Back to Gpt Researcher

GPT-Researcher — Issue Backlog & Triage Board

ISSUE_BACKLOG.md

3.6.050.9 KB
Original Source

GPT-Researcher — Issue Backlog & Triage Board

Generated: 2026-06-24 · Open issues: ~146 (was 181) · Workflow: draft-for-approval (nothing posted to GitHub without Assaf's OK)

This file is the shared source of truth. Status column legend: TODODRAFTED (PR/reply ready for review) → POSTEDDONE.

Session log

  • 2026-06-24 — Bucket B DONE. Closed 35 (10 stale-fixed, 5 duplicates, 20 promo/spam; promo locked). Kept open + relabeled: #1076 (good-first-issue, provider PR invite), #1684 (reframed as scraper bug).
  • 2026-06-25 — Bucket A (security) mostly DONE. Threat-model decision: backend is operator-run, no built-in auth by design. Closed 8 auth-cluster issues with that comment (#1695 #1694 #1675 #1794 #1805 #1549 #1693 #1696). Opened PR #1820 (content hardening) → closes #1719 #1659 #1819 #1103 on merge. Remaining: #1692 (reflected XSS, deferred small fix), #1063 (PyMuPDF AGPL → moved to Bucket F decision). Next up: Bucket C (quick-win PRs) or Bucket F decisions.

How we work each session

  1. Pick the next bucket below (start with Cleanup, then Quick-win PRs).
  2. For each issue: Claude reads it + the code, drafts a PR and/or reply.
  3. Assaf approves → Claude posts/pushes → mark status here.

Snapshot

  • 69 bug · 39 feature · 22 promo/spam · 14 security · 13 question · 11 stale · 6 needs-info · 5 duplicate · 2 docs
  • Actions: 59 reply-close · 53 needs-maintainer-decision · 45 fix-PR · 24 reply-needs-info

🔒 BUCKET A — Security (review first; do NOT discuss exploit details in public threads until fixed)

IssueDiffConfAreaSummary / recommendation
#1719trivial0.9docsSecurity Vulnerability Report - Awaiting Acknowledgment — Researcher asks for a private disclosure channel; enable GitHub private vulnerability reporting and add SECURITY.md (none exists today).
#1659trivial0.85scrapersBrotli decompression bomb DoS via scraper (CVE-2025-6176) — pin brotli >= 1.2.0 — Scraper decompresses brotli responses without size limit (CVE-2025-6176); pin brotli>=1.2.0 in dependencies as a quick mitigation.
#1819trivial0.8configDependency hardening: pin minimum safe dependency versions — Low-priority hygiene: pin brotli>=1.2.0 (and similar) to avoid downgrading into known CVEs; small requirements/pyproject change.
#1692small0.8frontendReflected Cross-Site Scripting (XSS) via Task Name in gpt-researcher — User task string is rendered via innerHTML in lightweight frontend, enabling reflected XSS; sanitize/escape log output in frontend scripts.js.
#1794medium0.9scrapers[Security] Unauthenticated Server-Side Request Forgery (SSRF) — Confirmed: source_urls/document_urls from unauthenticated /ws reach scrapers with no URL validation, enabling SSRF to internal hosts/metadata; add scheme allowlist + private-IP/metadata blocklist before session.get.
#1805medium0.85scrapersUnauthenticated arbitrary local PDF file read via source_urls — Related to SSRF #1794: bare local paths ending in .pdf route to PyMuPDFScraper local-file branch enabling arbitrary local PDF read; fix by validating URL scheme/rejecting local paths in the source_urls path.
#1549small0.8websocketGPT-Researcher File Upload Vulnerability Summary — Upload endpoint accepts arbitrary file types with no size/type validation; maintainer noted backend is demo-only, but adding type/size validation in handle_file_upload is a cheap hardening win to decide on.
#1694medium0.9mcpUnauthenticated Remote Code Execution via MCP Command Injection — Unauthenticated /ws endpoint passes user mcp_configs command/args to subprocess spawn (CVSS 10.0 RCE); needs auth gating and/or disabling user-supplied MCP commands — same root cause as #1675.
#1675medium0.85mcpcommand-injection lead to Remote Code Execution — Unauthenticated WebSocket lets user-supplied mcp_configs spawn arbitrary commands (RCE); needs validation/allowlisting or auth gating on MCP configs — duplicate of #1694.
#1693small0.55frontendStored Cross-Site Scripting (XSS) via Unauthenticated Report API — Stored XSS via unauthenticated report API (CVE-2026-5632); body is sparse but credible — needs maintainer to confirm sink and sanitize report rendering/storage.
#1063medium0.7configPossible License Issue (PyMuPDF AGPL-3.0) — PyMuPDF is AGPL-3.0, which conflicts with GPTR's permissive license for SaaS users; maintainer should decide whether to swap to a permissively-licensed PDF parser (e.g. pypdf) or make it optional.
#1103medium0.6frontendSecurity Issue - LLM05 - Insecure output handling (XSS) — Reports containing XSS payloads render unsanitized in the hosted/vanilla frontend; needs markdown sanitization on report rendering (NextJS frontend likely safer). Real concern but scope/owner decision needed.
#1695large0.85websocketMissing Authentication and Unrestricted Access to Critical Functions — All REST/WebSocket endpoints are unauthenticated (CVSS 9.8); design decision needed on whether to add optional auth or document that the server is intended for trusted/local use.
#1696unknown0.4unknownCVE-2026-5633 — Body is just a CVE number with no detail; ask reporter for specifics or cross-link to the related August829 security reports (likely the RCE/auth set).

