litellm_fix(security): allowlist Next.js CVEs for 7 days #20169
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| # LiteLLM Trivy Ignore File | ||
| # CVEs listed here are temporarily allowlisted pending fixes | ||
|
|
||
| # Next.js vulnerabilities in UI dashboard (next@14.2.35) | ||
| # Allowlisted: 2026-01-31, 7-day fix timeline | ||
| # Fix: Upgrade to Next.js 15.5.10+ or 16.1.5+ | ||
|
|
||
| # HIGH: DoS via request deserialization | ||
| GHSA-h25m-26qc-wcjf | ||
|
|
||
| # MEDIUM: Image Optimizer DoS | ||
| CVE-2025-59471 | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -81,10 +81,10 @@ run_trivy_scans() { | |
| echo "Running Trivy scans..." | ||
|
|
||
| echo "Scanning LiteLLM Docs..." | ||
| trivy fs --ignorefile .trivyignore --scanners vuln --dependency-tree --exit-code 1 --severity HIGH,CRITICAL,MEDIUM ./docs/ | ||
|
|
||
| echo "Scanning LiteLLM UI..." | ||
| trivy fs --ignorefile .trivyignore --scanners vuln --dependency-tree --exit-code 1 --severity HIGH,CRITICAL,MEDIUM ./ui/ | ||
|
Comment on lines
+84
to
+87
Contributor
There was a problem hiding this comment. The Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time! Prompt To Fix With AIThis is a comment left during a code review.
Path: ci_cd/security_scans.sh
Line: 84:87
Comment:
The `.trivyignore` file is applied to both `./docs/` and `./ui/` scans, but the allowlisted CVEs (GHSA-h25m-26qc-wcjf, CVE-2025-59471) are specific to Next.js in the UI directory. If these CVE IDs appear in docs for unrelated packages, they'll be incorrectly ignored. Consider scoping the ignorefile to only the UI scan.
<sub>Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!</sub>
How can I resolve this? If you propose a fix, please make it concise. |
||
|
|
||
| echo "Trivy scans completed successfully" | ||
| } | ||
|
|
||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The 7-day expiration date (2026-01-31) is documented but not automatically enforced. Consider adding a reminder mechanism (GitHub issue, calendar reminder, or CI check) to ensure this allowlist is removed after the deadline.
Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!
Prompt To Fix With AI