Commit Graph
1860 Commits
Author SHA1 Message Date
Yuneng Jiang f8bb29aebf bump: version 1.83.14 → 1.84.0 2026-04-28 17:43:17 -07:00
Yuneng Jiang 4ec3ac28a6 bump: version 1.83.13 → 1.83.14 2026-04-25 19:32:21 -07:00
Yuneng Jiang 92c1e9b63c bump: version 0.1.38 → 0.1.39 2026-04-25 19:31:49 -07:00
Yuneng Jiang 67628a60c3 bump: version 0.4.68 → 0.4.69 2026-04-25 19:30:33 -07:00
user 4d74a30412 chore(deps): fix brace-expansion pin and revert risky dev bumps
- Dockerfile: pin the unscoped `brace-expansion@5.0.5` alongside
  `@isaacs/brace-expansion@5.0.1`. The scoped package only has 5.0.0
  and 5.0.1 published; CVE-2026-33750's fix (5.0.5) is on the unscoped
  package which npm also vendors. The override loop now swaps both.
- Revert `black` 26.3.1 -> 24.10.0, `pytest` 9.0.3 -> 8.3.5, and
  `pytest-asyncio` 1.3.0 -> 1.2.0. The major-version bumps cause CI
  lint (black reformats hundreds of files) and code-quality
  (liccheck.ini has no entry for the new versions) failures. Both
  CVEs are dev-only; skipping leaves no runtime exposure.
2026-04-24 00:37:07 +00:00
user fed1a14646 chore(deps): bump vulnerable dependencies
Closes Nexus IQ policy violations and open Dependabot alerts for
shipped Python deps and runtime-stage npm pins in the Docker image.
2026-04-24 00:36:59 +00:00
Yuneng Jiang 29e30d9ddb bump: version 1.83.12 → 1.83.13 2026-04-23 16:58:17 -07:00
Yuneng Jiang 9f46d838fd bump: version 1.83.11 → 1.83.12 2026-04-22 18:21:47 -07:00
Yuneng Jiang 3ddb3cbdf6 bump: version 0.4.67 → 0.4.68 2026-04-22 18:20:21 -07:00
yuneng-jiangandGitHub e3ed136f52 Merge pull request #26209 from BerriAI/yj_bump_apr21_2
[Infra] Bump version
2026-04-21 18:29:41 -07:00
Yuneng Jiang 5837d4a9ac bump: version 1.83.10 → 1.83.11 2026-04-21 18:10:31 -07:00
SwiftWinds 11b776935d chore: make uv newer than 0.10 allowable 2026-04-21 11:39:11 -07:00
ishaan-berriandGitHub 2f22a1293e bump litellm-proxy-extras to 0.4.67 (#26043)
* bump litellm-proxy-extras version to 0.4.67