🧹 BUCKET B — Cleanup closes (promo / duplicate / stale, conf ≥ 0.7) — fast, low-risk

IssueTypeSummary
#1801integration-promoRuntime Open Federation — federate GPT-Researcher, earn USDC — Crypto/USDC federation node promotion (multilingual spam); close as promo.
#1729integration-promoYour MCP server earned an A security grade on Loaditout — Loaditout badge solicitation; close as promotional, no action needed.
#1733integration-promoAdd AgentWeb — free business data API for agents �� AgentWeb product promotion; close as promo.
#1736integration-promoProposal: Enabling agent monetization and commerce via Merxex — Merxex agent-commerce promotion (one of several duplicates); close as promo.
#1744duplicateMerxex Integration: Enabling Agent-to-Agent Commerce — Duplicate Merxex promo (see #1736/#1745/#1747); close.
#1745duplicateProposal: Enabling Agent-to-Agent Commerce via Merxex — Duplicate Merxex promo (verbatim copy of #1736); close.
#1747duplicateStandardizing Agent Commerce: Merxex Integration Proposal — Duplicate Merxex promo; close.
#1789integration-promoIndependent trust comparison data available for GPT Researcher — HVTracker ranking/badge promotion; close as promo.
#1105staleInconsistent required Python versions — pyproject said python >=3.10,<3.12 while README said 3.11+; pyproject.toml now declares python >=3.11 (and requires-python >=3.11), so the inconsistency is resolved.
#1079staleError when trying to submit a form (LLM retry loop returns on first attempt) — Reported that the retry for _ in range(10) loop returned on the first iteration; current llm.py has been rewritten with a proper attempt loop and exception handling, so this is already fixed.
#1131staleLong prompts give FileNotFoundError (filename too long) — Long queries created over-long output filenames on Windows; sanitize_filename in server_utils.py now hashes the task portion (md5[:10]) instead of embedding the full prompt, so this is fixed.
#1415staleSource verification failed: 'PromptFamily' object has no attribute 'curate_soures' — Typo curate_soures vs curate_sources; current code uses the correct spelling everywhere (prompts.py, curator.py), so already fixed—close.
#1808integration-promoIntegration idea: BGPT evidence retrieval tool — BGPT literature-evidence MCP/API promotion; close as promo.
#1254staleParse Dimensions Function Appears to Be Incorrect — parse_dimension converted to int and didn't handle decimals/%; current scraper/utils.py now does int(float(value)) handling decimals. Percent handling still absent but the core bug is fixed; close or label-only.
#1391staleCould not connect to MCP Server via HTTP — MCP server moved to a dedicated repo (assafelovic/gptr-mcp); maintainer already redirected the user—close as moved.
#1279staleAttributeError: 'list' object has no attribute 'split' in deep research (count_words) — count_words crashed on list input when CURATE_SOURCES=true; deep_research.py count_words now handles lists and there's an explicit extend-vs-append fix for curated context. Likely resolved on latest master though one comment (2026-04) reports it on an older pip; verify version and close.
#1398staleDeep Research - Runtime error (temperature None for ChatOpenAI) — Pydantic temperature=None validation error on reasoning models; current base.py has NO_SUPPORT_TEMPERATURE_MODELS handling, so likely already fixed—verify and close.
#1751integration-promoProvider suggestion: SerpBase for lower-cost SERP access — Vendor self-promoting SerpBase as a SERP retriever (with sockpuppet comment); close as promo unless Assaf wants a community PR.
#1098staleo3 / reasoning models reject temperature argument — Requested support for o3/o-series models that don't accept temperature; base.py now has NO_SUPPORT_TEMPERATURE_MODELS handling for o1/o3/o4/gpt-5, so the core ask is implemented (LiteLLM users must match exact model name) and the thread can be closed.
#1232stalegpt-researcher npm package does not support https/wss host — npm package hardcoded ws:// instead of wss:// for https hosts; a contributor commented that http/https support has since been added to the npm package, so verify and close.
#1687integration-promoProposal: Research Agent Discovery Pipeline via WheatCoin Community — Crypto/token discovery-platform promotion; close as out of scope.
#1711integration-promoYour AI agent has a profile on AgentFolio — claim it — Automated AgentFolio/Solana directory-claim promo; close as spam.
#1714integration-promoClarvia AEO Badge — verify gpt-researcher MCP quality score — Clarvia badge/promo outreach; close as out of scope.
#1629integration-promoIntegration Proposal: MoltBridge Trust Layer for Agent-to-Agent Research — Self-promotion of MoltBridge product as an integration; close as not aligned with project scope.
#1685duplicateFeature request: anybrowse MCP integration for Cloudflare-protected scraping — Exact duplicate of #1684 (anybrowse promo); close as duplicate.
#1689integration-promoFeature: AgentID for verifiable researcher agent identity — Self-promotion of AgentID identity layer; close as not aligned with project scope.
#1699integration-promoAI Village: Agent-to-agent collaboration invitation — Automated agent-collaboration outreach with no concrete code ask; close as out of scope.
#1707duplicateSecurity audit findings — tool description injection + missing output sanitization — Duplicate of #1706 (same paid-audit solicitation); close as duplicate/spam.
#1716integration-promoMCP integration: Add Clarvia for tool quality research and discovery — Clarvia MCP-server self-promotion; close as not aligned with project scope.
#1706integration-promoSecurity audit findings — tool description injection + missing output sanitization — Paywalled '$29 audit report' solicitation framed as security findings; close as spam/promo (prompt-injection concerns are generic, not actionable as filed).
#1732integration-promoTrust layer for autonomous research sources? — Thread of competing third-party 'trust score' / smsh / PCH / joy-connect promos; close as spam/promo.
#1796integration-promoFeature: Add persistent behavioral memory via Agent Magnet integration — Agent Magnet / Universal Memory Protocol cross-promo thread; close as promo.
#1684integration-promoFeature request: anybrowse MCP integration for Cloudflare-protected scraping — Promotes anybrowse paid scraper as a fallback; real underlying problem (silent 403 on Cloudflare sites) is valid but the ask is product promo — close or redirect to generic fallback-scraper discussion.
#1704integration-promoIdea: Plasmate for faster, cheaper web content extraction — Promotes Plasmate scraper as a token-reducing extraction option; close or label as optional third-party suggestion.
#1728integration-promoVerifiable research audit trail — signed receipts for agent actions — Promotion of the 'protect-mcp' / veritasacta signed-receipt product framed as a feature; close as out-of-scope promo.
#1702integration-promoAre current benchmarks enough to measure research agents? — Discussion-style promotion of ResearchClawBench benchmark; informational, close or redirect to Discussions.
#1076integration-promoAdd open-source provider AI/ML API — Vendor (aimlapi.com) offering to contribute an AI/ML API provider integration; maintainer green-light decision — likely accept as a community PR given generic provider support.

