This release includes 4 breaking changes for platform teams planning a safe upgrade.
✓ No known CVEs patched in this version
Topics
+4 more
Affected surfaces
ReleasePort's take
Moderate signalThe python-1.4.0 release introduces breaking changes to skill folder discovery and spec metadata handling in agent‑framework-core, tightens default access controls and CORS posture in DevUI, and migrates a2a-sdk to version 1.0.
Why it matters: Operators must update skill directories and manifest formats per the agentskills.io spec before upgrading; otherwise applications may fail to load skills. The tighter DevUI security settings require reviewing existing integrations for CORS compliance prior to deployment of python-1.4.0.
Summary
AI summary[BREAKING] Align file skill folder discovery, extract spec metadata into SkillFrontmatter, tighten default access controls and CORS posture, migrate a2a-sdk to v1.0.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | Medium |
Reject path-traversal context IDs in checkpoint storage of foundry-hosting Reject path-traversal context IDs in checkpoint storage of foundry-hosting Source: llm_adapter@2026-05-21 Confidence: low |
— |
| Breaking | Medium |
Tighten default access controls and CORS posture in agent-framework-devui Tighten default access controls and CORS posture in agent-framework-devui Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Breaking | Medium |
Align file skill folder discovery with agentskills.io spec in agent-framework-core Align file skill folder discovery with agentskills.io spec in agent-framework-core Source: llm_adapter@2026-05-21 Confidence: low |
— |
| Breaking | Medium |
Extract skill spec metadata into SkillFrontmatter in agent-framework-core Extract skill spec metadata into SkillFrontmatter in agent-framework-core Source: llm_adapter@2026-05-21 Confidence: low |
— |
| Breaking | Medium |
Migrate to a2a-sdk v1.0 in agent-framework-a2a Migrate to a2a-sdk v1.0 in agent-framework-a2a Source: llm_adapter@2026-05-21 Confidence: low |
— |
| Feature | Medium |
Forward MCP tool call metadata in agent-framework-core Forward MCP tool call metadata in agent-framework-core Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Feature | Medium |
Support list[str] arguments for file-based skill scripts in agent-framework-core Support list[str] arguments for file-based skill scripts in agent-framework-core Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Feature | Medium |
Strip server-issued response item IDs under storage in agent-framework-core Strip server-issued response item IDs under storage in agent-framework-core Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Feature | Medium |
Add tool result display channel in agent-framework-ag-ui Add tool result display channel in agent-framework-ag-ui Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Feature | Medium |
Promote DevUI to release candidate stage in agent-framework-devui Promote DevUI to release candidate stage in agent-framework-devui Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Feature | Medium |
Improvements for DevUI in agent-framework-devui Improvements for DevUI in agent-framework-devui Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Bugfix | Medium |
Fix A2A v1.0 non-streaming response and sample runtime issues in agent-framework-a2a Fix A2A v1.0 non-streaming response and sample runtime issues in agent-framework-a2a Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Bugfix | Medium |
Prevent MCP message_handler deadlock on notification reload in agent-framework-core Prevent MCP message_handler deadlock on notification reload in agent-framework-core Source: llm_adapter@2026-05-21 Confidence: high |
— |
Full changelog
[1.4.0] - 2026-05-14
Added
- agent-framework-core: Forward MCP tool call metadata (#5815)
- agent-framework-core: Support
list[str]arguments for file-based skill scripts (#5850) - agent-framework-core: Strip server-issued response item IDs under storage (#5690)
- agent-framework-ag-ui: Add tool result display channel (#5762)
- agent-framework-ag-ui: Promote to release candidate stage (#5844)
- agent-framework-devui: Improvements for DevUI (#5840)
Changed
- agent-framework-core: [BREAKING] — experimental skills API] Align file skill folder discovery with agentskills.io spec (#5807)
- agent-framework-core: [BREAKING] — experimental skills API] Extract skill spec metadata into
SkillFrontmatter(#5775) - agent-framework-devui: [BREAKING] Tighten default access controls and CORS posture (#5740)
- agent-framework-a2a: [BREAKING] Migrate to a2a-sdk v1.0 (#5752)
Fixed
Breaking Changes
- Align file skill folder discovery with agentskills.io spec (BREAKING change).
- Extract skill spec metadata into SkillFrontmatter struct (BREAKING change).
- Tighten default access controls and CORS posture in agent-framework-devui (BREAKING change).
- Migrate a2a-sdk dependency to version 1.0 (BREAKING change).
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
Share this release
About agent-framework
A framework for building, orchestrating and deploying AI agents and multi-agent workflows with support for Python and .NET.
Related context
Related tools
Earlier breaking changes
- vdotnet-1.9.0 Removes [Experimental] tag from .NET Orchestrations, marking them stable.
- vpython-1.7.0 Remove Python-only declarative actions and rename alias kinds to C# canonical names in agent-framework-declarative.
- vpython-1.6.0 Enable instrumentation by default in agent-framework-core and agent-framework-foundry.
- vdotnet-1.6.1 Align file skill folder discovery with agentskills.io spec (Python BREAKING)
- vdotnet-1.6.1 Tighten default access controls and CORS posture in DevUI (Python BREAKING)
Beta — feedback welcome: [email protected]