ISSUE_BACKLOG.md
Generated: 2026-06-24 · Open issues: ~146 (was 181) · Workflow: draft-for-approval (nothing posted to GitHub without Assaf's OK)
This file is the shared source of truth. Status column legend: TODO → DRAFTED (PR/reply ready for review) → POSTED → DONE.
| Issue | Diff | Conf | Area | Summary / recommendation |
|---|---|---|---|---|
| #1719 | trivial | 0.9 | docs | Security Vulnerability Report - Awaiting Acknowledgment — Researcher asks for a private disclosure channel; enable GitHub private vulnerability reporting and add SECURITY.md (none exists today). |
| #1659 | trivial | 0.85 | scrapers | Brotli decompression bomb DoS via scraper (CVE-2025-6176) — pin brotli >= 1.2.0 — Scraper decompresses brotli responses without size limit (CVE-2025-6176); pin brotli>=1.2.0 in dependencies as a quick mitigation. |
| #1819 | trivial | 0.8 | config | Dependency hardening: pin minimum safe dependency versions — Low-priority hygiene: pin brotli>=1.2.0 (and similar) to avoid downgrading into known CVEs; small requirements/pyproject change. |
| #1692 | small | 0.8 | frontend | Reflected Cross-Site Scripting (XSS) via Task Name in gpt-researcher — User task string is rendered via innerHTML in lightweight frontend, enabling reflected XSS; sanitize/escape log output in frontend scripts.js. |
| #1794 | medium | 0.9 | scrapers | [Security] Unauthenticated Server-Side Request Forgery (SSRF) — Confirmed: source_urls/document_urls from unauthenticated /ws reach scrapers with no URL validation, enabling SSRF to internal hosts/metadata; add scheme allowlist + private-IP/metadata blocklist before session.get. |
| #1805 | medium | 0.85 | scrapers | Unauthenticated arbitrary local PDF file read via source_urls — Related to SSRF #1794: bare local paths ending in .pdf route to PyMuPDFScraper local-file branch enabling arbitrary local PDF read; fix by validating URL scheme/rejecting local paths in the source_urls path. |
| #1549 | small | 0.8 | websocket | GPT-Researcher File Upload Vulnerability Summary — Upload endpoint accepts arbitrary file types with no size/type validation; maintainer noted backend is demo-only, but adding type/size validation in handle_file_upload is a cheap hardening win to decide on. |
| #1694 | medium | 0.9 | mcp | Unauthenticated Remote Code Execution via MCP Command Injection — Unauthenticated /ws endpoint passes user mcp_configs command/args to subprocess spawn (CVSS 10.0 RCE); needs auth gating and/or disabling user-supplied MCP commands — same root cause as #1675. |
| #1675 | medium | 0.85 | mcp | command-injection lead to Remote Code Execution — Unauthenticated WebSocket lets user-supplied mcp_configs spawn arbitrary commands (RCE); needs validation/allowlisting or auth gating on MCP configs — duplicate of #1694. |
| #1693 | small | 0.55 | frontend | Stored Cross-Site Scripting (XSS) via Unauthenticated Report API — Stored XSS via unauthenticated report API (CVE-2026-5632); body is sparse but credible — needs maintainer to confirm sink and sanitize report rendering/storage. |
| #1063 | medium | 0.7 | config | Possible License Issue (PyMuPDF AGPL-3.0) — PyMuPDF is AGPL-3.0, which conflicts with GPTR's permissive license for SaaS users; maintainer should decide whether to swap to a permissively-licensed PDF parser (e.g. pypdf) or make it optional. |
| #1103 | medium | 0.6 | frontend | Security Issue - LLM05 - Insecure output handling (XSS) — Reports containing XSS payloads render unsanitized in the hosted/vanilla frontend; needs markdown sanitization on report rendering (NextJS frontend likely safer). Real concern but scope/owner decision needed. |
| #1695 | large | 0.85 | websocket | Missing Authentication and Unrestricted Access to Critical Functions — All REST/WebSocket endpoints are unauthenticated (CVSS 9.8); design decision needed on whether to add optional auth or document that the server is intended for trusted/local use. |
| #1696 | unknown | 0.4 | unknown | CVE-2026-5633 — Body is just a CVE number with no detail; ask reporter for specifics or cross-link to the related August829 security reports (likely the RCE/auth set). |
| Issue | Type | Summary |
|---|---|---|
| #1801 | integration-promo | Runtime Open Federation — federate GPT-Researcher, earn USDC — Crypto/USDC federation node promotion (multilingual spam); close as promo. |
| #1729 | integration-promo | Your MCP server earned an A security grade on Loaditout — Loaditout badge solicitation; close as promotional, no action needed. |
| #1733 | integration-promo | Add AgentWeb — free business data API for agents �� AgentWeb product promotion; close as promo. |
| #1736 | integration-promo | Proposal: Enabling agent monetization and commerce via Merxex — Merxex agent-commerce promotion (one of several duplicates); close as promo. |
| #1744 | duplicate | Merxex Integration: Enabling Agent-to-Agent Commerce — Duplicate Merxex promo (see #1736/#1745/#1747); close. |
| #1745 | duplicate | Proposal: Enabling Agent-to-Agent Commerce via Merxex — Duplicate Merxex promo (verbatim copy of #1736); close. |
| #1747 | duplicate | Standardizing Agent Commerce: Merxex Integration Proposal — Duplicate Merxex promo; close. |
| #1789 | integration-promo | Independent trust comparison data available for GPT Researcher — HVTracker ranking/badge promotion; close as promo. |
| #1105 | stale | Inconsistent required Python versions — pyproject said python >=3.10,<3.12 while README said 3.11+; pyproject.toml now declares python >=3.11 (and requires-python >=3.11), so the inconsistency is resolved. |
| #1079 | stale | Error when trying to submit a form (LLM retry loop returns on first attempt) — Reported that the retry for _ in range(10) loop returned on the first iteration; current llm.py has been rewritten with a proper attempt loop and exception handling, so this is already fixed. |
| #1131 | stale | Long prompts give FileNotFoundError (filename too long) — Long queries created over-long output filenames on Windows; sanitize_filename in server_utils.py now hashes the task portion (md5[:10]) instead of embedding the full prompt, so this is fixed. |
| #1415 | stale | Source verification failed: 'PromptFamily' object has no attribute 'curate_soures' — Typo curate_soures vs curate_sources; current code uses the correct spelling everywhere (prompts.py, curator.py), so already fixed—close. |
| #1808 | integration-promo | Integration idea: BGPT evidence retrieval tool — BGPT literature-evidence MCP/API promotion; close as promo. |
| #1254 | stale | Parse Dimensions Function Appears to Be Incorrect — parse_dimension converted to int and didn't handle decimals/%; current scraper/utils.py now does int(float(value)) handling decimals. Percent handling still absent but the core bug is fixed; close or label-only. |
| #1391 | stale | Could not connect to MCP Server via HTTP — MCP server moved to a dedicated repo (assafelovic/gptr-mcp); maintainer already redirected the user—close as moved. |
| #1279 | stale | AttributeError: 'list' object has no attribute 'split' in deep research (count_words) — count_words crashed on list input when CURATE_SOURCES=true; deep_research.py count_words now handles lists and there's an explicit extend-vs-append fix for curated context. Likely resolved on latest master though one comment (2026-04) reports it on an older pip; verify version and close. |
| #1398 | stale | Deep Research - Runtime error (temperature None for ChatOpenAI) — Pydantic temperature=None validation error on reasoning models; current base.py has NO_SUPPORT_TEMPERATURE_MODELS handling, so likely already fixed—verify and close. |
| #1751 | integration-promo | Provider suggestion: SerpBase for lower-cost SERP access — Vendor self-promoting SerpBase as a SERP retriever (with sockpuppet comment); close as promo unless Assaf wants a community PR. |
| #1098 | stale | o3 / reasoning models reject temperature argument — Requested support for o3/o-series models that don't accept temperature; base.py now has NO_SUPPORT_TEMPERATURE_MODELS handling for o1/o3/o4/gpt-5, so the core ask is implemented (LiteLLM users must match exact model name) and the thread can be closed. |
| #1232 | stale | gpt-researcher npm package does not support https/wss host — npm package hardcoded ws:// instead of wss:// for https hosts; a contributor commented that http/https support has since been added to the npm package, so verify and close. |
| #1687 | integration-promo | Proposal: Research Agent Discovery Pipeline via WheatCoin Community — Crypto/token discovery-platform promotion; close as out of scope. |
| #1711 | integration-promo | Your AI agent has a profile on AgentFolio — claim it — Automated AgentFolio/Solana directory-claim promo; close as spam. |
| #1714 | integration-promo | Clarvia AEO Badge — verify gpt-researcher MCP quality score — Clarvia badge/promo outreach; close as out of scope. |
| #1629 | integration-promo | Integration Proposal: MoltBridge Trust Layer for Agent-to-Agent Research — Self-promotion of MoltBridge product as an integration; close as not aligned with project scope. |
| #1685 | duplicate | Feature request: anybrowse MCP integration for Cloudflare-protected scraping — Exact duplicate of #1684 (anybrowse promo); close as duplicate. |
| #1689 | integration-promo | Feature: AgentID for verifiable researcher agent identity — Self-promotion of AgentID identity layer; close as not aligned with project scope. |
| #1699 | integration-promo | AI Village: Agent-to-agent collaboration invitation — Automated agent-collaboration outreach with no concrete code ask; close as out of scope. |
| #1707 | duplicate | Security audit findings — tool description injection + missing output sanitization — Duplicate of #1706 (same paid-audit solicitation); close as duplicate/spam. |
| #1716 | integration-promo | MCP integration: Add Clarvia for tool quality research and discovery — Clarvia MCP-server self-promotion; close as not aligned with project scope. |
| #1706 | integration-promo | Security audit findings — tool description injection + missing output sanitization — Paywalled '$29 audit report' solicitation framed as security findings; close as spam/promo (prompt-injection concerns are generic, not actionable as filed). |
| #1732 | integration-promo | Trust layer for autonomous research sources? — Thread of competing third-party 'trust score' / smsh / PCH / joy-connect promos; close as spam/promo. |
| #1796 | integration-promo | Feature: Add persistent behavioral memory via Agent Magnet integration — Agent Magnet / Universal Memory Protocol cross-promo thread; close as promo. |
| #1684 | integration-promo | Feature request: anybrowse MCP integration for Cloudflare-protected scraping — Promotes anybrowse paid scraper as a fallback; real underlying problem (silent 403 on Cloudflare sites) is valid but the ask is product promo — close or redirect to generic fallback-scraper discussion. |
| #1704 | integration-promo | Idea: Plasmate for faster, cheaper web content extraction — Promotes Plasmate scraper as a token-reducing extraction option; close or label as optional third-party suggestion. |
| #1728 | integration-promo | Verifiable research audit trail — signed receipts for agent actions — Promotion of the 'protect-mcp' / veritasacta signed-receipt product framed as a feature; close as out-of-scope promo. |
| #1702 | integration-promo | Are current benchmarks enough to measure research agents? — Discussion-style promotion of ResearchClawBench benchmark; informational, close or redirect to Discussions. |
| #1076 | integration-promo | Add open-source provider AI/ML API — Vendor (aimlapi.com) offering to contribute an AI/ML API provider integration; maintainer green-light decision — likely accept as a community PR given generic provider support. |
| Issue | Diff | Area | Summary / recommendation |
|---|---|---|---|
| #1759 | trivial | docs | SECURITY INQUIRY — Request to add SECURITY.md and enable GitHub vuln reporting; add the file (overlaps #1719). |
| #794 | trivial | llm-provider | Unlogged error while using Groq (missing langchain-groq) — Groq import failure is swallowed and shown as a misleading JSON-repair warning; log the real exception in choose_agent/get_llm so missing langchain-groq is actionable. |
| #1580 | trivial | frontend | Cloudflare MITM included in the self-hosted codebase — Static frontend/index.html loads font-awesome and showdown from cdnjs.cloudflare.com CDN (not a MITM, just external CDN deps); vendor these assets locally to remove the external dependency. |
| #1006 | small | scrapers | PDFs are not always scraped correctly (non-.pdf URLs) — scraper.py picks PyMuPDFScraper only when link.endswith('.pdf') (line 201); SemanticScholar returns PDF links without the extension — detect PDF by content-type/header instead of suffix. |
| #1787 | small | llm-provider | Feature: JSON constrained output for Deep Research query extraction — Deep Research uses fragile startswith('Query:'/'Learning'/'Question:') parsing (confirmed in deep_research.py) causing 0 queries on some models; switch to JSON-constrained output + json_repair like query_processing.py. |
| #1306 | small | llm-provider | <think> text gets to the output when using deepseek models with ollama — deepseek-r1 via ollama leaks <think>...</think> reasoning into the final report; strip think tags from LLM responses (same root cause as #1303). |
| #1457 | small | scrapers | Error using SCRAPER=browser (missing overlay.js) — Selenium scraper fails because js/overlay.js isn't shipped in the pip package; add the js data files to package_data/MANIFEST so they install alongside the module. |
| #1067 | small | config | OpenAI API Key required even when .env has DeepSeek settings — Default EMBEDDING is still 'openai:text-embedding-3-small', so OpenAI key is demanded even with DeepSeek LLMs; users must also set EMBEDDING — improve error/docs and validate embedding config (recurring, latest comment 2026-05). |
| #1263 | small | retrievers | Long queries cause an uncaught Tavily bug (400, max 400 chars) — Tavily rejects queries >400 chars with a 400 error that propagates uncaught; tavily_search.py has no length guard. Fix is to truncate/validate query length before calling the Tavily API. |
| #1303 | small | llm-provider | BUG: Pydantic error: Input should be a valid string — Thinking models (ollama qwen3/deepseek) wrap query-generation output in <think> tags, breaking json_repair and yielding nested/empty sub_query lists; strip reasoning tags in the generic LLM provider response. |
| #1367 | small | config | Llama.cpp Server: Separate LLM and Embedding Endpoints — Request to point embeddings at a different OpenAI-compatible base URL than the LLM; add OPENAI_EMBEDDING_BASE_URL support (a contributor flagged a PR; issue 1380 has the concrete patch). |
| #1380 | small | llm-provider | Out Of Memory with deep research + local embedding model — Local embedding model competes with LLM for VRAM; a contributor proposes adding OPENAI_EMBEDDING_BASE_URL to CustomEmbedding so embeddings can be offloaded to a separate endpoint (overlaps 1367). |
| #1449 | small | config | Install Poetry dependencies will cause incompatible constraints — pyproject.toml has conflicting json-repair constraints between [tool.poetry] and [project] sections causing poetry install to fail; reconcile the dependency versions. |
| #1520 | small | frontend | Error converting markdown to pdf (pdf_styles.css not found) — PDF export fails with relative path './styles/pdf_styles.css' not found when CWD differs; fix by resolving the CSS path relative to the module/package rather than CWD. |
| #591 | small | config | Support disabling of API response streaming via config — Streaming is hardcoded in actions.py; add a config flag to disable streaming for LLMs/APIs that mishandle it (still relevant per 2025 GPT-5 streaming comment). |
| #1051 | small | websocket | Send 400/500 error status on Internal Server Error — Server errors leave the UI hanging with no status; add try/catch in the main request/websocket handler and surface errors to the client (raised by collaborator ElishaKay). |
| #1087 | small | docs | Error When Running Ollama LLM Test Script for GPTR (OLLAMA_BASE_URL KeyError) — Docs Ollama test script passes base_url both as kwarg and via os.environ['OLLAMA_BASE_URL'], causing KeyError / duplicate-arg errors; fix is to align the doc script and base.py to read OLLAMA_BASE_URL from env safely. |
| #1275 | small | retrievers | No error handling on empty search results from retriever — When the retriever returns zero results, empty context is streamed to the LLM producing an unhelpful response; add explicit handling/logging and a friendly 'no sources found' message instead of generating a report. |
| #1325 | small | frontend | [Feature request] Download markdown and json logs in NextJS backend — Markdown and JSON-log downloads work in the uvicorn frontend but are missing/broken in the NextJS frontend; add the markdown/json export buttons there. |
| #1332 | small | config | Deep Research - Context Trimming Failure — trim_context_to_word_limit got nested lists of dicts instead of strings (introduced by PR #1195); count_words now coerces lists but deep_research still passes nested structures, so flatten all_context before trimming. |
| #1359 | small | frontend | Incorrect Placement of Deep Research Option in Frontend Forms — Deep Research appears under the sources form instead of the report-type form; minor frontend reorganization to align with ReportType enum. |
| #1373 | small | retrievers | KeyError: 'organic' error while calling the execution via Docker Linux — Serper returns an error payload (e.g. 'Query too long. Max 2048 characters') instead of 'organic', causing a KeyError; add graceful handling of Serper error responses. |
| #1517 | small | config | Frontend docker image is ARM64, missing AMD64 — Next.js frontend Docker image is published only for arm64; fix the docker build/publish workflow to do multi-arch (buildx amd64+arm64), possibly removing the primp dep blocker as a collaborator noted. |
| Issue | Diff | Area | Summary / recommendation |
|---|---|---|---|
| #605 | small | llm-provider | Crashes instead of graceful message when no answers found / bad LLM JSON — Detailed report crashes with AttributeError when subtopics LLM JSON parse fails (non-GPT models); wrap get_sub_queries/subtopics parsing to return empty list gracefully. |
| #1586 | small | websocket | WebSocket error, fixable with reload — Starting a new research raises an unhandled WebSocketDisconnect (1005) in handle_websocket_communication, requiring a page reload; handle the disconnect gracefully instead of logging an error/breaking the loop. |
| #565 | small | config | No references are returned for detailed reports on local data — References for local docs are missing because they derive from visited_urls; reporter proposed tracking sources in ContextCompressor — likely partially addressed already but worth verifying against current source-tracking code. |
| #766 | small | config | gpt-researcher pip package ships messy file structure (backend/, etc.) — The published wheel includes top-level backend/ and other dirs polluting site-packages; tighten packaging (find_packages/include) in setup.py/pyproject — verify against current packaging config. |
| #1037 | small | scrapers | Error parsing dimension value 100%: invalid literal for int() base 10 '100%' — Image/dimension parsing chokes on percentage values like '100%' (int() cast) during image extraction; guard non-numeric width/height in get_relevant_images. Non-fatal but noisy. |
| #1628 | small | llm-provider | add support for gemini-3-flash-preview — New Gemini 3 model fails with a content-format mismatch; likely needs litellm/google provider bump and possibly message-format handling. |
| #1028 | small | llm-provider | Mistral embedding bug ("An error occurred with MistralAI: 'data'") — Mistral embeddings raise a KeyError 'data' during context retrieval; likely a response-shape/batching mismatch in the embeddings wrapper — reproduce with Mistral embedding provider and fix parsing. |
| #1523 | medium | mcp | MCP server configs not found when agent asks follow-up questions — MCP configs work for the initial query but are lost (empty mcp_configs) for agent-generated sub-queries and in deep research mode; fix config/researcher-instance propagation to sub-researchers. |
| #1572 | medium | report-generation | Report Generator Hallucinates Sources — When context is empty the writer invents fake/homepage URLs; reporter also found writer.py/ReportGenerator don't thread the custom prompt_family and deep-research process_research_results bypasses it, fix prompt_family propagation plus add an empty-context / URL-allowlist guard. |
| #1605 | medium | config | Move Docker image publishing to GHCR only and remove AWS ECR/OIDC dependency — ECR push via OIDC assume-role is failing and blocking image builds; consolidate Docker publishing to GHCR (packages: write) and drop the AWS credential/ECR steps from build.yml/deploy.yml. |
| #1119 | medium | report-generation | Detailed Report on local docs: missing/empty references and broken citations — Detailed reports over local docs produce empty reference lists and hallucinated URLs because local documents never get URLs set in visited_urls; fix is to populate document file paths/URLs so add_references works. |
| #1307 | medium | frontend | Follow-up questions broken — The NextJS 'ask questions about this report' chat freezes/redirects to homepage instead of running; chat agent wiring in websocket_manager + frontend needs fixing. |
| #1534 | medium | document-loader | Running research on local documents doesn't work — Selecting 'My Documents' with DOC_PATH set produces no output; maintainer committed to testing, needs reproduction of the DOC_PATH/local-docs flow in the FastAPI backend and a fix. |
| #1579 | medium | deep-research | DEEP mode does not stop when retrievers cannot obtain context — Deep research loops forever when retrievers return no context (e.g. bad Tavily key / no internet); add an empty-context termination / max-iteration guard in deep_research. |
| #1602 | medium | scrapers | FireCrawl scraper returns empty content under concurrent requests in deep research — FireCrawl scraper hits API rate limits under deep-research concurrency (~71% empty content) with no retry/backoff; add rate-limit handling/retry-with-backoff or concurrency throttling in the firecrawl scraper. |
| #1137 | medium | mcp | Multi-Agent endless loop / endless failure in json_repair — Multi-agent reviewer loop can spin forever when LLM JSON can't be repaired (often truncated by low SMART_TOKEN_LIMIT); needs a max-retry / hard-failure guard and a shared text->JSON util in multi_agents/agents/utils/llms.py. |
| Issue | Type | Area | Summary |
|---|---|---|---|
| #1696 | security | unknown | CVE-2026-5633 — Body is just a CVE number with no detail; ask reporter for specifics or cross-link to the related August829 security reports (likely the RCE/auth set). |
| #1288 | bug | llm-provider | Needed workaround for "Error: 429 Resource has been exhausted" — Requested 429 retry-with-backoff in the LLM completion loop is already implemented in current llm.py (try/except + exponential backoff over max_attempts); close as resolved. |
| #1343 | question | docs | How can i use local ollama instead of openAI api? — User asks how to use local Ollama; answered in comments with the OLLAMA_BASE_URL/FAST_LLM/EMBEDDING env config, close pointing to the Ollama docs. |
| #1712 | bug | websocket | Bug: Missing import os in backend/server/websocket_manager.py causes NameError — Reported NameError from missing import os; current code already imports os (line 1) and a fix PR (#1717) exists — verify and close as resolved. |
| #1358 | question | llm-provider | NotImplementedError: Provider claude-3-5-sonnet-...does not support chat — User omitted the provider prefix; answer already given in comments (use bedrock:claude-... format) so reply confirming and close. |
| #1705 | question | config | How was the version 0.14.8 on PyPI published? — Asks why PyPI 0.14.8 didn't match pyproject 0.14.7; repo is now at 0.15.1, so this is a stale release-process question — answer and close. |
| #578 | bug | scrapers | Title of scraped articles not scraped — Scrapers previously didn't return titles causing hallucinated reference titles; current code extracts title (extract_title) and threads it through scraper.py, so this is fixed — verify and close (PR #1118). |
| #1386 | question | config | Deep research - request too large for gpt-4.1 — 429 TPM rate-limit from OpenAI on gpt-4.1, not a GPTR bug; maintainer already responded recommending o4-mini and tuning deep-research params—close. |
