Nearly a month ago, I decided to add Gemini support to Feeds Fun and did some research on top LLM frameworks — I didn't want to write my own bicycle.
As a result, I found an embarrassing bug (in my opinion, of course) in the integration with Gemini in LLamaIndex. Judging by the code, it is also present in Haystack and in the plugin for LangChain. And the root of the problem is in the Google SDK for Python.
When initializing a new client for Gemini, the framework code overwrites/replaces API keys in all clients created before. Because the API key, by default, is stored in a singleton.
It is death-like, if you have a multi-tenant application, and unnoticeable in all other cases. Multi-tenant means that your application works with multiple users.
For example, in my case, in Feeds Fun, a user can enter their API key to improve the quality of the service. Imagine what a funny situation could happen: a user entered an API key to process their news but spent tokens (paid for) for all service users.
I reported this bug only in LLamaIndex as a security issue, and there has been no reaction for 3 weeks. I'm too lazy to reproduce and report for Haystack and LangChain. So this is your chance to report a bug to a top repository. All the info will be below, reproducing is not difficult.
This error is notable for many reasons:
Ultimately, I gave up on these frameworks and implemented my own client over HTTP API.
My conclusion from this mess is: you can't trust the code under the hood of modern LLM frameworks. You need to double-check and proofread it. Just because they state that they are "production-ready" doesn't mean they are really production-ready.
Let me tell you more about the bug.
As a hobby, I write concept documents for games. This is first in English. I have a few more in Russian and will eventually translate them.
One more concept for The Tale 2.0.
Lords Captains MMO
Yep, it's a rip-off from Warhammer 40k and Rogue Trader, but it will do for the concept.
Explore the infinite universe on a starship with millions of souls on board, unite and develop abandoned worlds.
Browsers, mobile.
Exploration-driven trade-political MMO PVE sandbox.
EVE, Sim City, Crusader Kings, 4X games, Rogue Trader.
Slightly more than two years ago, I became a Lead/Engineering Manager for Palta's payment team. I left the company at the end of 2023 for another sabbatical [ru].
It is time to sum up. I will start with my favorite initiative.
From the first month, I promoted the idea of preceding major changes with text documents — RFC — Request for Comments.
In this post, I will analyze two years of applying this practice to share the experience, summarize the results, and have convincing arguments for my next job.