
fix(deps): bump litellm to >=1.83.7 to patch GHSA-xqmj-j6mv-4862 #8

Merged
fcogidi merged 4 commits into main from fix/litellm-cve-1.83.7
Apr 28, 2026

Conversation

@amrit110
Member

@amrit110 amrit110 commented Apr 28, 2026

Summary

  • Bumps litellm lower bound from >=1.83.0 to >=1.83.7 to address GHSA-xqmj-j6mv-4862 — a remote code execution vulnerability in LiteLLM's proxy server POST /prompts/test endpoint (fixed in 1.83.7)
  • Relaxes pydantic bound from >=2.13.0 to >=2.12.5 to remain compatible with litellm 1.83.7+'s pydantic~=2.12.5 requirement; safe because infermesh only uses BaseModel
  • Ignores CVE-2026-3219 in CI audit — affects pip itself, no fix version available
  • Bumps version to 0.3.1

Test plan

  • uv lock resolves cleanly with litellm >=1.83.7
  • Existing tests pass

Patches a remote code execution vulnerability in litellm's proxy server
POST /prompts/test endpoint. Relaxes pydantic bound to >=2.12.5 to
remain compatible with litellm 1.83.7+'s pydantic~=2.12.5 requirement.
@amrit110 amrit110 requested a review from fcogidi April 28, 2026 22:04
@amrit110 amrit110 self-assigned this Apr 28, 2026
@amrit110 amrit110 added the dependencies Pull requests that update a dependency file label Apr 28, 2026
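As an added example (not code from the infermesh repository or from this PR), here is the resolution constraint behind the pydantic change, expressed as a small check: a PEP 440 compatible-release pin `~=2.12.5` means `>=2.12.5,<2.13`, so a project lower bound of `>=2.12.5` can coexist with it while `>=2.13.0` cannot. The function names and the minimal version parser are my own; versions are assumed to be plain dotted integers without pre-release suffixes.

```python
"""Check whether a project's '>=' bound can coexist with a dependency's
'~=' pin, and whether a resolved version is at or past a fixed release.
Versions are assumed to be plain dotted integers (e.g. '1.83.7')."""
from typing import Tuple

Version = Tuple[int, ...]


def parse(version: str) -> Version:
    """Turn '2.12.5' into (2, 12, 5) so tuples compare numerically."""
    return tuple(int(part) for part in version.split("."))


def compatible_release(spec: str) -> Tuple[Version, Version]:
    """Expand PEP 440 '~=X.Y.Z' into [X.Y.Z, X.(Y+1)): inclusive lower
    bound, exclusive upper bound obtained by dropping the last component
    and bumping the one before it."""
    assert spec.startswith("~="), spec
    lower = parse(spec[2:])
    prefix = lower[:-1]
    upper = prefix[:-1] + (prefix[-1] + 1,)
    return lower, upper


def minimum_bound(spec: str) -> Version:
    """Lower bound of a '>=X.Y.Z' specifier."""
    assert spec.startswith(">="), spec
    return parse(spec[2:])


def bounds_satisfiable(project_spec: str, dep_spec: str) -> bool:
    """Can any version satisfy both the project's '>=' bound and the
    dependency's '~=' pin?  True when the higher of the two lower
    bounds still lies below the pin's exclusive upper bound."""
    lower = max(minimum_bound(project_spec), compatible_release(dep_spec)[0])
    return lower < compatible_release(dep_spec)[1]


def is_patched(resolved: str, fixed_in: str) -> bool:
    """True when the resolved version is the fixed release or later."""
    return parse(resolved) >= parse(fixed_in)


if __name__ == "__main__":
    # The bound the PR started from versus the bound it relaxed to, both
    # against the pin that litellm 1.83.7+ carries for pydantic.
    print("pydantic>=2.13.0 with ~=2.12.5:", bounds_satisfiable(">=2.13.0", "~=2.12.5"))
    print("pydantic>=2.12.5 with ~=2.12.5:", bounds_satisfiable(">=2.12.5", "~=2.12.5"))
    print("litellm 1.83.0 patched:", is_patched("1.83.0", "1.83.7"))
    print("litellm 1.83.7 patched:", is_patched("1.83.7", "1.83.7"))
```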
Collaborator

@fcogidi fcogidi left a comment


Thanks for this!
Looks like pip is upgradable with uv sync --upgrade-package pip, so I upgraded it, as well as the pip-audit command in the ci.

@fcogidi fcogidi merged commit f36e7b2 into main Apr 28, 2026
10 checks passed
@fcogidi fcogidi deleted the fix/litellm-cve-1.83.7 branch April 28, 2026 22:29