fix: remove litellm/typer/platformdirs from hermes-agent deps (supply chain compromise) (#2796)

litellm 1.82.7/1.82.8 contained a credential stealer (.pth auto-exec
payload). PyPI quarantined the entire package, blocking all fresh
hermes-agent installs since litellm was listed as a hard dependency.

These three deps (litellm, typer, platformdirs) are only used by the
mini-swe-agent submodule, which has its own pyproject.toml and manages
its own dependencies. They were redundantly duplicated in hermes-agent's
pyproject.toml.

Also fixes install.sh to not print 'mini-swe-agent installed' on
failure, and updates warning messages in both install scripts to clarify
that only Docker/Modal backends are affected — local terminal is
unaffected.

Ref: https://github.com/BerriAI/litellm/issues/24512
This commit is contained in:
Teknium
2026-03-24 07:03:16 -07:00
committed by GitHub
parent b641ee88f4
commit 18cbd18fa9
3 changed files with 6 additions and 7 deletions


@@ -721,8 +721,11 @@ install_deps() {
# Install submodules
log_info "Installing mini-swe-agent (terminal tool backend)..."
if [ -d "mini-swe-agent" ] && [ -f "mini-swe-agent/pyproject.toml" ]; then
$UV_CMD pip install -e "./mini-swe-agent" || log_warn "mini-swe-agent install failed (terminal tools may not work)"
log_success "mini-swe-agent installed"
if $UV_CMD pip install -e "./mini-swe-agent"; then
log_success "mini-swe-agent installed"
else
log_warn "mini-swe-agent install failed (Docker/Modal terminal backends may not work, local terminal is unaffected)"
fi
else
log_warn "mini-swe-agent not found (run: git submodule update --init)"
fi
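Review bot: The `$UV_CMD pip install -e "./mini-swe-agent"` call in the new `if` still resolves the submodule's own dependencies at install time, and per the commit message that set includes litellm, so removing it from hermes-agent's pyproject.toml does not stop this step from pulling it in. Nothing in this hunk keeps the resolver away from 1.82.7/1.82.8 once the package is available again. Consider passing a constraints file here (for example `-c constraints.txt` containing `litellm!=1.82.7,!=1.82.8`), or pinning the exclusion in mini-swe-agent's pyproject.toml. Separately, the `else` branch only warns and the function continues, so an unattended install can end with the Docker/Modal backends silently missing. If that is intended, a short comment saying the failure is deliberately non-fatal would help the next reader.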