fix(security): hard-disable litellm integrations #937

Merged
chenjw merged 1 commit into main from fix/disable-litellm-integrations on Mar 24, 2026

Conversation

qin-ctx (Collaborator) commented Mar 24, 2026

Description

Temporarily hard-disable LiteLLM across the runtime, config, and dependency surface in response to the public supply-chain compromise report for recent LiteLLM releases.

Related Issue

External security incident: BerriAI/litellm#24512

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Refactoring (no functional changes)
  • Performance improvement
  • Test update

Changes Made

  • Remove LiteLLM from the root dependency and lockfile, and stop advertising it as a supported VLM or embedding provider.
  • Fail fast when provider=litellm is configured for VLM, embedding, or rerank instead of falling through to runtime import errors.
  • Disable LiteLLM-backed bot provider and image generation entry points, and replace old LiteLLM tests with hard-disable regression coverage.

Testing

  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • I have tested this on the following platforms:
    • Linux
    • macOS
    • Windows

Checklist

  • My code follows the project's coding style
  • I have performed a self-review of my code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • Any dependent changes have been merged and published

Screenshots (if applicable)

N/A

Additional Notes

Validated with:

  • python -m pytest -o addopts='' tests/unit/test_litellm_embedder.py -q
  • python -m pytest -o addopts='' tests/unit/test_extra_headers_vlm.py -k LiteLLMDisabled -q

I did not mark the full unit test suite as passing. An existing subset in tests/unit/test_extra_headers_vlm.py still has unrelated mock target failures outside the new LiteLLM-disable coverage.

Disable LiteLLM-backed providers, config entry points, and image tooling so
new installs and runtime config cannot route through a compromised dependency.

Co-Authored-By: Claude Opus 4.6
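The fail-fast behaviour listed under Changes Made, as an added example that is not code from this PR or from OpenViking: a config validator that rejects provider=litellm for vlm, embedding and rerank at load time, before any provider module is imported, together with a scan of a dependency file for leftover litellm pins of the kind the lockfile removal is meant to eliminate. The config layout, the component names, DISABLED_PROVIDERS, ProviderDisabledError, validate_config and lockfile_hits are assumptions made for illustration, and the config and lockfile fragments in the block are constructed.

```python
"""Fail-fast rejection of a hard-disabled provider.

Added example, not OpenViking's own code. The config shape
({"vlm": {"provider": ...}, ...}), the component names and every helper
name below are assumptions made for illustration.
"""
import re

# Providers refused outright, mapped to the reason recorded for the refusal.
# The LiteLLM entry cites the incident this PR responds to.
DISABLED_PROVIDERS = {
    "litellm": "supply-chain compromise report, BerriAI/litellm#24512",
}

# Components whose provider setting is checked up front (assumed names).
ROUTED_COMPONENTS = ("vlm", "embedding", "rerank")


class ProviderDisabledError(ValueError):
    """Raised at config load, before any provider module is imported."""


def check_provider(component: str, provider: str) -> str:
    """Return the provider name, or raise if it is hard-disabled."""
    reason = DISABLED_PROVIDERS.get(str(provider).lower())
    if reason is not None:
        raise ProviderDisabledError(
            f"{component}: provider '{provider}' is disabled ({reason}); "
            "select a different provider"
        )
    return provider


def validate_config(config: dict) -> dict:
    """Validate every routed component in one pass.

    Collecting all failures means an operator sees the full list of settings
    to change, instead of hitting them one runtime import error at a time.
    """
    problems = []
    for component in ROUTED_COMPONENTS:
        provider = config.get(component, {}).get("provider")
        if provider is None:
            continue  # component not configured; nothing to route
        try:
            check_provider(component, provider)
        except ProviderDisabledError as exc:
            problems.append(str(exc))
    if problems:
        raise ProviderDisabledError("; ".join(problems))
    return config


def lockfile_hits(lock_text: str, package: str) -> list[str]:
    """Return the lines of a dependency file that still pin `package`.

    Matches a requirements-style line ("litellm==1.2", "litellm[proxy]>=1")
    or a uv/poetry-style lock entry (name = "litellm"), and deliberately does
    not match other packages that merely share the prefix ("litellm-proxy").
    """
    name = re.escape(package)
    pattern = re.compile(
        rf'^\s*(?:{name}\s*(?:[=<>!~\[;]|$)|name\s*=\s*"{name}")',
        re.IGNORECASE,
    )
    return [line for line in lock_text.splitlines() if pattern.search(line)]


if __name__ == "__main__":
    # Constructed config that still routes embeddings through LiteLLM.
    bad = {"vlm": {"provider": "openai"}, "embedding": {"provider": "litellm"}}
    try:
        validate_config(bad)
    except ProviderDisabledError as exc:
        print("rejected:", exc)

    # Constructed lockfile fragment with a leftover LiteLLM entry.
    lock = 'name = "openai"\nversion = "1.0"\nname = "litellm"\nversion = "1.77.0"\n'
    print(lockfile_hits(lock, "litellm"))
```

Checking all three components in one pass and reporting every hit is what makes this usable during an incident: an operator rotating providers under time pressure gets the complete list of settings to change rather than one import failure per component. The lockfile scan is a cheap CI guard against the dependency being reintroduced by a later merge.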

chenjw merged commit 9eb6a5a into main on Mar 24, 2026
11 checks passed
chenjw deleted the fix/disable-litellm-integrations branch on March 24, 2026 at 15:12
github-project-automation bot moved this from Backlog to Done in the OpenViking project on Mar 24, 2026