LCORE-2468: CVE fix: AIOHTTP#1893
Walkthrough: Updates pinned dependency hashes.
Changes: Dependency Updates.
Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~10 minutes
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.konflux/requirements.hashes.source.txt:
- Around line 11-130: The comment says the aiohttp==3.14.1 entry in
.konflux/requirements.hashes.source.txt is correct and the 119 SHA256 hashes
match PyPI, so change the PR/CVE-fix wording to reference the upstream GHSA
advisories instead of claiming an unspecified CVE: update any text that mentions
“CVE fix” to mention aiohttp 3.14.1 and the relevant GHSA IDs
(GHSA-9x8q-7h8h-wcw9 and GHSA-63hw-fmq6-xxg2) or say “security fixes addressing
GHSA-…”, keeping the package identifier aiohttp==3.14.1 as the authoritative
reference.
- Around line 544-546: The bump of litellm to 1.88.1 in the pinned hashes (the
entry "litellm==1.88.1" and its two --hash lines) needs an explicit
justification in the PR: state whether this bump was made specifically to obtain
an aiohttp CVE fix (and cite the CVE ID and the minimum aiohttp version
resolved), or if it was a broader dependency update; if it is not directly tied
to the AIOHTTP CVE, split this litellm upgrade into its own PR (or separate
commit) and update the PR description to explain the rationale and impact on the
declared aiohttp constraint (aiohttp<4.0,>=3.10).
📒 Files selected for processing (1)
.konflux/requirements.hashes.source.txt
| litellm==1.88.1 \ | ||
| --hash=sha256:369b84e57d9426582ddc35e731956ddb6618cda97cc44e4e4d2dfa75982a6e3a \ | ||
| --hash=sha256:89c6b74cc7912d6365793006ff951c0450fe847625008dfe49de8a7dc4529aa5 |
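Review bot: only the first of the two `--hash` lines in this hunk is actually cross-checked by the analysis chain (`jq -r '.urls[0] ...'` against 369b84…); the second digest (89c6b7…) is never compared with the remaining `.urls[]` entries. Verify both pinned hashes against the full `.urls[].digests.sha256` list rather than index 0, otherwise an install on a platform that selects the other artifact is only validated by accident.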
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Description: Check litellm 1.88.1 dependencies and verify it exists
# pipefail: without it a failed curl would be masked by jq's exit status and the fallbacks below never fire
set -o pipefail
echo "=== Checking litellm 1.88.1 on PyPI ==="
# curl -f turns an HTTP 404 into a non-zero exit so "not found" is reported instead of "Version: null"
curl -sf https://pypi.org/pypi/litellm/1.88.1/json | jq -r '.info | "Version: \(.version)\nExists: true"' || echo "Version 1.88.1 not found"
echo -e "\n=== Checking litellm dependencies for aiohttp ==="
# jq -e exits non-zero when select() produces no output, so the fallback message is reachable
curl -sf https://pypi.org/pypi/litellm/1.88.1/json | jq -er '.info.requires_dist[] | select(. | contains("aiohttp"))' || echo "No aiohttp dependency found"
echo -e "\n=== Checking for litellm security advisories ==="
gh api graphql -f query='
{
securityVulnerabilities(first: 5, ecosystem: PIP, package: "litellm") {
nodes {
advisory {
summary
severity
}
vulnerableVersionRange
firstPatchedVersion {
identifier
}
}
}
}'
echo -e "\n=== Verifying hash (first distribution) ==="
curl -sf https://pypi.org/pypi/litellm/1.88.1/json | jq -r '.urls[0] | "Filename: \(.filename)\nPyPI SHA256: \(.digests.sha256)"'
echo "Expected (first hash in file): 369b84e57d9426582ddc35e731956ddb6618cda97cc44e4e4d2dfa75982a6e3a"
Repository: lightspeed-core/lightspeed-stack
Length of output: 1593
🌐 Web query:
What changes were introduced in litellm version 1.88.1 compared to 1.83.7? Are there any breaking changes or new dependencies?
💡 Result:
Summary (litellm 1.88.1 vs 1.83.7):
1) What changed between 1.83.7 and 1.88.1
- Between these versions, liteLLM released a large set of changes (feature work, fixes, and reliability improvements) across many interim releases. The most concrete, explicitly stated deltas near the end of the range are in 1.88.0 and the 1.88.1 patch.
- In 1.88.0 (released right before 1.88.1), several notable changes were: gating “team allowed_passthrough_routes” to proxy admins, Bedrock/Cohere embedding_types sent as a JSON array (not string), caching behavior for OpenAI responses bridge replayed as chat streams, and Prometheus metric additions for user_email/user_alias; plus other proxy/test fixes and general enhancements [1][2].
- In 1.88.1 specifically, the release notes indicate “build(deps)” dependency bumps: pyjwt to 2.13.0 and a ws override to 8.20.1 (1.88.x), along with a “chore(release)” bump to version 1.88.1 [3].
2) Breaking changes?
- For the overall 1.83.7 → 1.88.1 window: the only explicitly called-out breaking change I found in the sourced material is within the 1.83.7 stable release notes itself (not in the 1.88.1/1.88.0 notes): Prometheus latency histogram bucket boundaries reduced by default from 35 to 18; this can break dashboards/alerts that reference specific le= bucket values, and an env override LATENCY_BUCKETS is mentioned to restore previous boundaries [4].
- The 1.88.1 release item I found is described as a dependency bump (pyjwt and ws override) and does not mention any breaking API/config changes [3].
3) New dependencies / dependency updates
- New/updated dependencies called out for 1.88.1: pyjwt bumped to 2.13.0 and ws override to 8.20.1 (for 1.88.x) [3].
Practical upgrade notes
- If you are upgrading from 1.83.7, review your Prometheus dashboards/alerts for latency bucket values (le=...) due to the known breaking change in 1.83.7 stable release notes [4].
- Separately, expect dependency-level changes in 1.88.1: pyjwt 2.13.0 and ws override 8.20.1 [3].
Citations:
- 1: https://github.com/BerriAI/litellm/releases/tag/v1.88.0
- 2: https://newreleases.io/project/github/BerriAI/litellm/release/v1.88.0
- 3: https://github.com/BerriAI/litellm/releases
- 4: https://docs.litellm.ai/release_notes/v1.83.7/v1-83-7-stable
Clarify and justify the litellm bump (1.83.7 → 1.88.1) relative to the “CVE fix: AIOHTTP” goal
The pinned litellm==1.88.1 hashes in .konflux/requirements.hashes.source.txt (lines 544-546) match the PyPI distribution SHA256, and litellm==1.88.1 declares an aiohttp<4.0,>=3.10 dependency. The PR description still needs to explicitly explain whether/which aiohttp CVE fix this bump is intended to address (or otherwise justify bundling a broader dependency update). If not directly related to the AIOHTTP CVE, split the change for clearer tracking.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.konflux/requirements.hashes.source.txt around lines 544 - 546, The bump of
litellm to 1.88.1 in the pinned hashes (the entry "litellm==1.88.1" and its two
--hash lines) needs an explicit justification in the PR: state whether this bump
was made specifically to obtain an aiohttp CVE fix (and cite the CVE ID and the
minimum aiohttp version resolved), or if it was a broader dependency update; if
it is not directly tied to the AIOHTTP CVE, split this litellm upgrade into its
own PR (or separate commit) and update the PR description to explain the
rationale and impact on the declared aiohttp constraint (aiohttp<4.0,>=3.10).
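The cross-check the review describes (pinned `--hash` digests versus PyPI's `.urls[].digests.sha256`, plus whether the resolved aiohttp version satisfies litellm's `aiohttp<4.0,>=3.10` constraint), as an added example that is not the PR's or CodeRabbit's code. It runs offline: the requirements excerpt and the PyPI digest set are constructed inline, with the two litellm hashes taken from the PR and the aiohttp hashes being placeholders.

```python
import operator
import re
# Constructed excerpt in the .konflux/requirements.hashes.source.txt style; the litellm
# digests are the two shown in the PR, the aiohttp ones are placeholders.
A1, A2 = "0" * 64, "1" * 64
PINNED = f"""\
aiohttp==3.14.1 \\
    --hash=sha256:{A1} \\
    --hash=sha256:{A2}
litellm==1.88.1 \\
    --hash=sha256:369b84e57d9426582ddc35e731956ddb6618cda97cc44e4e4d2dfa75982a6e3a \\
    --hash=sha256:89c6b74cc7912d6365793006ff951c0450fe847625008dfe49de8a7dc4529aa5
"""
# Constructed stand-in for `.urls[].digests.sha256` from PyPI; the 2nd aiohttp digest deliberately differs.
PYPI_DIGESTS = {
    ("aiohttp", "3.14.1"): {A1, "2" * 64},
    ("litellm", "1.88.1"): {
        "369b84e57d9426582ddc35e731956ddb6618cda97cc44e4e4d2dfa75982a6e3a",
        "89c6b74cc7912d6365793006ff951c0450fe847625008dfe49de8a7dc4529aa5"},
}
HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")
PIN_RE = re.compile(r"([A-Za-z0-9_.\-]+)==(\S+)(.*)")
OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge, "==": operator.eq, "!=": operator.ne}

def parse_pins(text):
    """Return {(name, version): set(sha256)} from a hash-pinned requirements file."""
    pins = {}
    for line in text.replace("\\\n", " ").splitlines():  # join backslash continuations
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, version, rest = PIN_RE.match(line).groups()  # AttributeError if not an exact '==' pin
        pins[(name, version)] = set(HASH_RE.findall(rest))
    return pins

def audit(pins, pypi):
    """Per pin: (digests pinned but unknown to PyPI, PyPI files left unpinned)."""
    return {k: (sorted(h - pypi.get(k, set())), sorted(pypi.get(k, set()) - h))
            for k, h in pins.items()}

def satisfies(version, requirement):
    """Does a plain dotted version meet a requirement like 'aiohttp<4.0,>=3.10'? (integer parts only)"""
    v = tuple(int(p) for p in version.split("."))
    spec = re.sub(r"^[A-Za-z0-9_.\-]+", "", requirement)  # drop the package name
    for clause in spec.split(","):
        op, bound = re.match(r"\s*(<=|>=|==|!=|<|>)\s*([0-9.]+)", clause).groups()
        if not OPS[op](v, tuple(int(p) for p in bound.split("."))):
            return False
    return True
```

A pin whose first tuple element is non-empty is the case the review warns about: pip's `--require-hashes` install would reject that artifact, and a non-empty second element means some PyPI artifact was never pinned at all.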
/retest
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@pyproject.toml`:
- Around line 84-85: The dependency "uv-build==0.11.8" is likely a build-only
tool but is currently listed under [project].dependencies; either move
"uv-build==0.11.8" out of the top-level dependencies into the build/dev
dependency group (e.g., dependency-groups.dev or a dedicated build group) or, if
it truly is required at runtime, update the inline comment to explain the
runtime usage; locate the entry named "uv-build" in pyproject.toml and modify
its section accordingly, and ensure the comment next to "uv-build" reflects
whether it's a build-time or runtime dependency.
⛔ Files ignored due to path filters (1)
uv.lock is excluded by !**/*.lock
📒 Files selected for processing (2)
.konflux/requirements.hashes.source.txt
pyproject.toml
🔇 Additional comments (1)
.konflux/requirements.hashes.source.txt (1)
1102-1121: LGTM!
| # Needed to build LiteLLM | ||
| "uv-build==0.11.8" |
Clarify whether uv-build is truly a runtime dependency or only a build-time dependency.
The inline comment states "Needed to build LiteLLM," which suggests uv-build is a build-time tool rather than a runtime requirement. If uv-build is only needed during the build process of LiteLLM (or your project), it should remain in a dev or build dependency group, not in the top-level [project].dependencies. Including build tools in runtime dependencies can:
- Unnecessarily bloat production container images.
- Increase the attack surface by shipping unnecessary tooling.
- Violate the principle of least privilege in deployment artifacts.
Recommendation: If uv-build is required only to build LiteLLM (not to run it), revert this change and keep uv-build==0.11.8 in the dependency-groups.dev or a dedicated build group. If runtime usage is confirmed, update the comment to clarify the runtime use case.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@pyproject.toml` around lines 84 - 85, The dependency "uv-build==0.11.8" is
likely a build-only tool but is currently listed under [project].dependencies;
either move "uv-build==0.11.8" out of the top-level dependencies into the
build/dev dependency group (e.g., dependency-groups.dev or a dedicated build
group) or, if it truly is required at runtime, update the inline comment to
explain the runtime usage; locate the entry named "uv-build" in pyproject.toml
and modify its section accordingly, and ensure the comment next to "uv-build"
reflects whether it's a build-time or runtime dependency.
Description
LCORE-2468: CVE fix: AIOHTTP