← Back to the AI Dependency AtlasExact repository supply-chain dossier

AI

iqsh/collaboration-online-board/ai
pypi

This dossier retains 43 exact component occurrences from 2 published evidence files at one immutable repository commit.

opencode:36087cc4cbe5064bproject ID + commit SHA + exact evidence path

Published dependency evidence does not prove deployment, productive use, procurement or runtime reachability.

project ID + commit SHA + exact evidence path
43exact component occurrences
41package identities
2evidence files
52OSV records returned
Exact published evidence

Files that resolve this repository’s dependencies

Every file remains tied to the observed commit. A parse error stays visible and never becomes a zero.

Evidence pathrequirements.txt
Format
exact-manifest-pin
Parser state
parsed
Resolved components
2
Open exact source ↗
Evidence pathSPDX_v2.0.0.ymlsha256:e053bc3719cac7ca6a6b278c6593b5be1eef3090462cdd7398ae6d6ac3f21457
Format
spdx-yaml
Parser state
parsed
Resolved components
41
Open exact source ↗
Observed relations

Package identities at this commit

pypiOpenAI SDKpypi:openai
2 Occurrences1.14.2 · 1.91.0
Apache-2.0
pypitiktokenpypi:tiktoken
2 Occurrences0.7.0
non-standard
pypipillowpypi:pillow
1 Occurrence10.3.0
HPND · MIT-CMU15 OSV records returned
pypiurllib3pypi:urllib3
1 Occurrence2.2.2
MIT7 OSV records returned
pypiwerkzeugpypi:werkzeug
1 Occurrence3.0.1
BSD-3-Clause · non-standard6 OSV records returned
pypiflask-corspypi:flask-cors
1 Occurrence4.0.0
MIT5 OSV records returned
pypijinja2pypi:jinja2
1 Occurrence3.1.3
BSD-3-Clause · non-standard4 OSV records returned
pypirequestspypi:requests
1 Occurrence2.32.3
Apache-2.03 OSV records returned
pypisetuptoolspypi:setuptools
1 Occurrence69.2.0
MIT3 OSV records returned
pypicertifipypi:certifi
1 Occurrence2024.6.2
MPL-2.01 OSV record returned
pypiclickpypi:click
1 Occurrence8.1.7
BSD-3-Clause · non-standard1 OSV record returned
pypiflaskpypi:flask
1 Occurrence3.0.2
BSD-3-Clause · non-standard1 OSV record returned
pypih11pypi:h11
1 Occurrence0.14.0
MIT1 OSV record returned
pypiidnapypi:idna
1 Occurrence3.7
BSD-3-Clause · non-standard1 OSV record returned
pypipytestpypi:pytest
1 Occurrence7.2.2
MIT1 OSV record returned
pypipython-dotenvpypi:python-dotenv
1 Occurrence1.0.1
BSD-3-Clause1 OSV record returned
pypitqdmpypi:tqdm
1 Occurrence4.66.2
MIT AND MPL-2.01 OSV record returned
pypiwheelpypi:wheel
1 Occurrence0.43.0
MIT1 OSV record returned
pypiannotated-typespypi:annotated-types
1 Occurrence0.6.0
MIT
pypianyiopypi:anyio
1 Occurrence4.3.0
MIT
pypiattrspypi:attrs
1 Occurrence23.2.0
MIT
pypiblinkerpypi:blinker
1 Occurrence1.7.0
MIT
pypicharset-normalizerpypi:charset-normalizer
1 Occurrence3.3.2
MIT
pypicoveragepypi:coverage
1 Occurrence7.2.2
Apache-2.0
pypidistropypi:distro
1 Occurrence1.9.0
Apache-2.0
pypiflask-sqlalchemypypi:flask-sqlalchemy
1 Occurrence3.1.1
non-standard
pypigreenletpypi:greenlet
1 Occurrence3.0.3
MIT · MIT AND PSF-2.0 · MIT AND Python-2.0
pypihttpcorepypi:httpcore
1 Occurrence1.0.4
BSD-3-Clause
pypihttpxpypi:httpx
1 Occurrence0.27.0
BSD-3-Clause
pypiiniconfigpypi:iniconfig
1 Occurrence2.0.0
MIT
pypiitsdangerouspypi:itsdangerous
1 Occurrence2.1.2
BSD-3-Clause · non-standard
pypimarkupsafepypi:markupsafe
1 Occurrence2.1.5
BSD-3-Clause · non-standard
pypipackagingpypi:packaging
1 Occurrence24.1
Apache-2.0 OR BSD-2-Clause · non-standard
pypipluggypypi:pluggy
1 Occurrence1.5.0
MIT
pypipsycopg2-binarypypi:psycopg2-binary
1 Occurrence2.9.9
non-standard
pypipydanticpypi:pydantic
1 Occurrence2.6.4
MIT
pypipydantic-corepypi:pydantic-core
1 Occurrence2.16.3
MIT
pypiregexpypi:regex
1 Occurrence2024.5.15
Apache-2.0 AND CNRI-Python · non-standard
pypisniffiopypi:sniffio
1 Occurrence1.3.1
Apache-2.0 OR MIT
pypisqlalchemypypi:sqlalchemy
1 Occurrence2.0.29
MIT
pypityping-extensionspypi:typing-extensions
1 Occurrence4.10.0
PSF-2.0 · non-standard
OSV

