fix(deps): patch 11 Dependabot alerts (litellm/pyo3/js-yaml/protobufjs/babel)#95
Merged
Merged
Conversation
…llm, pyo3, js-yaml, protobufjs, babel)
pyo3 0.29.0 (bumped in this PR to clear RUSTSEC-2026-0176/0177, both patched only at >=0.29.0) removed the old GIL API: Python::with_gil -> Python::attach, Python::allow_threads -> Python::detach. Update the three call sites in the bridge and document the fork patch with its removal condition.
# Conflicts: # .github/fork-patches.txt
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Resolves 11 open Dependabot alerts by bumping vulnerable dependencies to patched
versions. All npm lockfiles were regenerated under Node 20 (matching CI) via
npm install --package-lock-only(usingoverrideswhere the vulnerable packageis a transitive dependency, not a direct one).
litellm-rust/Cargo.lockwasupdated with
cargo update -p pyo3 --precise 0.29.0after raising thepyo3/pyo3-async-runtimesversion constraints inCargo.toml.Alerts fixed
litellm==1.83.14>=1.84.0cookbook/litellm-ollama-docker-image/requirements.txtpyo30.23.50.29.0litellm-rust/Cargo.toml,litellm-rust/Cargo.lockpyo30.23.50.29.0litellm-rust/Cargo.toml,litellm-rust/Cargo.lockpyo30.23.50.29.0litellm-rust/Cargo.toml,litellm-rust/Cargo.lockjs-yaml3.14.23.15.0package.json+package-lock.json(root)js-yaml3.14.23.15.0tests/pass_through_tests/package.json+ lockjs-yaml3.14.23.15.0tests/proxy_admin_ui_tests/ui_unit_tests/package.json+ lockprotobufjs7.6.17.6.3tests/pass_through_tests/package.json+ lock@babel/core7.28.57.29.6package.json+package-lock.json(root)@babel/core7.29.07.29.6tests/pass_through_tests/package.json+ lock@babel/core7.28.57.29.6tests/proxy_admin_ui_tests/ui_unit_tests/package.json+ lockpyo3-async-runtimes(a direct sibling dependency ofpyo3in the sameworkspace
Cargo.toml) was also bumped from0.23.0to0.29.0to keep itAPI-compatible with the new
pyo3version — required for the workspace toresolve, not a separate alert.
All three npm-flagged packages (
js-yaml,protobufjs,@babel/core) aretransitive dependencies in every affected project (not listed directly in any
dependencies/devDependencies), so each was pinned via anoverridesentry inthe relevant
package.json, thennpm install --package-lock-onlyregeneratedthe lock. Each project has only one major version of the flagged package present
in its dependency tree, so the override does not fork behavior across incompatible
majors.
Verification
nvm use 20) used for every npm operation.npm ci --ignore-scriptspassed in all three npm dirs (root,tests/pass_through_tests,tests/proxy_admin_ui_tests/ui_unit_tests) after the bump.cargo update -p pyo3 --precise 0.29.0completed cleanly;cargo metadata(via toolchain 1.93.0, since the pinned localstable/default toolchain 1.84.1 fails to fetch an unrelated transitive dep requiringedition2024) resolves the full dependency graph withpyo3 0.29.0.git diff --statconfirms only the 9 intended manifest/lock files changed (see below).npm auditfinding (ws/jsdom, high) intests/proxy_admin_ui_tests/ui_unit_testswas confirmed present onlitellm_internal_stagingbefore this change (verified viagit stash) — out of scope for this PR's 11 alerts.Not merging — leaving open for review per instructions.