Issue Station
Sign In
Tools hereToolbox

hermes - 💡(How to fix) Fix fix(stt,tts): lift mistralai blanket-ban — 2.4.8+ is clean

Official PRs (…)
ON THIS PAGE

Recommended Tools

×6

Utilities matched from this issue’s tags and category — try them while you read without losing context.

GitHub issue graph ai analysis

Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.

The report is written in English Markdown for sharing and archival.

Helpful · Quick feedback

Loading…

Error Message

"error": "Mistral Voxtral TTS is disabled — " Test STT réel : fichier audio de 47 s (voicemail Freebox en français) → Mistral Voxtral transcrit avec succès, qualité correcte, aucune exception.

Fix Action

Fix / Workaround

Patch STT

Patch TTS

Autres points de contact (non patchés, à débloquer séparément)

Code Example

if provider == "mistral":
    logger.warning(
        "STT provider 'mistral' configured but `mistralai` is "
        "quarantined on PyPI — refusing"
    )
    return "none"

---

if provider == "mistral":
    # `mistralai` PyPI package was quarantined on 2026-05-12 after a
    # malicious 2.4.6 release. Version 2.4.8 (and later) is clean.
    # Check for actual credentials instead of blanket-banning.
    if get_env_value("MISTRAL_API_KEY"):
        return "mistral"
    logger.warning(
        "STT provider 'mistral' configured but MISTRAL_API_KEY not set"
    )
    return "none"

---

elif provider == "mistral":
    return json.dumps({
        "success": False,
        "error": "Mistral Voxtral TTS is disabled — "
                 "`mistralai` package quarantined on PyPI after "
                 "shai-hulud-2026-05 worm"
    })

---

elif provider == "mistral":
    # `mistralai` PyPI package was quarantined on 2026-05-12 after a
    # malicious 2.4.6 release. Version 2.4.8+ is clean.
    logger.info("Generating speech with Mistral Voxtral TTS...")
    _generate_mistral_tts(text, file_str, tts_config)

---

$ uv pip show mistralai
Name: mistralai
Version: 2.4.8

$ python -c "import mistralai; print('OK')"
OK
RAW_BUFFERClick to expand / collapse

Problème

Le package mistralai a été mis en quarantaine sur PyPI le 2026-05-12 après la campagne Mini Shai-Hulud ciblant la version 2.4.6.

Le blocage est implémenté en dur dans le runtime, sans échappatoire pour les utilisateurs qui ont vérifié manuellement que leur version installée (2.4.8+) est saine.

Manifestation

Un utilisateur avec provider: mistral dans sa config STT ou TTS obtient un refus silencieux :

  • STT (tools/transcription_tools.py:794-803) : retourne "none" quelle que soit la version
  • TTS (tools/tts_tool.py:1976-1980) : retourne une erreur JSON, ne passe jamais à _generate_mistral_tts

Patch STT

Fichier : tools/transcription_tools.py (l.794-803)

Avant :

if provider == "mistral":
    logger.warning(
        "STT provider 'mistral' configured but `mistralai` is "
        "quarantined on PyPI — refusing"
    )
    return "none"

Après :

if provider == "mistral":
    # `mistralai` PyPI package was quarantined on 2026-05-12 after a
    # malicious 2.4.6 release. Version 2.4.8 (and later) is clean.
    # Check for actual credentials instead of blanket-banning.
    if get_env_value("MISTRAL_API_KEY"):
        return "mistral"
    logger.warning(
        "STT provider 'mistral' configured but MISTRAL_API_KEY not set"
    )
    return "none"

Patch TTS

Fichier : tools/tts_tool.py (l.1976-1980)

Avant :

elif provider == "mistral":
    return json.dumps({
        "success": False,
        "error": "Mistral Voxtral TTS is disabled — "
                 "`mistralai` package quarantined on PyPI after "
                 "shai-hulud-2026-05 worm"
    })

Après :

elif provider == "mistral":
    # `mistralai` PyPI package was quarantined on 2026-05-12 after a
    # malicious 2.4.6 release. Version 2.4.8+ is clean.
    logger.info("Generating speech with Mistral Voxtral TTS...")
    _generate_mistral_tts(text, file_str, tts_config)

Autres points de contact (non patchés, à débloquer séparément)

FichierÉtat
tools/lazy_deps.py:100-104Entrées tts.mistral / stt.mistral absentes
pyproject.toml:120-135Extra mistral supprimé + checklist de restoration détaillée
hermes_cli/web_server.py:320Mistral caché du sélecteur STT du dashboard
hermes_cli/tools_config.py:247Voxtral TTS caché du provider picker
hermes_cli/security_advisories.pyAdvisory shai-hulud-2026-05 — à archiver

Logs de validation

$ uv pip show mistralai
Name: mistralai
Version: 2.4.8

$ python -c "import mistralai; print('OK')"
OK

Test STT réel : fichier audio de 47 s (voicemail Freebox en français) → Mistral Voxtral transcrit avec succès, qualité correcte, aucune exception.

Notes

  • La version compromise mistralai 2.4.6 n'est plus installable via pip — PyPI la bloque au niveau registry
  • La version courante 2.4.8 a été auditée (changelog, aucune activité suspecte)
  • L'utilisateur doit configurer MISTRAL_API_KEY explicitement

Vote matrix · Quick signals

Works
Did the solution work? Tap to confirm.
Easy Fix
Was it a quick fix?
Time Saver
Did it save you time?
Blocking
Was it severely blocking?
Common Issue
Are others likely hitting this too?
Flaky / Intermittent
Is it intermittent?
Verified / Reproducible
Can you reproduce it reliably?
Loading…

Still need to ship something?

×6

Another batch ranked right after the header list — different links, same matching logic.

Back to top recommendations

TRENDING

hermes - 💡(How to fix) Fix fix(stt,tts): lift mistralai blanket-ban — 2.4.8+ is clean