* fix(security): fix CVE-2025-69873 and CVE-2026-26996 in docs dependencies
Use npm overrides to pin patched versions:
- ajv@6.12.6 → 6.14.0 (fixes ReDoS CVE-2025-69873)
- ajv@8.17.1 → 8.18.0 (fixes ReDoS CVE-2025-69873)
- minimatch@3.1.2 → 10.2.1 (fixes DoS CVE-2026-26996)
serve-handler only calls minimatch(path, pattern) so the 3.x→10.x
upgrade is safe.
* fix(ruff): add missing Set and Dict imports to fix F821 errors
* fix(security): scope ajv overrides to avoid top-level version conflict
Replacing global 'ajv: 8.18.0' override with scoped 'schema-utils@4'
override. The global override conflicted with the nested file-loader/
null-loader/url-loader overrides, causing npm to install ajv@6 at the
top level where ajv-keywords@5.x requires ajv@8 (ajv/dist/compile/codegen).
Now:
- schema-utils@3 + loaders → ajv@6.14.0 (safe minor bump)
- schema-utils@4 → ajv@8.18.0 (safe minor bump)
- top-level ajv unmodified (stays at 8.x for ajv-keywords@5)
* fix(security): allowlist minimatch and tar CVEs from nodejs_wheel, bump tar override to >=7.5.8
Temporarily allowlist Next.js vulnerabilities in UI dashboard:
- GHSA-h25m-26qc-wcjf (HIGH: DoS via request deserialization)
- CVE-2025-59471 (MEDIUM: Image Optimizer DoS)
Fix: Upgrade to Next.js 15.5.10+ or 16.1.5+ (7-day timeline)
Changes:
- Added .trivyignore with Next.js CVEs
- Updated security_scans.sh to use --ignorefile flag
* build(README.md): initial commit adding a separate folder for additional proxy files. Meant to reduce size of core package
* build(litellm-proxy-extras/): new pip package for storing migration files
allows litellm proxy to use migration files, without adding them to core repo
* build(litellm-proxy-extras/): cleanup pyproject.toml
* build: move prisma migration files inside new proxy extras package
* build(run_migration.py): update script to write to correct folder
* build(proxy_cli.py): load in migration files from litellm-proxy-extras
Closes https://github.com/BerriAI/litellm/issues/9558
* build: add MIT license to litellm-proxy-extras
* test: update test
* fix: fix schema
* bump: version 0.1.0 → 0.1.1
* build(publish-proxy-extras.sh): add script for publishing new proxy-extras version
* build(liccheck.ini): add litellm-proxy-extras to authorized packages
* fix(litellm-proxy-extras/utils.py): move prisma migrate logic inside extra proxy pkg
easier since migrations folder already there
* build(pre-commit-config.yaml): add litellm_proxy_extras to ci tests
* docs(config_settings.md): document new env var
* build(pyproject.toml): bump relevant files when litellm-proxy-extras version changed
* build(pre-commit-config.yaml): run poetry check on litellm-proxy-extras as well
* feat(spend_management_endpoints.py): expose new endpoint for querying user's usage at 1m+ spend logs
Allows user to view their spend at 1m+ spend logs
* build(schema.prisma): add api_requests to dailyuserspend table
* build(migration.sql): add migration file for new column to daily user spend table
* build(prisma_client.py): add logic for copying over migration folder, if deploy/migrations present in expected location
enables easier testing of prisma migration flow
* build(ui/): initial commit successfully using the dailyuserspend table on the UI
* refactor(internal_user_endpoints.py): refactor `/user/daily/activity` to give breakdowns by provider/model/key
* feat: feature parity (cost page) with existing 'usage' page
* build(ui/): add activity tab to new_usage.tsx
gets to feature parity on 'All Up' page of 'usage.tsx'
* fix(proxy/utils.py): count number of api requests in daily user spend table
allows us to see activity by model on new usage tab
* style(new_usage.tsx): fix y-axis to be in ascending order of date
* fix: fix linting errors
* fix: fix ruff check errors