
build(packaging): raise jinja2 floor to 3.1.6 (rc2 backport of #27552)#27554

Merged
yuneng-berri merged 1 commit into
litellm_1.84.0rc2from
litellm_/charming-sammet-8d77c3
May 10, 2026

Conversation

@yuneng-berri

Collaborator

Summary

Backport of #27552 onto litellm_1.84.0rc2.

Bumps the declared jinja2 floor in [project.dependencies] from >=3.1.0 to >=3.1.6.

uv.lock already resolves jinja2 to 3.1.6, so Docker images and CI installs already pick it up. The pyproject.toml floor was lagging at 3.1.0, which means downstream consumers using --resolution=lowest-direct or older constraint files can land on 3.1.0-3.1.5 instead of the version our test matrix exercises.

Scope

  • pyproject.toml: 1 line changed (jinja2>=3.1.0,<4.0 → jinja2>=3.1.6,<4.0)
  • uv.lock: 1 line changed (mirrored requires-dist entry; no resolved-version drift)

Test plan

  • Cherry-picked cleanly from staging — no conflicts
  • uv lock --check passes (392 packages, no resolved-version drift)
  • CI green

Our `uv.lock` already resolves jinja2 to 3.1.6, so Docker / CI installs
get that version. The `pyproject.toml` floor was lagging at 3.1.0,
which means downstream consumers using `--resolution=lowest-direct` or
older constraint files can land on 3.1.0-3.1.5 instead of the version
we actually test against.

Aligns the declared floor with the resolved version so external
installers see the same baseline our test matrix exercises.

`uv lock` diff is metadata-only (no resolved-version drift).
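The drift described above (a declared floor in `pyproject.toml` that admits older releases than `uv.lock` actually resolves) is easy to catch mechanically. The check below is an added example, not LiteLLM's own tooling: the TOML snippets are constructed to mirror the shape of the two files, the regex parser assumes the common multi-line `dependencies = [ ... ]` layout, and versions are compared as plain dotted integers.

```python
import re
# Constructed snippets shaped like the two files this PR touches (not LiteLLM's real files).
PYPROJECT_BEFORE = '''[project]
dependencies = [
    "jinja2>=3.1.0,<4.0",
    "httpx>=0.23.0",
]
'''
PYPROJECT_AFTER = PYPROJECT_BEFORE.replace("jinja2>=3.1.0,<4.0", "jinja2>=3.1.6,<4.0")
UV_LOCK = '''[[package]]
name = "jinja2"
version = "3.1.6"
'''

def parse_version(text):
    # Final releases only (e.g. "3.1.6"); pre-release tags are not handled.
    return tuple(int(part) for part in text.split("."))

def declared_floor(pyproject_text, name):
    """Lower bound (>= or ==) declared for `name` under [project] dependencies, or None."""
    block = re.search(r"dependencies\s*=\s*\[(.*?)^\]", pyproject_text, re.S | re.M)
    if not block:
        return None
    for req in re.findall(r'"([^"]+)"', block.group(1)):
        m = re.match(r"\s*([A-Za-z0-9_.-]+)(?:\[[^\]]*\])?\s*(.*)", req)  # name[extras] spec
        if m.group(1).lower() != name.lower():
            continue
        for clause in m.group(2).split(","):
            bound = re.match(r"\s*(?:>=|==)\s*([0-9.]+)", clause)
            if bound:
                return parse_version(bound.group(1))
    return None

def resolved_version(lock_text, name):
    """Version uv.lock pins for `name` (what CI and Docker images actually install)."""
    m = re.search(r'\[\[package\]\]\s*name = "%s"\s*version = "([0-9.]+)"' % re.escape(name), lock_text)
    return parse_version(m.group(1)) if m else None

def floor_report(pyproject_text, lock_text, name, min_fixed):
    """Flag a floor that admits a release below `min_fixed`, or one lagging the locked version."""
    floor = declared_floor(pyproject_text, name)
    resolved = resolved_version(lock_text, name)
    fixed = parse_version(min_fixed)
    return {
        "floor": floor, "resolved": resolved,
        # With --resolution=lowest-direct the installed version is exactly `floor`.
        "admits_vulnerable": floor is None or floor < fixed,
        "lags_lock": resolved is not None and (floor is None or floor < resolved),
    }
```

Running `floor_report` with the pre-PR snippet reports a floor of 3.1.0 that both admits a pre-3.1.6 release and lags the lock; with the post-PR snippet both flags clear.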
@greptile-apps

greptile-apps Bot commented May 9, 2026

Contributor

Greptile Summary

This backport raises the declared jinja2 lower bound in pyproject.toml (and the mirrored uv.lock entry) from >=3.1.0 to >=3.1.6, ensuring downstream consumers cannot resolve to a version affected by CVE-2025-27516 — a sandbox bypass via the |attr filter fixed in the 3.1.6 security release.

  • pyproject.toml: Single-line change to the jinja2 specifier under [project.dependencies]; no resolved-version drift since uv.lock already pinned 3.1.6.
  • uv.lock: The matching requires-dist entry is updated to stay consistent; no package version changes elsewhere in the lockfile.

Confidence Score: 5/5

Safe to merge — two-line packaging change with no logic, API, or behavior impact.

The change is a minimal, well-motivated version floor bump that closes a known sandbox-bypass vulnerability for downstream consumers. The lockfile already resolved to 3.1.6 before this PR, so there is zero resolved-version drift and no risk of unexpected dependency changes.

No files require special attention.

Important Files Changed

  • pyproject.toml: Raises jinja2 minimum version from 3.1.0 to 3.1.6 to enforce the security-patched release (CVE-2025-27516) for downstream consumers
  • uv.lock: Mirrors the pyproject.toml jinja2 constraint update in the requires-dist entry; resolved version is unchanged

Reviews (1): Last reviewed commit: "build(packaging): raise jinja2 floor to ..."

@yuneng-berri yuneng-berri merged commit 188875b into litellm_1.84.0rc2 May 10, 2026
112 of 114 checks passed
@yuneng-berri yuneng-berri deleted the litellm_/charming-sammet-8d77c3 branch May 10, 2026 05:10