* bump litellm-proxy-extras pin to 0.4.67 in litellm pyproject

* regenerate uv.lock for litellm-proxy-extras 0.4.67

* bump litellm-enterprise version to 0.1.38

* bump litellm-enterprise pin to 0.1.38 in litellm pyproject

* regenerate uv.lock for litellm-enterprise 0.1.38
2026-04-18 19:03:56 -07:00
Yuneng Jiang 4d63a1367e bump: version 1.83.9 → 1.83.10 2026-04-18 18:31:24 -07:00
Yuneng Jiang 9bdb3b1772 chore: lower python floor from 3.11 to 3.10
All three dependency bumps in this PR resolve on Python 3.10, so there
is no need to jump the floor all the way to 3.11. Also restore the
py3.10-specific lunary==1.4.36 pin that was collapsed when the floor
was temporarily at 3.11.
2026-04-18 12:50:04 -07:00
Yuneng Jiang d1e665742b chore: drop stale python_version markers after floor raise
Now that requires-python starts at 3.11, the "python_version >= '3.9'"
and ">= '3.10'" markers are unconditionally true, and the "< '3.10'"
entries for psycopg, Pillow, pyarrow, langchain, lunary, and pylint can
never resolve. Drop the dead markers and remove the unreachable pins so
the dependency list reflects what actually gets installed.
2026-04-18 12:31:53 -07:00
Yuneng Jiang 1c29c5e903 chore: bump proxy deps and raise python floor to 3.11
Bumps orjson, fastapi-sso, and python-multipart to their latest releases
in the proxy extra, and raises the project python floor to 3.11 so the
updated pins can resolve. CI already runs on 3.11 / 3.12 / 3.13 and the
Docker images ship python 3.13, so the floor change aligns the declared
support range with what is actually tested and shipped.
2026-04-18 12:16:35 -07:00
yuneng-jiangandGitHub bf7b7f7f60 Merge pull request #25872 from BerriAI/yj_bump_apr16_2
bump: version 1.83.8 → 1.83.9
2026-04-16 17:56:44 -07:00
yuneng-jiangandGitHub f07aadc3f9 Merge pull request #25873 from BerriAI/yj_extras_bump_apr16
bump: proxy extras version 0.4.65 → 0.4.66
2026-04-16 17:56:33 -07:00
Yuneng Jiang 073685136d bump: version 0.4.65 → 0.4.66 2026-04-16 09:54:56 -07:00
Yuneng Jiang b80bd9d523 bump: version 1.83.8 → 1.83.9 2026-04-16 09:48:26 -07:00
Yuneng Jiang c294bbe4f0 fix(deps): pin langgraph-prebuilt==1.0.8 to avoid broken 1.0.9
langgraph-prebuilt 1.0.9 imports ExecutionInfo and ServerInfo from
langgraph.runtime, but those symbols are not exported until
langgraph 1.1.0. Our pin of langgraph==1.0.10 allows
langgraph-prebuilt<1.1.0,>=1.0.8, and uv resolves to 1.0.9 (the
latest in range), which breaks at import time in every test that
touches langgraph.prebuilt (e.g. tests/pass_through_tests/test_mcp_routes.py):

  ImportError: cannot import name 'ExecutionInfo' from 'langgraph.runtime'

Pinning langgraph-prebuilt to 1.0.8 pairs correctly with
langgraph==1.0.10 and restores the import path.
2026-04-16 09:36:05 -07:00
jayden 0a1b4427a6 fix(guardrails): replace custom_code sandbox with RestrictedPython 2026-04-15 15:13:52 -07:00
Yuneng Jiang 045d32a242 bump: version 1.83.7 → 1.83.8 2026-04-14 17:47:24 -07:00
yuneng-jiangandGitHub a306092d47 Merge pull request #25463 from BerriAI/litellm_oss_staging_04_09_2026
Litellm oss staging 04 09 2026
2026-04-13 17:25:53 -07:00
Yuneng Jiang e162c6d502 bump: version 1.83.6 → 1.83.7 2026-04-11 17:00:33 -07:00
Yuneng Jiang 83c459225c [Fix] CI: fix GHA timeouts and uv lock --check failures
1. exclude-newer: change from absolute "2026-04-10" to relative "3 days".
   All pinned deps were published before the 3-day cutoff. Re-locked so
   uv lock --check passes in test-mcp.yml and test-linting.yml.

2. test_eager_tiktoken_load: run all 10 env var values in a single
   subprocess instead of spawning 10 separate processes. Each cold
   import litellm takes ~78s on CI, so the old loop took ~13 min on a
   single xdist worker. Now takes ~78s total.

3. proxy-db remaining timeout: increase from 20 to 30 minutes. The
   remaining group has 51 test files and was consistently timing out at
   71% across all branches (pre-existing issue, not migration-related).
2026-04-11 09:04:49 -07:00
Yuneng Jiang d9a460277a [Fix] CI: fix uv lock resolution and tiktoken test timeout
1. Cap requires-python to <3.14 — no deps ship 3.14 wheels yet, and
   uv's cross-version resolver fails on the Python 3.14 split.
2. Change exclude-newer from relative "30 days" to absolute "2026-04-10"
   so the lockfile stays reproducible. The relative date caused
   cryptography==46.0.7 (published April 8) to fall outside the window.
3. Parametrize test_eager_loading_env_var_values instead of looping —
   with xdist the 6 subprocess cases can run in parallel instead of all
   running sequentially on one worker (~13 min → ~2 min).
   Also removed redundant case variants (Yes/YES/On/ON) that test the
   same str_to_bool code path.
2026-04-10 22:21:15 -07:00
Yuneng Jiang 9a0487553d Merge remote-tracking branch 'origin' into litellm_oss_staging_04_09_2026 2026-04-10 16:41:27 -07:00
Yuneng Jiang 1f148ea6a1 bump: version 1.83.5 → 1.83.6 2026-04-10 13:20:58 -07:00
userandClaude Opus 4.6 8d1493ed08 fix(security): bump vulnerable dependencies
pip:
- cryptography 43.0.3 → 46.0.7 (5 CVEs including CVSS 8.2 ECDH key leak)

npm:
- hono 4.1.4/4.12.7 → 4.12.12 (prototype pollution, cookie injection,
  path traversal, middleware bypass, IP matching bypass)
- @hono/node-server 1.19.6 → 1.19.13 (serveStatic middleware bypass)
- vite 7.3.1 → 7.3.2 (file read via WebSocket, path traversal, fs.deny bypass)
- lodash override 4.17.23 → 4.18.1 (code injection via _.template,
  prototype pollution via _.unset/_.omit)

mlflow left at 3.9.0 — 2 of 3 alerts have no upstream fix, and
3.11.1 is blocked by exclude-newer (transitive dep chain).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-09 19:35:19 +00:00
a6c30b30bf build: migrate packaging, CI, and Docker from Poetry to uv (#25007)
* build: migrate packaging metadata to uv

* ci: move automation and local tooling to uv

* docker: migrate image builds and runtime setup to uv

* docs: update install and deployment guidance for uv

* chore: align auxiliary scripts and tests with uv

* test: harden test_litellm isolation

* fix: keep release and health check images self-contained

* build: pin uv tooling and health check deps

* test: isolate bedrock image request formatting from suite state

* test: cover sandbox executor requirements flow

* ci: fix circleci no-op command steps

* ci: fix circleci publish workflow parsing

* fix: stabilize remaining uv migration CI checks

* ci: increase matrix test timeout headroom

* fix: restore published docker and license coverage

* fix: restore proxy runtime build parity

* fix: restore proxy extras parity and venv migrations

* ci: persist uv path across circleci steps

* fix: keep psycopg binary in default test env

* docker: preserve prisma cache across stages

* test: run local proxy checks through uv python

* build: restore runtime deps moved into ci

* build: refresh uv lock after upstream merge

* fix: restore module import in test_check_migration after merge

The conflict resolution imported only the function but the test body
references check_migration as a module throughout.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: revert dependency promotions, remove nodejs-wheel-binaries, fix Docker layer caching

- Move google-generativeai, Pillow, tenacity back to ci group (they are
  lazily imported and bloat the base SDK install needlessly)
- Remove nodejs-wheel-binaries from extra_proxy and proxy-dev (redundant
  in Docker where system Node.js is already installed via apk)
- Remove all nodejs-wheel node replacement and venv npm patching blocks
  from Dockerfiles since the wheel is no longer installed
- Add --no-default-groups to CodSpeed benchmark workflow so the benchmark
  environment matches the old minimal pip install footprint
- Apply standard uv two-phase Docker pattern: copy metadata first, install
  deps (cached layer), then copy source and install project
- Replace CircleCI enterprise no-op with proper uv sync command

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore: regenerate uv.lock after removing nodejs-wheel-binaries

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(ci): use cache/restore instead of cache to prevent cache poisoning

The old workflow used actions/cache/restore (read-only). The uv migration
changed it to actions/cache (read-write), which zizmor flags as a cache
poisoning risk. Restore the safer read-only variant.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(ci): disable setup-uv built-in cache to silence cache-poisoning alert

The setup-uv action enables caching by default, which zizmor flags as a
cache poisoning risk. Disable it since we already use a read-only
cache/restore step.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(ci): disable setup-uv cache in publish workflow

Silences zizmor cache-poisoning alert. Publishing workflow runs
infrequently on protected branches so caching adds no real benefit.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(test): remove duplicate verbose_logger mock in test_check_migration

The logger was patched twice — first via mocker.patch() then via
mocker.patch.object(autospec=True). The second call fails because
autospec cannot inspect an already-mocked attribute. Remove the
redundant first patch.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(ci): free disk space before Docker build in test-server-root-path

The Dockerfile.non_root build ran out of disk on the CI runner. Remove
Android SDK, .NET, Boost, and GHC toolchains (~12GB) to free space.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-09 11:46:23 -07:00
Yuneng Jiang bd327dbe54 bump: version 1.83.4 → 1.83.5 2026-04-07 18:37:29 -07:00
ishaan-berriandGitHub 03d9746815 bump litellm version to 1.83.4 (#25266)
* bump litellm version to 1.83.4

* regenerate poetry.lock
2026-04-06 21:30:20 -07:00
ishaan-berriandGitHub 4bcd4bef44 bump litellm-enterprise to 0.1.37 (#25265)
* bump litellm-enterprise to 0.1.37