| #1447 | question | config | Customize the Report prompt — User wants a custom_prompt argument on write_report(); this already exists (write_report(custom_prompt=...)), so reply pointing to it and close. |
| #1496 | question | config | How/where to set DEEP_RESEARCH_BREADTH so multi-agent uses it — User wants to know where to point a custom config.json / set deep research params; answer is via .env or config_file param (a commenter already confirmed .env works), reply and close. |
| #1378 | question | config | researcher.write_report() yields incomplete/inconsistent results — Truncated deep-research reports caused by token limits and provider TPM caps; maintainer already advised raising SMART_TOKEN_LIMIT, resolved—reply and close. |
| #1423 | bug | scrapers | 'ScrapeResponse' object is not subscriptable - even after updating to latest package — Firecrawl ScrapeResponse accessed with subscript; current firecrawl.py uses attribute access, so likely resolved on master—verify against a fresh release and close (relates to 1404). |
| #1404 | bug | scrapers | Self hosted firecrawl returning 0 scraped results — Firecrawl response accessed as dict instead of object attributes; current firecrawl.py already uses dot notation (response.metadata/response.markdown), so likely fixed—verify and close (duplicate of 1423). |
| #1427 | bug | llm-provider | choose_agent failing on OpenAI models that don't support temperature — o3 fails in choose_agent due to unsupported temperature; base.py now maintains NO_SUPPORT_TEMPERATURE_MODELS including o3, so likely fixed—verify choose_agent path and close. |
| #1047 | bug | retrievers | Tavily - Too Many Requests (429) -> empty response — Tavily 429 leads to empty report; mostly a free-tier rate-limit/usage issue — reply with retry/backoff guidance and graceful fallback note, close unless we want retry logic in the Tavily retriever. |
| #1430 | question | config | Structured JSON output — User asks how to get schema-constrained JSON output; not currently a first-class feature—answer with custom_prompt/post-processing guidance and close (or label as feature if desired). |
| #1480 | bug | mcp | MCP Integration Not Using Structured Content — Reports MCP integration ignores structured_content; code in gpt_researcher/mcp/research.py already handles structured_content (preferring it over content), so likely already fixed in a later version, verify against reporter's v3.3.3 then close. |
| #510 | feature | llm-provider | HuggingFace Open Source Models Integration — Old request to support HuggingFace LLMs/embeddings; GPTR now supports many providers via generic langchain init, so this is effectively addressed/stale and can be closed pointing to current LLM docs. |
| #1229 | question | retrievers | Feature request: use official tavily python client (async) — Asks why GPTR uses raw HTTP instead of tavily-python's Async client; maintainer explained intentional choice to keep the pip package light. Answer and close (or label as low-priority enhancement). |
| #676 | bug | llm-provider | ERROR: Exception in ASGI application when running with Ollama — Reporter confirmed it works after upgrading the pip package and pulling latest; resolved — close. |
| #1458 | question | scrapers | Can you have the crawler follow links? — User asks whether the scraper can recursively follow links on parsed pages; it does not, this is a clarifying question to answer and close (research is driven by retriever search results, not link crawling). |
| #1239 | needs-info | mcp | Chapters on reports generated by multi-agent systems don't match TOC — Chapter names vs. appended chapter list mismatch when using a local Ollama 32b model; maintainer indicated this is model-quality related (better on OpenAI). Likely a duplicate of the multi-agent formatting issues; close or merge into #1139. |
| #1259 | feature | mcp | Feature Request: Adding Human Feedback to Research Strategy Planning — Wants a human-in-the-loop review/edit step before research strategy is finalized; maintainer notes this already exists for the multi_agents flow via include_human_feedback in task.json. Point user there and close, or keep open for the single-agent flow. |
| #1331 | bug | scrapers | Can't find local pdf documents when using pip package — DOC_PATH local docs work via CLI but 'no documents found' through the pip package; likely missing optional parsing deps or report_source not set to local, needs DEBUG logs to confirm. |
| #1526 | bug | llm-provider | No embedding data received — User points FAST/SMART/STRATEGIC_LLM at a vLLM gpt-oss endpoint but no EMBEDDING is configured, so embedding calls hit an incompatible endpoint; reply explaining EMBEDDING config requirement and that the chat base_url doesn't serve embeddings. |
| #1442 | question | llm-provider | Can't use Groq provider — GPTR still demands OPENAI_API_KEY despite Groq config; Groq is supported in base.py but EMBEDDING likely still defaults to OpenAI—needs full config to confirm vs ask reporter. |
| #717 | bug | mcp | Publisher agent 'directory not found' with multi-agent + local docs — multi_agents publisher_agent fails to save report when output dir doesn't exist; likely an mkdir(exist_ok) fix, but reporter never confirmed on latest — ask for repro on current version or close as stale. |
| #1041 | bug | config | Cannot set custom variables via config.json (TOTAL_WORDS ignored) — User reports config.json passed via config_path is ignored; load_config now reads the JSON file so likely fixed or a key-casing/path issue — verify on current config.py and reply, or fix if keys still not applied. |
| #1244 | needs-info | llm-provider | Issue with Anthropic llm provider (claude-2.1 / opus) — Error in get_llm when configuring anthropic provider with old models (claude-2.1, claude-3-opus); truncated traceback. Anthropic support exists in base.py, so ask for full error and suggest current model names / installing langchain_anthropic. |
| #1369 | question | config | Using every documents in local mode — Only a fraction of uploaded docs used; likely similarity-threshold/embedding retrieval limiting, needs config guidance (SIMILARITY_THRESHOLD, MAX_SEARCH_RESULTS) or more info. |
| #1393 | bug | scrapers | The function get_research_sources has garbled characters — Non-ASCII/special characters render as garbled (encoding issue) in research sources; image-only report, needs repro details but likely an encoding fix in source handling. |
| #1414 | bug | scrapers | document_urls path inconsistent with get_research_context() reference path — Passed document_urls paths don't match the citation paths generated in research context; image-only report (Chinese), needs repro but plausibly a path-normalization fix. |
| #1311 | bug | config | IndexError: list index out of range when running a research — Detailed report on local docs with Gemini/DeepSeek crashes with IndexError in subtopic report generation; likely empty subtopics list, needs repro/logs but a guard in detailed_report is the likely fix. |
| #1617 | bug | llm-provider | Latest version cannot final export report documents — Final export hangs with an error in the embeddings_filter contextual-compression path (embeddings.embed_documents failing); likely an embedding-provider misconfig or langchain_classic compat issue, needs the full traceback/embedding config to pinpoint. |
| #1330 | bug | frontend | NextJS UI Issues — Multiple NextJS UI console errors on load/preferences page behind a reverse proxy; mix of config (NEXT_PUBLIC_GPTR_API_URL) and possible missing build deps, needs clarification/repro. |
| #1334 | bug | scrapers | My Documents Mode pulls information from the internet — In Documents-only mode the report includes external web sources/citations; need to verify report_source handling restricts retrieval to local docs, repro details requested. |
| #1575 | bug | frontend | Can't output PDF and more — PDF button opens a blank page (200 OK) and N8N HTTP requests return temp_id without executing; likely same PDF-export path issue as #1520 plus async task handling, needs more detail/repro. |
| #1764 | bug | llm-provider | Research gets stuck with no meaningful logs/UI hints — Research hangs intermittently with local SearXNG+Ollama and no timeout/retry feedback; likely missing timeouts on external LLM/search calls — needs repro details and could lead to adding timeout/retry+logging. |
| #883 | bug | config | Possible embedding bug (runaway embedding cost, process stuck) — Embeddings appear to loop/explode in cost on large local content; hard to act without repro details (doc size, config) — needs info, possibly related to chunking/max_results. |
| #1483 | needs-info | websocket | GPTR Randomly Fails to Generate a Report — Intermittent failure to start research with no reproduction; maintainer already asked for more logs, keep as needs-info or close as stale (no response since Aug 2025). |
| #1262 | needs-info | unknown | Fails at fairly straightforward, deterministic search tasks — User expects exhaustive deterministic results (enumerating files across a repo) that GPTR doesn't fully return; this is a general capability expectation. Maintainer already asked for the config/report type; await response or close as out-of-scope. |
| #1336 | bug | llm-provider | No / Empty Report Generated — Empty report when using Gemini + DuckDuckGo via Docker; maintainer asked for logs/outputs folder contents, blocked on reporter info. |
| #558 | feature | frontend | Change/Add Code interpreter on user input — Vague request about toggling a 'code interpreter' field in the UI; underspecified and stale (2024), needs clarification or close. |
| #1357 | needs-info | unknown | TypeError: expected string or bytes-like object, got 'NoneType' — Empty body bug report with no repro, version, or stack trace; a second user reports the same but the issue is unactionable without details. |
| #1619 | needs-info | config | YOU ARE STILL INFECTED WITH GPL POISONING — Vague licensing complaint about a GPL dependency with no specifics; ask reporter which dependency/file they mean or close as non-actionable. |
| #751 | bug | llm-provider | openai BadRequest error — Bare OpenAI BadRequest traceback with no model/config details; stale (2024) and under-specified — needs info or close. |
| Issue | Type | Diff | Area | Summary |
|---|---|---|---|---|
| #1549 | security | small | websocket | GPT-Researcher File Upload Vulnerability Summary — Upload endpoint accepts arbitrary file types with no size/type validation; maintainer noted backend is demo-only, but adding type/size validation in handle_file_upload is a cheap hardening win to decide on. |
| #1694 | security | medium | mcp | Unauthenticated Remote Code Execution via MCP Command Injection — Unauthenticated /ws endpoint passes user mcp_configs command/args to subprocess spawn (CVSS 10.0 RCE); needs auth gating and/or disabling user-supplied MCP commands — same root cause as #1675. |
| #1675 | security | medium | mcp | command-injection lead to Remote Code Execution — Unauthenticated WebSocket lets user-supplied mcp_configs spawn arbitrary commands (RCE); needs validation/allowlisting or auth gating on MCP configs — duplicate of #1694. |
| #1693 | security | small | frontend | Stored Cross-Site Scripting (XSS) via Unauthenticated Report API — Stored XSS via unauthenticated report API (CVE-2026-5632); body is sparse but credible — needs maintainer to confirm sink and sanitize report rendering/storage. |
| #1063 | security | medium | config | Possible License Issue (PyMuPDF AGPL-3.0) — PyMuPDF is AGPL-3.0, which conflicts with GPTR's permissive license for SaaS users; maintainer should decide whether to swap to a permissively-licensed PDF parser (e.g. pypdf) or make it optional. |
| #1103 | security | medium | frontend | Security Issue - LLM05 - Insecure output handling (XSS) — Reports containing XSS payloads render unsanitized in the hosted/vanilla frontend; needs markdown sanitization on report rendering (NextJS frontend likely safer). Real concern but scope/owner decision needed. |
