Dependency Review: ✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found. Scanned files: none.
Pull request overview
Pins key Agent Framework dependencies in the Python Agent Framework sample to avoid breakages caused by upstream dependency changes (notably around OpenTelemetry semantic conventions).
Changes:
- Pin `agent-framework-azure-ai` and add/pin `agent-framework-core` to a specific pre-release build.
- Add an explicit pin for `opentelemetry-semantic-conventions-ai`.
- Add minimum versions for some `microsoft-agents-*` dependencies.
Comments suppressed due to low confidence (1)
python/agent-framework/sample-agent/pyproject.toml:15
- This file still allows dependency drift (e.g., `azure-ai-agents>=...` / `azure-ai-projects>=...`). If the goal is fully reproducible installs for the sample, pin these direct dependencies too (or introduce a lock/constraints workflow) so users don't pick up breaking pre-release updates unexpectedly.
# Azure AI Projects - explicitly require pre-release version
"azure-ai-agents>=1.2.0b5",
"azure-ai-projects>=2.0.0b2",
| "microsoft-agents-hosting-aiohttp", | ||
| "microsoft-agents-hosting-core", | ||
| "microsoft-agents-hosting-core>= 0.4.0", | ||
| "microsoft-agents-authentication-msal", | ||
| "microsoft-agents-activity", | ||
| "microsoft-agents-activity>= 0.4.0", |
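Review bot: the two bounded entries write `>= 0.4.0` with a space after the operator while the `==` pins below use none; PEP 508 accepts the whitespace, but `"microsoft-agents-hosting-core>=0.4.0"` keeps the list consistent. More importantly, a lower bound alone still lets pip resolve to any future release, so if the intent stated in the description is to pin, give all four `microsoft-agents-*` entries the same exact version or a closed range such as `>=0.4.0,<0.5.0`, rather than leaving `hosting-aiohttp` and `authentication-msal` unbounded.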
Only some microsoft-agents-* packages have version constraints now (hosting-core, activity), while hosting-aiohttp and authentication-msal are unbounded. To reduce the chance of pulling incompatible combinations, apply a consistent pin/range strategy across the whole microsoft-agents-* set (ideally keeping them on the same version).
| "agent-framework-azure-ai==1.0.0b251114", | ||
| "agent-framework-core==1.0.0b251114", | ||
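Review bot: the exact `==1.0.0b251114` pins carry no explanatory comment, unlike the `azure-ai-*` entries (`# Azure AI Projects - explicitly require pre-release version`); add one saying these are held at a specific pre-release build because of the OpenTelemetry semantic-conventions breakage, so the pin gets revisited instead of being carried forward silently. Also, the `opentelemetry-semantic-conventions-ai` pin listed in the overview does not appear in the visible hunks; confirm it landed in the same dependency list.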
PR description mentions pinning to versions defined in a constraints file, but this sample project doesn’t include or reference any constraints/lock file (and the only change here is direct pinning in dependencies). Consider either adding a repo-local constraints/lock mechanism (e.g., uv.lock or documented constraints usage) or updating the PR description to match the actual approach.
Issue
The sample apps do not use fixed dependencies.
Solution
Pin the dependencies to the versions defined in the constraints file
https://github.com/microsoft/Agent365-python/blob/main/pyproject.toml#L68
This specific issue also occurred because agent-framework has a hard dependency on semantic conventions. The agent365 SDK should consider pinning the semantic convention version when using agent-framework, like in the agent-framework tooling extension.
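One way to turn the reviewers' pin-consistency point into a check that can run in CI (an added example, not code from the Agent365 repository): it reads the `[project]` dependencies from a pyproject.toml, flags specifiers with no exact pin or upper bound, and reports package families (`microsoft-agents-*`, `agent-framework-*`) whose members do not share one specifier. The sample pyproject content is constructed from the lines in this PR; the family prefixes and the minimal TOML reader are assumptions.

```python
import re

# Constructed sample mirroring the dependency list discussed in the review.
SAMPLE_PYPROJECT = """
[project]
dependencies = [
    "agent-framework-azure-ai==1.0.0b251114",
    "agent-framework-core==1.0.0b251114",
    "microsoft-agents-hosting-aiohttp",
    "microsoft-agents-hosting-core>= 0.4.0",
    "microsoft-agents-authentication-msal",
    "microsoft-agents-activity>= 0.4.0",
    "azure-ai-agents>=1.2.0b5",
]
"""

# Package name, optional [extras], then the rest of the PEP 508 string.
REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(.*)$")
# Version clauses; PEP 508 permits whitespace after the operator (">= 0.4.0").
SPEC_RE = re.compile(r"(===|==|~=|!=|<=|>=|<|>)\s*([^,\s;]+)")

def load_dependencies(pyproject_text):
    """Minimal reader for the [project] dependencies array (assumption: not a full TOML parser)."""
    body = re.search(r"^dependencies\s*=\s*\[(.*?)^\]", pyproject_text, re.S | re.M).group(1)
    return re.findall(r'"([^"]+)"', body)

def parse_requirement(req):
    """Return (normalized name, {operator: version}) for one dependency string."""
    m = REQ_RE.match(req.split(";")[0].strip())  # drop environment markers
    return m.group(1).lower(), dict(SPEC_RE.findall(m.group(2)))

def is_floating(specs):
    """True when nothing caps the version: no exact pin (==, ===) and no upper bound (~=, <, <=)."""
    return not any(op in specs for op in ("==", "===", "~=", "<", "<="))

def audit(pyproject_text, families=("agent-framework-", "microsoft-agents-")):
    """Return sorted (package, finding) pairs: floating specifiers plus families whose members differ."""
    findings, members = [], {}
    for dep in load_dependencies(pyproject_text):
        name, specs = parse_requirement(dep)
        if is_floating(specs):
            findings.append((name, "no exact pin or upper bound"))
        for prefix in families:
            if name.startswith(prefix):
                members.setdefault(prefix, set()).add(tuple(sorted(specs.items())))
    for prefix, variants in members.items():
        if len(variants) > 1:
            findings.append((prefix + "*", "members use different specifiers"))
    return sorted(findings)
```

Running `audit(SAMPLE_PYPROJECT)` on the constructed sample reports the four `microsoft-agents-*` entries and `azure-ai-agents` as floating and the `microsoft-agents-*` family as inconsistently specified, while the two `agent-framework-*` pins pass.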