⚡ BUCKET C — Quick-win fix-PRs (trivial/small, fix-pr, conf ≥ 0.7, non-security)

IssueDiffAreaSummary / recommendation
#1759trivialdocsSECURITY INQUIRY — Request to add SECURITY.md and enable GitHub vuln reporting; add the file (overlaps #1719).
#794trivialllm-providerUnlogged error while using Groq (missing langchain-groq) — Groq import failure is swallowed and shown as a misleading JSON-repair warning; log the real exception in choose_agent/get_llm so missing langchain-groq is actionable.
#1580trivialfrontendCloudflare MITM included in the self-hosted codebase — Static frontend/index.html loads font-awesome and showdown from cdnjs.cloudflare.com CDN (not a MITM, just external CDN deps); vendor these assets locally to remove the external dependency.
#1006smallscrapersPDFs are not always scraped correctly (non-.pdf URLs) — scraper.py picks PyMuPDFScraper only when link.endswith('.pdf') (line 201); SemanticScholar returns PDF links without the extension — detect PDF by content-type/header instead of suffix.
#1787smallllm-providerFeature: JSON constrained output for Deep Research query extraction — Deep Research uses fragile startswith('Query:'/'Learning'/'Question:') parsing (confirmed in deep_research.py) causing 0 queries on some models; switch to JSON-constrained output + json_repair like query_processing.py.
#1306smallllm-provider<think> text gets to the output when using deepseek models with ollama — deepseek-r1 via ollama leaks <think>...</think> reasoning into the final report; strip think tags from LLM responses (same root cause as #1303).
#1457smallscrapersError using SCRAPER=browser (missing overlay.js) — Selenium scraper fails because js/overlay.js isn't shipped in the pip package; add the js data files to package_data/MANIFEST so they install alongside the module.
#1067smallconfigOpenAI API Key required even when .env has DeepSeek settings — Default EMBEDDING is still 'openai:text-embedding-3-small', so OpenAI key is demanded even with DeepSeek LLMs; users must also set EMBEDDING — improve error/docs and validate embedding config (recurring, latest comment 2026-05).
#1263smallretrieversLong queries cause an uncaught Tavily bug (400, max 400 chars) — Tavily rejects queries >400 chars with a 400 error that propagates uncaught; tavily_search.py has no length guard. Fix is to truncate/validate query length before calling the Tavily API.
#1303smallllm-providerBUG: Pydantic error: Input should be a valid string — Thinking models (ollama qwen3/deepseek) wrap query-generation output in <think> tags, breaking json_repair and yielding nested/empty sub_query lists; strip reasoning tags in the generic LLM provider response.
#1367smallconfigLlama.cpp Server: Separate LLM and Embedding Endpoints — Request to point embeddings at a different OpenAI-compatible base URL than the LLM; add OPENAI_EMBEDDING_BASE_URL support (a contributor flagged a PR; issue 1380 has the concrete patch).
#1380smallllm-providerOut Of Memory with deep research + local embedding model — Local embedding model competes with LLM for VRAM; a contributor proposes adding OPENAI_EMBEDDING_BASE_URL to CustomEmbedding so embeddings can be offloaded to a separate endpoint (overlaps 1367).
#1449smallconfigInstall Poetry dependencies will cause incompatible constraints — pyproject.toml has conflicting json-repair constraints between [tool.poetry] and [project] sections causing poetry install to fail; reconcile the dependency versions.
#1520smallfrontendError converting markdown to pdf (pdf_styles.css not found) — PDF export fails with relative path './styles/pdf_styles.css' not found when CWD differs; fix by resolving the CSS path relative to the module/package rather than CWD.
#591smallconfigSupport disabling of API response streaming via config — Streaming is hardcoded in actions.py; add a config flag to disable streaming for LLMs/APIs that mishandle it (still relevant per 2025 GPT-5 streaming comment).
#1051smallwebsocketSend 400/500 error status on Internal Server Error — Server errors leave the UI hanging with no status; add try/catch in the main request/websocket handler and surface errors to the client (raised by collaborator ElishaKay).
#1087smalldocsError When Running Ollama LLM Test Script for GPTR (OLLAMA_BASE_URL KeyError) — Docs Ollama test script passes base_url both as kwarg and via os.environ['OLLAMA_BASE_URL'], causing KeyError / duplicate-arg errors; fix is to align the doc script and base.py to read OLLAMA_BASE_URL from env safely.
#1275smallretrieversNo error handling on empty search results from retriever — When the retriever returns zero results, empty context is streamed to the LLM producing an unhelpful response; add explicit handling/logging and a friendly 'no sources found' message instead of generating a report.
#1325smallfrontend[Feature request] Download markdown and json logs in NextJS backend — Markdown and JSON-log downloads work in the uvicorn frontend but are missing/broken in the NextJS frontend; add the markdown/json export buttons there.
#1332smallconfigDeep Research - Context Trimming Failure — trim_context_to_word_limit got nested lists of dicts instead of strings (introduced by PR #1195); count_words now coerces lists but deep_research still passes nested structures, so flatten all_context before trimming.
#1359smallfrontendIncorrect Placement of Deep Research Option in Frontend Forms — Deep Research appears under the sources form instead of the report-type form; minor frontend reorganization to align with ReportType enum.
#1373smallretrieversKeyError: 'organic' error while calling the execution via Docker Linux — Serper returns an error payload (e.g. 'Query too long. Max 2048 characters') instead of 'organic', causing a KeyError; add graceful handling of Serper error responses.
#1517smallconfigFrontend docker image is ARM64, missing AMD64 — Next.js frontend Docker image is published only for arm64; fix the docker build/publish workflow to do multi-arch (buildx amd64+arm64), possibly removing the primp dep blocker as a collaborator noted.

