
[Security] - Pin axios=1.13.6#24829

Merged
ishaan-berri merged 1 commit into main from litellm_pin_axios on Mar 31, 2026

Conversation

ishaan-berri (Contributor) commented Mar 31, 2026

[Security] - Pin axios=1.13.6

Pins axios to 1.13.6 across all 6 package.json files in the repo. Malicious versions [email protected] and [email protected] were published to npm https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan

Our previous override of >=0.30.2 could have resolved to a compromised version on a fresh install without a lock file.

We are not impacted -- the lock file already resolved to 1.13.6 -- but this pin prevents future accidental upgrades to a malicious release.

Pre-Submission checklist

Please complete all items before asking a LiteLLM maintainer to review your PR

  • I have added testing in the tests/test_litellm/ directory; adding at least 1 test is a hard requirement (see details)
  • My PR passes all unit tests on make test-unit
  • My PR's scope is as isolated as possible, it only solves 1 specific problem
  • I have requested a Greptile review by commenting @greptileai and received a Confidence Score of at least 4/5 before requesting a maintainer review

Delays in PR merge?

If you're seeing a delay in your PR being merged, ping the LiteLLM Team on Slack (#pr-review).

CI (LiteLLM team)

CI status guideline:

  • 50-55 passing tests: main is stable with minor issues.
  • 45-49 passing tests: acceptable but needs attention
  • <= 40 passing tests: unstable; be careful with your merges and assess the risk.
  • Branch creation CI run
    Link:

  • CI run for the last commit
    Link:

  • Merge / cherry-pick CI run
    Links:

Type

🚄 Infrastructure
✅ Test

Changes

vercel bot commented Mar 31, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: litellm. Deployment: Ready. Actions: Preview, Comment. Updated (UTC): Mar 31, 2026 3:23am


codspeed-hq bot (Contributor) commented Mar 31, 2026

Merging this PR will not alter performance

✅ 16 untouched benchmarks


Comparing litellm_pin_axios (f636c3b) with main (81028b9)


greptile-apps bot (Contributor) commented Mar 31, 2026

Greptile Summary

This PR is a targeted security patch that pins axios to 1.13.6 (from >=0.30.2) in the npm overrides section of all six package.json files across the repo. The pin addresses the prototype-pollution vulnerability in axios (fixed in >=1.13.5) and CVE-2026-25639 (a DoS via mergeConfig). axios@1.13.6 has no known direct vulnerabilities in Snyk's database.

Key observations:

  • Changes are isolated to the overrides field — no production source code is modified.
  • All six files are updated consistently, so no stale entry is left behind.
  • The exact pin "1.13.6" diverges from the >= pattern used for every other security override in these files. This means a future axios patch release will not be picked up automatically, requiring another manual update PR. Using ">=1.13.6" would stay consistent with the project's own convention while still enforcing the security floor.
  • The PR pre-submission checklist notes that adding at least one test is a hard requirement, though for a pure dependency-version override there is no meaningful unit test to add — the fix is entirely in npm's dependency resolution.

Confidence Score: 5/5

Safe to merge — changes are limited to npm overrides and address known axios security vulnerabilities with no production code impact.

All six package.json files are updated consistently in the overrides section only. No source code is modified, no tests are altered, and axios@1.13.6 has no known vulnerabilities. The only finding is a P2 style suggestion to use >= instead of an exact pin, which does not block merge.

No files require special attention.

Important Files Changed

Filename: overview
package.json: Pins axios override from >=0.30.2 to exactly 1.13.6 to address security vulnerabilities (prototype pollution, DoS via mergeConfig)
ui/litellm-dashboard/package.json: Pins axios override to exactly 1.13.6; all other security overrides in this file continue to use >= ranges, so future axios patches will require a manual pin update
docs/my-website/package.json: Pins axios override to exactly 1.13.6 in the documentation site's package.json
litellm-js/spend-logs/package.json: Pins axios override to exactly 1.13.6 in the spend-logs JS package
tests/proxy_admin_ui_tests/package.json: Pins axios override to exactly 1.13.6 in the proxy admin UI tests package
tests/proxy_admin_ui_tests/ui_unit_tests/package.json: Pins axios override to exactly 1.13.6 in the UI unit tests package

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["npm install / npm ci"] --> B["npm resolves overrides"]
    B --> C{"axios version\nrequested by\ntransitive dep"}
    C -->|"any version"| D["Override: axios = 1.13.6"]
    D --> E["axios@1.13.6 installed\n✅ No known CVEs"]

    subgraph "Before this PR"
        F["Override: axios ≥ 0.30.2"]
        F --> G["Could resolve to\nvulnerable version\n❌ Prototype Pollution\n❌ CVE-2026-25639"]
    end

Reviews (1): last reviewed commit "pin axios"

"webpack-dev-middleware": ">=5.3.4",
"braces": ">=3.0.3",
"axios": ">=0.30.2",
"axios": "1.13.6",
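Review bot: the exact "axios": "1.13.6" pin on the changed line is deliberately inconsistent with the >= floors on the neighbouring "webpack-dev-middleware" and "braces" overrides, and that intent should be recorded somewhere durable (the commit message or the repo's dependency notes; package.json itself cannot carry a comment), otherwise a later cleanup is likely to "fix" it back to a floor and reintroduce the exposure the description is closing (a lockless fresh install floating to whatever newer release the registry serves). The cost side is also real: the next axios security fix needs a manual update here and in the other five package.json files, so a reminder to re-review this pin when axios publishes a fix would be worth a line in the description. Finally, since the description says the committed lock file already resolves to 1.13.6, please confirm the lock file is unchanged (or regenerated in this same commit) so the override and the lock agree.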
greptile-apps bot commented on this diff:

P2: Exact pin diverges from >= pattern used for all other overrides

Every other security override in all six package.json files uses a >= lower-bound (e.g. "webpack": ">=5.94.0"), so a future security patch is picked up automatically. Pinning axios to an exact version means that when 1.13.7 or later ships with another fix, these overrides must each be manually updated again.

Consider using >=1.13.6 to stay consistent with the project's pattern and to allow future patch releases to flow through automatically:

Suggested change
"axios": "1.13.6",
"axios": ">=1.13.6",

This same suggestion applies to the equivalent line in package.json, docs/my-website/package.json, litellm-js/spend-logs/package.json, tests/proxy_admin_ui_tests/package.json, and tests/proxy_admin_ui_tests/ui_unit_tests/package.json.

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!
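The resolution argument in the description (a >=0.30.2 floor floats to whatever the registry serves newest on a lockless install, an exact pin does not) and the trade-off in the review above (a >=1.13.6 floor would also pick up future patch releases automatically) can be checked mechanically. The following is an added example and not code from the LiteLLM repository: it reads an overrides map, classifies each entry as an exact pin or a floor, and resolves each spec against a constructed registry snapshot the way npm does on a fresh install, by taking the highest available version that satisfies the spec. The registry list, the 1.99.0 stand-in for a hypothetical later release, and all function names are assumptions of this example; only X.Y.Z and >=X.Y.Z specs are handled.

```javascript
// Added example (not from the LiteLLM repo): audit npm "overrides" entries and
// show what each spec resolves to on a fresh, lockless install.
// Only two spec shapes are handled: an exact "X.Y.Z" pin and a ">=X.Y.Z" floor.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison of two "X.Y.Z" strings: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Does `candidate` satisfy the override spec?
function satisfies(spec, candidate) {
  const s = spec.trim();
  if (s.startsWith(">=")) return compareVersions(candidate, s.slice(2)) >= 0;
  return compareVersions(candidate, s) === 0;
}

// Classify every override: an exact pin resolves to one version no matter what
// the registry publishes later; a floor floats to the newest matching release.
function auditOverrides(pkgJson) {
  const overrides = pkgJson.overrides || {};
  return Object.entries(overrides).map(([name, spec]) => ({
    name,
    spec,
    kind: /^\d/.test(spec.trim()) ? "exact" : "floor",
  }));
}

// npm picks the highest available version that satisfies the spec; with no
// lock file that is whatever the registry currently serves. Returns null when
// nothing matches (an exact pin to a version the registry does not have).
function resolve(spec, available) {
  const ok = available.filter((v) => satisfies(spec, v));
  if (ok.length === 0) return null;
  ok.sort(compareVersions);
  return ok[ok.length - 1];
}

// Constructed overrides, mirroring the before/after shape of the PR's change.
const BEFORE = { overrides: { axios: ">=0.30.2", braces: ">=3.0.3" } };
const AFTER = { overrides: { axios: "1.13.6", braces: ">=3.0.3" } };

// Constructed registry snapshot. "1.99.0" is a stand-in for a hypothetical
// later release (for instance a compromised one), not a real axios version.
const REGISTRY = ["0.30.2", "1.13.5", "1.13.6", "1.99.0"];

function demo() {
  return {
    beforeAudit: auditOverrides(BEFORE),
    afterAudit: auditOverrides(AFTER),
    // floor before the PR: floats to the newest registry version
    beforeResolves: resolve(BEFORE.overrides.axios, REGISTRY),
    // exact pin after the PR: stays on 1.13.6 whatever is published later
    afterResolves: resolve(AFTER.overrides.axios, REGISTRY),
    // the reviewer's ">=1.13.6" alternative: picks up later patches, and also
    // anything else published later
    reviewerFloorResolves: resolve(">=1.13.6", REGISTRY),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows the two sides of the trade-off on the same constructed registry: the old floor and the suggested >=1.13.6 floor both resolve to the newest entry (here the 1.99.0 stand-in), while the exact pin resolves to 1.13.6 regardless of what is published after it. Which behaviour is wanted is a policy choice; the script only makes the consequence of each spec shape visible before an install happens.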

@ishaan-berri ishaan-berri merged commit 360c4f4 into main Mar 31, 2026
64 of 100 checks passed
@ishaan-berri ishaan-berri deleted the litellm_pin_axios branch March 31, 2026 03:28