fix: remove unregistered PyPI packages from notebooks and requirements (dependency confusion)

[x4v13r64]

Summary

This PR removes Python package names that do not exist on PyPI from notebooks and requirements.txt files, preventing dependency confusion attacks.

Notebooks — agent-os replaced with local install:

All six tutorial notebooks contained !pip install agent-os which queries PyPI for agent-os. This package is not published to PyPI — it is the internal package defined in packages/agent-os/ within this repository. An attacker who registers agent-os on PyPI would have arbitrary code silently executed in any notebook session that runs these cells.

Each install cell has been replaced with !pip install -e ../.. to install the local package directly.

Notebook	Before	After
01-hello-agent-os.ipynb	!pip install agent-os --quiet	!pip install -e ../.. --quiet
02-episodic-memory-demo.ipynb	!pip install agent-os emk --quiet	!pip install -e ../.. emk --quiet
03-time-travel-debugging.ipynb	!pip install agent-os --quiet	!pip install -e ../.. --quiet
04-cross-model-verification.ipynb	!pip install agent-os[cmvk] --quiet	!pip install -e ..[cmvk] --quiet
05-multi-agent-coordination.ipynb	!pip install agent-os[iatp] --quiet	!pip install -e ..[iatp] --quiet
06-policy-engine.ipynb	!pip install agent-os --quiet	!pip install -e ../.. --quiet

customer-service/requirements.txt — fake CRM SDK names replaced:

• zendesk-sdk is not on PyPI → replaced with zenpy (the real Zendesk Python client)
• freshdesk-sdk is not on PyPI → replaced with freshdesk (the real Freshdesk Python client)

healthcare-hipaa/requirements.txt — stdlib masquerading as a package:

• hashlib-compat is not on PyPI → removed. hashlib is part of Python's standard library and requires no installation.

Test plan

• Run each notebook cell-by-cell and confirm agent-os is installed from the local repository, not from PyPI
• Confirm pip install -r packages/agent-os/examples/customer-service/requirements.txt succeeds with zenpy and freshdesk
• Confirm pip install -r packages/agent-os/examples/healthcare-hipaa/requirements.txt succeeds without attempting to fetch hashlib-compat

[github-actions]

Welcome to the Agent Governance Toolkit! Thanks for your first pull request.
Please ensure tests pass, code follows style (ruff check), and you have signed the CLA.
See our Contributing Guide.

[github-actions]

🤖 AI Agent: contributor-guide

Welcome! 🎉

Hi there, and welcome to the microsoft/agent-governance-toolkit community! Thank you for taking the time to contribute — we’re thrilled to have you here. Your effort to improve the project is greatly appreciated, and we’re excited to review your pull request. 😊

---

What You Did Well 🌟

1. Thorough Problem Identification: You clearly identified a critical security issue (dependency confusion) and provided a detailed explanation of the problem. This is a great example of responsible and thoughtful contribution.

2. Comprehensive Changes: Your PR addresses the issue across multiple files, including notebooks and requirements.txt files, ensuring consistency throughout the project.

3. Clear Documentation: The PR description is well-structured, with a summary, detailed explanation, and a test plan. The use of tables to show "Before" and "After" changes in the notebooks is especially helpful for reviewers.

4. Security Awareness: Highlighting the risks of unregistered PyPI packages and providing safer alternatives demonstrates a strong focus on security, which is critical for this project.

---

Suggestions for Improvement ✨

While your PR is excellent overall, here are a few suggestions to align it more closely with the project's conventions and best practices:

1. Linting with Ruff:

   • The project uses Ruff for linting, specifically with rules for E, F, and W codes. Please ensure your changes pass linting checks. You can run Ruff locally with:

     ruff check .

2. Testing:

   • The test plan you provided is great! However, we recommend adding automated tests for the changes to ensure they are verified in CI. For example:
     • Add tests for the updated requirements.txt files to confirm that the correct packages are installed.
     • Add tests for the updated notebook installation commands to verify that the local package is installed correctly.
   • Tests should be placed in the packages/{name}/tests/ directory. For example, tests for agent-os should go in packages/agent-os/tests/.

3. Commit Message Format:

   • The project follows the Conventional Commits specification. Your commit message fix: remove unregistered PyPI packages from notebooks and requirements (dependency confusion) is close, but it could be refined slightly. Consider:

     fix(dependencies): remove unregistered PyPI packages to prevent dependency confusion
     

4. Notebook Updates:

   • While your changes to the notebooks are excellent, it would be helpful to confirm that the updated notebooks run without errors. If you haven’t already, please run each notebook end-to-end to ensure the changes work as expected.

---

Resources 📚

Here are some resources to help you with the above suggestions:

• CONTRIBUTING.md: Guidelines for contributing to this project.
• QUICKSTART.md: Instructions for setting up the project locally.
• Ruff Documentation: For linting rules and configuration.

---

Next Steps 🚀

Here’s what happens next:

1. Address Feedback: Please review the suggestions above and make any necessary updates to your PR.
2. Run Tests and Linting: Ensure your changes pass all tests and adhere to the linting rules.
3. Update the PR: Push your changes to the same branch, and they’ll automatically update this PR.
4. Further Review: Once you’ve made updates, let us know by commenting here. We’ll review your changes again and provide further feedback if needed.

If you have any questions or need help with anything, don’t hesitate to ask! We’re here to support you. 😊

Thank you again for your contribution — we’re looking forward to collaborating with you! 🎉

[github-actions]

🤖 AI Agent: security-scanner

Security Review of PR: "fix: remove unregistered PyPI packages from notebooks and requirements (dependency confusion)"

---

Summary of Changes

This PR addresses potential dependency confusion vulnerabilities by:

1. Replacing references to non-existent PyPI packages in Jupyter notebooks with local package installations.
2. Updating requirements.txt files to replace non-existent or incorrect package names with valid ones.
3. Removing unnecessary or invalid dependencies from requirements.txt.

---

Security Findings

1. Dependency Confusion Mitigation

• Risk: Dependency confusion occurs when an attacker registers a malicious package on a public package repository (e.g., PyPI) with the same name as an internal package. If the repository is queried for the package, the malicious version could be installed instead of the intended internal package.
• Finding: The PR effectively mitigates this risk by replacing !pip install agent-os in notebooks with !pip install -e ../.., ensuring that the local version of the agent-os package is installed instead of querying PyPI. Additionally, the PR replaces non-existent PyPI package names in requirements.txt with valid alternatives or removes them entirely.
• Rating: 🔵 LOW (The issue is addressed in this PR).

Recommendation: Ensure that all developers are aware of the risks of dependency confusion and follow best practices, such as using private package repositories or specifying exact package sources in requirements.txt.

---

2. Potential for Supply Chain Attacks

• Risk: The use of external dependencies (zenpy, freshdesk, etc.) introduces a potential supply chain attack vector. If these dependencies are compromised, malicious code could be introduced into the project.
• Finding: While the PR replaces non-existent packages with valid ones, it does not address the broader risk of supply chain attacks.
• Rating: 🟡 MEDIUM

Recommendation:

• Pin dependencies to specific versions in requirements.txt to prevent unintentional updates to malicious versions.
• Use tools like pip-audit or safety to regularly scan dependencies for known vulnerabilities.
• Consider implementing dependency signing or using a private PyPI mirror to ensure the integrity of dependencies.

---

3. Potential for Debugging Information Leakage

• Risk: Debugging output in notebooks (e.g., print statements) could inadvertently expose sensitive information, such as credentials or internal details, if the notebooks are shared or executed in an untrusted environment.
• Finding: While the PR does not introduce new sensitive information in the debugging output, it does not explicitly address the risk of sensitive data leakage in the existing debug output.
• Rating: 🔵 LOW

Recommendation:

• Review all debug output to ensure no sensitive information (e.g., API keys, internal paths, or sensitive data) is exposed.
• Consider implementing a logging mechanism that redacts sensitive information before outputting it.

---

Positive Observations

• The PR addresses a critical security vulnerability (dependency confusion) effectively.
• The changes are well-documented, with clear explanations of the modifications made.
• The test plan includes steps to verify that the changes work as intended.

---

Final Assessment

• Overall Rating: 🔵 LOW
• Approval Status: ✅ Approved with Recommendations

This PR addresses a critical dependency confusion vulnerability effectively. However, the broader risks of supply chain attacks and potential debugging information leakage should be addressed in future updates. It is recommended to implement dependency version pinning and conduct regular dependency vulnerability scans. Additionally, ensure that debug output does not expose sensitive information.

[github-actions]

🤖 AI Agent: code-reviewer

Pull Request Review: Dependency Confusion Mitigation

This PR addresses a critical security issue by removing references to unregistered PyPI packages from notebooks and requirements.txt files, mitigating the risk of dependency confusion attacks. Below is a detailed review of the changes.