🛠️ BUCKET D — Larger fix-PRs / medium-large (fix-pr, not quick-win)

IssueDiffAreaSummary / recommendation
#605smallllm-providerCrashes instead of graceful message when no answers found / bad LLM JSON — Detailed report crashes with AttributeError when subtopics LLM JSON parse fails (non-GPT models); wrap get_sub_queries/subtopics parsing to return empty list gracefully.
#1586smallwebsocketWebSocket error, fixable with reload — Starting a new research raises an unhandled WebSocketDisconnect (1005) in handle_websocket_communication, requiring a page reload; handle the disconnect gracefully instead of logging an error/breaking the loop.
#565smallconfigNo references are returned for detailed reports on local data — References for local docs are missing because they derive from visited_urls; reporter proposed tracking sources in ContextCompressor — likely partially addressed already but worth verifying against current source-tracking code.
#766smallconfiggpt-researcher pip package ships messy file structure (backend/, etc.) — The published wheel includes top-level backend/ and other dirs polluting site-packages; tighten packaging (find_packages/include) in setup.py/pyproject — verify against current packaging config.
#1037smallscrapersError parsing dimension value 100%: invalid literal for int() base 10 '100%' — Image/dimension parsing chokes on percentage values like '100%' (int() cast) during image extraction; guard non-numeric width/height in get_relevant_images. Non-fatal but noisy.
#1628smallllm-provideradd support for gemini-3-flash-preview — New Gemini 3 model fails with a content-format mismatch; likely needs litellm/google provider bump and possibly message-format handling.
#1028smallllm-providerMistral embedding bug ("An error occurred with MistralAI: 'data'") — Mistral embeddings raise a KeyError 'data' during context retrieval; likely a response-shape/batching mismatch in the embeddings wrapper — reproduce with Mistral embedding provider and fix parsing.
#1523mediummcpMCP server configs not found when agent asks follow-up questions — MCP configs work for the initial query but are lost (empty mcp_configs) for agent-generated sub-queries and in deep research mode; fix config/researcher-instance propagation to sub-researchers.
#1572mediumreport-generationReport Generator Hallucinates Sources — When context is empty the writer invents fake/homepage URLs; reporter also found writer.py/ReportGenerator don't thread the custom prompt_family and deep-research process_research_results bypasses it, fix prompt_family propagation plus add an empty-context / URL-allowlist guard.
#1605mediumconfigMove Docker image publishing to GHCR only and remove AWS ECR/OIDC dependency — ECR push via OIDC assume-role is failing and blocking image builds; consolidate Docker publishing to GHCR (packages: write) and drop the AWS credential/ECR steps from build.yml/deploy.yml.
#1119mediumreport-generationDetailed Report on local docs: missing/empty references and broken citations — Detailed reports over local docs produce empty reference lists and hallucinated URLs because local documents never get URLs set in visited_urls; fix is to populate document file paths/URLs so add_references works.
#1307mediumfrontendFollow-up questions broken — The NextJS 'ask questions about this report' chat freezes/redirects to homepage instead of running; chat agent wiring in websocket_manager + frontend needs fixing.
#1534mediumdocument-loaderRunning research on local documents doesn't work — Selecting 'My Documents' with DOC_PATH set produces no output; maintainer committed to testing, needs reproduction of the DOC_PATH/local-docs flow in the FastAPI backend and a fix.
#1579mediumdeep-researchDEEP mode does not stop when retrievers cannot obtain context — Deep research loops forever when retrievers return no context (e.g. bad Tavily key / no internet); add an empty-context termination / max-iteration guard in deep_research.
#1602mediumscrapersFireCrawl scraper returns empty content under concurrent requests in deep research — FireCrawl scraper hits API rate limits under deep-research concurrency (~71% empty content) with no retry/backoff; add rate-limit handling/retry-with-backoff or concurrency throttling in the firecrawl scraper.
#1137mediummcpMulti-Agent endless loop / endless failure in json_repair — Multi-agent reviewer loop can spin forever when LLM JSON can't be repaired (often truncated by low SMART_TOKEN_LIMIT); needs a max-retry / hard-failure guard and a shared text->JSON util in multi_agents/agents/utils/llms.py.

