fix: pin marvin<3.1.0 to fix contact-extractor crash#211
Open
Marvin 3.0.x/3.1.x are incompatible with pydantic-ai>=1.56.0 (required for CVE-2026-25580). The Agent class lost the `_deprecated_result_tool_name` attribute in pydantic-ai 1.56+, causing AttributeError in marvin's streaming.py when using `run_async()` with union result_type. Upgrade to marvin>=3.2.0 which is compatible with modern pydantic-ai.

Assisted-By: Claude (Anthropic AI) <noreply@anthropic.com>
Signed-off-by: Paolo Dettori <dettori@us.ibm.com>
28a610e to ad8d3af
Pin indirect dependencies to fix code scanning alerts:
- fastmcp>=3.2.0: CVE-2026-32871 (critical SSRF), CVE-2026-27124 (high)
- anthropic>=0.87.0: CVE-2026-34452, CVE-2026-34450
- aiohttp>=3.13.4: CVE-2026-34525, CVE-2026-34516, CVE-2026-34515, CVE-2026-22815, and 6 low-severity CVEs

Assisted-By: Claude (Anthropic AI) <noreply@anthropic.com>
Signed-off-by: Paolo Dettori <dettori@us.ibm.com>
Marvin upgrades can break the contact-extractor agent due to pydantic-ai compatibility issues. Require manual testing before accepting major version bumps.

Assisted-By: Claude (Anthropic AI) <noreply@anthropic.com>
Signed-off-by: Paolo Dettori <dettori@us.ibm.com>
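The check a reviewer does by hand on a PR like this (every package pinned as a direct constraint must resolve at or above the advisory minimum) can be scripted. The block below is an added example, not code from the PR or its repository: the minimum versions and CVE ids are taken from the commit messages above, while the `pip freeze`-style listing, the function names and the "compatibility pin" label for marvin are constructed for the example. It goes slightly beyond the PR in that a pinned package missing from the listing is reported as well, since an absent package cannot be shown to be at a fixed version.

```python
"""Check a dependency listing against CVE-driven minimum-version pins.

Added example (not code from the PR or its repository). Pins and CVE ids come
from the PR's commit messages; the freeze listing below is constructed.
"""
from __future__ import annotations

import re

# Minimum versions the PR pins as direct constraints, keyed by package name.
# marvin is a compatibility pin (pydantic-ai>=1.56.0), not a CVE fix.
MINIMUM_PINS: dict[str, tuple[str, list[str]]] = {
    "marvin": ("3.2.0", []),
    "fastmcp": ("3.2.0", ["CVE-2026-32871", "CVE-2026-27124"]),
    "anthropic": ("0.87.0", ["CVE-2026-34452", "CVE-2026-34450"]),
    "aiohttp": ("3.13.4", ["CVE-2026-34525", "CVE-2026-34516",
                           "CVE-2026-34515", "CVE-2026-22815"]),
}

# Constructed sample listing in `pip freeze` form. marvin and aiohttp are
# deliberately below their pins so the check has something to report.
SAMPLE_FREEZE = """\
aiohttp==3.13.2
anthropic==0.87.0
fastmcp==3.2.0
marvin==3.1.1
pydantic-ai==1.56.0
"""

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '3.13.4' (or '3.13.4rc1', ignoring the suffix) into (3, 13, 4).

    Trailing zero components are dropped so that '3.2' and '3.2.0' compare
    equal instead of (3, 2) sorting below (3, 2, 0).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_freeze(listing: str) -> dict[str, str]:
    """Parse 'name==version' lines; names normalised to lowercase with '-'."""
    installed: dict[str, str] = {}
    for line in listing.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue
        name, version = line.split("==", 1)
        installed[name.strip().lower().replace("_", "-")] = version.strip()
    return installed


def find_unmet_pins(listing: str, pins=MINIMUM_PINS) -> dict[str, str]:
    """Return {package: reason} for every pin the listing does not satisfy."""
    installed = parse_freeze(listing)
    unmet: dict[str, str] = {}
    for name, (minimum, cves) in pins.items():
        tag = ", ".join(cves) if cves else "compatibility pin"
        current = installed.get(name)
        if current is None:
            unmet[name] = f"not present in listing (needs >={minimum}; {tag})"
        elif parse_version(current) < parse_version(minimum):
            unmet[name] = f"{current} < {minimum} ({tag})"
    return unmet


if __name__ == "__main__":
    # Run against the constructed listing: expect aiohttp and marvin flagged.
    for pkg, reason in sorted(find_unmet_pins(SAMPLE_FREEZE).items()):
        print(f"{pkg}: {reason}")
```

Feeding it the output of `pip freeze` (or a uv.lock rendered to `name==version` lines) from the agent's environment turns the reviewer's manual comparison into a CI step that fails when a later resolution drifts below one of the pinned minimums.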
cwiklik (Collaborator) requested changes, Apr 2, 2026
Review Summary
The code changes are solid — upgrading marvin to >=3.2.0 for pydantic-ai compatibility, pinning CVE-affected indirect deps (fastmcp>=3.2.0, anthropic>=0.87.0, aiohttp>=3.13.4), and configuring dependabot to avoid risky auto-upgrades. All 3 commits signed-off with proper Assisted-By trailer. All 11 CI checks passing.
Areas reviewed: Python (deps), YAML (dependabot), Security (CVEs), Commit conventions
Commits: 3 commits, all signed-off: ✅
CI status: all 11 checks passing ✅
Must-fix
PR title and description are stale and contradict the actual changes:
- Title says `fix: pin marvin<3.1.0 to fix contact-extractor crash` — but the actual constraint is `marvin>=3.2.0`
- Body says `marvin 3.1.1 → 3.0.6` — but the lockfile shows `marvin 3.1.1 → 3.2.7`
- Body says `Pin marvin>=3.0.0,<3.1.0` — but pyproject.toml shows `marvin>=3.2.0`
The PR title becomes permanent git history (squash/merge commit). Please update to match the actual change, e.g.:
- Title: `fix: upgrade marvin>=3.2.0 to fix contact-extractor crash`
- Body: Update the summary bullets and uv.lock line to reflect the upgrade
Highlights
- Good approach pinning CVE-affected indirect deps as direct constraints with clear comments
- Smart dependabot ignore for marvin major bumps given the pydantic-ai compatibility sensitivity
- Clean commit structure — each commit addresses a distinct concern (marvin fix, CVE bumps, dependabot config)
Summary
- Pin `marvin>=3.0.0,<3.1.0` in `a2a/a2a_contact_extractor/pyproject.toml`
Root Cause
- pydantic-ai>=1.56.0 removed `_deprecated_result_tool_name` from Agent, breaking `run_async()` with union `result_type`
- Observed in the Kind cluster (team1 namespace) when sending any task to the contact-extractor agent.
Test plan

Assisted-By: Claude (Anthropic AI) noreply@anthropic.com