---

🔴 CRITICAL: Security Issues

1. Dependency Confusion Attack Mitigation

   • The PR correctly replaces !pip install agent-os with !pip install -e ../.. in all notebooks, ensuring the local package is installed instead of querying PyPI. This eliminates the risk of an attacker registering a malicious agent-os package on PyPI.
   • The replacement of non-existent PyPI packages (zendesk-sdk, freshdesk-sdk, hashlib-compat) with valid alternatives or removal is appropriate and mitigates the risk of dependency confusion.

   Action Taken:

   • ✅ The changes effectively address the security vulnerability. No further action is required.

---

💡 SUGGESTION: Notebook Usability Improvements

1. Notebook Dependency Installation

   • The updated !pip install -e ../.. command assumes the user runs the notebooks from the notebooks/ directory. If the user runs the notebook from a different directory, this command will fail.

   Suggestion:

   • Add a comment or cell at the start of each notebook to ensure the user is in the correct directory before running the notebook. For example:

     import os
     if not os.path.exists("../setup.py"):
         raise RuntimeError("Please run this notebook from the 'notebooks/' directory.")

2. Unicode Characters in Notebooks

   • The PR replaces emoji characters with their Unicode equivalents (e.g., ✅ → \u2705). While this ensures compatibility across environments, it reduces readability when viewing the raw notebook files.

   Suggestion:

   • Consider adding a comment explaining the use of Unicode characters for compatibility, or provide a script to convert Unicode back to emoji for environments that support them.

---

🟡 WARNING: Potential Breaking Changes

1. Changes to requirements.txt

   • Replacing zendesk-sdk with zenpy and freshdesk-sdk with freshdesk may cause issues if users have existing code that depends on the original (non-existent) package names. While this is a necessary change for security, it could break user workflows.

   Recommendation:

   • Clearly document this change in the release notes and provide migration guidance for users who may need to adapt their code to the new package names.

2. Notebook Dependency Changes

   • Users who rely on the old !pip install agent-os command in their own scripts or workflows will need to update their code to use the new !pip install -e ../.. command.

   Recommendation:

   • Include a note in the release documentation highlighting this change and explaining how users can update their workflows.

---

💡 SUGGESTION: Testing Enhancements

1. Automated Notebook Testing

   • The test plan suggests manually running each notebook cell-by-cell to verify the changes. This process is error-prone and time-consuming.

   Suggestion:

   • Integrate automated notebook testing into the CI/CD pipeline using a tool like nbval or pytest-notebook. This will ensure that future changes to the notebooks do not introduce regressions.

2. Dependency Installation Tests

   • The test plan includes manual verification of pip install -r commands for the updated requirements.txt files.

   Suggestion:

   • Add automated tests to the CI/CD pipeline to verify that all requirements.txt files can be installed without errors. This can be done using a simple script that iterates through all requirements.txt files and runs pip install -r.

---

💡 SUGGESTION: Documentation Updates

1. Update README and Documentation

   • The changes to the installation commands in the notebooks and requirements.txt files should be reflected in the project's README and any relevant documentation.

   Suggestion:

   • Update the README to include instructions for installing the local agent-os package using pip install -e ../...
   • If the project has a "Getting Started" guide or similar documentation, ensure it reflects the updated installation instructions.

2. Explain Removed Dependencies

   • The removal of hashlib-compat and replacement of zendesk-sdk and freshdesk-sdk should be documented in the release notes or a migration guide.

---

✅ Summary of Changes

• Security Fixes: The PR effectively mitigates dependency confusion risks by removing references to unregistered PyPI packages.
• Breaking Changes: Changes to requirements.txt and notebook installation commands may break existing user workflows.
• Suggestions: Add automated testing for notebooks and dependency installation, update documentation, and provide migration guidance for users.

---

Final Recommendation

• Approve with Suggestions: The PR addresses a critical security issue and should be merged. However, the team should consider implementing the suggested improvements to enhance usability, testing, and documentation.

[x4v13r64]

@microsoft-github-policy-service agree

[imran-siddique]

Good security fix — the notebook changes are correct. However, code review found 10+ additional \pip install agent-os\ instances in docs, examples, and TypeScript codegen that aren't covered by this PR. I'll merge this as-is (the notebooks are the highest-risk surface) and push a fast-follow to catch the remaining instances.