A long weekend's backlog, and two threads worth a pass over your version pins. The first is dependency hygiene: a new advisory (June 26) flags that semantic-router shipped an unbounded litellm requirement, and the fix it points to — litellm 1.83.7 — is the same build that closes CVE-2026-42208, the pre-auth proxy SQL injection that's sat on CISA's exploited list since May. So this morning's real question for anyone running an LLM gateway: are you actually on 1.83.7? The second thread is pnpm, which pushed a sixteen-advisory coordinated security release across the same window — all of it about what a hostile or repository-controlled lockfile can do during a routine install.

Worth your morning

semantic-router → litellm 1.83.7. Versions 0.1.8–0.1.14 of semantic-router declared litellm>=1.61.3 with no upper bound, so a fresh install could resolve to a vulnerable litellm — and, during a brief window in March, to one of the compromised wheels PyPI later quarantined. Version 0.1.15 fixes the pin to litellm>=1.83.7 and is the upgrade to take. The reason 1.83.7 is the floor: it's also the release that patches CVE-2026-42208 (CVSS 9.8), a pre-auth SQL injection in the litellm proxy's API-key verification path that lets an unauthenticated request reach the proxy's database. That one isn't new — it landed in April and CISA added it to the Known Exploited Vulnerabilities catalog in May — but the dependency-chain advisory is a good prompt to confirm you ever actually moved. If you run the litellm proxy and you're below 1.83.7, treat it as the priority of the morning; if you pull semantic-router, upgrade to 0.1.15 and rotate any credentials that were reachable from an install during the March window.

pnpm — one upgrade, sixteen advisories. pnpm published a coordinated batch of fixes (June 26–27) sharing one theme: a pnpm-lock.yaml you didn't author. The highest-scored (8.8) cover transitive-dependency alias path traversal that writes outside the project and a lockfile that can short-circuit package-manager resolution; the rest range down through arbitrary file write/delete via patch files, environment-secret expansion into registry config, and several integrity-check bypasses. The common precondition is installing a lockfile from a source you don't fully trust — a fork, a contributor PR, an unvetted CI input — and at least one path traversal triggers on a plain pnpm install even with --ignore-scripts. A single upgrade to 10.34.4 (10.x) or 11.8.0 (11.x) closes the whole set. Relevant on both sides of the house: it's this project's package manager and it underpins the Venicecom npm and Angular builds.

Two more on the AI side. pydantic-ai (CVE-2026-48782, 6.8) is an SSRF blocklist bypass — an incomplete fix of the earlier CVE-2026-46678 — where certain IPv6 address forms slip past the guard meant to keep untrusted URLs away from internal and cloud-metadata endpoints; fixed in 1.102.0 (and 2.0.0b3 on the beta line). line-desktop-mcp (CVE-2026-49357, 8.8) is the familiar shape from recent mornings: run in HTTP mode it binds 0.0.0.0 and exposes its read/send tools with no MCP-layer auth, so anyone who can reach the port can read and send on the logged-in account. Fixed in 1.1.2 — or don't expose the HTTP transport. Niche package, but the pattern is the one to internalize.

Quiet on the .NET, Azure, and Angular side over the window — nothing cleared the bar for the secondary stack since the June 9 Patch Tuesday set.