Related OSV records

GHSA-248v-346w-9cwc

Certifi removes GLOBALTRUST root certificate

1 repository10 Jun 2026
GHSA-29vq-49wr-vm6x

Werkzeug safe_join() allows Windows special device names

6 repositories13 Jul 2026
GHSA-2g68-c3qc-8985

Werkzeug debugger vulnerable to remote execution when interacting with attacker controlled domain

1 repository07 Jul 2026
GHSA-2xpw-w6gg-jr37

urllib3 streaming API improperly handles highly compressed data

13 repositories07 Jul 2026
GHSA-38jv-5279-wg99

Decompression-bomb safeguards bypassed when following HTTP redirects (streaming API)

13 repositories07 Jul 2026
GHSA-43qf-4rqw-9q2g

Flask-CORS vulnerable to Improper Handling of Case Sensitivity

2 repositories07 Jul 2026
GHSA-48p4-8xcf-vxj5

urllib3 does not control redirects in browsers and Node.js

7 repositories07 Jul 2026
GHSA-5rjg-fvgr-3xxf

setuptools has a path traversal vulnerability in PackageIndex.download that leads to Arbitrary File Write

2 repositories11 May 2026
GHSA-5xmw-vc9v-4wf2

Pillow has a heap buffer overflow with nested list coordinates

10 repositories13 Jul 2026
GHSA-65pc-fj4g-8rjx

Internationalized Domain Names in Applications (IDNA): Specially crafted inputs to idna.encode() can bypass CVE-2024-3651 fix

17 repositories08 Jul 2026
GHSA-68rp-wp8r-4726

Flask session does not add `Vary: Cookie` header when accessed in some ways

6 repositories13 Jul 2026
GHSA-6w46-j5rx-g56g

pytest has vulnerable tmpdir handling

6 repositories07 Jul 2026
GHSA-7rxf-gvfg-47g4

Flask-CORS improper regex path matching vulnerability

2 repositories07 Jul 2026
GHSA-84pr-m4jr-85g5

flask-cors vulnerable to log injection when the log level is set to debug

1 repository10 Jun 2026
GHSA-87hc-h4r5-73f7

Werkzeug safe_join() allows Windows special device names with compound extensions

5 repositories07 Jul 2026
GHSA-8rrh-rw8j-w5fx

Wheel Affected by Arbitrary File Permission Modification via Path Traversal in wheel unpack

2 repositories07 Jul 2026
GHSA-8vgw-p6qm-5gr7

Flask-CORS allows for inconsistent CORS matching

2 repositories07 Jul 2026
GHSA-9hjg-9r4m-mvj7

Requests vulnerable to .netrc credentials leak via malicious URLs

7 repositories07 Jul 2026
GHSA-9wx4-h78v-vm56

Requests `Session` object does not verify requests after making first request with verify=False

1 repository07 Jul 2026
GHSA-cfh3-3jmp-rvhc

Pillow affected by out-of-bounds write when loading PSD images

12 repositories13 Jul 2026
GHSA-cpwx-vrp4-4pq7

Jinja2 vulnerable to sandbox breakout through attr filter selecting format method

