
LCORE-2468: CVE fix: AIOHTTP#1893

Open

tisnik wants to merge 1 commit into lightspeed-core:main from tisnik:lcore-2468

Conversation


@tisnik tisnik commented Jun 10, 2026

Contributor

Description

LCORE-2468: CVE fix: AIOHTTP

Type of change

  • Refactor
  • New feature
  • Bug fix
  • CVE fix
  • Optimization
  • Documentation Update
  • Configuration Update
  • Bump-up service version
  • Bump-up dependent library
  • Bump-up library or tool used for development (does not change the final image)
  • CI configuration change
  • Konflux configuration change
  • Unit tests improvement
  • Integration tests improvement
  • End to end tests improvement
  • Benchmarks improvement

Tools used to create PR

  • Assisted-by: N/A
  • Generated by: N/A

Related Tickets & Documents

  • Related Issue #LCORE-2468

Summary by CodeRabbit

  • Chores
    • Updated third-party dependencies: aiohttp upgraded to 3.14.1 and litellm upgraded to 1.88.1 for improved stability and fixes.
    • Promoted uv-build to main dependencies (v0.11.8) to support build tooling.
    • Refreshed dependency metadata and integrity hashes to match the new versions.


coderabbitai Bot commented Jun 10, 2026

Contributor


ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 3e186c63-2143-4e1b-a54f-c6465dcbd092

📥 Commits

Reviewing files that changed from the base of the PR and between 227b745 and e8a2205.

📒 Files selected for processing (1)
  • .konflux/requirements.hashes.source.txt

Walkthrough

Updates pinned dependency hashes in .konflux/requirements.hashes.source.txt (including aiohttp and litellm; adds uv-build hashes) and moves uv-build==0.11.8 from the dev dependency group into top-level [project].dependencies in pyproject.toml.

Changes

Dependency Updates

  • Pinned hashes refresh (.konflux/requirements.hashes.source.txt): refreshed pinned versions and SHA256 --hash= lists: aiohttp -> 3.14.1, litellm -> 1.88.1, and added uv-build hashes for 0.11.8.
  • uv-build relocated to project dependencies (pyproject.toml): adds uv-build==0.11.8 to top-level [project].dependencies (near pydantic-ai) and removes the same entry from the dependency-groups dev list.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes


🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: Passed. The title mentions AIOHTTP and CVE fix, which aligns with the primary change (aiohttp update from 3.13.5 to 3.14.1), though it doesn't fully capture the broader scope of dependency updates including litellm and uv-build additions.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.konflux/requirements.hashes.source.txt:
- Around line 11-130: The comment says the aiohttp==3.14.1 entry in
.konflux/requirements.hashes.source.txt is correct and the 119 SHA256 hashes
match PyPI, so change the PR/CVE-fix wording to reference the upstream GHSA
advisories instead of claiming an unspecified CVE: update any text that mentions
“CVE fix” to mention aiohttp 3.14.1 and the relevant GHSA IDs
(GHSA-9x8q-7h8h-wcw9 and GHSA-63hw-fmq6-xxg2) or say “security fixes addressing
GHSA-…”, keeping the package identifier aiohttp==3.14.1 as the authoritative
reference.
- Around line 544-546: The bump of litellm to 1.88.1 in the pinned hashes (the
entry "litellm==1.88.1" and its two --hash lines) needs an explicit
justification in the PR: state whether this bump was made specifically to obtain
an aiohttp CVE fix (and cite the CVE ID and the minimum aiohttp version
resolved), or if it was a broader dependency update; if it is not directly tied
to the AIOHTTP CVE, split this litellm upgrade into its own PR (or separate
commit) and update the PR description to explain the rationale and impact on the
declared aiohttp constraint (aiohttp<4.0,>=3.10).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 3a353162-5ffa-4023-b9f8-288310159ae8

📥 Commits

Reviewing files that changed from the base of the PR and between ccebaff and c4bc6d4.

📒 Files selected for processing (1)
  • .konflux/requirements.hashes.source.txt
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (13)
  • GitHub Check: spectral
  • GitHub Check: build-pr
  • GitHub Check: Pylinter
  • GitHub Check: unit_tests (3.12)
  • GitHub Check: unit_tests (3.13)
  • GitHub Check: E2E: library mode / ci / group 2
  • GitHub Check: E2E: library mode / ci / group 1
  • GitHub Check: E2E: server mode / ci / group 3
  • GitHub Check: E2E: server mode / ci / group 1
  • GitHub Check: E2E: server mode / ci / group 2
  • GitHub Check: E2E: library mode / ci / group 3
  • GitHub Check: E2E Tests for Lightspeed Evaluation job
  • GitHub Check: Konflux kflux-prd-rh02 / lightspeed-stack-on-pull-request

Comment thread .konflux/requirements.hashes.source.txt Outdated
Comment thread .konflux/requirements.hashes.source.txt Outdated
Comment on lines +544 to +546
litellm==1.88.1 \
--hash=sha256:369b84e57d9426582ddc35e731956ddb6618cda97cc44e4e4d2dfa75982a6e3a \
--hash=sha256:89c6b74cc7912d6365793006ff951c0450fe847625008dfe49de8a7dc4529aa5
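Review bot: uv.lock is excluded from this review by the !**/*.lock path filter, so nothing visible here shows that the lock file resolves litellm to the same 1.88.1 that these two --hash lines pin; please state in the PR description that uv.lock and .konflux/requirements.hashes.source.txt were regenerated from one resolution, since a hash-checked install of this file can succeed while the lock file still points at the previous litellm release.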


⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Check litellm 1.88.1 dependencies and verify it exists

echo "=== Checking litellm 1.88.1 on PyPI ==="
curl -s https://pypi.org/pypi/litellm/1.88.1/json | jq -r '.info | "Version: \(.version)\nExists: true"' || echo "Version 1.88.1 not found"

echo -e "\n=== Checking litellm dependencies for aiohttp ==="
curl -s https://pypi.org/pypi/litellm/1.88.1/json | jq -r '.info.requires_dist[] | select(. | contains("aiohttp"))' || echo "No aiohttp dependency found"

echo -e "\n=== Checking for litellm security advisories ==="
gh api graphql -f query='
{
  securityVulnerabilities(first: 5, ecosystem: PIP, package: "litellm") {
    nodes {
      advisory {
        summary
        severity
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

echo -e "\n=== Verifying hash (first distribution) ==="
curl -s https://pypi.org/pypi/litellm/1.88.1/json | jq -r '.urls[0] | "Filename: \(.filename)\nPyPI SHA256: \(.digests.sha256)"'
echo "Expected (first hash in file): 369b84e57d9426582ddc35e731956ddb6618cda97cc44e4e4d2dfa75982a6e3a"

Repository: lightspeed-core/lightspeed-stack

Length of output: 1593


🌐 Web query:

What changes were introduced in litellm version 1.88.1 compared to 1.83.7? Are there any breaking changes or new dependencies?

💡 Result:

Summary (litellm 1.88.1 vs 1.83.7):

1) What changed between 1.83.7 and 1.88.1
  • Between these versions, liteLLM released a large set of changes (feature work, fixes, and reliability improvements) across many interim releases. The most concrete, explicitly stated deltas near the end of the range are in 1.88.0 and the 1.88.1 patch.
  • In 1.88.0 (released right before 1.88.1), several notable changes were: gating “team allowed_passthrough_routes” to proxy admins, Bedrock/Cohere embedding_types sent as a JSON array (not string), caching behavior for OpenAI responses bridge replayed as chat streams, and Prometheus metric additions for user_email/user_alias; plus other proxy/test fixes and general enhancements [1][2].
  • In 1.88.1 specifically, the release notes indicate “build(deps)” dependency bumps: pyjwt to 2.13.0 and a ws override to 8.20.1 (1.88.x), along with a “chore(release)” bump to version 1.88.1 [3].

2) Breaking changes?
  • For the overall 1.83.7 → 1.88.1 window: the only explicitly called-out breaking change I found in the sourced material is within the 1.83.7 stable release notes itself (not in the 1.88.1/1.88.0 notes): Prometheus latency histogram bucket boundaries reduced by default from 35 to 18; this can break dashboards/alerts that reference specific le= bucket values, and an env override LATENCY_BUCKETS is mentioned to restore previous boundaries [4].
  • The 1.88.1 release item I found is described as a dependency bump (pyjwt and ws override) and does not mention any breaking API/config changes [3].

3) New dependencies / dependency updates
  • New/updated dependencies called out for 1.88.1: pyjwt bumped to 2.13.0 and ws override to 8.20.1 (for 1.88.x) [3].

Practical upgrade notes
  • If you are upgrading from 1.83.7, review your Prometheus dashboards/alerts for latency bucket values (le=...) due to the known breaking change in 1.83.7 stable release notes [4].
  • Separately, expect dependency-level changes in 1.88.1: pyjwt 2.13.0 and ws override 8.20.1 [3].


Clarify and justify the litellm bump (1.83.7 → 1.88.1) relative to the “CVE fix: AIOHTTP” goal

The pinned litellm==1.88.1 hashes in .konflux/requirements.hashes.source.txt (lines 544-546) match the PyPI distribution SHA256, and litellm==1.88.1 declares an aiohttp<4.0,>=3.10 dependency. The PR description still needs to explicitly explain whether/which aiohttp CVE fix this bump is intended to address (or otherwise justify bundling a broader dependency update). If not directly related to the AIOHTTP CVE, split the change for clearer tracking.

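The review script above checks one litellm digest against PyPI's JSON by hand. The Python below is an added example, not code from this PR or from the lightspeed-stack project: it parses pip's continuation-line `--hash=sha256:` layout that .konflux/requirements.hashes.source.txt uses and audits every pin against a release document in PyPI's JSON shape, reporting pinned digests the index does not serve (the finding that matters for a hash-pinned supply chain) separately from index files that are simply not pinned. The index document is a constructed stand-in for https://pypi.org/pypi/<name>/<version>/json: the two litellm digests are the ones pinned in the hunk above but their pairing with filenames is assumed, and the aiohttp digests and filenames are made up. A real audit would fetch the live document with the same keys.

```python
"""Audit a hash-pinned requirements file against an index release document.

Handles pip's continuation-line layout ("pkg==ver \\" followed by indented
"--hash=sha256:... \\" lines), the layout of
.konflux/requirements.hashes.source.txt.  Added example, not project code.
The index document is a constructed stand-in for PyPI's
/pypi/<name>/<version>/json response (same keys, made-up filenames).
"""
import json
import re
from dataclasses import dataclass, field

PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==(\S+)")
HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})\b")


@dataclass
class Pin:
    name: str
    version: str
    hashes: set = field(default_factory=set)


def parse_hashed_requirements(text: str) -> dict:
    """Return {normalized name: Pin} for each 'name==version' entry in text."""
    pins = {}
    logical = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing space
        if not line:
            continue
        if line.endswith("\\"):                 # continuation: keep accumulating
            logical += line[:-1] + " "
            continue
        logical = (logical + line).strip()
        match = PIN_RE.match(logical)
        if match:
            name = match.group(1).lower().replace("_", "-")
            pins[name] = Pin(name, match.group(2), set(HASH_RE.findall(logical)))
        logical = ""
    return pins


def check_against_index(pin: Pin, release: dict) -> dict:
    """Compare one Pin with a release document in PyPI's JSON shape.

    'unknown_to_index' is the finding that matters for supply-chain review:
    a pinned digest the index does not serve means the pin is stale (file
    replaced or yanked) or was never taken from the index at all.
    'unpinned_on_index' lists files pip could pick but would refuse under
    --require-hashes; harmless unless a target platform needs one of them.
    """
    served = {u["digests"]["sha256"]: u["filename"] for u in release.get("urls", [])}
    return {
        "version_matches": release.get("info", {}).get("version") == pin.version,
        "verified": {h: served[h] for h in sorted(pin.hashes) if h in served},
        "unknown_to_index": sorted(pin.hashes - set(served)),
        "unpinned_on_index": sorted(f for h, f in served.items() if h not in pin.hashes),
    }


def audit(requirements_text: str, index: dict) -> dict:
    """Run check_against_index for every pin; index maps name -> release doc."""
    pins = parse_hashed_requirements(requirements_text)
    return {name: check_against_index(pin, index.get(name, {})) for name, pin in pins.items()}


# --- constructed sample input -------------------------------------------------
LITELLM_WHL_SHA = "369b84e57d9426582ddc35e731956ddb6618cda97cc44e4e4d2dfa75982a6e3a"
LITELLM_SDIST_SHA = "89c6b74cc7912d6365793006ff951c0450fe847625008dfe49de8a7dc4529aa5"
FAKE_AIOHTTP_SDIST_SHA = "0123456789abcdef" * 4   # made-up digest, not aiohttp's
FAKE_AIOHTTP_WHL_SHA = "fedcba9876543210" * 4     # made-up digest, not aiohttp's

SAMPLE_REQUIREMENTS = f"""\
# constructed excerpt in the layout of .konflux/requirements.hashes.source.txt
litellm==1.88.1 \\
    --hash=sha256:{LITELLM_WHL_SHA} \\
    --hash=sha256:{LITELLM_SDIST_SHA}
aiohttp==3.14.1 \\
    --hash=sha256:{FAKE_AIOHTTP_SDIST_SHA}
"""

# Stand-in for /pypi/<name>/<version>/json: the litellm digests are the ones
# pinned in this PR, their filename pairing is assumed, everything else made up.
SAMPLE_INDEX = {
    "litellm": {
        "info": {"version": "1.88.1"},
        "urls": [
            {"filename": "litellm-1.88.1-py3-none-any.whl", "digests": {"sha256": LITELLM_WHL_SHA}},
            {"filename": "litellm-1.88.1.tar.gz", "digests": {"sha256": LITELLM_SDIST_SHA}},
        ],
    },
    "aiohttp": {
        "info": {"version": "3.14.1"},
        "urls": [
            {"filename": "aiohttp-3.14.1.tar.gz", "digests": {"sha256": FAKE_AIOHTTP_SDIST_SHA}},
            {"filename": "aiohttp-3.14.1-cp313-cp313-manylinux_2_17_x86_64.whl",
             "digests": {"sha256": FAKE_AIOHTTP_WHL_SHA}},
        ],
    },
}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_REQUIREMENTS, SAMPLE_INDEX), indent=2))
```

Running the module prints one report per pin; in CI the useful gate is "fail if any unknown_to_index list is non-empty or any version_matches is false", which catches a stale or hand-edited pin before a hash-checked install does, while leaving unpinned_on_index as an informational list.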


tisnik commented Jun 10, 2026

Contributor Author

/retest

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pyproject.toml`:
- Around line 84-85: The dependency "uv-build==0.11.8" is likely a build-only
tool but is currently listed under [project].dependencies; either move
"uv-build==0.11.8" out of the top-level dependencies into the build/dev
dependency group (e.g., dependency-groups.dev or a dedicated build group) or, if
it truly is required at runtime, update the inline comment to explain the
runtime usage; locate the entry named "uv-build" in pyproject.toml and modify
its section accordingly, and ensure the comment next to "uv-build" reflects
whether it's a build-time or runtime dependency.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 204c629c-d41b-4062-a10e-3f761e50a827

📥 Commits

Reviewing files that changed from the base of the PR and between 2c1dc3e and 227b745.

⛔ Files ignored due to path filters (1)
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (2)
  • .konflux/requirements.hashes.source.txt
  • pyproject.toml
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (11)
  • GitHub Check: unit_tests (3.12)
  • GitHub Check: unit_tests (3.13)
  • GitHub Check: Pylinter
  • GitHub Check: build-pr
  • GitHub Check: E2E: server mode / ci / group 2
  • GitHub Check: E2E: library mode / ci / group 3
  • GitHub Check: E2E: server mode / ci / group 3
  • GitHub Check: E2E: server mode / ci / group 1
  • GitHub Check: E2E: library mode / ci / group 1
  • GitHub Check: E2E: library mode / ci / group 2
  • GitHub Check: E2E Tests for Lightspeed Evaluation job
🔇 Additional comments (1)
.konflux/requirements.hashes.source.txt (1)

1102-1121: LGTM!

Comment thread pyproject.toml Outdated
Comment on lines +84 to +85
# Needed to build LiteLLM
"uv-build==0.11.8"
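Review bot: the first hunk line describes a build-time need ("Needed to build LiteLLM") while the second places uv-build in [project].dependencies, so every runtime install of the package pulls in a build tool; either keep the entry in a dependency group or extend the comment to name the install path that needs it at this level (for instance a hash-checked source build driven by .konflux/requirements.hashes.source.txt), so the placement can be audited against the CodeRabbit finding above instead of being re-questioned on every bump.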


⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Clarify whether uv-build is truly a runtime dependency or only a build-time dependency.

The inline comment states "Needed to build LiteLLM," which suggests uv-build is a build-time tool rather than a runtime requirement. If uv-build is only needed during the build process of LiteLLM (or your project), it should remain in a dev or build dependency group, not in the top-level [project].dependencies. Including build tools in runtime dependencies can:

  • Unnecessarily bloat production container images.
  • Increase the attack surface by shipping unnecessary tooling.
  • Violate the principle of least privilege in deployment artifacts.

Recommendation: If uv-build is required only to build LiteLLM (not to run it), revert this change and keep uv-build==0.11.8 in the dependency-groups.dev or a dedicated build group. If runtime usage is confirmed, update the comment to clarify the runtime use case.

