Skip to content

security: supply chain package guard#1

Open
Bazza-X wants to merge 1 commit into
developfrom
security/supply-chain-guard
Open

security: supply chain package guard#1
Bazza-X wants to merge 1 commit into
developfrom
security/supply-chain-guard

Conversation

@Bazza-X

@Bazza-X Bazza-X commented Mar 27, 2026

Copy link
Copy Markdown
Owner

Adds GitHub Actions workflow blocking compromised litellm versions (1.82.7/1.82.8 — TeamPCP, Mar 2026). Pins safe version ==1.78.2.


Note

Low Risk
Low risk: adds a new GitHub Actions workflow that only gates PRs touching dependency files and fails the check when unsafe litellm pins are detected.

Overview
Adds a new GitHub Actions workflow (.github/workflows/supply-chain-guard.yml) that runs on PRs changing Python dependency/config files and blocks the PR if litellm is present but not pinned to litellm==1.78.2.

The job diffs changed dependency files against the PR base SHA, reports offending litellm lines, and exits non-zero to prevent merging when a non-approved version is introduced.

Written by Cursor Bugbot for commit e1a6e19. Configure here.

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 4 potential issues.

Fix All in Cursor

Bugbot Autofix prepared fixes for all 4 issues found in the latest run.

  • ✅ Fixed: Bare litellm dependency bypasses the security guard
    • Reworked detection to scan active lines and treat any litellm not pinned to ==1.78.2 as unsafe, covering bare names, '<', and spaced operators.
  • ✅ Fixed: Comment containing safe version defeats the guard check
    • Now strips comments and only validates non-comment dependency lines are pinned to the safe version.
  • ✅ Fixed: Git diff failure silently bypasses entire security guard
    • Removed the '|| true' and stderr redirection so diff failures cause the step to fail closed.
  • ✅ Fixed: Python extras syntax bypasses litellm dependency detection
    • Detection regex now accepts extras syntax via '([[^]]+])?' when checking for an exact safe pin.

Create PR

Or push these changes by commenting:

@cursor push 96c30f42e2
Preview (96c30f42e2)
diff --git a/.github/workflows/supply-chain-guard.yml b/.github/workflows/supply-chain-guard.yml
--- a/.github/workflows/supply-chain-guard.yml
+++ b/.github/workflows/supply-chain-guard.yml
@@ -29,20 +29,26 @@
 
           CHANGED_FILES=$(git diff --name-only "$BASE_SHA"..HEAD -- \
             '**requirements*.txt' '**pyproject.toml' '**poetry.lock' \
-            '**Pipfile.lock' '**uv.lock' '**setup.py' '**setup.cfg' 2>/dev/null || true)
+            '**Pipfile.lock' '**uv.lock' '**setup.py' '**setup.cfg' 2>/dev/null)
 
           for f in $CHANGED_FILES; do
             [ -f "$f" ] || continue
 
-            if grep -qiE 'litellm[>=!~]' "$f"; then
-              if grep -qE 'litellm==1\.78\.2' "$f"; then
-                echo "OK: $f has litellm pinned to safe version 1.78.2"
-              else
+            # Find non-comment lines containing 'litellm', strip inline comments
+            LIT_LINES=$(grep -iE 'litellm' "$f" | grep -viE '^[[:space:]]*#' || true)
+            if [ -n "$LIT_LINES" ]; then
+              ACTIVE_LIT_LINES=$(printf "%s\n" "$LIT_LINES" | sed 's/#.*$//')
+              # Any active litellm line not pinned to the safe version is unsafe.
+              # Supports extras (e.g., litellm[proxy]) and whitespace variations.
+              UNSAFE_LINES=$(printf "%s\n" "$ACTIVE_LIT_LINES" | grep -viE '(^|[^[:alnum:]_])litellm(\[[^]]+\])?[[:space:]]*==[[:space:]]*1[.]78[.]2([^[:alnum:]_.]|$)' || true)
+              if [ -n "$UNSAFE_LINES" ]; then
                 echo "BLOCKED: $f contains litellm dependency NOT pinned to ==1.78.2"
                 echo "  litellm 1.82.7/1.82.8 are compromised (TeamPCP, Mar 2026)"
                 echo "  Pin to litellm==1.78.2 or remove the dependency"
-                grep -n 'litellm' "$f" || true
+                grep -n '[Ll]itellm' "$f" || true
                 BLOCKED=1
+              else
+                echo "OK: $f has litellm pinned to safe version 1.78.2"
               fi
             fi
           done

This Bugbot Autofix run was free. To enable autofix for future PRs, go to the Cursor dashboard.

Comment @cursor review or bugbot run to trigger another review on this PR

for f in $CHANGED_FILES; do
[ -f "$f" ] || continue

if grep -qiE 'litellm[>=!~]' "$f"; then

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bare litellm dependency bypasses the security guard

High Severity

The regex litellm[>=!~] on the first grep requires a version operator character immediately after litellm. A bare litellm entry in requirements.txt (no version specifier) silently passes the guard, yet pip install litellm would resolve to the latest—potentially compromised—version. The character class also omits < and doesn't account for whitespace before operators, so specs like litellm<2.0 or litellm >=1.80 also bypass detection entirely.

Fix in Cursor Fix in Web

[ -f "$f" ] || continue

if grep -qiE 'litellm[>=!~]' "$f"; then
if grep -qE 'litellm==1\.78\.2' "$f"; then

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Comment containing safe version defeats the guard check

Medium Severity

The safe-version check grep -qE 'litellm==1\.78\.2' searches the entire file, not just active dependency lines. A file containing a comment like # pin litellm==1.78.2 later alongside an actual unsafe dependency like litellm>=1.82.0 would pass the guard, since the grep finds the safe version string in the comment and reports "OK" without verifying the actual dependency line.

Fix in Cursor Fix in Web


CHANGED_FILES=$(git diff --name-only "$BASE_SHA"..HEAD -- \
'**requirements*.txt' '**pyproject.toml' '**poetry.lock' \
'**Pipfile.lock' '**uv.lock' '**setup.py' '**setup.cfg' 2>/dev/null || true)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Git diff failure silently bypasses entire security guard

High Severity

The 2>/dev/null || true on the git diff command means any failure (invalid BASE_SHA, corrupt ref, race condition) is silently swallowed. Since GitHub Actions runs with bash -e by default, the || true prevents the step from exiting — but CHANGED_FILES ends up empty, no files are scanned, and the workflow reports "All dependency files clean." This is a fail-open design in a security guard, allowing compromised packages through whenever the diff command fails.

Fix in Cursor Fix in Web

for f in $CHANGED_FILES; do
[ -f "$f" ] || continue

if grep -qiE 'litellm[>=!~]' "$f"; then

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Python extras syntax bypasses litellm dependency detection

High Severity

The regex litellm[>=!~] doesn't match Python extras syntax like litellm[proxy]>=1.82.0, because the [ character after litellm isn't in the character class [>=!~]. Since litellm officially supports pip install litellm[proxy], this is a realistic and common dependency format that completely bypasses the security guard while still installing the compromised package version.

Fix in Cursor Fix in Web

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant