mirror of
https://github.com/tiennm99/litellm.git
synced 2026-07-12 09:05:33 +00:00
4af58e1f97
- Narrow /root/.cache COPY in Dockerfile to /root/.cache/prisma{,-python}
only — drops ~660MB of uv build cache including a setuptools wheel
that surfaced as CVE-2024-6345 / CVE-2025-47273 even though it was
never on the runtime sys.path.
- DiskCache: switch to dc.JSONDisk to neutralize the pickle code path
(CVE-2025-69872, no upstream fix). Values must be JSON-serializable;
cleanup get_cache to skip the now-dead json.loads(dict) branch by
guarding on isinstance(str).
- pyproject.toml: drop diskcache pin from [caching] extra (no fixed
version exists). Stub kept so `pip install litellm[caching]` doesn't
warn; users who want disk caching install diskcache themselves.
- Bump black 24.10.0 → 26.3.1 (CVE-2026-32274) + apply 296-file mechanical
reformat. Black is dev-only (not in the runtime image), but bumping
clears the manifest-scan finding.
- Refresh ui/litellm-dashboard/package-lock.json to pick up next 16.2.4
(was 16.1.7, GHSA-q4gf-8mx6-v5v3), uuid 14.0.0, postcss 8.5.13.
- Refresh litellm-js/spend-logs/package-lock.json to pick up
hono 4.12.16 (GHSA-458j-xx4x-4375).
- uv lock: gitpython 3.1.46 → 3.1.49 (clears two High GHSAs),
langchain-text-splitters 1.1.1 → 1.1.2.
- Add tests/test_litellm/caching/test_disk_cache.py covering JSONDisk
enforcement, dict/string round-trip, TTL, increment, delete/flush.
Net delta on combined trivy + grype scans: 17 findings → 4 (all
remaining 4 are Wolfi system python-3.13 CVEs marked WONTFIX upstream
in CPython 3.14; CVE-2026-3298 is Windows-unreachable on Linux).
Existing on-disk caches written by the previous pickle-format Disk
will silently miss after upgrade — diskcache is intended to be
ephemeral so impact is recreate-on-next-write.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
87 lines
2.8 KiB
Python
87 lines
2.8 KiB
Python
import ast
|
|
import os
|
|
from typing import List, Dict, Any
|
|
|
|
ALLOWED_FILE = os.path.normpath("litellm/_uuid.py")
|
|
|
|
|
|
def _to_module_path(relative_path: str) -> str:
|
|
module = os.path.splitext(relative_path)[0].replace(os.sep, ".")
|
|
if module.endswith(".__init__"):
|
|
return module[: -len(".__init__")]
|
|
return module
|
|
|
|
|
|
def _find_fastuuid_imports_in_file(
|
|
file_path: str, base_dir: str
|
|
) -> List[Dict[str, Any]]:
|
|
results: List[Dict[str, Any]] = []
|
|
try:
|
|
with open(file_path, "r", encoding="utf-8") as f:
|
|
source = f.read()
|
|
tree = ast.parse(source, filename=file_path)
|
|
except Exception:
|
|
return results
|
|
|
|
relative = os.path.normpath(os.path.relpath(file_path, base_dir))
|
|
if relative == ALLOWED_FILE:
|
|
return results
|
|
|
|
module = _to_module_path(relative)
|
|
for node in ast.walk(tree):
|
|
if isinstance(node, ast.Import):
|
|
for alias in node.names:
|
|
if alias.name == "fastuuid":
|
|
results.append(
|
|
{
|
|
"file": relative,
|
|
"line": getattr(node, "lineno", 0),
|
|
"import": f"import {alias.name}",
|
|
"module": module,
|
|
}
|
|
)
|
|
elif isinstance(node, ast.ImportFrom) and node.module == "fastuuid":
|
|
names = ", ".join([a.name for a in node.names])
|
|
results.append(
|
|
{
|
|
"file": relative,
|
|
"line": getattr(node, "lineno", 0),
|
|
"import": f"from fastuuid import {names}",
|
|
"module": module,
|
|
}
|
|
)
|
|
|
|
return results
|
|
|
|
|
|
def scan_directory_for_fastuuid(base_dir: str) -> List[Dict[str, Any]]:
|
|
violations: List[Dict[str, Any]] = []
|
|
scan_root = os.path.join(base_dir, "litellm")
|
|
for root, _, files in os.walk(scan_root):
|
|
for filename in files:
|
|
if filename.endswith(".py"):
|
|
file_path = os.path.join(root, filename)
|
|
violations.extend(_find_fastuuid_imports_in_file(file_path, base_dir))
|
|
return violations
|
|
|
|
|
|
def main() -> None:
|
|
base_dir = "." # tests run from repo root in CI
|
|
violations = scan_directory_for_fastuuid(base_dir)
|
|
if violations:
|
|
print(
|
|
"\n🚨 fastuuid must only be imported inside litellm/_uuid.py. Found violations:"
|
|
)
|
|
for v in violations:
|
|
print(f"* {v['module']} ({v['file']}:{v['line']}) -> {v['import']}")
|
|
print("\n")
|
|
raise Exception(
|
|
"Found fastuuid imports outside litellm/_uuid.py. Use litellm._uuid.uuid or litellm._uuid.uuid4 instead."
|
|
)
|
|
else:
|
|
print("✅ No invalid fastuuid imports found.")
|
|
|
|
|
|
if __name__ == "__main__":
|
|
main()
|