
LCORE-0000: Bump-up LiteLLM #1962

Closed
tisnik wants to merge 1 commit into lightspeed-core:main from tisnik:litellm


Conversation

@tisnik (Contributor) commented Jun 22, 2026

Description

Bump-up LiteLLM

Type of change

  • Refactor
  • New feature
  • Bug fix
  • CVE fix
  • Optimization
  • Documentation Update
  • Configuration Update
  • Bump-up service version
  • Bump-up dependent library
  • Bump-up library or tool used for development (does not change the final image)
  • CI configuration change
  • Konflux configuration change
  • Unit tests improvement
  • Integration tests improvement
  • End to end tests improvement
  • Benchmarks improvement

Tools used to create PR

  • Assisted-by: N/A
  • Generated by: N/A

Related Tickets & Documents

  • Related Issue #LCORE-
  • Closes #

Checklist before requesting a review

  • I have performed a self-review of my code.
  • PR has passed all pre-merge test jobs.
  • If it is a core feature, I have added thorough tests.

Testing

  • Please provide detailed steps to perform tests related to this code change.
  • How were the fix/results from this change verified? Please provide relevant screenshots or results.

Summary by CodeRabbit

  • Chores
    • Updated dependencies to the latest versions.

@coderabbitai Bot (Contributor) commented Jun 22, 2026


Walkthrough

The pinned litellm dependency in .konflux/requirements.hashes.source.txt is updated from version 1.83.7 to 1.84.0, replacing the two associated sha256 hashes with those matching the new version.

Changes

litellm version bump

Layer: litellm pin update
File(s): .konflux/requirements.hashes.source.txt
Summary: Version string and both sha256 hashes for litellm changed from 1.83.7 to 1.84.0.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name / Status / Explanation
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title clearly and specifically identifies the main change: bumping the LiteLLM dependency version from 1.83.7 to 1.84.0, which is the primary modification in the changeset.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@tisnik tisnik changed the title Bump-up LiteLLM LCORE-0000: Bump-up LiteLLM Jun 22, 2026

@coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.konflux/requirements.hashes.source.txt:
- Around line 545-547: The litellm dependency upgrade from 1.83.7 to 1.84.0 in
the requirements.hashes.source.txt file lacks necessary testing and verification
documentation for this security-critical CVE fix. Before merging, add
comprehensive testing results documenting validation across all seven affected
inference providers (anthropic, gemini, groq, openai, sambanova, watsonx, and
llama-openai-compat), document the changelog and release notes for version
1.84.0 compared to 1.83.7 to identify any breaking changes or API modifications,
verify that the LITELLM_DROP_PARAMS behavior remains unchanged or is explicitly
handled in the codebase, and complete all pre-merge checklist items. This
documentation should be added to the pull request description or a linked
verification document to ensure traceability and enable proper review of the
migration impact.
- Around line 545-547: The PR updates litellm to version 1.84.0 as a CVE
security fix but lacks critical security documentation required for proper risk
assessment and deployment planning. Add comprehensive documentation to the PR
description or a dedicated security document that includes: the specific CVE
identifier(s) and CVSS score, which LiteLLM components and versions are affected
by the vulnerability, confirmation of whether this codebase's usage of LiteLLM
is vulnerable and what the actual risk is, a clear list of any breaking changes
or required code updates in version 1.84.0, and testing results confirming that
the bump does not break the inference providers in use (anthropic, gemini, groq,
openai, sambanova, watsonx, llama-openai-compat). This documentation is
essential given the security classification and scope of the update.
- Around line 545-547: The litellm 1.84.0 upgrade in the
requirements.hashes.source.txt file patches CVE-2026-49468 (authentication
bypass via Host header injection) and includes breaking changes to Redis
spend/budget counter behavior, but these critical details are not documented.
Add documentation to upgrade notes or a relevant CHANGELOG file that includes
the CVE-2026-49468 context, explains that no configuration changes are required
for the security patch, and clearly outlines the breaking changes related to
multi-pod budget enforcement accuracy such as the new refresh_ttl opt-in
parameter for async_increment and the behavior change where stale in-memory
counters are skipped on clean Redis miss. Additionally, verify the provided
SHA256 hashes locally against PyPI metadata to ensure they match before merging
the changes.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 498ae3df-85b0-4457-b964-fef7c02a793a

📥 Commits

Reviewing files that changed from the base of the PR and between 07d9849 and 5448293.

📒 Files selected for processing (1)
  • .konflux/requirements.hashes.source.txt
📜 Review details
⏰ Context from checks skipped due to timeout. (4)
  • GitHub Check: E2E Tests for Lightspeed Evaluation job
  • GitHub Check: E2E: library mode / ci / group 3
  • GitHub Check: Konflux kflux-prd-rh02 / lightspeed-stack-on-pull-request
  • GitHub Check: Konflux kflux-prd-rh02 / lightspeed-stack-0-6-on-pull-request

Comment on lines +545 to +547
litellm==1.84.0 \
--hash=sha256:2a58d6041e6aa27d1a28dc8d8828ab500fef1a00ef74ca65e60899035010c2f2 \
--hash=sha256:b8ad0cbea11a5941b18d5af973017a340abd3d3ab41cb86e5401b970626d71a6
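Review bot: Two sha256 digests are pinned for litellm==1.84.0 on lines +546 and +547, but nothing in the PR says which artifact (sdist or wheel) each one covers, and pip's --require-hashes mode passes a download that matches any one of the listed hashes, so a digest carried over from the 1.83.7 pin would neither fail the install nor be noticed. Confirm both values against the `digests.sha256` fields PyPI publishes for 1.84.0 (`curl -s https://pypi.org/pypi/litellm/1.84.0/json | jq '.urls[] | {filename, sha256: .digests.sha256}'`) and record the result in the PR's Testing section, which is still the template text.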


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Missing testing and verification for dependency upgrade.

No testing steps, verification results, or migration notes are documented. Given that:

  • This is a CVE fix (security-critical)
  • Six inference providers depend on litellm
  • The version bump is categorized as a service version bump (suggests potential breaking changes)
  • Pre-merge checklist items were not completed

Please document:

  • Test results for each affected provider (anthropic, gemini, groq, openai, sambanova, watsonx, llama-openai-compat)
  • Validation that LITELLM_DROP_PARAMS behavior is unchanged or explicitly handled
  • Changelog/release notes for 1.84.0 vs 1.83.7
  • Any breaking changes or API modifications

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Missing CVE details for a security-categorized version bump.

This PR is marked as a CVE fix but provides no information about which CVE, vulnerability severity, impact scope, or whether there are breaking changes. For a security update touching 6+ inference providers (anthropic, gemini, groq, openai, sambanova, watsonx, llama-openai-compat), this is a critical gap.

Please document:

  • CVE identifier(s) and CVSS score
  • Which LiteLLM components/versions are affected
  • Whether this codebase's usage of LiteLLM is vulnerable
  • Any breaking changes or required code updates in 1.84.0
  • Testing results for affected providers

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

LiteLLM 1.84.0 release notes and CVE details

💡 Result:

LiteLLM v1.84.0 release notes (published 2026-05-14)
  • The v1.84.0 release includes “Reliability hardening + multi-pod budget accuracy”.[1]
  • It introduces/changes multi-pod budget enforcement accuracy and related Redis spend/budget counter behavior (e.g., async_increment gains a refresh_ttl opt-in; stale in-memory counters are skipped on a clean Redis miss; ResetBudgetJob invalidates Redis counters alongside DB resets).[1]
  • It also includes other changes such as Azure Entra discovery support and “Routing Groups” (per-model routing strategies) in the router configuration/dashboard.[1]

LiteLLM v1.84.0 CVE / security details
  • I did not find any official CVE “in v1.84.0” from the vendor/NVD sources returned in this research.
  • However, the GitHub Advisory Database entry for CVE-2026-49468 states that it is patched in 1.84.0 (affected: versions < 1.84.0; fixed: 1.84.0; “No configuration change is required”).[2]

Key CVEs most relevant to the 1.84.0 boundary (affected before 1.84.0, fixed at/near 1.84.0)
  • CVE-2026-49468 (Authentication bypass via Host header injection): affected versions < 1.84.0; patched in 1.84.0; No configuration change required.[2]

Additional CVEs for context (patched earlier than 1.84.0)
  • CVE-2026-42208 (SQL injection in proxy API key checks): affected versions >= 1.81.16 and < 1.83.7; patched in 1.83.7.[3]

If you want, tell me whether you care about: (a) only issues specifically fixed by 1.84.0, or (b) the full “security advisories/CVEs affecting 1.84.0 deployments” (which depends on your exact upgrade baseline/version).



🏁 Script executed:

#!/bin/bash
# Description: Verify litellm 1.84.0 SHA256 hashes and gather release notes

# Fetch the litellm 1.84.0 package info from PyPI.
# The version endpoint lists that release's files under .urls; each entry carries
# its checksums under .digests (sha256, md5, blake2b_256). There is no hash_digest
# field, so the original `.hash_digest | split(":")` expression errored in jq.
echo "=== Fetching PyPI metadata for litellm 1.84.0 ==="
curl -s https://pypi.org/pypi/litellm/1.84.0/json | jq '.urls[] | {filename, sha256: .digests.sha256}'

# Try to fetch and display release notes if available
echo ""
echo "=== Checking GitHub releases for litellm 1.84.0 ==="
gh api repos/BerriAI/litellm/releases --jq '.[] | select(.tag_name | contains("1.84")) | {tag_name, published_at, body}' 2>/dev/null || echo "GitHub CLI not available or no release found"

Repository: lightspeed-core/lightspeed-stack

Length of output: 6440


🏁 Script executed:

#!/bin/bash
# Attempt to fetch litellm 1.84.0 SHA256 hashes using alternative methods
#
# Note: `cmd | python3 - <<'PY'` does not do what it looks like: the heredoc
# replaces the pipe as python's stdin, so the program runs but json.load(sys.stdin)
# reads nothing and every call ends in "JSON error". The responses are therefore
# handed to the heredoc scripts through environment variables instead.

echo "=== Method 1: Direct PyPI JSON (with error handling) ==="
pypi_response=$(curl -s https://pypi.org/pypi/litellm/1.84.0/json 2>&1)
if [[ -n "$pypi_response" && "$pypi_response" != "null" ]]; then
  PYPI_RESPONSE="$pypi_response" python3 - <<'PY'
import os, json
try:
    data = json.loads(os.environ["PYPI_RESPONSE"])
    # The version endpoint lists the release's files under "urls";
    # the project endpoint keeps them under "releases"[version]
    files = data.get('urls') or data.get('releases', {}).get('1.84.0', [])
    if files:
        for file_info in files:
            print(f"File: {file_info.get('filename', 'N/A')}")
            print(f"  Hash: {file_info.get('digests', {}).get('sha256', 'N/A')}")
            print()
    else:
        print("Version 1.84.0 not found in releases")
except json.JSONDecodeError as e:
    print(f"JSON error: {e}")
PY
else
  echo "Failed to fetch PyPI response"
fi

echo ""
echo "=== Method 2: GitHub releases for v1.84.0 specifically ==="
gh_response=$(curl -s https://api.github.com/repos/BerriAI/litellm/releases/tags/v1.84.0 2>&1)
GH_RESPONSE="$gh_response" python3 - <<'PY'
import os, json
try:
    data = json.loads(os.environ["GH_RESPONSE"])
    if 'tag_name' in data:
        print(f"Release: {data.get('tag_name', 'N/A')}")
        print(f"Published: {data.get('published_at', 'N/A')}")
        # body can be null in the API response; guard before slicing
        print(f"Body: {(data.get('body') or 'N/A')[:500]}...")
    elif 'message' in data:
        print(f"GitHub API response: {data['message']}")
    else:
        print("Unexpected response format")
except Exception as e:
    print(f"Error: {e}")
PY

Repository: lightspeed-core/lightspeed-stack

Length of output: 296


Include CVE-2026-49468 context and document breaking changes in upgrade notes.

LiteLLM 1.84.0 patches CVE-2026-49468 (authentication bypass via Host header injection); no configuration change is required. The release includes breaking changes related to multi-pod budget enforcement accuracy—Redis spend/budget counter behavior changes (e.g., async_increment gains a refresh_ttl opt-in parameter; stale in-memory counters are skipped on clean Redis miss). Verify the SHA256 hashes locally against PyPI metadata before merging.

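The hash check asked for in the review comments above, as an added example that is not part of this PR or of CodeRabbit's output: it parses a `--hash`-pinned block in the `requirements.hashes.source.txt` format and matches every pinned sha256 against the `digests.sha256` values of a PyPI JSON response, flagging any digest PyPI never published for that version. The PyPI response and the digests below are constructed stand-ins computed from placeholder bytes; for a real check, load the output of `curl -s https://pypi.org/pypi/litellm/1.84.0/json` as `pypi_json`.

```python
import hashlib
import re
from typing import Dict, List, Tuple

PIN_RE = re.compile(r"^\s*(?P<name>[A-Za-z0-9_.-]+)==(?P<version>[^\s\\]+)")
HASH_RE = re.compile(r"--hash=(?P<algo>[a-z0-9]+):(?P<digest>[0-9a-f]+)")

def parse_pin(block: str) -> Tuple[str, str, List[str]]:
    """Split one `name==version \\ --hash=sha256:... \\ --hash=...` block into its parts."""
    match = PIN_RE.match(block)
    if not match:
        raise ValueError("block does not start with a name==version pin")
    digests = [h.group("digest") for h in HASH_RE.finditer(block) if h.group("algo") == "sha256"]
    return match.group("name"), match.group("version"), digests

def check_pin(block: str, pypi_json: dict) -> Dict[str, object]:
    """Match each pinned sha256 against digests.sha256 of the files PyPI lists for the version.

    A digest PyPI never published for this version is reported as unknown: pip passes a download
    that matches any one listed hash, so a stale or mistyped extra hash never fails an install.
    """
    name, version, pinned = parse_pin(block)
    # Version endpoint lists files under "urls"; the project endpoint under "releases"[version]
    files = pypi_json.get("urls") or pypi_json.get("releases", {}).get(version, [])
    published = {f["digests"]["sha256"]: f["filename"] for f in files}
    matched = {d: published[d] for d in pinned if d in published}
    unknown = [d for d in pinned if d not in published]
    uncovered = [fn for d, fn in published.items() if d not in pinned]
    return {"name": name, "version": version, "matched": matched, "unknown": unknown,
            "uncovered": uncovered, "ok": bool(matched) and not unknown}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for the two 1.84.0 artifacts; real digests come from PyPI, not these bytes.
SDIST_DIGEST = sha256_hex(b"constructed stand-in for litellm-1.84.0.tar.gz")
WHEEL_DIGEST = sha256_hex(b"constructed stand-in for litellm-1.84.0-py3-none-any.whl")
PYPI_JSON = {"urls": [
    {"filename": "litellm-1.84.0.tar.gz", "digests": {"sha256": SDIST_DIGEST}},
    {"filename": "litellm-1.84.0-py3-none-any.whl", "digests": {"sha256": WHEEL_DIGEST}},
]}
GOOD_BLOCK = f"litellm==1.84.0 \\\n    --hash=sha256:{SDIST_DIGEST} \\\n    --hash=sha256:{WHEEL_DIGEST}\n"
# Second hash replaced by a digest PyPI never published (e.g. one left over from the 1.83.7 pin)
STALE_BLOCK = f"litellm==1.84.0 \\\n    --hash=sha256:{SDIST_DIGEST} \\\n    --hash=sha256:{'0' * 64}\n"

if __name__ == "__main__":
    for label, block in (("good", GOOD_BLOCK), ("stale", STALE_BLOCK)):
        print(label, check_pin(block, PYPI_JSON))
```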

@tisnik tisnik closed this Jun 22, 2026
