From 18cbd18fa98fe53fe7866ae823b2998c1ef2bd98 Mon Sep 17 00:00:00 2001
From: Teknium <127238744+teknium1@users.noreply.github.com>
Date: Tue, 24 Mar 2026 07:03:16 -0700
Subject: [PATCH] fix: remove litellm/typer/platformdirs from hermes-agent deps (supply chain compromise) (#2796)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
litellm 1.82.7/1.82.8 contained a credential stealer (.pth auto-exec payload). PyPI quarantined the entire package, blocking all fresh hermes-agent installs since litellm was listed as a hard dependency. These three deps (litellm, typer, platformdirs) are only used by the mini-swe-agent submodule, which has its own pyproject.toml and manages its own dependencies. They were redundantly duplicated in hermes-agent's pyproject.toml. Also fixes install.sh to not print 'mini-swe-agent installed' on failure, and updates warning messages in both install scripts to clarify that only Docker/Modal backends are affected — local terminal is unaffected. Ref: https://github.com/BerriAI/litellm/issues/24512
---
 pyproject.toml | 4 ----
 scripts/install.sh | 7 +++++--
 setup-hermes.sh | 2 +-
 3 files changed, 6 insertions(+), 7 deletions(-)
diff --git a/pyproject.toml b/pyproject.toml
index cb5141829..5059b9ef6 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -32,10 +32,6 @@ dependencies = [
 # Text-to-speech (Edge TTS is free, no API key needed)
 "edge-tts",
 "faster-whisper>=1.0.0",
- # mini-swe-agent deps (terminal tool)
- "litellm>=1.75.5",
- "typer",
- "platformdirs",
 # Skills Hub (GitHub App JWT auth — optional, only needed for bot identity)
 "PyJWT[crypto]",
 ]
diff --git a/scripts/install.sh b/scripts/install.sh
index b6dc34d9c..9671b99d5 100755
--- a/scripts/install.sh
+++ b/scripts/install.sh
@@ -721,8 +721,11 @@ install_deps() {
 # Install submodules
 log_info "Installing mini-swe-agent (terminal tool backend)..."
 if [ -d "mini-swe-agent" ] && [ -f "mini-swe-agent/pyproject.toml" ]; then
- $UV_CMD pip install -e "./mini-swe-agent" || log_warn "mini-swe-agent install failed (terminal tools may not work)"
- log_success "mini-swe-agent installed"
+ if $UV_CMD pip install -e "./mini-swe-agent"; then
+ log_success "mini-swe-agent installed"
+ else
+ log_warn "mini-swe-agent install failed (Docker/Modal terminal backends may not work, local terminal is unaffected)"
+ fi
 else
 log_warn "mini-swe-agent not found (run: git submodule update --init)"
 fi
diff --git a/setup-hermes.sh b/setup-hermes.sh
index 9b548d226..5db5e6bbc 100755
--- a/setup-hermes.sh
+++ b/setup-hermes.sh
@@ -130,7 +130,7 @@ echo -e "${CYAN}→${NC} Installing submodules..."
 if [ -d "mini-swe-agent" ] && [ -f "mini-swe-agent/pyproject.toml" ]; then
 $UV_CMD pip install -e "./mini-swe-agent" && \
 echo -e "${GREEN}✓${NC} mini-swe-agent installed" || \
- echo -e "${YELLOW}⚠${NC} mini-swe-agent install failed (terminal tools may not work)"
+ echo -e "${YELLOW}⚠${NC} mini-swe-agent install failed (Docker/Modal terminal backends may not work, local terminal is unaffected)"
 else
 echo -e "${YELLOW}⚠${NC} mini-swe-agent not found (run: git submodule update --init --recursive)"
 fi
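Review bot: In the scripts/install.sh hunk, `$UV_CMD pip install -e "./mini-swe-agent"` still resolves the submodule's own dependencies, which per the commit description include litellm, and nothing visible here keeps the resolver away from the 1.82.7/1.82.8 releases that description names. Removing the duplicate entries from pyproject.toml unblocks fresh installs, but it does not by itself protect a host once the package is being served again. Consider passing a constraints file on this call, for example `$UV_CMD pip install -e "./mini-swe-agent" -c <constraints-file>` with the line `litellm!=1.82.7,!=1.82.8` (the file name is a placeholder; this assumes `$UV_CMD` is uv or pip, both of which accept `-c`). The matching call in setup-hermes.sh would need the same treatment. install_deps begins and ends outside the hunk.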
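Review bot: The setup-hermes.sh hunk keeps the `cmd && echo … || echo …` chain that this same commit replaced with `if`/`else` in scripts/install.sh, so the two installers now report the same outcome through different control flow. In the chain, the failure message is also printed whenever the success `echo` itself returns non-zero (for instance when stdout is closed), which the `if` form avoids. The rewrite below keeps the new message text unchanged. The surrounding script continues outside the hunk.

```shell
if [ -d "mini-swe-agent" ] && [ -f "mini-swe-agent/pyproject.toml" ]; then
    if $UV_CMD pip install -e "./mini-swe-agent"; then
        echo -e "${GREEN}✓${NC} mini-swe-agent installed"
    else
        echo -e "${YELLOW}⚠${NC} mini-swe-agent install failed (Docker/Modal terminal backends may not work, local terminal is unaffected)"
    fi
# … unchanged: else branch reporting the missing submodule …
```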