❓ BUCKET E — Reply / needs-info (answer the reporter; may close)

IssueTypeAreaSummary
#1696securityunknownCVE-2026-5633 — Body is just a CVE number with no detail; ask reporter for specifics or cross-link to the related August829 security reports (likely the RCE/auth set).
#1288bugllm-providerNeeded workaround for "Error: 429 Resource has been exhausted" — Requested 429 retry-with-backoff in the LLM completion loop is already implemented in current llm.py (try/except + exponential backoff over max_attempts); close as resolved.
#1343questiondocsHow can i use local ollama instead of openAI api? — User asks how to use local Ollama; answered in comments with the OLLAMA_BASE_URL/FAST_LLM/EMBEDDING env config, close pointing to the Ollama docs.
#1712bugwebsocketBug: Missing import os in backend/server/websocket_manager.py causes NameError — Reported NameError from missing import os; current code already imports os (line 1) and a fix PR (#1717) exists — verify and close as resolved.
#1358questionllm-providerNotImplementedError: Provider claude-3-5-sonnet-...does not support chat — User omitted the provider prefix; answer already given in comments (use bedrock:claude-... format) so reply confirming and close.
#1705questionconfigHow was the version 0.14.8 on PyPI published? — Asks why PyPI 0.14.8 didn't match pyproject 0.14.7; repo is now at 0.15.1, so this is a stale release-process question — answer and close.
#578bugscrapersTitle of scraped articles not scraped — Scrapers previously didn't return titles causing hallucinated reference titles; current code extracts title (extract_title) and threads it through scraper.py, so this is fixed — verify and close (PR #1118).
#1386questionconfigDeep research - request too large for gpt-4.1 — 429 TPM rate-limit from OpenAI on gpt-4.1, not a GPTR bug; maintainer already responded recommending o4-mini and tuning deep-research params—close.
#1447questionconfigCustomize the Report prompt — User wants a custom_prompt argument on write_report(); this already exists (write_report(custom_prompt=...)), so reply pointing to it and close.
#1496questionconfigHow/where to set DEEP_RESEARCH_BREADTH so multi-agent uses it — User wants to know where to point a custom config.json / set deep research params; answer is via .env or config_file param (a commenter already confirmed .env works), reply and close.
#1378questionconfigresearcher.write_report() yields incomplete/inconsistent results — Truncated deep-research reports caused by token limits and provider TPM caps; maintainer already advised raising SMART_TOKEN_LIMIT, resolved—reply and close.
#1423bugscrapers'ScrapeResponse' object is not subscriptable - even after updating to latest package — Firecrawl ScrapeResponse accessed with subscript; current firecrawl.py uses attribute access, so likely resolved on master—verify against a fresh release and close (relates to 1404).
#1404bugscrapersSelf hosted firecrawl returning 0 scraped results — Firecrawl response accessed as dict instead of object attributes; current firecrawl.py already uses dot notation (response.metadata/response.markdown), so likely fixed—verify and close (duplicate of 1423).
#1427bugllm-providerchoose_agent failing on OpenAI models that don't support temperature — o3 fails in choose_agent due to unsupported temperature; base.py now maintains NO_SUPPORT_TEMPERATURE_MODELS including o3, so likely fixed—verify choose_agent path and close.
#1047bugretrieversTavily - Too Many Requests (429) -> empty response — Tavily 429 leads to empty report; mostly a free-tier rate-limit/usage issue — reply with retry/backoff guidance and graceful fallback note, close unless we want retry logic in the Tavily retriever.
#1430questionconfigStructured JSON output — User asks how to get schema-constrained JSON output; not currently a first-class feature—answer with custom_prompt/post-processing guidance and close (or label as feature if desired).
#1480bugmcpMCP Integration Not Using Structured Content — Reports MCP integration ignores structured_content; code in gpt_researcher/mcp/research.py already handles structured_content (preferring it over content), so likely already fixed in a later version, verify against reporter's v3.3.3 then close.
#510featurellm-providerHuggingFace Open Source Models Integration — Old request to support HuggingFace LLMs/embeddings; GPTR now supports many providers via generic langchain init, so this is effectively addressed/stale and can be closed pointing to current LLM docs.
#1229questionretrieversFeature request: use official tavily python client (async) — Asks why GPTR uses raw HTTP instead of tavily-python's Async client; maintainer explained intentional choice to keep the pip package light. Answer and close (or label as low-priority enhancement).
#676bugllm-providerERROR: Exception in ASGI application when running with Ollama — Reporter confirmed it works after upgrading the pip package and pulling latest; resolved — close.
#1458questionscrapersCan you have the crawler follow links? — User asks whether the scraper can recursively follow links on parsed pages; it does not, this is a clarifying question to answer and close (research is driven by retriever search results, not link crawling).
#1239needs-infomcpChapters on reports generated by multi-agent systems don't match TOC — Chapter names vs. appended chapter list mismatch when using a local Ollama 32b model; maintainer indicated this is model-quality related (better on OpenAI). Likely a duplicate of the multi-agent formatting issues; close or merge into #1139.
#1259featuremcpFeature Request: Adding Human Feedback to Research Strategy Planning — Wants a human-in-the-loop review/edit step before research strategy is finalized; maintainer notes this already exists for the multi_agents flow via include_human_feedback in task.json. Point user there and close, or keep open for the single-agent flow.
