Skip to content

fix(security): bump tar to 7.5.11 and tornado to 6.5.5 #23602

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
krrishdholakia merged 3 commits into from
Mar 14, 2026
Merged

fix(security): bump tar to 7.5.11 and tornado to 6.5.5 #23602

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
e1fa6c9
fix(security): bump tar to 7.5.11 and tornado to 6.5.5
joereyna Mar 14, 2026
52a00f5
fix: document tar override is enforced via Dockerfile, not npm
joereyna Mar 14, 2026
93c7a7b
fix: revert invalid JSON comment in package.json tar override
joereyna Mar 14, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion requirements.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
# LITELLM PROXY DEPENDENCIES #
# Security: explicit pins for transitive deps (CVE fixes)
urllib3>=2.6.0 # CVE-2025-66471, CVE-2025-66418, CVE-2026-21441
tornado>=6.5.3 # CVE-2025-67725, CVE-2025-67726, CVE-2025-67724
tornado>=6.5.5 # CVE-2025-67725, CVE-2025-67726, CVE-2025-67724, CVE-2026-31958, GHSA-78cv-mqj4-43f7
filelock>=3.20.1 # CVE-2025-68146
h11>=0.16.0 # CVE-2025-43859, GHSA-vqfr-h8mv-ghfj — HTTP request smuggling
wheel>=0.46.2 # CVE-2026-24049 — path traversal
Expand Down
2 changes: 1 addition & 1 deletion ui/litellm-dashboard/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -88,7 +88,7 @@
"mermaid": ">=11.10.0",
"js-yaml": ">=4.1.1",
"glob": ">=11.1.0",
"tar": ">=7.5.10",
"tar": ">=7.5.11",
Copy link
Contributor

@greptile-apps greptile-apps bot Mar 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

tar override has no effect — not a transitive dependency

tar does not appear anywhere in package-lock.json as a resolved package, meaning it is not a transitive dependency of any package declared in this project. The overrides entry therefore does not constrain any actual installed version and provides no security guarantee from the npm side.

The real enforcement of tar@7.5.11 happens in Dockerfile line 52 (npm install -g ... tar@7.5.11) and the subsequent find … cp -rL patching steps. If that Dockerfile logic is ever changed or the overrides entry is relied upon to stand alone, the fix will silently become a no-op. It may be worth adding a comment here to that effect:

Suggested change
"tar": ">=7.5.11",
"tar": ">=7.5.11", // enforced via Dockerfile; tar is not a direct transitive dep of this project

This is a low-severity observation — the current Docker build is safe — but it is worth documenting so future maintainers understand where the actual protection lives.

"minimatch": ">=10.2.4",
"@isaacs/brace-expansion": ">=5.0.1",
"node-forge": ">=1.3.2",
Expand Down
Loading