upgrade-advisor
by thatgeeman
Overview
AI-powered agent for Python package dependency analysis, vulnerability detection, and upgrade recommendations using `uv` and PyPI/GitHub data.
Installation
python app.pyEnvironment Variables
- GITHUB_PAT
- HF_TOKEN
- GITHUB_TOOLSETS
- GITHUB_READ_ONLY
- AGENT_MODEL
- HF_INFERENCE_PROVIDER
- GRADIO_SERVER_NAME
- GRADIO_SERVER_PORT
- GRADIO_SHARE
- CHAT_HISTORY_TURNS_CUTOFF
- CHAT_HISTORY_WORD_CUTOFF
- CHAT_MODEL
Security Notes
The server executes external commands, specifically installing `uv` using `curl -LsSf https://astral.sh/uv/<VERSION>/install.sh | sh` and then running `uv pip compile` on user-uploaded `pyproject.toml` files. While executed in a temporary directory, this involves running untrusted shell scripts from an external URL and processing potentially malicious configuration files, which presents significant supply chain and command injection risks. The `smolagents` framework introduces potential LLM prompt injection vulnerabilities, where malicious input could lead to misuse of tools or generation of harmful content. File uploads are checked for path traversal, but the core execution model involving dynamic `uv` installation and execution is a high-risk area.
Similar Servers
python-dependency-manager-companion-mcp-server
Provides up-to-date information and commands for various Python package managers (pip, conda, poetry, uv, pixi, pdm) by cross-referencing official documentation.
package-registry-mcp
Enables AI assistants and agents to search various package registries (NPM, Cargo, NuGet, PyPI, Go) and retrieve up-to-date package information.
pypi-query-mcp-server
A Model Context Protocol (MCP) server for querying PyPI package information, dependencies, and compatibility checking, assisting AI agents in Python development workflows.
uv-mcp
Provides AI-native environment diagnostics, repair, and dependency management for Python projects using the uv package manager.