#1331bugscrapersCan't find local pdf documents when using pip package — DOC_PATH local docs work via CLI but 'no documents found' through the pip package; likely missing optional parsing deps or report_source not set to local, needs DEBUG logs to confirm.
#1526bugllm-providerNo embedding data received — User points FAST/SMART/STRATEGIC_LLM at a vLLM gpt-oss endpoint but no EMBEDDING is configured, so embedding calls hit an incompatible endpoint; reply explaining EMBEDDING config requirement and that the chat base_url doesn't serve embeddings.
#1442questionllm-providerCan't use Groq provider — GPTR still demands OPENAI_API_KEY despite Groq config; Groq is supported in base.py but EMBEDDING likely still defaults to OpenAI—needs full config to confirm vs ask reporter.
#717bugmcpPublisher agent 'directory not found' with multi-agent + local docs — multi_agents publisher_agent fails to save report when output dir doesn't exist; likely an mkdir(exist_ok) fix, but reporter never confirmed on latest — ask for repro on current version or close as stale.
#1041bugconfigCannot set custom variables via config.json (TOTAL_WORDS ignored) — User reports config.json passed via config_path is ignored; load_config now reads the JSON file so likely fixed or a key-casing/path issue — verify on current config.py and reply, or fix if keys still not applied.
#1244needs-infollm-providerIssue with Anthropic llm provider (claude-2.1 / opus) — Error in get_llm when configuring anthropic provider with old models (claude-2.1, claude-3-opus); truncated traceback. Anthropic support exists in base.py, so ask for full error and suggest current model names / installing langchain_anthropic.
#1369questionconfigUsing every documents in local mode — Only a fraction of uploaded docs used; likely similarity-threshold/embedding retrieval limiting, needs config guidance (SIMILARITY_THRESHOLD, MAX_SEARCH_RESULTS) or more info.
#1393bugscrapersThe function get_research_sources has garbled characters — Non-ASCII/special characters render as garbled (encoding issue) in research sources; image-only report, needs repro details but likely an encoding fix in source handling.
#1414bugscrapersdocument_urls path inconsistent with get_research_context() reference path — Passed document_urls paths don't match the citation paths generated in research context; image-only report (Chinese), needs repro but plausibly a path-normalization fix.
#1311bugconfigIndexError: list index out of range when running a research — Detailed report on local docs with Gemini/DeepSeek crashes with IndexError in subtopic report generation; likely empty subtopics list, needs repro/logs but a guard in detailed_report is the likely fix.
#1617bugllm-providerLatest version cannot final export report documents — Final export hangs with an error in the embeddings_filter contextual-compression path (embeddings.embed_documents failing); likely an embedding-provider misconfig or langchain_classic compat issue, needs the full traceback/embedding config to pinpoint.
#1330bugfrontendNextJS UI Issues — Multiple NextJS UI console errors on load/preferences page behind a reverse proxy; mix of config (NEXT_PUBLIC_GPTR_API_URL) and possible missing build deps, needs clarification/repro.
#1334bugscrapersMy Documents Mode pulls information from the internet — In Documents-only mode the report includes external web sources/citations; need to verify report_source handling restricts retrieval to local docs, repro details requested.
#1575bugfrontendCan't output PDF and more — PDF button opens a blank page (200 OK) and N8N HTTP requests return temp_id without executing; likely same PDF-export path issue as #1520 plus async task handling, needs more detail/repro.
#1764bugllm-providerResearch gets stuck with no meaningful logs/UI hints — Research hangs intermittently with local SearXNG+Ollama and no timeout/retry feedback; likely missing timeouts on external LLM/search calls — needs repro details and could lead to adding timeout/retry+logging.
#883bugconfigPossible embedding bug (runaway embedding cost, process stuck) — Embeddings appear to loop/explode in cost on large local content; hard to act without repro details (doc size, config) — needs info, possibly related to chunking/max_results.
#1483needs-infowebsocketGPTR Randomly Fails to Generate a Report — Intermittent failure to start research with no reproduction; maintainer already asked for more logs, keep as needs-info or close as stale (no response since Aug 2025).
#1262needs-infounknownFails at fairly straightforward, deterministic search tasks — User expects exhaustive deterministic results (enumerating files across a repo) that GPTR doesn't fully return; this is a general capability expectation. Maintainer already asked for the config/report type; await response or close as out-of-scope.
#1336bugllm-providerNo / Empty Report Generated — Empty report when using Gemini + DuckDuckGo via Docker; maintainer asked for logs/outputs folder contents, blocked on reporter info.
#558featurefrontendChange/Add Code interpreter on user input — Vague request about toggling a 'code interpreter' field in the UI; underspecified and stale (2024), needs clarification or close.
#1357needs-infounknownTypeError: expected string or bytes-like object, got 'NoneType' — Empty body bug report with no repro, version, or stack trace; a second user reports the same but the issue is unactionable without details.
#1619needs-infoconfigYOU ARE STILL INFECTED WITH GPL POISONING — Vague licensing complaint about a GPL dependency with no specifics; ask reporter which dependency/file they mean or close as non-actionable.
#751bugllm-provideropenai BadRequest error — Bare OpenAI BadRequest traceback with no model/config details; stale (2024) and under-specified — needs info or close.

