
fix: bump litellm to >=1.83.0 for CVEs #6055

Open

mfleader wants to merge 1 commit into ogx-ai:release-0.4.x from mfleader:fix/CVE-2026-35029-litellm

Conversation

mfleader (Contributor) commented Jun 8, 2026

What does this PR do?

Bump litellm to >=1.83.0 in provider registry to address three security vulnerabilities:

Only applies to release-0.4.x; litellm was removed on main and release-0.7.x.

Test Plan

No functional changes. Version floor pin only.
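A version floor like `litellm>=1.83.0` only does its job if the resolved lock file (or the deployed environment) actually records a version at or above it. The following is an added example, not code from the llama-stack project or from this PR: a small Python checker that parses pip-style requirement specifiers, compares plain release versions, and reports every requirement a lock does not satisfy. The requirement list and the two lock snapshots are constructed sample data; only the `litellm>=1.83.0` floor and the FastAPI 0.121 -> 0.136 numbers come from this page. Pre-release tags and the `~=` operator are deliberately unsupported, and the checker raises on them rather than guessing.

```python
"""Check that locked/installed package versions satisfy a requirement floor.

Added example (not code from the llama-stack project). Supports plain release
versions such as 1.83.0 and the operators >=, <=, ==, !=, >, <.
"""
from __future__ import annotations

import re

# Assumed specifier syntax: "<name><op><version>", e.g. "litellm>=1.83.0".
_SPEC_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(>=|<=|==|!=|>|<)\s*([0-9]+(?:\.[0-9]+)*)\s*$"
)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '1.83.0' into (1, 83, 0); reject anything that is not a plain release."""
    if not re.fullmatch(r"[0-9]+(?:\.[0-9]+)*", text):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def _padded(a: tuple[int, ...], b: tuple[int, ...]) -> tuple[tuple[int, ...], tuple[int, ...]]:
    """Right-pad with zeros so that 1.83 and 1.83.0 compare as equal."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def satisfies(installed: str, op: str, wanted: str) -> bool:
    """True if `installed` meets `<op> <wanted>` under plain release comparison."""
    a, b = _padded(parse_version(installed), parse_version(wanted))
    return {
        ">=": a >= b,
        "<=": a <= b,
        "==": a == b,
        "!=": a != b,
        ">": a > b,
        "<": a < b,
    }[op]


def parse_spec(spec: str) -> tuple[str, str, str]:
    """Split 'litellm>=1.83.0' into (normalised name, operator, version)."""
    m = _SPEC_RE.match(spec)
    if not m:
        raise ValueError(f"unsupported requirement: {spec!r}")
    name, op, version = m.groups()
    # Normalise the distribution name the way pip does (case-insensitive, _ -> -).
    return name.lower().replace("_", "-"), op, version


def audit(requirements: list[str], locked: dict[str, str]) -> list[str]:
    """Return one finding per requirement that the locked versions do not meet."""
    findings: list[str] = []
    for spec in requirements:
        name, op, wanted = parse_spec(spec)
        have = locked.get(name)
        if have is None:
            findings.append(f"{name}: required ({spec}) but not present in lock")
        elif not satisfies(have, op, wanted):
            findings.append(f"{name}: locked {have} does not satisfy {spec}")
    return findings


# Constructed sample data (not the project's real registry or lock file).
SAMPLE_REQUIREMENTS = ["litellm>=1.83.0", "fastapi>=0.136"]
SAMPLE_LOCK_BEFORE = {"litellm": "1.82.4", "fastapi": "0.121.0"}
SAMPLE_LOCK_AFTER = {"litellm": "1.83.0", "fastapi": "0.136.0"}

if __name__ == "__main__":
    for label, lock in (("before", SAMPLE_LOCK_BEFORE), ("after", SAMPLE_LOCK_AFTER)):
        problems = audit(SAMPLE_REQUIREMENTS, lock)
        print(f"{label}: {'OK' if not problems else problems}")
```

In practice the `locked` mapping would be built from the `uv.lock` (or the output of `pip freeze`) of the branch being reviewed, which is exactly the check a reviewer wants when a PR claims "version floor pin only": the floor in the registry and the version the lock resolves to must agree.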

mfleader changed the title from "fix: bump litellm to >=1.83.0 (CVE-2026-35029, CVE-2026-35030, CVE-20…" to "fix: bump litellm to >=1.83.0 for CVEs" on Jun 8, 2026
mfleader force-pushed the fix/CVE-2026-35029-litellm branch from cd35891 to 83fde1a on June 8, 2026 15:22
github-actions Bot (Contributor) commented Jun 8, 2026

✱ Stainless preview builds

This PR will update the llama-stack-client SDKs with the following commit message.

fix: bump litellm to >=1.83.0 for CVEs

Edit this comment to update it. It will appear in the SDK's changelogs.

llama-stack-client-python studio · conflict

Your SDK build resulted in a merge conflict between your custom code and the newly generated changes, but this did not represent a regression.

llama-stack-client-node studio · conflict

Your SDK build resulted in a merge conflict between your custom code and the newly generated changes, but this did not represent a regression.

llama-stack-client-go studio · conflict

Your SDK build resulted in a merge conflict between your custom code and the newly generated changes, but this did not represent a regression.

llama-stack-client-openapi studio · code · diff

Your SDK build had at least one "warning" diagnostic, but this did not represent a regression.
generate ⚠️


This comment is auto-generated by GitHub Actions and is automatically kept up to date as you push.
If you push custom code to the preview branch, re-run this workflow to update the comment.
Last updated: 2026-06-10 13:56:16 UTC

cdoern (Collaborator) left a comment:

Why are the SDK yml files modified? Is litellm in the pyproject? If so, please use pre-commit to regenerate the uv lock.

mfleader (Contributor, Author) commented Jun 8, 2026

> Why are the SDK yml files modified? Is litellm in the pyproject? If so, please use pre-commit to regenerate the uv lock.

I added them back.

@mfleader mfleader marked this pull request as ready for review June 8, 2026 16:54

devin-ai-integration Bot (Contributor) left a comment:

Devin Review found 1 potential issue.

View 1 additional finding in Devin Review.

Review thread on docs/static/llama-stack-spec.yaml (outdated)
@mfleader mfleader requested a review from cdoern June 8, 2026 18:56
cdoern (Collaborator) commented Jun 9, 2026

This is all failing because of build issues with ogx-client, LGTM.

    file:
      type: string
      format: binary
      contentMediaType: application/octet-stream

cdoern (Collaborator):

Wait, why are these modified still?

mfleader (Contributor, Author) commented Jun 9, 2026

The spec changes in my PR are from the FastAPI 0.121 -> 0.136 bump in the starlette PR #5988. I think the spec codegen hook failed on that run for the same schema change, but the files weren't regenerated. Should I include the regen in my PR, or should we skip it like 5988 did?

mfleader force-pushed the fix/CVE-2026-35029-litellm branch 2 times, most recently from 6c081f1 to 0d06746 on June 11, 2026 13:43
…VE-2026-40217, CVE-2026-42271)

GHSA-53mr-6c8q-9789
GHSA-jjhc-v7c2-5hh6
GHSA-wxxx-gvqv-xp7p
GHSA-v4p8-mg3p-g94g

Only applies to release-0.4.x; litellm removed on main and release-0.7.x.

Signed-off-by: Matthew F Leader <mleader@redhat.com>
mfleader force-pushed the fix/CVE-2026-35029-litellm branch from 0d06746 to cd9ef80 on June 12, 2026 17:50