Skip to content

Sync main to dev#444

Merged
e06084 merged 5 commits into
devfrom
main
Jul 2, 2026
Merged

Sync main to dev#444
e06084 merged 5 commits into
devfrom
main

Conversation

@e06084

@e06084 e06084 commented Jul 2, 2026

Copy link
Copy Markdown
Collaborator

No description provided.

e06084 and others added 5 commits June 6, 2026 15:38
* feat: add LiteLLM as AI gateway provider

* chore: tighten litellm pin to >=1.80.0,<1.87.0

* fix: address review feedback on LiteLLM provider

- Add embedding client initialization in create_client() to match
  BaseOpenAI pattern, ensuring RAG evaluators work with BaseLiteLLM
- Add defensive checks for empty response.choices and None content
  in send_messages() to prevent IndexError and literal 'None' strings
- Skip litellm tests when litellm is not installed (fixes CI test job)
- Fix flake8 E302 blank line violation in test file
- Add tests for empty choices and None content edge cases

---------

Co-authored-by: Aarish Irani <rheagalfire@gmail.com>

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces BaseLiteLLM, a base class for LLM evaluators routing through LiteLLM, along with corresponding unit tests and setup requirements. Feedback highlights a critical security concern regarding the specified litellm version range in setup.py, which includes compromised and vulnerable versions; updating the constraint to >=1.84.0 is recommended. Additionally, removing the OpenAI-specific configuration validation in BaseLiteLLM is suggested to ensure compatibility and flexibility across different providers.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread setup.py

agent_requirements = _read_requirements("./requirements/agent.txt")
hhem_requirements = _read_requirements("./requirements/hhem_integration.txt")
litellm_requirements = ["litellm>=1.80.0,<1.87.0"]

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-critical critical

The specified LiteLLM version range includes versions with known critical security vulnerabilities and compromises. Specifically, CVE-2026-42208 is a critical SQL injection vulnerability affecting versions >=1.81.16 to <1.83.7, and versions 1.82.7 and 1.82.8 were compromised on PyPI with a malicious backdoor. To ensure security, please update the version constraint to exclude these vulnerable and compromised versions. It is highly recommended to require at least version 1.84.0.

Suggested change
litellm_requirements = ["litellm>=1.80.0,<1.87.0"]
litellm_requirements = ["litellm>=1.84.0,<1.90.0"]

Comment on lines +80 to +81
extra_params = cls.dynamic_config.model_extra or {}
cls.validate_config(extra_params)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

Calling cls.validate_config(extra_params) enforces OpenAI-specific parameter constraints (such as restricting temperature strictly between 0 and 2). Since BaseLiteLLM is designed to support 100+ different providers via LiteLLM, these strict OpenAI-specific limits may block valid configurations for other models/providers that use different parameter ranges. Since LiteLLM and the underlying provider APIs already validate parameters and return descriptive errors, consider removing the local cls.validate_config(extra_params) call to allow full provider flexibility.

Suggested change
extra_params = cls.dynamic_config.model_extra or {}
cls.validate_config(extra_params)
extra_params = cls.dynamic_config.model_extra or {}

@e06084 e06084 merged commit fd675a1 into dev Jul 2, 2026
4 of 5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants