fix(deps): bump ws override to 8.21.0 and add dependabot.yml#97
Merged
shudonglin merged 2 commits intoJul 6, 2026
Merged
Conversation
ui_unit_tests pinned ws 8.20.1 via an override, which is vulnerable to GHSA-96hv-2xvq-fx4p (memory exhaustion DoS from tiny WebSocket fragments); 8.21.0 is patched and is currently the latest release. Also adds .github/dependabot.yml, which the fork was missing, covering every ecosystem the fork's dependency scan checks: uv for the main project, pip for each cookbook example, npm for all four lockfile directories, and cargo for litellm-rust.
zizmor's dependabot-cooldown audit flagged every update entry for missing a cooldown window, which is a real supply-chain hardening gap: without it, dependabot can open a PR bumping to a package version that was published moments earlier, giving typosquatted or compromised releases no time to get caught before landing.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Relevant issues
Linear ticket
Pre-Submission checklist
@greptileaiand received a Confidence Score of at least 4/5 before requesting a maintainer reviewDelays in PR merge?
If you're seeing a delay in your PR being merged, ping the LiteLLM Team on Slack (#pr-review).
Screenshots / Proof of Fix
This is a dependency bump plus a new CI config file; there's no proxy-facing behavior to demo. Proof is the scanner output before/after:
npm cisucceeds under node 20 with the updated lockfile, and the pre-existinghandle_add_model_submit_test.tsxjest failure reproduces identically on the base branch, so it's unrelated to this change.Ran the daily security sweep across every ecosystem the fork tracks:
npm auditon all 4 lockfile directories (root,tests/pass_through_tests,tests/proxy_admin_ui_tests/ui_unit_tests,ui/litellm-dashboard) under node 20, a PyPI-vulnerability-DB check against every pinned package in the main project's exporteduv.lock, andcargo auditagainstlitellm-rust. This PR is the only fixable finding; see the sweep summary for the one no-patch-available residual (diskcache5.6.3).A follow-up commit adds a
cooldownwindow to everydependabot.ymlupdate entry after zizmor'sdependabot-cooldownaudit flagged the initial version; verified clean with a localzizmorrun against the file.Type
🐛 Bug Fix
🚄 Infrastructure
Changes
wsoverride intests/proxy_admin_ui_tests/ui_unit_tests/package.jsonfrom8.20.1to8.21.0, closing GHSA-96hv-2xvq-fx4p (ws memory exhaustion DoS from tiny WebSocket fragments), and regenerate the lockfile under node 20..github/dependabot.yml(previously missing from the fork), with oneupdatesentry per ecosystem the fork's security sweep scans:uvfor the main project,pipfor eachcookbook/example,npmfor all four lockfile directories, andcargoforlitellm-rust. Each entry sets a 7-daycooldownwindow..github/fork-patches.txtwith removal conditions.