build(deps): bump crawl4ai from 0.8.0 to 0.8.9 in /python #68

Closed

dependabot[bot] wants to merge 1 commit into main from dependabot/uv/python/crawl4ai-0.8.9

Conversation

dependabot[bot] (Contributor) commented on behalf of github on Jun 18, 2026

Bumps crawl4ai from 0.8.0 to 0.8.9.

Release notes

Sourced from crawl4ai's releases.

Release v0.8.9

🎉 Crawl4AI v0.8.9 Released!

📦 Installation

PyPI:

pip install crawl4ai==0.8.9

Docker:

docker pull unclecode/crawl4ai:0.8.9
docker pull unclecode/crawl4ai:latest

Note: Docker images are being built and will be available shortly. Check the Docker Release workflow for build status.

📝 What's Changed

See CHANGELOG.md for details.

Release v0.8.8

🎉 Crawl4AI v0.8.8 Released!

📦 Installation

PyPI:

pip install crawl4ai==0.8.8

Docker:

docker pull unclecode/crawl4ai:0.8.8
docker pull unclecode/crawl4ai:latest

Note: Docker images are being built and will be available shortly. Check the Docker Release workflow for build status.

📝 What's Changed

See CHANGELOG.md for details.

Release v0.8.7

🎉 Crawl4AI v0.8.7 Released!

📦 Installation

PyPI:

... (truncated)

Changelog

Sourced from crawl4ai's changelog.

[0.8.9] - 2026-06-04

0.8.9 is a follow-up, backward-compatible security patch for the self-hosted Docker API server, closing an SSRF path that 0.8.8 did not cover. Upgrade in place; no configuration changes required.

Security

A security advisory accompanies this release.

  • SSRF via proxy settings (CWE-918): the SSRF destination check was applied only to the crawl target URL, not to the proxy address. An unauthenticated /crawl, /crawl/stream, or /crawl/job request could set browser_config.proxy_config.server (or the deprecated browser_config.proxy, or crawler_config.proxy_config, or a --proxy-server / --host-resolver-rules flag in extra_args) to an internal address and route the browser through it, reaching internal services and cloud-metadata endpoints. All proxy destinations are now validated with the same global-routability check before the browser is built, and proxy/DNS-redirecting flags are stripped from extra_args. A legitimate public proxy still works. Credit: Geo (geo-chen).

Backward compatible. Note: raw --proxy-server / --host-resolver-rules / --proxy-bypass-list / --proxy-pac-url flags passed via extra_args are now ignored; configure proxies through proxy_config (which is validated).

[0.8.8] - 2026-06-04

0.8.8 is a focused, backward-compatible security patch for the self-hosted Docker API server. Upgrade in place; no configuration changes are required. If you run the Docker server, upgrade. If it is exposed to a network, also set CRAWL4AI_API_TOKEN.

Security

Security advisories accompany this release.

  • SSRF filter gaps closed (CWE-918): the Docker server's SSRF protection now rejects any resolved address that is not globally routable, evaluated on IPv6 transition forms too (NAT64 64:ff9b::/96, 6to4 2002::/16, IPv4-mapped, and the unspecified ::), which previously bypassed the explicit blocklist and could reach internal services and cloud-metadata endpoints. SSRF errors no longer echo the resolved address. Credit: internal security audit.
  • Arbitrary file write via output_path hardened (CWE-59/22): /screenshot and /pdf now resolve symlinks and re-check containment before writing, and write with O_NOFOLLOW, closing a symlink/TOCTOU bypass of the directory restriction. output_path behavior is unchanged for normal use. Credit: internal security audit.
  • LLM credential exfiltration closed (CWE-522/200): the LLM endpoints (/md, /llm, /llm/job) ignore a request-supplied base_url, so the configured provider key can no longer be redirected to an attacker endpoint. LLMConfig additionally refuses to resolve protected environment variables via the env: token form. The base_url field is still accepted but no longer honored. Credit: Geo (geo-chen); the env: hardening from internal security audit.
  • CRLF-safe logging (CWE-117) and webhook request-header validation (CWE-93): log records are stripped of CR/LF/control characters, and user-supplied webhook headers are validated (name pattern, no control characters, hop-by-hop/sensitive headers denied).

