
chore: pin aiohttp>=3.14.0 security floor for transitive CVE fix #14

Open
Anai-Guo wants to merge 1 commit into main from chore/auto-maint-2026-06-05

Conversation

@Anai-Guo Anai-Guo commented Jun 5, 2026

Owner

Automated maintenance change

Type: update (dependency security)
Change: add a security floor of >=3.14.0 for aiohttp, a transitive dependency of litellm, to fix CVE-2026-34993 / CVE-2026-47265 (3.13.x is affected; fixed in 3.14.0).
Tests: pass (pip-audit reports no known vulnerabilities after the upgrade; the full suite, 270 passed, 1 skipped, is green under aiohttp 3.14.0)
References: none; based on local pip-audit output, no external sources cited

This PR was generated by the daily maintenance job; please have a human review it before merging.

🤖 Generated with Claude Code

litellm pulls aiohttp in transitively; 3.13.x is affected by
CVE-2026-34993 and CVE-2026-47265, both fixed in 3.14.0. Add an
explicit security floor so dependency resolution cannot select an
affected version.

Verified: pip-audit reports no known vulnerabilities after the bump,
and the full test suite (270 passed, 1 skipped) is green under
aiohttp 3.14.0.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
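The PR's rationale is that an explicit floor on a transitive dependency keeps the resolver from selecting an affected version, and that pip-audit plus the test suite confirm the result. The following is an added example, not code from this PR or its repository: a small stdlib-only gate a reviewer or CI job could run after the bump to confirm that the resolved environment actually honours each declared security floor. It assumes floors are written the way the PR writes them (`name>=X.Y.Z`) and that the environment is described by `pip freeze`-style `name==X.Y.Z` lines; the freeze listings, the `litellm` version and the editable entry are constructed for illustration. Only dotted release versions are compared; pre-release and local tags are rejected rather than guessed at.

```python
"""Check that a resolved Python environment honours per-package security floors.

Added example, not part of the PR. Floors look like "name>=X.Y.Z"; the
environment is a pip-freeze listing ("name==X.Y.Z"). Sample data below is
constructed. For full PEP 440 semantics use packaging.specifiers instead.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Floors are written the way the PR writes them: "name>=X.Y.Z".
_FLOOR_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*>=\s*([0-9][0-9.]*)\s*$")
# pip freeze emits one exact pin per line: "name==X.Y.Z".
_PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9.]*)\s*$")


def normalize_name(name: str) -> str:
    """PEP 503 name normalisation so 'AioHTTP' and 'aiohttp' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text: str) -> Version:
    """Parse a dotted release version ('3.14.0') into an int tuple.

    Pre-release, post-release and local segments are deliberately rejected:
    guessing their ordering is how a floor check silently passes a bad build.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(p) for p in parts)


def compare_versions(a: Version, b: Version) -> int:
    """Return -1/0/1; shorter tuples are zero-padded so 3.14 == 3.14.0."""
    width = max(len(a), len(b))
    a, b = a + (0,) * (width - len(a)), b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def format_version(v: Version) -> str:
    return ".".join(str(n) for n in v)


def parse_floors(lines: List[str]) -> Dict[str, Version]:
    floors: Dict[str, Version] = {}
    for line in lines:
        m = _FLOOR_RE.match(line)
        if not m:
            raise ValueError(f"floor must look like 'name>=X.Y.Z': {line!r}")
        floors[normalize_name(m.group(1))] = parse_version(m.group(2))
    return floors


def parse_freeze(text: str) -> Dict[str, Version]:
    installed: Dict[str, Version] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _PIN_RE.match(line)
        if not m:
            # editable / VCS / URL entries carry no comparable version; skip them
            continue
        installed[normalize_name(m.group(1))] = parse_version(m.group(2))
    return installed


def check_floors(freeze_text: str, floor_lines: List[str]) -> List[str]:
    """Return one message per violated or unverifiable floor; empty means OK."""
    installed = parse_freeze(freeze_text)
    violations: List[str] = []
    for name, floor in parse_floors(floor_lines).items():
        if name not in installed:
            violations.append(f"{name}: not installed, floor >={format_version(floor)} unverified")
        elif compare_versions(installed[name], floor) < 0:
            violations.append(
                f"{name}: installed {format_version(installed[name])} "
                f"is below security floor {format_version(floor)}"
            )
    return violations


# The floor this PR introduces (an explicit constraint on a transitive dependency).
SECURITY_FLOORS = ["aiohttp>=3.14.0"]

# Constructed pip-freeze listings; the litellm and editable entries are illustrative only.
FREEZE_BEFORE = """\
# constructed sample, not a real environment
aiohttp==3.13.2
litellm==1.0.0
-e git+https://example.invalid/repo.git@abc123#egg=localpkg
"""
FREEZE_AFTER = FREEZE_BEFORE.replace("aiohttp==3.13.2", "aiohttp==3.14.0")

if __name__ == "__main__":
    for label, freeze in (("before", FREEZE_BEFORE), ("after", FREEZE_AFTER)):
        problems = check_floors(freeze, SECURITY_FLOORS)
        print(label, "->", problems or "all security floors satisfied")
```

Feeding real `pip freeze` output into `check_floors` turns the floor into a failing CI step rather than a comment in a requirements file. It complements rather than replaces pip-audit: pip-audit knows which versions are vulnerable, while this only confirms that the resolver did not quietly land below the floor the project declared.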
