Fix CVE 2025 69872 diskcache #2548

Merged: Lancetnik merged 12 commits into ag2ai:main from realcarsonterry:fix-cve-2025-69872-diskcache, Apr 7, 2026

Conversation

@realcarsonterry (Contributor)

Problem

AG2 has a hard dependency on diskcache which is affected by CVE-2025-69872
(CVSS 9.8 Critical) - an unsafe pickle deserialization vulnerability. This
blocks deployments in security-sensitive environments using vulnerability
scanners like Aquasec, Snyk, or Trivy.

Solution

This PR makes diskcache an **optional dependency** and changes the default
cache backend to InMemoryCache.

Changes

  • ✅ Removed diskcache from core dependencies in pyproject.toml
  • ✅ Added diskcache as optional dependency ag2[diskcache]
  • ✅ Updated DiskCache to raise helpful error when diskcache not installed
  • ✅ Changed cache_factory default fallback to InMemoryCache
  • ✅ Updated all error messages and documentation
  • ✅ Updated tests to handle optional import
  • ✅ Added comprehensive security advisory document

Migration Path

Users have three options:

  1. **InMemoryCache** (default) - No persistence, no security risk
  2. **RedisCache** - Persistent, secure, production-ready
  3. **DiskCache** - Persistent but requires pip install ag2[diskcache]

Breaking Changes

⚠️ Users who rely on persistent caching without explicit configuration will
now use InMemoryCache (no persistence between runs). To restore previous
behavior: pip install ag2[diskcache]

Security Impact

✅ Resolves CVE-2025-69872
✅ Security scanners will no longer flag ag2
✅ Safe for deployment in security-sensitive environments
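The optional-dependency pattern the PR describes (lazy import, a helpful ImportError from DiskCache, and a cache_factory that falls back to InMemoryCache), shown here as an added standalone illustration rather than ag2's own code; the class and function names mirror the PR description, the Redis/Cosmos branches of the real factory are left out, and HAS_DISKCACHE is an assumed helper flag:

```python
"""Illustration of the optional-diskcache pattern from the PR (not ag2's code).

diskcache is imported lazily; DiskCache fails loudly with install guidance when
the extra is absent; cache_factory then defaults to InMemoryCache, so no
pickle files are read from disk unless the user opted in to ag2[diskcache]."""
from __future__ import annotations

from typing import Any

try:
    import diskcache  # optional extra: pip install ag2[diskcache]
    HAS_DISKCACHE = True
except ImportError:
    diskcache = None
    HAS_DISKCACHE = False


class InMemoryCache:
    """Process-local dict cache: no persistence, nothing deserialized from disk."""

    def __init__(self, seed: int | str) -> None:
        self.seed = seed
        self._data: dict[str, Any] = {}

    def get(self, key: str, default: Any = None) -> Any:
        return self._data.get(key, default)

    def set(self, key: str, value: Any) -> None:
        self._data[key] = value


class DiskCache:
    """Persistent cache backed by diskcache; usable only when the extra is installed."""

    def __init__(self, cache_path_root: str) -> None:
        if not HAS_DISKCACHE:
            raise ImportError(
                "DiskCache requires the optional 'diskcache' package. "
                "Install it with: pip install ag2[diskcache]"
            )
        self._cache = diskcache.Cache(cache_path_root)

    def get(self, key: str, default: Any = None) -> Any:
        return self._cache.get(key, default)

    def set(self, key: str, value: Any) -> None:
        self._cache.set(key, value)


def cache_factory(seed: int | str, cache_path_root: str = ".cache") -> InMemoryCache | DiskCache:
    """DiskCache when the extra is installed (previous behaviour), else InMemoryCache."""
    try:
        return DiskCache(cache_path_root)
    except ImportError:
        return InMemoryCache(seed)
```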


CLAassistant commented Apr 3, 2026

CLA assistant check
All committers have signed the CLA.

github-actions bot added the "dependencies" label (Pull requests that update a dependency file) Apr 3, 2026

@marklysze (Collaborator)

@cym3118288-afk thanks so much for this, would you be able to run "pre-commit run --all-files" and push the setup_autogen.py file?

It should have diskcache in it:

...
        "ag-ui": ["ag2[ag-ui]==" + __version__],
        "diskcache": ["ag2[diskcache]==" + __version__],
        "openai": ["ag2[openai]==" + __version__],
...

@realcarsonterry (Contributor, Author)

Sure, I will give it a try later.

realcarsonterry (Contributor, Author) commented Apr 6, 2026

Hi, Mark @marklysze

I have fixed the trailing newline issues and updated the branch with latest main.
All checks are now passing.

Could you please review this PR when you have time?
I'm deeply sorry for not making the changes promptly last time. I hope you will continue to provide guidance in the future.
Thank you!

marklysze (Collaborator) left a comment


A very valuable contribution, thanks @cym3118288-afk!

@Lancetnik Lancetnik added this pull request to the merge queue Apr 7, 2026
Merged via the queue into ag2ai:main with commit b6e6b71 Apr 7, 2026
24 checks passed

codecov Bot commented Apr 7, 2026

Codecov Report

❌ Patch coverage is 45.00000% with 11 lines in your changes missing coverage. Please review.

Files with missing lines          Patch %   Lines
autogen/cache/cache_factory.py    50.00%    5 Missing and 1 partial
autogen/cache/disk_cache.py       42.85%    2 Missing and 2 partials
autogen/oai/client.py             0.00%     1 Missing

Files with missing lines          Coverage   Δ
autogen/oai/client.py             54.47%     <0.00%> (-3.61%)
autogen/cache/disk_cache.py       83.33%     <42.85%> (-16.67%)
autogen/cache/cache_factory.py    45.16%     <50.00%> (-2.67%)

... and 20 files with indirect coverage changes


amabito pushed a commit to amabito/ag2 that referenced this pull request Apr 11, 2026
* fix: Make diskcache import optional with helpful error message

* fix: Default to InMemoryCache when diskcache not installed

* fix: Move diskcache to optional dependencies

* fix: Remove diskcache from required error message

* chore: add diskcache to setup_autogen.py extras_require

* chore: fix trailing newline in setup_autogen.py

* fix: remove trailing blank line in setup_autogen.py

---------

Co-authored-by: Mark Sze <66362098+marklysze@users.noreply.github.com>