpenAILLMContextFrame → LLMContextFrame.

Testing

19 passed, 1 skipped (live)

uv run ruff check / format clean; uv lock --check consistent; wheel builds.
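The live-list contract that the PR's TestRealLLMContext pins, shown as an added example that is not code from this PR or from pipecat: the LLMContext and LLMContextFrame classes below are hypothetical stand-ins (the real pipecat classes are not imported), and CopyingContext is a constructed counter-example whose messages property returns a copy, which is exactly the failure mode the contract test is meant to catch.

```python
from dataclasses import dataclass, field

# Stand-ins (hypothetical, for this example only) modelling the two pipecat 1.x
# objects the migration relies on. The contract under test: context.messages
# must be the same list object on every access, so in-place edits persist.
@dataclass
class LLMContext:
    messages: list = field(default_factory=list)

@dataclass(frozen=True)
class LLMContextFrame:
    context: object

@dataclass
class CopyingContext:
    """Constructed contract violation: hands out a fresh copy on every access."""
    _messages: list = field(default_factory=list)

    @property
    def messages(self) -> list:
        return list(self._messages)


def inject_memories(frame, memories: list) -> int:
    """Injection step as the PR describes it: match on LLMContextFrame and
    mutate context.messages in place, placing one system message with the
    recalled memories before the latest user turn. Returns messages inserted."""
    if not isinstance(frame, LLMContextFrame) or not memories:
        return 0
    msgs = frame.context.messages
    idx = next((i for i in range(len(msgs) - 1, -1, -1) if msgs[i]["role"] == "user"), len(msgs))
    msgs.insert(idx, {"role": "system", "content": "Relevant memories:\n" + "\n".join(memories)})
    return 1


def live_list_contract_holds(context) -> bool:
    """An insert made through the frame must be visible on the original
    context object afterwards; otherwise recalled memories are silently lost."""
    before = len(context.messages)
    inject_memories(LLMContextFrame(context), ["user prefers metric units"])
    return len(context.messages) == before + 1


def demo() -> dict:
    ctx = LLMContext(messages=[
        {"role": "system", "content": "You are a helpful assistant."},
        {"role": "user", "content": "What is 70F in Celsius?"},  # constructed sample turn
    ])
    return {
        "live_ok": live_list_contract_holds(ctx),
        "copy_ok": live_list_contract_holds(CopyingContext([{"role": "user", "content": "hi"}])),
        "roles": [m["role"] for m in ctx.messages],
    }
```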

Bumps pipecat-ai from 0.0.x to >=1.4.0,<2.0, clearing four high-severity
Dependabot advisories for the file-read CVEs in the older 0.0.x/1.0.x line
(telephony /ws + runner /files path traversal; alerts #1006, #1005, #560, #559).

pipecat 1.x replaced the per-provider OpenAILLMContext with the universal
LLMContext and removed the pipecat.processors.aggregators.openai_llm_context
module. The integration already imported the modern LLMContextFrame, so the
runtime change is small:

- memory.py: drop the now-impossible legacy OpenAILLMContextFrame import branch
  and match on LLMContextFrame directly. LLMContext.messages is still a live
  list of OpenAI-format dicts, so the in-place injection logic is unchanged.
- tests: build frames from LLMContextFrame; add TestRealLLMContext that exercises
  a real pipecat LLMContext + LLMContextFrame to pin the live-list mutation
  contract the integration depends on.
- examples: migrate to LLMContext + LLMContextAggregatorPair and the LLMRunFrame
  kickoff (create_context_aggregator / get_context_frame were removed in 1.x).
- pyproject: pipecat 1.x requires Python >=3.11, so bump requires-python and
  drop the 3.10 classifier (CI already runs 3.11).

Tests: 19 passed, 1 skipped (live).