🤔 BUCKET F — Needs maintainer decision (Assaf: yes/no on direction before any work)

IssueTypeDiffAreaSummary
#1549securitysmallwebsocketGPT-Researcher File Upload Vulnerability Summary — Upload endpoint accepts arbitrary file types with no size/type validation; maintainer noted backend is demo-only, but adding type/size validation in handle_file_upload is a cheap hardening win to decide on.
#1694securitymediummcpUnauthenticated Remote Code Execution via MCP Command Injection — Unauthenticated /ws endpoint passes user mcp_configs command/args to subprocess spawn (CVSS 10.0 RCE); needs auth gating and/or disabling user-supplied MCP commands — same root cause as #1675.
#1675securitymediummcpcommand-injection lead to Remote Code Execution — Unauthenticated WebSocket lets user-supplied mcp_configs spawn arbitrary commands (RCE); needs validation/allowlisting or auth gating on MCP configs — duplicate of #1694.
#1693securitysmallfrontendStored Cross-Site Scripting (XSS) via Unauthenticated Report API — Stored XSS via unauthenticated report API (CVE-2026-5632); body is sparse but credible — needs maintainer to confirm sink and sanitize report rendering/storage.
#1063securitymediumconfigPossible License Issue (PyMuPDF AGPL-3.0) — PyMuPDF is AGPL-3.0, which conflicts with GPTR's permissive license for SaaS users; maintainer should decide whether to swap to a permissively-licensed PDF parser (e.g. pypdf) or make it optional.
#1103securitymediumfrontendSecurity Issue - LLM05 - Insecure output handling (XSS) — Reports containing XSS payloads render unsanitized in the hosted/vanilla frontend; needs markdown sanitization on report rendering (NextJS frontend likely safer). Real concern but scope/owner decision needed.
#1695securitylargewebsocketMissing Authentication and Unrestricted Access to Critical Functions — All REST/WebSocket endpoints are unauthenticated (CVSS 9.8); design decision needed on whether to add optional auth or document that the server is intended for trusted/local use.
#1222featuresmallconfigLightweight docker image (without Playwright) — Requests a slim Docker image (~680MB) without Playwright for users relying on external scrapers like Firecrawl; reporter offered a PR, so maintainer just needs to greenlight an additional lite Dockerfile.
#1076integration-promosmallllm-providerAdd open-source provider AI/ML API — Vendor (aimlapi.com) offering to contribute an AI/ML API provider integration; maintainer green-light decision — likely accept as a community PR given generic provider support.
#1582featuresmallscrapersGPL License Alternative PDF Scraper Implementation — Proposes a pdfminer.six (MIT) PDF scraper to avoid PyMuPDF AGPL licensing (re #1571); maintainer to decide whether to swap/offer alternative scraper, code is provided.
#1598questionsmallconfigwhy ECR and not Github Container Registry? — Asks why Docker images depend on AWS ECR rather than a free registry like GHCR; overlaps with #1605, decide on registry strategy (likely move to GHCR).
#1800featuresmallscrapersAdd Obscura as a scraper backend — Plausible community contribution adding an Obscura (Rust headless) scraper backend with a PR ready; Assaf to decide whether to accept the new dependency/backend.
#1591featuresmallconfigOptional CI check for agent behavior? — Contributor offering to add an optional snapshot-based agent-behavior eval CI check; maintainer to decide if wanted and which entrypoint to wire it to.
#1718bugsmallfrontendPDF generation does not work — Frontend PDF export button does nothing; reporter linked PR #1720 with a fix, so review/merge that PR.
#1356docsmediumdocsAPI Reference Docs — User requests comprehensive API/config-reference docs (not just how-to guides); maintainer aware, needs decision on producing a reference section enumerating all config options.
#1300featuremediumconfigReranker models — Support dedicated reranker models (Cohere/AWS) for source curation with the current LLM-prompt ranking as fallback; needs a configurable reranker abstraction.
#1326featuremediumllm-provider[FEATURE REQUEST] Multiple OpenAI base URLs for local hosting — Allow separate OpenAI base URLs per role (fast/smart/strategic/embedding) so e.g. OpenRouter + a local embedding endpoint can coexist; workaround is a LiteLLM proxy.
#1081featuremediumscrapersCloudflare Protection Blocking Crunchbase Results — Scraping Crunchbase via Tavily hits Cloudflare blocks; suggested adding Tavily Extract / headless-browser fallback to bypass anti-bot pages, which is a real but non-trivial scraper enhancement.
#1293featuremediumintegrationFEATURE REQUEST: Build Open-WebUI tool / integration — Build an Open-WebUI tool/integration using the GPTR pip library; a trivial PR (#1241) exists but deep integration (shared knowledgebase embeddings) is undecided.
#1403featuremediumretrieversSpecifying time range for research — Request to expose a time-range filter so searches are constrained to a recency window; needs per-retriever support and an API/config surface decision.
#1468featuremediumconfigConnect with Langfuse (single trace per operation) — Request to wrap a full research run in a single Langfuse trace instead of many; requires adding tracing/observability context propagation, a design decision for the maintainer.
#1321bugmediumfrontendConnection from NextJS Frontend to GPTR Backend — Frontend connects to backend directly from the browser via NEXT_PUBLIC_GPTR_API_URL, forcing backend port exposure; proxying requests through the Next server would avoid exposing port 8000.
#1354featuremediumconfigBetter leverage large context length LLMs — Make hard-coded content-truncation lengths configurable so 1M-token models (Gemini/GPT-4.1) can ingest more content; needs auditing truncation points and exposing config.
#1495bugmediummulti-agentsMulti agents still have redundant content across different sections — Multi-agent reports still repeat content across chapters (regression of #548); needs prompt/orchestration work in multi_agents to dedupe section content.
#1603featuremediumconfigAdd summarization flag to quick_search: search-grounded quick summaries — Feature request for an opt-in aggregated-summary mode on quick_search (single grounded synthesis without full deep_research pipeline); maintainer to decide on API surface.
#563featuremediumscrapersAdd support for GPT to research from images (.png/.jpg/.jpeg) and OCR — Feature request to support image inputs/OCR and embedding scraped images in reports; multiple volunteers but no merged PR — Assaf should decide scope/assignment.
#1030featuremediumllm-providerBest way to impose a global rate limit on LLM interactions — Request for a built-in/configurable global rate limiter to avoid provider 429s; langchain supports InMemoryRateLimiter — maintainer should decide whether to wire it into config.