| #1695 | security | large | websocket | Missing Authentication and Unrestricted Access to Critical Functions — All REST/WebSocket endpoints are unauthenticated (CVSS 9.8); design decision needed on whether to add optional auth or document that the server is intended for trusted/local use. |
| #1222 | feature | small | config | Lightweight docker image (without Playwright) — Requests a slim Docker image (~680MB) without Playwright for users relying on external scrapers like Firecrawl; reporter offered a PR, so maintainer just needs to greenlight an additional lite Dockerfile. |
| #1076 | integration-promo | small | llm-provider | Add open-source provider AI/ML API — Vendor (aimlapi.com) offering to contribute an AI/ML API provider integration; maintainer green-light decision — likely accept as a community PR given generic provider support. |
| #1582 | feature | small | scrapers | GPL License Alternative PDF Scraper Implementation — Proposes a pdfminer.six (MIT) PDF scraper to avoid PyMuPDF AGPL licensing (re #1571); maintainer to decide whether to swap/offer alternative scraper, code is provided. |
| #1598 | question | small | config | why ECR and not Github Container Registry? — Asks why Docker images depend on AWS ECR rather than a free registry like GHCR; overlaps with #1605, decide on registry strategy (likely move to GHCR). |
| #1800 | feature | small | scrapers | Add Obscura as a scraper backend — Plausible community contribution adding an Obscura (Rust headless) scraper backend with a PR ready; Assaf to decide whether to accept the new dependency/backend. |
| #1591 | feature | small | config | Optional CI check for agent behavior? — Contributor offering to add an optional snapshot-based agent-behavior eval CI check; maintainer to decide if wanted and which entrypoint to wire it to. |
| #1718 | bug | small | frontend | PDF generation does not work — Frontend PDF export button does nothing; reporter linked PR #1720 with a fix, so review/merge that PR. |
| #1356 | docs | medium | docs | API Reference Docs — User requests comprehensive API/config-reference docs (not just how-to guides); maintainer aware, needs decision on producing a reference section enumerating all config options. |
| #1300 | feature | medium | config | Reranker models — Support dedicated reranker models (Cohere/AWS) for source curation with the current LLM-prompt ranking as fallback; needs a configurable reranker abstraction. |
| #1326 | feature | medium | llm-provider | [FEATURE REQUEST] Multiple OpenAI base URLs for local hosting — Allow separate OpenAI base URLs per role (fast/smart/strategic/embedding) so e.g. OpenRouter + a local embedding endpoint can coexist; workaround is a LiteLLM proxy. |
| #1081 | feature | medium | scrapers | Cloudflare Protection Blocking Crunchbase Results — Scraping Crunchbase via Tavily hits Cloudflare blocks; suggested adding Tavily Extract / headless-browser fallback to bypass anti-bot pages, which is a real but non-trivial scraper enhancement. |
| #1293 | feature | medium | integration | FEATURE REQUEST: Build Open-WebUI tool / integration — Build an Open-WebUI tool/integration using the GPTR pip library; a trivial PR (#1241) exists but deep integration (shared knowledgebase embeddings) is undecided. |
| #1403 | feature | medium | retrievers | Specifying time range for research — Request to expose a time-range filter so searches are constrained to a recency window; needs per-retriever support and an API/config surface decision. |
| #1468 | feature | medium | config | Connect with Langfuse (single trace per operation) — Request to wrap a full research run in a single Langfuse trace instead of many; requires adding tracing/observability context propagation, a design decision for the maintainer. |
| #1321 | bug | medium | frontend | Connection from NextJS Frontend to GPTR Backend — Frontend connects to backend directly from the browser via NEXT_PUBLIC_GPTR_API_URL, forcing backend port exposure; proxying requests through the Next server would avoid exposing port 8000. |
| #1354 | feature | medium | config | Better leverage large context length LLMs — Make hard-coded content-truncation lengths configurable so 1M-token models (Gemini/GPT-4.1) can ingest more content; needs auditing truncation points and exposing config. |
| #1495 | bug | medium | multi-agents | Multi agents still have redundant content across different sections — Multi-agent reports still repeat content across chapters (regression of #548); needs prompt/orchestration work in multi_agents to dedupe section content. |
| #1603 | feature | medium | config | Add summarization flag to quick_search: search-grounded quick summaries — Feature request for an opt-in aggregated-summary mode on quick_search (single grounded synthesis without full deep_research pipeline); maintainer to decide on API surface. |
| #563 | feature | medium | scrapers | Add support for GPT to research from images (.png/.jpg/.jpeg) and OCR — Feature request to support image inputs/OCR and embedding scraped images in reports; multiple volunteers but no merged PR — Assaf should decide scope/assignment. |
| #1030 | feature | medium | llm-provider | Best way to impose a global rate limit on LLM interactions — Request for a built-in/configurable global rate limiter to avoid provider 429s; langchain supports InMemoryRateLimiter — maintainer should decide whether to wire it into config. |
| #1255 | feature | medium | websocket | Validate followup chat feature for newly-created & saved reports — Follow-up chat on saved reports throws WebSocket close-code 1005; needs a new API endpoint to chat with previously saved reports (referenced PR #1241). Feature work requiring maintainer scoping. |
| #1282 | bug | medium | retrievers | No subquery generation if tavily api fails — Tavily fails on long (>400 char) queries and subquery generation returns an empty list instead of falling back to other configured retrievers; needs fallback logic across retrievers. |
| #1581 | feature | medium | config | [Dependency Review] 2025-12-31 — Automated dependency audit listing pending dependabot PRs, stale deps (langgraph, next, fastapi) and a UV-migration recommendation; maintainer to decide which upgrades/migrations to accept. |
