
fix: bump litellm floor to 1.83.7 to clear SSTI advisory GHSA-xqmj-j6mv-4862 #208

Open
scale-ballen wants to merge 2 commits into main from sec/agentex-fips-litellm-1.83.7-bump

Conversation

Contributor

@scale-ballen scale-ballen commented Apr 25, 2026

Summary

Clears the HIGH advisory GHSA-xqmj-j6mv-4862 ("Server-Side Template Injection in litellm /prompts/test endpoint") flagged by trivy/Aqua on egp-mirror-int/agentex:*-fips. Vulnerable range >= 1.80.5, < 1.83.7, patched in >= 1.83.7.

The current pin litellm>=1.48.2,<2 resolves to 1.83.0 in the latest image, which falls in the vulnerable range.

Changes

  • agentex/pyproject.toml: bump litellm floor `>=1.48.2,<2` → `>=1.83.7,<2`. Inline comment notes the advisory.
  • agentex/pyproject.toml: widen test extra httpx[http2] upper bound `<0.28` → `<0.29` because litellm 1.83.7 transitively requires httpx==0.28.1.
  • pyproject.toml (workspace root): add an override-dependencies entry for httpx[http2]>=0.28.1,<0.29 to override the pinned httpx<0.28 constraint inherited from agentex-sdk.
  • uv.lock: regenerated to reflect the bumps.

Reachability

agentex uses litellm as an SDK (litellm.acompletion, litellm.types.*, etc.). The vulnerable SSTI is in litellm.proxy.* (proxy server route handler /prompts/test) which is not invoked here. The bump is required because Aqua flags by package version regardless of reachable code.

Relationship to PR #195

PR #195 (fix: pin litellm <1.82.7 due to security vulnerability) has been open since 2026-04-09. It targets a different vulnerability — the 1.82.7/1.82.8 supply-chain compromise (credential-stealing malware, both versions removed from PyPI).

This PR supersedes #195 because the new floor (>=1.83.7) is above 1.82.7/1.82.8, so any resolution under this constraint will skip the compromised versions automatically. The <2 upper bound is preserved.

@danielmillerp — feel free to close #195 once this is reviewed; no functional gap.

Verification

  • uv lock resolves cleanly with the new constraints
  • Resolved litellm version: 1.83.7+ (will be the latest 1.83.x at install time)
  • CI passes
  • Post-merge image build clears the Aqua finding (auto-sync bot updates the FIPS wrapper repo's submodule pointer; next image build picks up the new pin)

🤖 Generated with Claude Code

Greptile Summary

This PR bumps the litellm floor from >=1.48.2 to >=1.83.7 to clear advisory GHSA-xqmj-j6mv-4862 (SSTI in the /prompts/test proxy endpoint), and widens the httpx bounds to satisfy litellm's transitive requirement for httpx==0.28.1. Test assertions are correctly updated to reflect httpx 0.28's compact JSON serialization.

The lock file regeneration also produces some unexpected version downgrades — click (8.2.1→8.1.8), importlib-metadata (8.7.0→8.5.0), and jsonschema (4.25.1→4.23.0) — which appear to be caused by litellm 1.83.7's transitive constraints. These are worth a quick sanity-check but are unlikely to cause regressions.

Confidence Score: 5/5

Safe to merge — all changes are well-scoped dependency version bumps with correct test updates; only remaining finding is a P2 observation about transitive lock downgrades.

The litellm floor bump is correctly motivated by the advisory, the httpx override chain is correctly threaded through pyproject.toml and uv.lock, and the test assertion changes accurately reflect httpx 0.28's compact JSON serialization. The only open item (unexpected transitive downgrades) is P2 and conditional on CI results already being checked.

uv.lock — review the transitive downgrades of click, importlib-metadata, and jsonschema to confirm CI coverage.

Important Files Changed

- `agentex/pyproject.toml`: Bumps litellm floor to >=1.83.7 to clear SSTI advisory; widens httpx test upper-bound to <0.29 with inline explanation.
- `pyproject.toml`: Adds httpx[http2]>=0.28.1,<0.29 override-dependency to allow litellm 1.83.7's httpx requirement to override agentex-sdk's older pin.
- `agentex/tests/integration/api/agent_api_keys/test_agent_api_keys_api.py`: Updates two byte-string assertions from spaced JSON (httpx <0.28) to compact JSON (httpx >=0.28), with explanatory inline comments.
- `uv.lock`: Regenerated; correctly pins httpx to 0.28.1 and litellm to 1.83.7, but also downgrades click (8.2.1→8.1.8), importlib-metadata (8.7.0→8.5.0), and jsonschema (4.25.1→4.23.0) as transitive side-effects of litellm's constraints.

Flowchart

```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["agentex/pyproject.toml\nlitellm >=1.83.7,<2"] -->|"requires"| B["httpx ==0.28.1"]
    C["agentex-sdk\nhttpx <0.28 pin"] -->|"conflicts"| B
    D["pyproject.toml (workspace root)\noverride-dependencies:\nhttpx[http2]>=0.28.1,<0.29"] -->|"overrides"| C
    D --> E["uv.lock\nhttpx 0.28.1 resolved"]
    A --> E
    E --> F["GHSA-xqmj-j6mv-4862 cleared\n(SSTI in /prompts/test)"]
    style F fill:#2d8a4e,color:#fff
    style C fill:#c0392b,color:#fff
```

Review comment on uv.lock, line 172:
**Unexpected transitive downgrades worth a quick check**

The lock regeneration also downgrades three packages as side-effects of litellm 1.83.7's transitive constraints:

- `click` 8.2.1 → 8.1.8
- `importlib-metadata` 8.7.0 → 8.5.0
- `jsonschema` 4.25.1 → 4.23.0

All three are stable, widely-used packages and the downgrades are unlikely to cause regressions, but it's worth confirming CI passes across the test suite (especially any code paths that call `click` CLI entry-points or use `jsonschema` validators) before merging.


Reviews (2): Last reviewed commit: "test(agent_api_keys): adapt assertions t..."

…mv-4862

Aqua/trivy flagged `egp-mirror-int/agentex:*-fips` for HIGH advisory
GHSA-xqmj-j6mv-4862 ("Server-Side Template Injection in /prompts/test
endpoint") — vulnerable range `>= 1.80.5, < 1.83.7`, patched in `>= 1.83.7`.

Current pin `litellm>=1.48.2,<2` resolved to 1.83.0 in the latest image
build, which is in the vulnerable range.

This change:
- Bumps `litellm` floor in `agentex/pyproject.toml` from `>=1.48.2,<2`
  to `>=1.83.7,<2`. The new floor automatically dodges the
  litellm 1.82.7/1.82.8 supply-chain compromise (PR #195 was protecting
  against that with `<1.82.7`; this PR supersedes that need by setting
  the floor above those versions).
- Widens the test extra `httpx[http2]` upper bound to `<0.29` because
  litellm 1.83.7 transitively requires `httpx==0.28.1`.
- Adds a workspace `override-dependencies` entry for `httpx[http2]>=0.28.1`
  to override the pinned `httpx<0.28` constraint in `agentex-sdk`.
- Regenerates `uv.lock`.

Reachability: agentex consumes litellm as an SDK (`litellm.acompletion`,
`litellm.types.*`, etc.); the vulnerable code path lives in
`litellm.proxy.*` and is not invoked at runtime here. Scanner flags by
package version regardless, so the bump is required to clear Aqua.

Closes / supersedes #195 (which was pinning `<1.82.7` for the
1.82.7/1.82.8 supply-chain compromise — the higher floor here covers
that scenario as a side effect).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@scale-ballen scale-ballen requested a review from a team as a code owner April 25, 2026 20:55
@socket-security

socket-security Bot commented Apr 25, 2026

Review the following changes in direct dependencies.

Diff    | Package                              | Supply Chain Security | Vulnerability | Quality | Maintenance | License
Updated | pypi/litellm@1.83.0 ⏵ 1.83.7         | 74                    | 100 (+16)     | 100     | 100         | 100
Updated | pypi/aiohttp@3.13.4 ⏵ 3.13.5         | 97 (+1)               | 100           | 100     | 100         | 100
Updated | pypi/python-dotenv@1.1.1 ⏵ 1.0.1     | 99                    | 99            | 100     | 100         | 100
Updated | pypi/httpx@0.27.2 ⏵ 0.28.1           | 100                   | 100           | 100     | 100         | 100


Two integration tests asserted the legacy spaced JSON body format
(`b'{"key": "value"}'`). Starting in httpx 0.28, the `json=...` arg is
serialized in compact form (`b'{"key":"value"}'`, no spaces) for wire
efficiency.

This caused:
1. test_forwarding_post_request: direct body assertion failure
   (`b'{"key":"value"}' != b'{"key": "value"}'`)
2. test_forwarding_request_with_slack: 401 instead of 200, because the
   test-side HMAC was computed over the spaced bytes while the server
   verified against the compact bytes httpx actually sent

Both are test-side adaptations; runtime forwarding behavior is correct.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
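The 401 described in the commit message above (signature computed over one JSON serialization, request sent with another) is reproduced here as an added example; it is not code from this PR or from agentex. It uses only the standard library, with a constructed secret and payload, and mimics httpx's spaced (<0.28) and compact (>=0.28) `json=` encodings via `json.dumps` separators; the robust variant signs the exact bytes it sends, which is how a verifier should be fed regardless of client library version.

```python
import hashlib
import hmac
import json

# Constructed sample values; not the project's secret or payload.
SECRET = b"example-shared-secret"
PAYLOAD = {"key": "value"}


def sign(body: bytes) -> str:
    """HMAC-SHA256 over the exact bytes placed on the wire."""
    return hmac.new(SECRET, body, hashlib.sha256).hexdigest()


def verify(body: bytes, signature: str) -> bool:
    """Server side: recompute over the raw request body, constant-time compare."""
    return hmac.compare_digest(sign(body), signature)


def spaced_body(obj) -> bytes:
    # Equivalent of httpx <0.28 json= encoding: default separators (", ", ": ")
    return json.dumps(obj).encode()


def compact_body(obj) -> bytes:
    # Equivalent of httpx >=0.28 json= encoding: no whitespace
    return json.dumps(obj, separators=(",", ":")).encode()


def fragile_client_flow(obj) -> tuple[bytes, str]:
    """The pattern that broke: sign one serialization, then let the HTTP
    client produce a different one. Returns (bytes actually sent, signature)."""
    sig = sign(spaced_body(obj))   # signature over the spaced bytes
    sent = compact_body(obj)       # library serializes compactly on the wire
    return sent, sig


def robust_client_flow(obj) -> tuple[bytes, str]:
    """Serialize once, sign those bytes, send those same bytes
    (with httpx: content=body plus an explicit application/json header)."""
    body = compact_body(obj)
    return body, sign(body)
```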