- Move `import inspect` to stdlib import group
- Change _OPENAI_INIT_PARAMS and _AZURE_OPENAI_INIT_PARAMS from
mutable lists to immutable tuples to prevent accidental mutation
- Update return type and helper to use Tuple[str, ...]
- fix(mypy): suppress [misc] type error in common_utils.py for cls.__init__ access
- fix(mypy): move type: ignore comment to correct line in test_eval.py (line 232 not 231)
- fix(mypy): suppress [misc] and pre-existing pyright errors in vertex_ai_non_gemini.py
- fix(check_licenses): strip inline comments before parsing requirements.txt lines so CVE comments don't break packaging.requirements.Requirement()
- fix(router_coverage): add _merge_tools_from_deployment and _invalidate_access_groups_cache to ignored list (private helpers tested indirectly)
* fix(tests): add app.dependency_overrides for auth in spend logs tests
test_ui_view_spend_logs_with_status, test_ui_view_spend_logs_with_model,
test_ui_view_spend_logs_with_model_id, and test_view_spend_logs_summarize_parameter
all send Bearer sk-test without mocking user_api_key_auth. When a prior test
in the same xdist worker sets master_key, the auth check fails for sk-test
and the test fails intermittently.
Fix: use app.dependency_overrides[ps.user_api_key_auth] to bypass auth,
same pattern as other tests in the same file.
* fix(tests): mock user_api_key_auth in test_vertex_passthrough_with_no_default_credentials
vertex_proxy_route calls user_api_key_auth internally. When a prior test in the
same xdist worker sets master_key, the auth check fails for the test request
and create_pass_through_route is never called, causing assert_called_once_with to fail.
Fix: patch user_api_key_auth as an AsyncMock in the with mock.patch() block.
Previously made a real Vertex AI call with a Wikimedia URL that intermittently
failed with URL_REJECTED-REJECTED_FC_TIMEOUT.
Now mocks HTTPHandler.post and VertexBase._ensure_access_token so the test
verifies the translation (OGG -> file_data with audio/ogg mime_type) without
any real network calls. Runs in ~0.36s instead of ~60s.
* check should_run_guardrail in sync logging hook path
* Add tests for CustomGuardrail logging behavior
Added tests to ensure CustomGuardrail logging behavior based on the guardrail execution state.
---------
Co-authored-by: Miguel Armenta <ma826r@att.com>
* fix(migrations): add ensure_project_id_verification_token migration
Ensures project_id column exists on LiteLLM_VerificationToken. The original
migration (20251113000000_add_project_table) adds this column, but may have
been skipped if LiteLLM_ProjectTable already existed and the migration was
resolved as idempotent. Uses IF NOT EXISTS for safety.
* bump: litellm-proxy-extras 0.4.45 → 0.4.46
Pre-resolve CallTypes enum values into module-level frozensets to avoid
repeated .value attribute access in the elif chain. Inline the hot-path
_store_cost_breakdown_in_logging_obj as a direct dict literal. Remove
unnecessary cast(CallTypesLiteral, call_type) call. Guard
_get_additional_costs() with azure_ai-only check since no other provider
implements additional costs.
Line profile shows 20.5% reduction in completion_cost() total time
(7.14s → 5.68s across 6,006 calls). The four targeted bottlenecks
dropped from 2.82s to 0.28s combined.
BaseHTTPMiddleware creates a new asyncio task, wraps the response in a
StreamingResponse, and coordinates via events on every request — even for
non-/metrics paths where this middleware is a pure passthrough. This added
~3.8s of overhead in profiled benchmarks (15.3s total attributed time).
The pure ASGI implementation checks scope["path"] directly and passes
through to the inner app with zero object construction for non-/metrics
requests. A Request object is only created when auth is actually needed.
* fix(test): remove deprecated Click mix_stderr param in test_use_prisma_db_push_flag_behavior
Click 8.2+ removed the mix_stderr parameter from CliRunner. Use CliRunner() without it.
* fix(test): use app.dependency_overrides for auth mock in test_role_mappings_stored_and_retrieved
monkeypatch.setattr doesn't affect FastAPI's Depends() resolution in parallel
test execution. Use app.dependency_overrides which is the proper FastAPI pattern.
Any PrismaError should be treated as a DB connection error for the
allow_requests_on_db_unavailable feature and 503 responses. The narrow
keyword-based check is now in is_database_transport_error, which is
what the reconnect logic in auth_checks.py should use.
Fixes test_delete_access_group_503_on_db_connection_error and
test_handle_authentication_error_db_unavailable failures caused by
PR #21706 narrowing is_database_connection_error.
