Problem
Cognee currently depends on diskcache>=5.6.3 for the filesystem session cache adapter. GitHub Advisory Database flags DiskCache through 5.6.3 as GHSA-w8v5-vhqr-4h9v because its default serialization can use pickle. There is no patched DiskCache release available as of 2026-06-01, so downstream projects that depend on Cognee receive an unfixable Dependabot alert.
The current FSCacheAdapter stores JSON strings, so Cognee does not need DiskCache's general object serialization surface for this path.
Proposed fix
Replace the filesystem adapter's DiskCache usage with a small JSON-only SQLite-backed store that supports the operations Cognee uses today:
- get, set, delete, clear
- TTL expiration
- transactional writes
- close handling
Then remove diskcache from pyproject.toml and the lockfile.
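A sketch of what such a replacement store can look like, added here as an illustration and not Cognee's own FSCacheAdapter code: a JSON-only SQLite table with get/set/delete/clear, TTL expiry, transactional writes and close handling. The class and method names are assumed; the injectable clock exists only so expiry can be tested deterministically.

```python
import json
import sqlite3
import time
from typing import Any, Callable, Optional

# Illustrative JSON-only SQLite store (assumed names, not Cognee's adapter).
# Values pass through json.dumps/json.loads only, so a tampered cache file can
# at worst raise a JSON decode error; nothing is ever unpickled.
class JsonSqliteCache:
    def __init__(self, path: str = ":memory:", clock: Callable[[], float] = time.time):
        self._clock = clock
        # Default isolation level: `with self._conn:` commits on success, rolls back on error.
        self._conn = sqlite3.connect(path)
        self._conn.execute(
            "CREATE TABLE IF NOT EXISTS cache ("
            "key TEXT PRIMARY KEY, value TEXT NOT NULL, expires_at REAL)"
        )

    def set(self, key: str, value: Any, ttl: Optional[float] = None) -> None:
        payload = json.dumps(value)  # TypeError for non-JSON values; no pickle fallback
        expires_at = self._clock() + ttl if ttl is not None else None
        with self._conn:  # transactional write
            self._conn.execute(
                "INSERT OR REPLACE INTO cache (key, value, expires_at) VALUES (?, ?, ?)",
                (key, payload, expires_at),
            )

    def get(self, key: str, default: Any = None) -> Any:
        row = self._conn.execute(
            "SELECT value, expires_at FROM cache WHERE key = ?", (key,)
        ).fetchone()
        if row is None:
            return default
        value, expires_at = row
        if expires_at is not None and expires_at <= self._clock():
            self.delete(key)  # lazy TTL expiry: drop the stale row on read
            return default
        return json.loads(value)

    def delete(self, key: str) -> bool:
        with self._conn:
            cur = self._conn.execute("DELETE FROM cache WHERE key = ?", (key,))
        return cur.rowcount > 0

    def clear(self) -> None:
        with self._conn:
            self._conn.execute("DELETE FROM cache")

    def close(self) -> None:
        self._conn.close()  # later calls raise sqlite3.ProgrammingError
```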
Impact
This should remove the vulnerable runtime dependency for downstream consumers without changing the public session cache API.
Verification target
Run the filesystem cache adapter unit tests and the relevant lint check after the dependency removal.