Skip to content

fix(deps): patch 11 Dependabot alerts (litellm/pyo3/js-yaml/protobufjs/babel)#95

Merged
shudonglin merged 3 commits into
litellm_internal_stagingfrom
fix/dependabot-deps
Jul 5, 2026
Merged

fix(deps): patch 11 Dependabot alerts (litellm/pyo3/js-yaml/protobufjs/babel)#95
shudonglin merged 3 commits into
litellm_internal_stagingfrom
fix/dependabot-deps

Conversation

@shudonglin

Copy link
Copy Markdown

Summary

Resolves 11 open Dependabot alerts by bumping vulnerable dependencies to patched
versions. All npm lockfiles were regenerated under Node 20 (matching CI) via
npm install --package-lock-only (using overrides where the vulnerable package
is a transitive dependency, not a direct one). litellm-rust/Cargo.lock was
updated with cargo update -p pyo3 --precise 0.29.0 after raising the
pyo3/pyo3-async-runtimes version constraints in Cargo.toml.

Alerts fixed

# Alert Package Old constraint New version File(s)/lock(s) touched
1 CRITICAL pip:litellm < 1.84.0 litellm ==1.83.14 >=1.84.0 cookbook/litellm-ollama-docker-image/requirements.txt
2 rust:pyo3 < 0.29.0 (high) pyo3 0.23.5 0.29.0 litellm-rust/Cargo.toml, litellm-rust/Cargo.lock
3 rust:pyo3 < 0.29.0 (medium) pyo3 0.23.5 0.29.0 litellm-rust/Cargo.toml, litellm-rust/Cargo.lock
4 rust:pyo3 < 0.29.0 (low) pyo3 0.23.5 0.29.0 litellm-rust/Cargo.toml, litellm-rust/Cargo.lock
5 npm:js-yaml < 3.15.0 js-yaml 3.14.2 3.15.0 package.json + package-lock.json (root)
6 npm:js-yaml < 3.15.0 js-yaml 3.14.2 3.15.0 tests/pass_through_tests/package.json + lock
7 npm:js-yaml < 3.15.0 js-yaml 3.14.2 3.15.0 tests/proxy_admin_ui_tests/ui_unit_tests/package.json + lock
8 npm:protobufjs <= 7.6.2 protobufjs 7.6.1 7.6.3 tests/pass_through_tests/package.json + lock
9 npm:@babel/core <= 7.29.0 @babel/core 7.28.5 7.29.6 package.json + package-lock.json (root)
10 npm:@babel/core <= 7.29.0 @babel/core 7.29.0 7.29.6 tests/pass_through_tests/package.json + lock
11 npm:@babel/core <= 7.29.0 @babel/core 7.28.5 7.29.6 tests/proxy_admin_ui_tests/ui_unit_tests/package.json + lock

pyo3-async-runtimes (a direct sibling dependency of pyo3 in the same
workspace Cargo.toml) was also bumped from 0.23.0 to 0.29.0 to keep it
API-compatible with the new pyo3 version — required for the workspace to
resolve, not a separate alert.

All three npm-flagged packages (js-yaml, protobufjs, @babel/core) are
transitive dependencies in every affected project (not listed directly in any
dependencies/devDependencies), so each was pinned via an overrides entry in
the relevant package.json, then npm install --package-lock-only regenerated
the lock. Each project has only one major version of the flagged package present
in its dependency tree, so the override does not fork behavior across incompatible
majors.

Verification

  • Node 20.20.2 (nvm use 20) used for every npm operation.
  • npm ci --ignore-scripts passed in all three npm dirs (root, tests/pass_through_tests, tests/proxy_admin_ui_tests/ui_unit_tests) after the bump.
  • cargo update -p pyo3 --precise 0.29.0 completed cleanly; cargo metadata (via toolchain 1.93.0, since the pinned local stable/default toolchain 1.84.1 fails to fetch an unrelated transitive dep requiring edition2024) resolves the full dependency graph with pyo3 0.29.0.
  • git diff --stat confirms only the 9 intended manifest/lock files changed (see below).
  • A pre-existing npm audit finding (ws/jsdom, high) in tests/proxy_admin_ui_tests/ui_unit_tests was confirmed present on litellm_internal_staging before this change (verified via git stash) — out of scope for this PR's 11 alerts.
 .../litellm-ollama-docker-image/requirements.txt   |   2 +-
 litellm-rust/Cargo.lock                            |  94 ++--------
 litellm-rust/Cargo.toml                            |   4 +-
 package-lock.json                                  | 206 +++++++++++----------
 package.json                                       |   4 +-
 tests/pass_through_tests/package-lock.json         |  64 +++----
 tests/pass_through_tests/package.json              |   5 +-
 .../ui_unit_tests/package-lock.json                | 206 +++++++++++----------
 .../ui_unit_tests/package.json                     |   4 +-
 9 files changed, 273 insertions(+), 316 deletions(-)

Not merging — leaving open for review per instructions.

pyo3 0.29.0 (bumped in this PR to clear RUSTSEC-2026-0176/0177, both
patched only at >=0.29.0) removed the old GIL API: Python::with_gil ->
Python::attach, Python::allow_threads -> Python::detach. Update the
three call sites in the bridge and document the fork patch with its
removal condition.
# Conflicts:
#	.github/fork-patches.txt
@shudonglin shudonglin merged commit e3c880c into litellm_internal_staging Jul 5, 2026
77 checks passed
@shudonglin shudonglin deleted the fix/dependabot-deps branch July 5, 2026 15:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant