From 20e9472e6facf433825ae75117c8cb698f984b2c Mon Sep 17 00:00:00 2001
From: jschweiz <jonas.schweizer@oracle.com>
Date: Wed, 17 Dec 2025 16:00:38 +0100
Subject: [PATCH] fix: fix clean installation script & bump lower bound version
 for urllib3 to avoid CVE

---
 clean-install-dev.sh                    | 2 +-
 pyagentspec/constraints/constraints.txt | 1 +
 pyagentspec/setup.py                    | 1 +
 3 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/clean-install-dev.sh b/clean-install-dev.sh
index f38b9774..25891227 100755
--- a/clean-install-dev.sh
+++ b/clean-install-dev.sh
@@ -19,7 +19,7 @@ source ./_installation_tools.sh
 
 create_venv
 
-upgrade_pip_or_uv
+upgrade_pip
 
 ./install-all-dev.sh
 
diff --git a/pyagentspec/constraints/constraints.txt b/pyagentspec/constraints/constraints.txt
index 84a8077f..91489e4f 100644
--- a/pyagentspec/constraints/constraints.txt
+++ b/pyagentspec/constraints/constraints.txt
@@ -2,6 +2,7 @@ jsonschema==4.23.0
 pydantic==2.12.4
 pyyaml==6.0.3
 httpx==0.28.1
+urllib3==2.6.2
 
 # AutoGen adapter
 autogen-core==0.7.4
diff --git a/pyagentspec/setup.py b/pyagentspec/setup.py
index 083de0e6..679ab293 100644
--- a/pyagentspec/setup.py
+++ b/pyagentspec/setup.py
@@ -56,6 +56,7 @@ def read(file_name):
         "pydantic>=2.10,<2.13",
         "pyyaml>=6,<7",
         "httpx>0.28.0",
+        "urllib3>=2.5.0",  # needed to avoid a CVE present on earlier versions
     ],
     test_suite="tests",
     entry_points={