fix: pre-publication hardening (BOMs, redirect-CVE pin, None guard, lint)

Publication-readiness fixes on v1.6.0:

Security / correctness (HIGH):
- Strip UTF-8 BOM from function.json so strict JSON parsers (including
  OWUI's manifest loader, which uses json.load) can read it. LICENSE BOM
  removed too for encoding consistency.
- Guard exc.response is None in pipes() HTTPError handler — manually-raised
  HTTPError without a response object would crash with AttributeError on
  .status_code / .json(); now returns "HTTP error fetching models
  (no response)".
- Bump minimum requests dependency to >=2.32.4 in requirements.txt,
  function.json, and the module docstring. Pre-2.32 versions leak the
  Authorization header to redirect targets when the header is set manually
  (CVE-2024-35195 family).

Lint / hygiene (LOW):
- Remove unused prefix_str local in _expand_variant_models.
- test_pipe.py: drop unused traceback / time-as-_time_mod imports; drop the
  unnecessary f-prefix on a placeholder-free string.
- integration_test.py: drop the unnecessary f-prefix on a placeholder-free
  assertion message.

CI:
- Install pinned deps via `pip install -r requirements.txt` so the tested
  environment enforces the security-critical requests>=2.32.4 floor instead
  of installing unpinned `requests pydantic`.

Test suite: 622 passing; mypy + pyflakes clean.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: sena-labs

.github/workflows/tests.yml

@@ -27,7 +27,7 @@ jobs:
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip
-          pip install requests pydantic
+          pip install -r requirements.txt
 
       - name: Run tests
         run: python test_pipe.py

LICENSE

@@ -1,4 +1,4 @@
-MIT License
+MIT License
 
 Copyright (c) 2026 Sena Labs
 

function.json

@@ -1,4 +1,4 @@
-{
+{
   "id": "openrouter_pipe",
   "name": "OpenRouter Pipe",
   "type": "manifold",
@@ -12,7 +12,7 @@
       "version": "1.6.0",
       "license": "MIT",
       "required_open_webui_version": "0.4.0",
-      "requirements": ["requests>=2.20", "pydantic>=2.0"]
+      "requirements": ["requests>=2.32.4", "pydantic>=2.0"]
     },
     "tags": [
       "openrouter",

integration_test.py

@@ -214,7 +214,7 @@ async def _test_non_stream() -> str:
 
     _assert(isinstance(ns_result, str), "non-stream returns string")
     _assert(len(ns_result) > 0, f"non-stream has content ({len(ns_result)} chars)")
-    _assert("Error" not in ns_result or "INTEGRATION" in ns_result, f"no error in response")
+    _assert("Error" not in ns_result or "INTEGRATION" in ns_result, "no error in response")
     print(f"  ⏱ Response in {elapsed:.2f}s")
     print(f"  ℹ Response: {ns_result[:150]}{'...' if len(ns_result) > 150 else ''}")
 

