PR #5521: test: guard uv pin against GHSA-pjjw-68hj-v9mw regression (#5520)

• Repository: crewAIInc/crewAI
• Author: devin-ai-integration[bot]
• State: closed | merged: False
• Link: https://github.com/crewAIInc/crewAI/pull/5521

Description (problem / solution / changelog)

Summary

Issue #5520 reported that crewai==1.13.0 pulled in uv==0.9.30, which is affected by GHSA-pjjw-68hj-v9mw (wheel RECORD path traversal on uninstall, fixed in uv 0.11.6). The dependency bump itself already landed on main:

• lib/crewai/pyproject.toml now pins uv~=0.11.6 (commit 62484934c).
• The workspace pyproject.toml declares uv>=0.11.6,<1 in [tool.uv].override-dependencies as a belt-and-suspenders guard for resolution across the workspace.

This PR adds a regression test so the fix cannot silently regress. The test parses both pyproject.toml files and asserts that:

1. The crewai package's uv requirement admits 0.11.6 and excludes every probed vulnerable version below it (0.9.13, 0.9.30, 0.10.0, 0.11.0, 0.11.5, etc.).
2. The workspace-level uv override, when present, likewise excludes pre-fix versions. If a future refactor removes the override entirely, the test skips with an explicit message so maintainers fall back on the package-level pin validated above.

I verified the test by:

• Running it on main: both cases pass.
• Temporarily reverting lib/crewai/pyproject.toml to the vulnerable uv~=0.9.13 pin: the test fails with a message naming GHSA-pjjw-68hj-v9mw, confirming it would have caught the original regression.

No production code changed.

Review & Testing Checklist for Human

• Confirm the regression test's location under lib/crewai/tests/ matches where you'd like this kind of packaging/security assertion to live (vs. e.g. a workspace-level test suite).
• Check that the workspace-lookup fallback (skipping when no [tool.uv].workspace is found) is acceptable for how you expect the crewai sdist/wheel to be tested downstream after being detached from the monorepo.
• Re-run the full lib/crewai/tests suite locally (uv run pytest lib/crewai/tests -vv) to confirm no incidental interaction with existing tests — I only ran the new file because the local box isn't provisioned for the full suite.

Notes

• I intentionally did not touch uv.lock; the bump is already reflected there from commit 62484934c.
• The advisory link and issue number are embedded in the test docstrings so future maintainers hitting a failure immediately see the context.

Link to Devin session: https://app.devin.ai/sessions/8de8b13f8785486db7c63cc13eac9b58

<!-- CURSOR_SUMMARY -->

---

[!NOTE] Low Risk Low risk: adds only pytest coverage that parses pyproject.toml files to assert dependency bounds, without changing runtime code or packaging behavior.

Overview Adds lib/crewai/tests/test_dependency_constraints.py to guard against regression of the security-motivated uv pin for GHSA-pjjw-68hj-v9mw.

The new tests parse lib/crewai/pyproject.toml (and, when present, the workspace pyproject.toml [tool.uv].override-dependencies) to assert uv allows 0.11.6 and rejects representative versions below it, skipping the workspace check when running outside the monorepo or when the override is absent.

^{Reviewed by Cursor Bugbot for commit c91dc8598c076ecce3c799ce39a3d7acf57a81e9. Bugbot is set up for automated code reviews on this repo. Configure here.}

<!-- /CURSOR_SUMMARY -->

Changed files

• lib/crewai/tests/test_dependency_constraints.py (added, +147/-0)