#1255featuremediumwebsocketValidate followup chat feature for newly-created & saved reports — Follow-up chat on saved reports throws WebSocket close-code 1005; needs a new API endpoint to chat with previously saved reports (referenced PR #1241). Feature work requiring maintainer scoping.
#1282bugmediumretrieversNo subquery generation if tavily api fails — Tavily fails on long (>400 char) queries and subquery generation returns an empty list instead of falling back to other configured retrievers; needs fallback logic across retrievers.
#1581featuremediumconfig[Dependency Review] 2025-12-31 — Automated dependency audit listing pending dependabot PRs, stale deps (langgraph, next, fastapi) and a UV-migration recommendation; maintainer to decide which upgrades/migrations to accept.
#1139bugmediummcpMulti-Agent reviewer following guidelines makes output inconsistent (missing headers/refs) — Multi-agent reports show missing markdown header formatting and inconsistent reference aggregation, largely prompt/model-quality dependent (non-OpenAI models); needs prompt hardening rather than a clear single fix.
#1276bugmediumreport-generationAre there any known issues with the reference section? — References frequently have wrong author/link, duplicate links, or 404s (LLM mismatches source URLs during synthesis); affects multiple users/models. Needs improved citation grounding (map references to actual visited_urls) but root cause is fuzzy.
#1385bugmediumfrontendMarkdown tables wrong format and cause write_md_to_pdf to fail — Gemini-generated markdown tables are malformed and crash PDF/Word export; needs either prompt hardening or defensive table sanitization in the md-to-doc conversion.
#1004bugmediumconfigAgent is not using my documents ('my documents' still web-searches) — Selecting 'my documents' report_source still triggers web search per reporter (Azure config); needs repro on current report_source routing — recurring complaint, worth maintainer triage.
#1271bugmediumllm-providerNever Ending Generation Loop with Ollama and Searxng — With Ollama models the report generation never terminates (repeats 'End of Document'/References endlessly); appears to be a missing stop-token/length guard for non-OpenAI models. Reproducible across many models, but root cause needs investigation.
#1290featurelargefrontendFEATURE REQUEST: Add user login and rights management — Requests multi-user auth/LDAP/rights groups (OpenWebUI-style); large product decision, maintainer leans toward wrapping in OpenWebUI rather than building in-repo.
#1690featurelargeevalsImplement DeepResearchGym-style evaluations — Substantive proposal to replace existing eval modules with DeepResearchGym protocol and research-quality benchmarks; needs maintainer decision on direction.
#1710featuremediumllm-providerAdd codex auth login as alternative instead of api — Requests Codex auth-login (OAuth-style) as an alternative to API keys; one-line request needs maintainer decision and more specification.
#1767bugmediumconfigLanguage not supported well (Vietnamese output stays English) — Report output ignores input language (Vietnamese) and defaults to English; needs language/locale handling in prompts/config.
#1289featurelargeconfigFEATURE REQUEST: Allow user selection of models at query time — Let users pick FAST/SMART/STRATEGIC models per request (via headers) instead of only env vars; product-level direction decision tied to user-management work.
#1291featurelargeconfigFEATURE REQUEST: Keep history / embedding to allow query and report rewriting — Persist per-report embeddings/vector store so saved reports can be re-queried/rewritten; needs persistent vector-store support, a design decision.
#1299featurelargeconfigGraph RAG — Add knowledge-graph / Neo4j vector-store support to extract entities/relationships during research; maintainer green-lit but needs a swappable vector-store provider design.
#1361featurelargeretrieversRetrieval of documents from databases and vectorstores like PostgreSQL/pgvector — Feature request for official SQL/pgvector document retrieval; vector_store integration partly exists but a dedicated pgvector path is a larger design decision.
#1502featurelargefrontendAdd Multi-Agent Functionality to FastAPI Frontend — Request to bring multi-agent workflows (currently only in the Next.js frontend) to the FastAPI/static frontend; large feature requiring maintainer prioritization.
#1114featurelargeconfigProposal: Unified Provider Configuration Management — Proposes type-safe/dataclass-based unified provider (esp. Azure OpenAI) config instead of scattered env vars + JSON; a sizable architectural change requiring maintainer direction.
#1284featurelargewebsocketWebSocket is disconnected, how to retrieve it after the disconnection — Long deep-research runs drop the websocket and the in-progress report is lost; requires backend persistence/reconnect architecture, a larger design decision.
#1292featurelargewebsocketFEATURE REQUEST: Schedule and queue research requests — Add scheduling/queuing/throttling of research jobs for multi-user/self-hosted setups; backend job-queue architecture decision.
#1727featurelargeunknown[Feature Request] Add research quality scoring and source reliability ranking — Large enhancement to score sources and findings (authority, cross-referencing, confidence intervals); needs Assaf's roadmap decision.
#753featurelargellm-providerUsing OpenAI Batch endpoint — Request to integrate OpenAI Batch API for cost savings; architecturally significant (batch is async/offline) — maintainer decision, likely won't-fix given GPTR's interactive flow.
#1050featurelargeretrievers[Feature] Add API tool to agents + vector store for tool retrieval — Proposal to let agents call arbitrary APIs as tools, indexed in a vector store for retrieval; large architectural feature (overlaps with MCP support) — maintainer direction needed.
#1340featurelargeconfigUpload a document and have the LLM parse its format for custom formatting — Feature request to upload a template document, have the model learn its format, and generate output matching that format/length; open-ended product decision.
#1807bugunknownfrontendWebsite is broken (gptr.dev/#features client-side exception) — Marketing site gptr.dev #features crashes with a Next.js client-side exception; lives in a separate website repo, route to whoever owns gptr.dev.
#1419buglargeconfigReports with redundant, disorganized content with mis-matching TOC — Multi-agent report generator consistently yields redundant content, mismatched TOC, and excessive nesting; a structural prompt/orchestration quality issue requiring maintainer direction.