openrouter_pipe.py

@@ -7,7 +7,7 @@
 license: MIT
 icon_url: data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHZpZXdCb3g9IjAgMCAxMDAgMTAwIj48ZGVmcz48bGluZWFyR3JhZGllbnQgaWQ9ImJnIiB4MT0iMCUiIHkxPSIwJSIgeDI9IjEwMCUiIHkyPSIxMDAlIj48c3RvcCBvZmZzZXQ9IjAlIiBzdG9wLWNvbG9yPSIjNmQyOGQ5Ii8+PHN0b3Agb2Zmc2V0PSIxMDAlIiBzdG9wLWNvbG9yPSIjYTc4YmZhIi8+PC9saW5lYXJHcmFkaWVudD48L2RlZnM+PHJlY3Qgd2lkdGg9IjEwMCIgaGVpZ2h0PSIxMDAiIHJ4PSIyMCIgZmlsbD0idXJsKCNiZykiLz48cGF0aCBkPSJNMjAgNTAgQzIwIDMwLCA0MCAzMCwgNTAgMzAgTDUwIDIyIEw2OCA0MCBMNTAgNTggTDUwIDUwIEM0MCA1MCwgMzUgNDUsIDMwIDUwIEMyNSA1NSwgMjAgNzAsIDIwIDUwIFoiIGZpbGw9IndoaXRlIiBvcGFjaXR5PSIwLjk1Ii8+PGNpcmNsZSBjeD0iNzgiIGN5PSIzMCIgcj0iNyIgZmlsbD0id2hpdGUiIG9wYWNpdHk9IjAuOCIvPjxjaXJjbGUgY3g9IjgyIiBjeT0iNTAiIHI9IjciIGZpbGw9IndoaXRlIiBvcGFjaXR5PSIwLjk1Ii8+PGNpcmNsZSBjeD0iNzgiIGN5PSI3MCIgcj0iNyIgZmlsbD0id2hpdGUiIG9wYWNpdHk9IjAuOCIvPjxsaW5lIHgxPSI2OCIgeTE9IjQwIiB4Mj0iNzYiIHkyPSIzMiIgc3Ryb2tlPSJ3aGl0ZSIgc3Ryb2tlLXdpZHRoPSIyIiBvcGFjaXR5PSIwLjUiLz48bGluZSB4MT0iNjgiIHkxPSI0MCIgeDI9Ijc2IiB5Mj0iNTAiIHN0cm9rZT0id2hpdGUiIHN0cm9rZS13aWR0aD0iMiIgb3BhY2l0eT0iMC41Ii8+PGxpbmUgeDE9IjY4IiB5MT0iNDAiIHgyPSI3NiIgeTI9IjY4IiBzdHJva2U9IndoaXRlIiBzdHJva2Utd2lkdGg9IjIiIG9wYWNpdHk9IjAuNSIvPjwvc3ZnPg==
 required_open_webui_version: 0.4.0
-requirements: requests>=2.20, pydantic>=2.0
+requirements: requests>=2.32.4, pydantic>=2.0
 description: The definitive OpenRouter integration for Open WebUI. Full catalog (chat/TTS/audio/image/embeddings), variant routing (:nitro/:exacto/:thinking/:online/:free/:extended), web search plugin with domain filters, server-side category filter, deprecation warnings, extended reasoning (minimal→xhigh + max_tokens + summary), Anthropic interleaved thinking + cache TTL, ZDR enforcement, tool/free-tier filters, provider preferences (only/quantizations/max_price/allow_fallbacks), service tier routing (auto/flex/priority/scale), generation-ID auditability, cached-input cost breakdown, model fallbacks, middle-out compression, citations, auto-discovered provider icons.
 """
 
@@ -765,14 +765,17 @@ def pipes(self) -> List[dict]:
         except requests.exceptions.Timeout:
             return [{"id": "error", "name": "Timeout fetching models. Try again or increase REQUEST_TIMEOUT."}]
         except requests.exceptions.HTTPError as exc:
-            msg = f"HTTP {exc.response.status_code} fetching models"
-            try:
-                err = exc.response.json().get("error", {})
-                detail = err.get("message", str(err)) if isinstance(err, dict) else str(err)
-                if detail:
-                    msg += f": {detail}"
-            except Exception:
-                pass
+            if exc.response is not None:
+                msg = f"HTTP {exc.response.status_code} fetching models"
+                try:
+                    err = exc.response.json().get("error", {})
+                    detail = err.get("message", str(err)) if isinstance(err, dict) else str(err)
+                    if detail:
+                        msg += f": {detail}"
+                except Exception:
+                    pass
+            else:
+                msg = "HTTP error fetching models (no response)"
             print(f"[OpenRouter Pipe] {msg}")
             return [{"id": "error", "name": msg}]
         except Exception as exc:
@@ -1341,7 +1344,6 @@ def _expand_variant_models(self, models: List[dict], prefix: str) -> List[dict]:
         if not specs:
             return models
 
-        prefix_str = prefix or ""
         # Strip the user-set prefix so we can reuse base names verbatim.
         by_id: dict = {}
         for entry in models:

requirements.txt

@@ -1,2 +1,2 @@
-requests>=2.20
+requests>=2.32.4
 pydantic>=2.0

test_pipe.py

@@ -16,7 +16,6 @@
 import json
 import os
 import sys
-import traceback
 from types import ModuleType
 from typing import List
 from unittest.mock import MagicMock, patch
@@ -131,7 +130,7 @@ def _section(title: str):
 # The default is os.getenv() evaluated at class-definition time (module load);
 # if the env var was set at that point, the default is non-empty — by design.
 frozen_default = Pipe.Valves.model_fields["OPENROUTER_API_KEY"].default
-_assert(v.OPENROUTER_API_KEY == frozen_default, f"API key default matches frozen class default")
+_assert(v.OPENROUTER_API_KEY == frozen_default, "API key default matches frozen class default")
 _assert(v.OPENROUTER_BASE_URL == "https://openrouter.ai/api/v1", "base URL default")
 _assert(v.REASONING_EFFORT == "", "reasoning effort empty")
 _assert(v.INCLUDE_REASONING is True, "include_reasoning True by default")