pydantic-ai 1.107.0

v1.107.0 (2026-06-10)

on Python PyPI

What's Changed

🛡️ Security

• Handle UploadedFile consistently with FileUrl in UI adapters by @dsfaccini in #5772
  • Security advisory: VercelAIAdapter trusts client-controlled provider metadata to construct UploadedFile references (confused-deputy file read) GHSA-h7p7-w5gc-xj3w
  • This fix went out in v1.106.0 and v2.0.0b6.
  • You are affected only if your application passes untrusted client-submitted message history to an agent through a UI adapter (e.g. VercelAIAdapter), AND your model-provider or cloud-storage account holds files referenceable by an attacker-guessable UploadedFile id or storage URI (e.g. s3://…, gs://…).
  • You are not affected if you do not pass untrusted client-submitted message history to the agent, or you strip UploadedFile parts before running it.
  • You are not affected via AGUIAdapter / Agent.to_ag_ui on defaults — the preserve_file_data flag that re-enables this path is off by default.

🚀 Features

• Add known_model_names() to enumerate KnownModelName members by @dsfaccini in #5803
• feat(openrouter): add CachePoint and prompt caching support by @Adversarian in #4604
• Add Claude Fable 5 (claude-fable-5) and Claude Mythos 5 (claude-mythos-5) support by @dsfaccini in #5849

🐛 Bug Fixes

• fix(anthropic): guard message=None Bedrock start events in stream path by @Bartok9 in #5818
• Fix AnthropicModel.count_tokens with native tools by @kazmer97 in #5704

📦 Dependencies

• chore(deps): bump the python-packages group across 1 directory with 18 updates by @dependabot[bot] in #5768

New Contributors

• @Bartok9 made their first contribution in #5818
• @kazmer97 made their first contribution in #5704

Full Changelog: v1.106.0...v1.107.0