
Bump LiteLLM and urllib3#310

Merged
rajk04-scaleai merged 1 commit into main from rk/bump-packages
Apr 7, 2026

Conversation

@rajk04-scaleai (Contributor) commented Apr 7, 2026

  • Resolves 1 critical and 4 high alerts
  • Widen the dependency range for kubernetes to ensure we can support the patched version of urllib3

Greptile Summary

This PR resolves 1 critical and 4 high security alerts by bumping litellm to >=1.83.0 and widening the kubernetes upper bound to <36.0.0, which in turn allows urllib3 to upgrade from 1.26.20 to 2.6.3 (a major version jump). Transitive dependencies google-auth, rsa, pyasn1, and pyasn1-modules are removed as they are no longer required by the updated kubernetes package, while durationpy is added as a new transitive dependency.

Confidence Score: 5/5

Safe to merge — targeted security dependency bump with no breaking changes to application code

All changes are in dependency metadata. No direct urllib3 usage exists in the codebase, so the major 1.x→2.x bump carries no application-level risk. google-auth is not imported anywhere, so its removal as a transitive dep is also safe. No P0 or P1 findings.

No files require special attention

Important Files Changed

Filename Overview
pyproject.toml Bumps litellm minimum to 1.83.0 and widens kubernetes upper bound to 36.0.0 for urllib3 security fix
uv.lock Resolves locked urllib3 to 2.6.3, reflects updated litellm/kubernetes constraints, drops google-auth/rsa transitive deps, adds durationpy
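The assessment above rests on two checkable claims: the lock resolves urllib3 to at least 2.6.3, and nothing in the code base imports urllib3 directly (which is why a 1.x to 2.x jump is judged safe). The script below, an added example that is not part of the PR or the repository, shows how to verify both against a uv.lock and a source tree. The lock excerpt, the source files and the helper names (locked_versions, check_minimums, direct_importers) are constructed for the demo; the sample sources deliberately contain one direct urllib3 import so a hit is visible.

```python
"""Verify a lockfile-driven security bump (added example, not the PR's code).

Checks: (1) locked versions meet the minimums the alerts require, and
(2) which files import the bumped package directly, which decides whether a
major-version jump such as urllib3 1.x -> 2.x can break application code.
"""
import re

# Constructed stand-in for the relevant [[package]] tables of uv.lock after
# the bump; the versions are those named in the PR, the rest is illustrative.
SAMPLE_LOCK = """\
version = 1

[[package]]
name = "kubernetes"
version = "35.0.0"
dependencies = [
    { name = "urllib3" },
]

[[package]]
name = "litellm"
version = "1.83.0"

[[package]]
name = "urllib3"
version = "2.6.3"
"""

# Minimums stated in the PR: urllib3 2.6.3 and litellm 1.83.0.
REQUIRED_MINIMUMS = {"urllib3": "2.6.3", "litellm": "1.83.0"}

# Constructed source files; only legacy_http.py touches urllib3 directly.
SAMPLE_SOURCES = {
    "app/k8s_client.py": "from kubernetes import client, config\n",
    "app/legacy_http.py": "import urllib3\npool = urllib3.PoolManager()\n",
    "app/llm.py": "import litellm\n",
}

_PKG_HEADER = re.compile(r"^\[\[package\]\]\s*$")
_KV = re.compile(r'^(name|version)\s*=\s*"([^"]*)"\s*$')
_IMPORT = re.compile(r"^\s*(?:import|from)\s+([A-Za-z_]\w*)")


def locked_versions(lock_text):
    """Return {package: version} read from the [[package]] tables of a uv.lock.

    Only the top-level name/version keys of each table are read; this is not
    a general TOML parser, just enough for the lock's package headers.
    """
    versions, current = {}, None
    for line in lock_text.splitlines():
        if _PKG_HEADER.match(line):
            current = {}
            continue
        if line.startswith("["):  # any other table ends the package header
            current = None
            continue
        if current is not None:
            m = _KV.match(line)
            if m:
                current[m.group(1)] = m.group(2)
                if "name" in current and "version" in current:
                    versions[current["name"]] = current["version"]
    return versions


def version_key(version):
    """Numeric tuple for comparison ('2.6.10' -> (2, 6, 10)); pre-release
    suffixes such as 'rc1' are ignored, which is adequate for this check."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def check_minimums(lock_text, minimums):
    """Return {package: (locked_version_or_None, meets_minimum)}."""
    locked = locked_versions(lock_text)
    result = {}
    for name, minimum in minimums.items():
        got = locked.get(name)
        result[name] = (got, got is not None and version_key(got) >= version_key(minimum))
    return result


def direct_importers(sources, package):
    """Sorted paths of files with a top-level import of `package`.

    An empty list means the package reaches the app only through its
    dependents, which is the basis of the review's 'no application-level
    risk' reasoning for the urllib3 major bump.
    """
    hits = []
    for path, text in sources.items():
        if any((m := _IMPORT.match(line)) and m.group(1) == package
               for line in text.splitlines()):
            hits.append(path)
    return sorted(hits)


if __name__ == "__main__":
    for name, (got, ok) in check_minimums(SAMPLE_LOCK, REQUIRED_MINIMUMS).items():
        print(f"{name}: locked {got}, {'ok' if ok else 'BELOW MINIMUM'}")
    print("direct urllib3 importers:", direct_importers(SAMPLE_SOURCES, "urllib3"))
```

Against a real checkout you would read uv.lock with open() and feed every *.py file under the package to direct_importers; a non-empty list for urllib3 is the signal to review those files against the urllib3 2.x migration notes before trusting a "no breaking changes" verdict.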

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Security Alerts] --> B[Bump litellm 1.66→1.83]
    A --> C[Widen kubernetes <29→<36]
    C --> D[urllib3 1.26.20→2.6.3]
    C --> E[Remove: google-auth, rsa, pyasn1, cachetools]
    C --> F[Add: durationpy]
    B --> G[openai 2.7.1→2.30.0 transitive]
    D --> H[Security alerts resolved]

Reviews (1): Last reviewed commit: "Bump LiteLLM and urllib3"

@socket-security

Review the following changes in direct dependencies.

Diff     Package                      Supply Chain Security  Vulnerability  Quality  Maintenance  License
Updated  litellm@1.77.5 ⏵ 1.83.0      74 (-1)                100 (+75)      100      100          100
Updated  kubernetes@28.1.0 ⏵ 35.0.0   88                     100            100      100          100
Updated  openai@2.7.1 ⏵ 2.30.0        95 (-1)                100            100      100          100


@rajk04-scaleai rajk04-scaleai merged commit 18b18a7 into main Apr 7, 2026
32 checks passed
@rajk04-scaleai rajk04-scaleai deleted the rk/bump-packages branch April 7, 2026 18:06