* update poetry.lock for enterprise 0.1.37 bump
2026-04-06 21:23:25 -07:00
ishaan-berriandGitHub 1e66050423 bump litellm-enterprise to 0.1.36 (#25164)
* bump litellm-enterprise version to 0.1.36

* bump litellm-enterprise==0.1.36 in pyproject.toml

* bump litellm-enterprise==0.1.36 in requirements.txt
2026-04-04 17:14:31 -07:00
ishaan-berriandGitHub d2102e992a bump litellm-proxy-extras to 0.4.65 (#25163)
* bump litellm-proxy-extras version to 0.4.65

* bump litellm-proxy-extras==0.4.65 in pyproject.toml

* bump litellm-proxy-extras==0.4.65 in requirements.txt
2026-04-04 17:11:56 -07:00
yuneng-jiangandGitHub eed8a38eca bump: version 1.83.2 → 1.83.3 (#25162) 2026-04-04 17:11:04 -07:00
ishaan-berriandGitHub 127149c263 bump litellm-proxy-extras to 0.4.64 (#25121)
* bump litellm-proxy-extras version to 0.4.64

* bump litellm-proxy-extras==0.4.64 in requirements.txt

* bump litellm-proxy-extras==0.4.64 in pyproject.toml
2026-04-03 17:46:06 -07:00
Ishaan Jaffer a86f19f6da bump: version 1.83.1 → 1.83.2 2026-04-03 15:08:14 -07:00
yuneng-jiangandGitHub 50f4fdea3e bump: version 1.83.0 → 1.83.1 (#25054) 2026-04-02 21:43:42 -07:00
Yuneng Jiang 3ad953e75c bump: version 0.4.62 → 0.4.63 2026-04-02 16:10:32 -07:00
Yuneng JiangandClaude Opus 4.6 0fb5ab515d [Fix] Revert cryptography to 43.0.3 in pyproject.toml for Python 3.9.0/3.9.1 compat
cryptography 46.0.5 excludes Python 3.9.0 and 3.9.1, which conflicts
with pyproject.toml's python = ">=3.9,<4.0" range. Docker still uses
46.0.5 via requirements.txt.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-01 14:27:51 -07:00
Yuneng JiangandClaude Opus 4.6 85f72c9d24 [Fix] Remove unused aioboto3 dependency and botocore conflict workarounds
aioboto3 was listed as a dependency for async sagemaker calls but is not
imported anywhere in the codebase — async calls use httpx + botocore SigV4
instead. Removing it eliminates the unresolvable botocore version conflict
between boto3 and aiobotocore, along with all grep -v / --no-deps workarounds
across Dockerfiles and CI.

Also addresses Greptile review feedback: collapse redundant grpcio
python-version markers, bump pyproject.toml cryptography to 46.0.5 to
match Docker (GHSA-r6ph-v2qm-q3c2), and fix misleading .npmrc comment.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-01 14:25:44 -07:00
Yuneng JiangandClaude Opus 4.6 6a2b03a850 [Infra] Merge main and resolve dependency pin conflicts
Resolve conflicts between pinned versions and main's caret ranges,
keeping exact pins. Add pytest-cov==5.0.0 from main. Regenerate
poetry.lock.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-01 09:55:13 -07:00
Yuneng JiangandClaude Opus 4.6 296dd3e8a2 [Infra] Fix pyproject.toml pins for Poetry Python 3.9 compatibility
Pin pyproject.toml deps from PyPI resolution of `pip install litellm[proxy]==1.83.0`
instead of Docker freeze versions. Docker builds (requirements.txt) and PyPI installs
(pyproject.toml) are independent dependency paths. Some packages pinned to 3.9-compatible
versions where latest requires >=3.10.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-01 00:25:38 -07:00
Yuneng JiangandClaude Opus 4.6 5f63873dca [Infra] Pin all Docker build dependencies to exact versions
Pin every dependency across all Docker builds so upgrades are intentional.
Verified by building all 3 production images and diffing pip freeze against
known-good v1.83.0-nightly baselines — zero version drift.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-01 00:05:39 -07:00
joereyna 695d726352 Revert to --cov=litellm, add checkout and root_dir to upload job 2026-03-31 16:44:13 -07:00
joereyna b8eac3059a Measure coverage from repo root so filenames include litellm/ prefix 2026-03-31 16:44:13 -07:00
joereyna 0687ebb130 Fix coverage paths: use absolute->relative remapping for Codecov 2026-03-31 16:44:13 -07:00