| #1139 | bug | medium | mcp | Multi-Agent reviewer following guidelines makes output inconsistent (missing headers/refs) — Multi-agent reports show missing markdown header formatting and inconsistent reference aggregation, largely prompt/model-quality dependent (non-OpenAI models); needs prompt hardening rather than a clear single fix. |
| #1276 | bug | medium | report-generation | Are there any known issues with the reference section? — References frequently have wrong author/link, duplicate links, or 404s (LLM mismatches source URLs during synthesis); affects multiple users/models. Needs improved citation grounding (map references to actual visited_urls) but root cause is fuzzy. |
| #1385 | bug | medium | frontend | Markdown tables wrong format and cause write_md_to_pdf to fail — Gemini-generated markdown tables are malformed and crash PDF/Word export; needs either prompt hardening or defensive table sanitization in the md-to-doc conversion. |
| #1004 | bug | medium | config | Agent is not using my documents ('my documents' still web-searches) — Selecting 'my documents' report_source still triggers web search per reporter (Azure config); needs repro on current report_source routing — recurring complaint, worth maintainer triage. |
| #1271 | bug | medium | llm-provider | Never Ending Generation Loop with Ollama and Searxng — With Ollama models the report generation never terminates (repeats 'End of Document'/References endlessly); appears to be a missing stop-token/length guard for non-OpenAI models. Reproducible across many models, but root cause needs investigation. |
| #1290 | feature | large | frontend | FEATURE REQUEST: Add user login and rights management — Requests multi-user auth/LDAP/rights groups (OpenWebUI-style); large product decision, maintainer leans toward wrapping in OpenWebUI rather than building in-repo. |
| #1690 | feature | large | evals | Implement DeepResearchGym-style evaluations — Substantive proposal to replace existing eval modules with DeepResearchGym protocol and research-quality benchmarks; needs maintainer decision on direction. |
| #1710 | feature | medium | llm-provider | Add codex auth login as alternative instead of api — Requests Codex auth-login (OAuth-style) as an alternative to API keys; one-line request needs maintainer decision and more specification. |
| #1767 | bug | medium | config | Language not supported well (Vietnamese output stays English) — Report output ignores input language (Vietnamese) and defaults to English; needs language/locale handling in prompts/config. |
| #1289 | feature | large | config | FEATURE REQUEST: Allow user selection of models at query time — Let users pick FAST/SMART/STRATEGIC models per request (via headers) instead of only env vars; product-level direction decision tied to user-management work. |
| #1291 | feature | large | config | FEATURE REQUEST: Keep history / embedding to allow query and report rewriting — Persist per-report embeddings/vector store so saved reports can be re-queried/rewritten; needs persistent vector-store support, a design decision. |
| #1299 | feature | large | config | Graph RAG — Add knowledge-graph / Neo4j vector-store support to extract entities/relationships during research; maintainer green-lit but needs a swappable vector-store provider design. |
| #1361 | feature | large | retrievers | Retrieval of documents from databases and vectorstores like PostgreSQL/pgvector — Feature request for official SQL/pgvector document retrieval; vector_store integration partly exists but a dedicated pgvector path is a larger design decision. |
| #1502 | feature | large | frontend | Add Multi-Agent Functionality to FastAPI Frontend — Request to bring multi-agent workflows (currently only in the Next.js frontend) to the FastAPI/static frontend; large feature requiring maintainer prioritization. |
| #1114 | feature | large | config | Proposal: Unified Provider Configuration Management — Proposes type-safe/dataclass-based unified provider (esp. Azure OpenAI) config instead of scattered env vars + JSON; a sizable architectural change requiring maintainer direction. |
| #1284 | feature | large | websocket | WebSocket is disconnected, how to retrieve it after the disconnection — Long deep-research runs drop the websocket and the in-progress report is lost; requires backend persistence/reconnect architecture, a larger design decision. |
| #1292 | feature | large | websocket | FEATURE REQUEST: Schedule and queue research requests — Add scheduling/queuing/throttling of research jobs for multi-user/self-hosted setups; backend job-queue architecture decision. |
| #1727 | feature | large | unknown | [Feature Request] Add research quality scoring and source reliability ranking — Large enhancement to score sources and findings (authority, cross-referencing, confidence intervals); needs Assaf's roadmap decision. |
| #753 | feature | large | llm-provider | Using OpenAI Batch endpoint — Request to integrate OpenAI Batch API for cost savings; architecturally significant (batch is async/offline) — maintainer decision, likely won't-fix given GPTR's interactive flow. |
| #1050 | feature | large | retrievers | [Feature] Add API tool to agents + vector store for tool retrieval — Proposal to let agents call arbitrary APIs as tools, indexed in a vector store for retrieval; large architectural feature (overlaps with MCP support) — maintainer direction needed. |
| #1340 | feature | large | config | Upload a document and have the LLM parse its format for custom formatting — Feature request to upload a template document, have the model learn its format, and generate output matching that format/length; open-ended product decision. |
| #1807 | bug | unknown | frontend | Website is broken (gptr.dev/#features client-side exception) — Marketing site gptr.dev #features crashes with a Next.js client-side exception; lives in a separate website repo, route to whoever owns gptr.dev. |
| #1419 | bug | large | config | Reports with redundant, disorganized content with mis-matching TOC — Multi-agent report generator consistently yields redundant content, mismatched TOC, and excessive nesting; a structural prompt/orchestration quality issue requiring maintainer direction. |