- Add early return in _get_assembled_streaming_response for non-streaming
requests, preventing duplicate standard_logging_object computation
- Move emit_standard_logging_payload into _process_hidden_params_and_response_cost
so non-streaming requests still emit the debug payload
- Add emit_standard_logging_payload for dict/list result edge cases
* fix(tests): isolate flaky files endpoint tests from global proxy state
* test(secret_managers): add mocked unit test for write/read JSON secret cycle
* fix(tests): mock httpx in rpm limit pass-through tests to avoid real Cohere API calls
- TeamMemberTab: pass canEditTeam=true so Add Member button renders
- UsagePageView: remove stale banner assertions (org/customer/agent banners were removed from source)
- LogDetailContent: scope '-' query to Provider description item using within() to avoid multiple-match error
* fix(tests): isolate flaky files endpoint tests from global proxy state
* test(secret_managers): add mocked unit test for write/read JSON secret cycle
* fix(tests): restore litellm.callbacks in TestSpendLogsPayload setup/teardown
* fix(tests): clear app.openapi_schema in TestSwaggerChatCompletions setup/teardown
* fix(tests): add flaky marker to test_async_increment_tokens_with_ttl_preservation
* fix(tests): isolate flaky files endpoint tests from global proxy state
* test(secret_managers): add mocked unit test for write/read JSON secret cycle
* fix(security): fix CVE-2025-69873 and CVE-2026-26996 in docs dependencies
Use npm overrides to pin patched versions:
- ajv@6.12.6 → 6.14.0 (fixes ReDoS CVE-2025-69873)
- ajv@8.17.1 → 8.18.0 (fixes ReDoS CVE-2025-69873)
- minimatch@3.1.2 → 10.2.1 (fixes DoS CVE-2026-26996)
serve-handler only calls minimatch(path, pattern) so the 3.x→10.x
upgrade is safe.
* fix(ruff): add missing Set and Dict imports to fix F821 errors
* fix(security): scope ajv overrides to avoid top-level version conflict
Replacing global 'ajv: 8.18.0' override with scoped 'schema-utils@4'
override. The global override conflicted with the nested file-loader/
null-loader/url-loader overrides, causing npm to install ajv@6 at the
top level where ajv-keywords@5.x requires ajv@8 (ajv/dist/compile/codegen).
Now:
- schema-utils@3 + loaders → ajv@6.14.0 (safe minor bump)
- schema-utils@4 → ajv@8.18.0 (safe minor bump)
- top-level ajv unmodified (stays at 8.x for ajv-keywords@5)
* fix(security): allowlist minimatch and tar CVEs from nodejs_wheel, bump tar override to >=7.5.8
* fix(ruff): add missing Set and Dict imports to fix F821 errors
* fix(ci): add semantic_router dep to guardrails_testing job
The test_build_routes_combined_templates test calls build_routes() which
imports from semantic_router, but the guardrails_testing CI job didn't
install it.
* fix(security): fix CVE-2025-69873 and CVE-2026-26996 in docs dependencies
Use npm overrides to pin patched versions:
- ajv@6.12.6 → 6.14.0 (fixes ReDoS CVE-2025-69873)
- ajv@8.17.1 → 8.18.0 (fixes ReDoS CVE-2025-69873)
- minimatch@3.1.2 → 10.2.1 (fixes DoS CVE-2026-26996)
serve-handler only calls minimatch(path, pattern) so the 3.x→10.x
upgrade is safe.
* fix(ruff): add missing Set and Dict imports to fix F821 errors
* fix(security): scope ajv overrides to avoid top-level version conflict
Replacing global 'ajv: 8.18.0' override with scoped 'schema-utils@4'
override. The global override conflicted with the nested file-loader/
null-loader/url-loader overrides, causing npm to install ajv@6 at the
top level where ajv-keywords@5.x requires ajv@8 (ajv/dist/compile/codegen).
Now:
- schema-utils@3 + loaders → ajv@6.14.0 (safe minor bump)
- schema-utils@4 → ajv@8.18.0 (safe minor bump)
- top-level ajv unmodified (stays at 8.x for ajv-keywords@5)
- Restore preserve_fields param for backward compatibility (deprecated)
- Use zip() instead of index-based iteration to prevent IndexError
- Add backward compatibility test
* fix(tests): read CI_CD_DEFAULT_ANTHROPIC_MODEL env var in bedrock KB tests
* fix(tests): read CI_CD_DEFAULT_ANTHROPIC_MODEL env var in test_router
* fix(tests): read CI_CD_DEFAULT_ANTHROPIC_MODEL env var in test_router_retries
* fix(tests): read CI_CD_DEFAULT_ANTHROPIC_MODEL env var in test_router_timeout
SpendLogsMetadata added new fields (user_api_key, status, error_information,
etc.) that weren't in the expected spend_logs_payload.json fixture, causing
test_async_gcs_pub_sub_v1 to fail.
* feat(ui): add forward_client_headers_to_llm_api toggle to general settings
* feat(ui): add forward_client_headers_to_llm_api toggle to UI Settings tab
- Add toggle to UISettings.tsx frontend (switch + label + description)
- Add field to UISettings model and ALLOWED_UI_SETTINGS_FIELDS
- Sync setting to general_settings on get/update so proxy picks it up at runtime
---------
Co-authored-by: shin-bot-litellm <shin-bot-litellm@users.noreply.github.com>