Skip to content

fix(deps): bump ws override to 8.21.0 and add dependabot.yml#97

Merged
shudonglin merged 2 commits into
litellm_internal_stagingfrom
fix/security-sweep-2026-07-06
Jul 6, 2026
Merged

fix(deps): bump ws override to 8.21.0 and add dependabot.yml#97
shudonglin merged 2 commits into
litellm_internal_stagingfrom
fix/security-sweep-2026-07-06

Conversation

@shudonglin

@shudonglin shudonglin commented Jul 6, 2026

Copy link
Copy Markdown

Relevant issues

Linear ticket

Pre-Submission checklist

  • I have added meaningful tests
  • My PR passes all CI/CD checks (e.g., lint, format, unit tests)
  • My PR's scope is as isolated as possible; it only solves 1 specific problem
  • I have requested a Greptile review by commenting @greptileai and received a Confidence Score of at least 4/5 before requesting a maintainer review

Delays in PR merge?

If you're seeing a delay in your PR being merged, ping the LiteLLM Team on Slack (#pr-review).

Screenshots / Proof of Fix

This is a dependency bump plus a new CI config file; there's no proxy-facing behavior to demo. Proof is the scanner output before/after:

$ cd tests/proxy_admin_ui_tests/ui_unit_tests && npm audit --json | jq .metadata.vulnerabilities
# before
{ "info": 0, "low": 0, "moderate": 0, "high": 1, "critical": 0, "total": 1 }
# after (this PR)
{ "info": 0, "low": 0, "moderate": 0, "high": 0, "critical": 0, "total": 0 }

npm ci succeeds under node 20 with the updated lockfile, and the pre-existing handle_add_model_submit_test.tsx jest failure reproduces identically on the base branch, so it's unrelated to this change.

Ran the daily security sweep across every ecosystem the fork tracks: npm audit on all 4 lockfile directories (root, tests/pass_through_tests, tests/proxy_admin_ui_tests/ui_unit_tests, ui/litellm-dashboard) under node 20, a PyPI-vulnerability-DB check against every pinned package in the main project's exported uv.lock, and cargo audit against litellm-rust. This PR is the only fixable finding; see the sweep summary for the one no-patch-available residual (diskcache 5.6.3).

A follow-up commit adds a cooldown window to every dependabot.yml update entry after zizmor's dependabot-cooldown audit flagged the initial version; verified clean with a local zizmor run against the file.

Type

🐛 Bug Fix
🚄 Infrastructure

Changes

  • Bump the ws override in tests/proxy_admin_ui_tests/ui_unit_tests/package.json from 8.20.1 to 8.21.0, closing GHSA-96hv-2xvq-fx4p (ws memory exhaustion DoS from tiny WebSocket fragments), and regenerate the lockfile under node 20.
  • Add .github/dependabot.yml (previously missing from the fork), with one updates entry per ecosystem the fork's security sweep scans: uv for the main project, pip for each cookbook/ example, npm for all four lockfile directories, and cargo for litellm-rust. Each entry sets a 7-day cooldown window.
  • Document both changes in .github/fork-patches.txt with removal conditions.

claude added 2 commits July 6, 2026 07:23
ui_unit_tests pinned ws 8.20.1 via an override, which is vulnerable to
GHSA-96hv-2xvq-fx4p (memory exhaustion DoS from tiny WebSocket
fragments); 8.21.0 is patched and is currently the latest release.

Also adds .github/dependabot.yml, which the fork was missing, covering
every ecosystem the fork's dependency scan checks: uv for the main
project, pip for each cookbook example, npm for all four lockfile
directories, and cargo for litellm-rust.
zizmor's dependabot-cooldown audit flagged every update entry for
missing a cooldown window, which is a real supply-chain hardening gap:
without it, dependabot can open a PR bumping to a package version that
was published moments earlier, giving typosquatted or compromised
releases no time to get caught before landing.
@shudonglin shudonglin marked this pull request as ready for review July 6, 2026 07:45
@shudonglin shudonglin merged commit eb3a949 into litellm_internal_staging Jul 6, 2026
77 checks passed
@shudonglin shudonglin deleted the fix/security-sweep-2026-07-06 branch July 6, 2026 07:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants