From 34d884c2caae1da74941c3691a34a317c8739c7e Mon Sep 17 00:00:00 2001
From: labagent-maint-bot
Date: Fri, 5 Jun 2026 03:27:03 -0700
Subject: [PATCH 1/2] chore: pin aiohttp>=3.14.0 security floor for transitive CVE fix

litellm pulls aiohttp in transitively; 3.13.x is affected by CVE-2026-34993 and CVE-2026-47265, both fixed in 3.14.0. Add an explicit security floor so dependency resolution cannot select an affected version.

Verified: pip-audit reports no known vulnerabilities after the bump, and the full test suite (270 passed, 1 skipped) is green under aiohttp 3.14.0.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 pyproject.toml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/pyproject.toml b/pyproject.toml
index 3ad50a8..99f1249 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -44,6 +44,9 @@ dependencies = [
 "pyvisa>=1.14.0,<2",
 "pyyaml>=6.0,<7",
 "pydantic>=2.0,<3",
+ # Security floor for litellm's transitive aiohttp dependency:
+ # 3.13.x is affected by CVE-2026-34993 and CVE-2026-47265 (fixed in 3.14.0).
+ "aiohttp>=3.14.0",
 ]
 [project.optional-dependencies]

From 4ff9bf892de38046b529987f4cdcd085793030e8 Mon Sep 17 00:00:00 2001
From: labagent-maint-bot
Date: Tue, 16 Jun 2026 03:28:44 -0700
Subject: [PATCH 2/2] chore: bump aiohttp security floor to >=3.14.1

The previous floor (>=3.14.0) is no longer sufficient: aiohttp 3.14.0 is affected by CVE-2026-54273 through CVE-2026-54280, fixed in 3.14.1. Raising the floor clears these from pip-audit while staying within litellm's transitive dependency range.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 pyproject.toml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/pyproject.toml b/pyproject.toml
index 99f1249..6df0c0c 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -45,8 +45,9 @@ dependencies = [
 "pyyaml>=6.0,<7",
 "pydantic>=2.0,<3",
 # Security floor for litellm's transitive aiohttp dependency:
- # 3.13.x is affected by CVE-2026-34993 and CVE-2026-47265 (fixed in 3.14.0).
- "aiohttp>=3.14.0",
+ # 3.13.x is affected by CVE-2026-34993 / CVE-2026-47265 (fixed in 3.14.0), and
+ # 3.14.0 by CVE-2026-54273..54280 (fixed in 3.14.1).
+ "aiohttp>=3.14.1",
 ]
 [project.optional-dependencies]
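Review bot: `"aiohttp>=3.14.1",` is the only entry in this array with no upper bound; every sibling (`pyvisa>=1.14.0,<2`, `pyyaml>=6.0,<7`, `pydantic>=2.0,<3`) caps at the next major, and `"aiohttp>=3.14.1,<4",` would follow that convention while keeping the security floor, provided the cap still overlaps litellm's own aiohttp specifier (the message says the range was checked, but only for the floor). A floor only excludes releases below it — this series already had to raise it once — so the guard against the next affected release is pip-audit in CI plus a regenerated lockfile, if the project keeps one, not this constraint by itself. The `CVE-2026-54273..54280` shorthand in the comment is not greppable against pip-audit or SBOM output; listing each ID, or citing the advisory they came from, would make later triage easier (I cannot verify those IDs from here). The `dependencies = [` array begins above this hunk.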