2 repositories07 Jul 2026
GHSA-cx63-2mw6-8hw5

setuptools vulnerable to Command Injection via package URL

1 repository07 Jul 2026
GHSA-f9vj-2wh5-fj8j

Werkzeug safe_join not safe on Windows

1 repository07 Jul 2026
GHSA-g7vv-2v7x-gj9p

tqdm CLI arguments injection attack

1 repository07 Jul 2026
GHSA-gc5v-m9x4-r6x2

Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function

15 repositories13 Jul 2026
GHSA-gm62-xv2j-4w53

urllib3 allows an unbounded number of links in the decompression chain

13 repositories07 Jul 2026
GHSA-gmj6-6f8f-6699

Jinja has a sandbox breakout through malicious filenames

1 repository07 Jul 2026
GHSA-h75v-3vvj-5mfj

Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter

1 repository07 Jul 2026
GHSA-hgf8-39gv-g3f2

Werkzeug safe_join() allows Windows special device names

5 repositories07 Jul 2026
GHSA-hxwh-jpp2-84pm

Flask-CORS allows the `Access-Control-Allow-Private-Network` CORS header to be set to true by default

1 repository09 Jul 2026
GHSA-mf9v-mfxr-j63j

urllib3: Decompression-bomb safeguards bypassed in parts of the streaming API

3 repositories08 Jun 2026
GHSA-mf9w-mj56-hr94

python-dotenv: Symlink following in set_key allows arbitrary file overwrite via cross-device rename fallback

11 repositories13 Jul 2026
GHSA-pq67-6m6q-mj2v

urllib3 redirects are not disabled when retries are disabled on PoolManager instantiation

7 repositories07 Jul 2026
GHSA-pwv6-vv43-88gr

Pillow has an OOB Write with Invalid PSD Tile Extents (Integer Overflow)

13 repositories13 Jul 2026
GHSA-q2x7-8rv6-6q7h

Jinja has a sandbox breakout through indirect reference to format method

1 repository07 Jul 2026
GHSA-q34m-jh98-gwm2

Werkzeug possible resource exhaustion when parsing file data in forms

1 repository13 Jul 2026
GHSA-qccp-gfcp-xxvc

urllib3: Sensitive headers forwarded across origins in proxied low-level redirects

15 repositories20 May 2026
GHSA-r73j-pqj5-w3x7

Pillow has a PDF Parsing Trailer Infinite Loop (DoS)

13 repositories13 Jul 2026
GHSA-vqfr-h8mv-ghfj

h11 accepts some malformed Chunked-Encoding bodies

3 repositories01 Jul 2026
GHSA-whj4-6x5x-4v2j

FITS GZIP decompression bomb in Pillow

13 repositories13 Jul 2026
GHSA-wjx4-4jcj-g98j

Pillow has an integer overflow when processing fonts

13 repositories09 Jun 2026
GHSA-xg8h-j46f-w952

Pillow vulnerability can cause write buffer overflow on BCn encoding

4 repositories04 Feb 2026
PYSEC-2026-2132

Not reported

14 repositories13 Jul 2026
PYSEC-2026-2253

Not reported

13 repositories13 Jul 2026
PYSEC-2026-2254

Not reported

13 repositories13 Jul 2026
PYSEC-2026-2255

Not reported

13 repositories13 Jul 2026
PYSEC-2026-2256

Not reported

13 repositories13 Jul 2026
PYSEC-2026-2257

Not reported

13 repositories13 Jul 2026
Interpretation boundary

Exact identities in, explicit limits out

The collector reads bounded lockfiles, SBOMs and exact double-equals pins at one immutable commit. Version ranges are never resolved by assumption.

Retrieval, parsing, matching and publishing use no generative AI model.

i6eal (2026): AI — exact AI dependency evidence dossier, data state 19 Jul 2026. https://i6eal.de/en/tools/ki-abhaengigkeitsatlas/repository/opencode-3608/

Reading this dossier

Does this repository dossier prove deployment?
No. It documents dependencies published at one observed commit, not a deployed environment.
Why are exact versions required?
OSV and registry metadata can be linked reproducibly only to an observed package@version tuple. The collector never substitutes a newest release for a range.
Does a missing row mean the dependency is absent?
No. It means not observed within the bounded files and repository checkpoint. Incomplete trees and parser failures remain explicit.

Need a permanent dependency evidence trail for another public code cohort?

We build source-backed data products with stable identities, reproducible joins and boundaries that remain visible.

Discuss a data projectExplore all tools