All changes are backward compatible.

Coming next: secure-by-default Docker server (~1-2 weeks)

The next release is a larger, secure-by-default update for the self-hosted Docker API server, with intentional breaking changes. We are giving advance notice so you can prepare. If you run the Docker server, start planning now and test in staging before upgrading:

  • Authentication will be on by default. The server binds loopback unless a credential (CRAWL4AI_API_TOKEN) is configured.
  • Request bodies are validated more strictly and safer defaults apply (TLS verification on, stricter outbound egress controls, declarative hook actions instead of inline code).
  • A few request options move server-side: /screenshot and /pdf return an artifact id instead of a file path, and the LLM endpoint is selected by provider name.
  • Hardened container defaults (least-privilege compose, Redis authentication, loopback bind).

A full migration guide will accompany the pre-announcement on Discord and X.

[0.8.7] - 2026-06-01

0.8.7 is a security-hardening release. It bundles every responsibly-disclosed vulnerability patched since 0.8.6, plus the new DomainMapper feature and a batch of scraping, deep-crawl, and LLM fixes.

Security

This release fixes multiple critical vulnerabilities in the Docker API server. If you self-host the Docker API, upgrade immediately. Two GitHub Security Advisories accompany this release.

  • CRITICAL: AST Sandbox Escape leading to Pre-Auth RCE (CVSS 9.8, CWE-94/913): a gi_frame.f_back frame-chain escape in the computed-field eval() path. Removed eval() from computed fields entirely and deleted _safe_eval_expression. Credit: Song Binglin (q1uf3ng).
  • CRITICAL: Hook Sandbox Escape RCE (CVSS 9.8, CWE-94): injected module objects (asyncio, json, re) carried a full __builtins__, bypassing the __import__ block. Stripped injected builtins and removed dangerous allowlist entries. Credit: by111 (August829).
  • CRITICAL: Hardcoded JWT Secret (CVSS 9.8, CWE-798): the default signing key "mysecret" allowed token forgery. Removed the default, reject weak/short secrets, and auto-generate an ephemeral key when JWT is enabled with no key set. Credit: by111 (August829).
  • HIGH: Arbitrary File Write via output_path (CVSS 9.1, CWE-22): /screenshot and /pdf wrote to any path. Restricted writes to CRAWL4AI_OUTPUT_DIR and reject .. traversal. Credit: Jeongbean Jeon, wulonchia.

... (truncated)

Commits
  • cdf2ead security: patch proxy SSRF in Docker server (0.8.9)
  • 930dc0a security(credits): credit Geo (geo-chen) for 0.8.8 base_url exfil; update sec...
  • 5d3d0fe docs: 0.8.8 release notes, changelog, README; pre-announce next secure-by-def...
  • aa81e8f security: non-breaking hardening patch (0.8.8)
  • 72fd78e chore: gitignore out/ local pipeline output
  • 7259d73 security(credits): credit IcySun & Yashon (co-reporter) per their request
  • 7b280d3 chore: gitignore .security/ - advisory payloads stay private, published via G...
  • 4bf6071 chore: bump version to 0.8.7
  • 30187e6 docs: 0.8.7 release notes, changelog, README highlights; finalize security cr...
  • d705d7c security(credits): acknowledge independent reporters Velayutham S and IcySun
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [crawl4ai](https://github.com/unclecode/crawl4ai) from 0.8.0 to 0.8.9.
- [Release notes](https://github.com/unclecode/crawl4ai/releases)
- [Changelog](https://github.com/unclecode/crawl4ai/blob/main/CHANGELOG.md)
- [Commits](unclecode/crawl4ai@v0.8.0...v0.8.9)

---
updated-dependencies:
- dependency-name: crawl4ai
  dependency-version: 0.8.9
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the labels dependencies (Pull requests that update a dependency file) and python:uv (Pull requests that update python:uv code) on Jun 18, 2026
dependabot[bot] (Contributor, Author) commented on behalf of github on Jun 18, 2026

Superseded by #69.

dependabot[bot] closed this on Jun 18, 2026
dependabot[bot] deleted the dependabot/uv/python/crawl4ai-0.8.9 branch on June 18, 2026 at 18:36