From e1fa6c9d7e88d7ff861a0cbd80157ff0e74dfc59 Mon Sep 17 00:00:00 2001
From: joereyna
Date: Fri, 13 Mar 2026 19:20:37 -0700
Subject: [PATCH 1/3] fix(security): bump tar to 7.5.11 and tornado to 6.5.5

- tar >=7.5.11: fixes CVE-2026-31802 (HIGH) in node-pkg
- tornado >=6.5.5: fixes CVE-2026-31958 (HIGH) and GHSA-78cv-mqj4-43f7 (MEDIUM) in python-pkg

Addresses vulnerabilities found in ghcr.io/berriai/litellm:main-v1.82.0-stable Trivy scan.

Co-Authored-By: Claude Sonnet 4.6
---
 requirements.txt | 2 +-
 ui/litellm-dashboard/package.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/requirements.txt b/requirements.txt
index f7b72b6f0c3..bf2bf2c47a0 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,7 +1,7 @@
 # LITELLM PROXY DEPENDENCIES # # Security: explicit pins for transitive deps (CVE fixes)
 urllib3>=2.6.0 # CVE-2025-66471, CVE-2025-66418, CVE-2026-21441
-tornado>=6.5.3 # CVE-2025-67725, CVE-2025-67726, CVE-2025-67724
+tornado>=6.5.5 # CVE-2025-67725, CVE-2025-67726, CVE-2025-67724, CVE-2026-31958, GHSA-78cv-mqj4-43f7
 filelock>=3.20.1 # CVE-2025-68146
 h11>=0.16.0 # CVE-2025-43859, GHSA-vqfr-h8mv-ghfj — HTTP request smuggling
 wheel>=0.46.2 # CVE-2026-24049 — path traversal
diff --git a/ui/litellm-dashboard/package.json b/ui/litellm-dashboard/package.json
index 5cbe1ead886..2a9bb3e5e20 100644
--- a/ui/litellm-dashboard/package.json
+++ b/ui/litellm-dashboard/package.json
@@ -88,7 +88,7 @@
 "mermaid": ">=11.10.0",
 "js-yaml": ">=4.1.1",
 "glob": ">=11.1.0",
- "tar": ">=7.5.10",
+ "tar": ">=7.5.11",
 "minimatch": ">=10.2.4",
 "@isaacs/brace-expansion": ">=5.0.1",
 "node-forge": ">=1.3.2",

From 52a00f52031831c0cdac592b11aaf1034d926717 Mon Sep 17 00:00:00 2001
From: joereyna
Date: Fri, 13 Mar 2026 20:19:24 -0700
Subject: [PATCH 2/3] fix: document tar override is enforced via Dockerfile, not npm

---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index 70fcb01afc7..8afbf50205c 100644
--- a/package.json
+++ b/package.json
@@ -12,7 +12,7 @@
 },
 "overrides": {
 "glob": ">=11.1.0",
- "tar": ">=7.5.11",
+ "tar": ">=7.5.11", // enforced via Dockerfile; tar is not a direct transitive dep of this project
 "minimatch": ">=10.2.4",
 "diff": ">=8.0.3",
 "@isaacs/brace-expansion": ">=5.0.1",

From 93c7a7b7791716f6138702b7ebbabb29696eb5c7 Mon Sep 17 00:00:00 2001
From: joereyna
Date: Fri, 13 Mar 2026 21:12:24 -0700
Subject: [PATCH 3/3] fix: revert invalid JSON comment in package.json tar override

---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index 8afbf50205c..70fcb01afc7 100644
--- a/package.json
+++ b/package.json
@@ -12,7 +12,7 @@
 },
 "overrides": {
 "glob": ">=11.1.0",
- "tar": ">=7.5.11", // enforced via Dockerfile; tar is not a direct transitive dep of this project
+ "tar": ">=7.5.11",
 "minimatch": ">=10.2.4",
 "diff": ">=8.0.3",
 "@isaacs/brace-expansion": ">=5.0.1",
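Review bot: After this revert, the reason the root `overrides.tar` entry exists is documented nowhere in the tree; the statement dropped here — that npm does not enforce this floor and the Dockerfile does — is exactly what a later maintainer needs before deleting or "fixing" the override. As far as I know npm applies `overrides` only to packages that appear in the project's dependency graph, so if tar really is absent from it the entry is a silent no-op and the CVE-2026-31802 remediation rests entirely on a Dockerfile step that this series does not touch or show. Since package.json cannot carry comments, put the rationale beside the enforcing step instead, e.g. a Dockerfile line `# tar>=7.5.11 is installed here (CVE-2026-31802); the overrides.tar entry in package.json is not applied by npm because tar is not in this project's dependency graph`, and consider gating CI on `npm ls tar` or the Trivy scan of the built image so the floor is verified rather than assumed. The `overrides` object continues outside the hunk.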