mirrors/hermes-agent
1
0
Fork 0
mirror of https://github.com/NousResearch/hermes-agent.git synced 2026-05-22 05:22:09 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 10

fix(deps): unbreak [all] install — drop mistralai while PyPI quarantined (#24205)

Browse source 
The `mistralai` PyPI package was quarantined on 2026-05-12 after a
malicious 2.4.6 release. Every fresh resolve (AUR makepkg, Docker build,
CI run, install.sh first-run) currently fails on
`mistralai>=2.3.0,<3` because PyPI returns zero candidates.

Existing users running `hermes update` mostly didn't notice — `hermes
update` falls back from `.[all]` to per-extra retries and silently
skips mistral with a warning that scrolls past. But fresh installs
hard-fail or lose every other extra.

Changes:
- pyproject.toml: drop `hermes-agent[mistral]` from `[all]` and
  `[termux-all]`. The `mistral` extra itself is preserved so users
  can opt back in once PyPI un-quarantines.
- hermes_cli/tools_config.py: hide Mistral Voxtral TTS from the
  `hermes tools` provider picker until restored.
- hermes_cli/web_server.py: drop "mistral" from dashboard STT options.
- tools/transcription_tools.py: explicit `provider: mistral` returns
  "none" with a clear status message; auto-detect skips mistral.
- tools/tts_tool.py: dispatcher returns a clear "temporarily disabled"
  error before any SDK import attempt (avoids cached-stale-package
  surprises).
- tests/tools/: update three test files to assert the new disabled
  behavior. Each test docstring records why and points at the rollback
  trigger (PyPI un-quarantines mistralai).

Restore plan: revert this commit once the package is available on PyPI
again. The behavior change is intentional and documented in code
comments + test docstrings to make the rollback trivial.

Validation:
- scripts/run_tests.sh tests/tools/ -k 'mistral or stt or tts' →
  425/425 passing.

Refs: https://pypi.org/simple/mistralai/ (currently
"pypi:project-status: quarantined").
This commit is contained in:
Teknium 2026-05-11 23:02:15 -07:00 committed by GitHub
parent 407683b72d
commit 99ad2d1372
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
8 changed files with 90 additions and 48 deletions
Download patch file Download diff file Expand all files Collapse all files

11
pyproject.toml
View file

@ -111,7 +111,10 @@ termux-all = [
"hermes-agent[dingtalk]",
"hermes-agent[feishu]",
"hermes-agent[google]",
"hermes-agent[mistral]",
# mistral: omitted from broad termux-all profile — `mistralai` PyPI package
# is currently quarantined (malicious 2.4.6 release). Users who explicitly
# want Voxtral STT/TTS can still `pip install hermes-agent[mistral]`
# directly once PyPI un-quarantines.
"hermes-agent[bedrock]",
"hermes-agent[homeassistant]",
"hermes-agent[sms]",
@ -169,7 +172,11 @@ all = [
"hermes-agent[dingtalk]",
"hermes-agent[feishu]",
"hermes-agent[google]",
"hermes-agent[mistral]",
# mistral: omitted from [all] — `mistralai` PyPI package is currently
# quarantined (malicious 2.4.6 release on 2026-05-12). Pulling it from
# [all] would break every fresh install / AUR build / Docker build / CI
# run until PyPI un-quarantines. Users who explicitly want Voxtral STT/TTS
# can still `pip install hermes-agent[mistral]` once it's available again.
"hermes-agent[bedrock]",
"hermes-agent[web]",
"hermes-agent[youtube]",