fix(security): Add VLLM_MAX_N_SEQUENCES environment variable and enforce limit

[jperezdealgaba]

MR assissted with: claude-4.6-opus.max
This commit introduces a new environment variable, VLLM_MAX_N_SEQUENCES, which sets the maximum allowed number of output sequences per request to prevent excessive resource consumption. The SamplingParams class has been updated to validate the 'n' parameter against this new limit, raising an error if exceeded.

Purpose
The goal of this MR is to introduce the VLLM_MAX_N_SEQUENCES environment variable to prevent highly large n sequences blocking the main thread and causing denial of service attacks.

Test Plan
We added tests for making sure the upper limits works. To test it:

python -m pytest tests/test_envs.py::TestVllmMaxNSequences

Test Result
=============================== warnings summary ===============================
:488
:488: DeprecationWarning: builtin type SwigPyPacked has no module attribute

:488
:488: DeprecationWarning: builtin type SwigPyObject has no module attribute

-- Docs: https://docs.pytest.org/en/stable/how-to/capture-warnings.html
======================== 50 passed, 2 warnings in 4.92s ========================

[github-actions]

👋 Hi! Thank you for contributing to the vLLM project.

💬 Join our developer Slack at https://slack.vllm.ai to discuss your PR in #pr-reviews, coordinate on features in #feat- channels, or join special interest groups in #sig- channels.

Just a reminder: PRs would not trigger full CI run by default.

Once the PR is approved and ready to go, your PR reviewer(s) can run CI to test the changes comprehensively before merging.

To run CI, PR reviewers can either: Add ready label to the PR or enable auto-merge.

If you have any questions, please reach out to us on Slack at https://slack.vllm.ai.

🚀

[mergify]

Documentation preview: https://vllm--37952.org.readthedocs.build/en/37952/

[gemini-code-assist]

Code Review

This pull request introduces a security enhancement by adding the VLLM_MAX_N_SEQUENCES environment variable to limit the number of sequences per request, preventing potential resource exhaustion attacks. The changes include updates to SamplingParams to enforce this limit, corresponding documentation, and new tests.

My review found an issue in the newly added tests. The tests do not correctly handle the caching mechanism of vllm.envs, which could lead to flaky and unreliable test results. I've provided a suggestion to fix this to ensure test isolation and correctness.

[mergify]

Hi @jperezdealgaba, the pre-commit checks have failed. Please run:

uv pip install pre-commit>=4.5.1
pre-commit install
pre-commit run --all-files

Then, commit the changes and push to your branch.

For future commits, pre-commit will run automatically on changed files before each commit.

Tip

Is mypy failing?

mypy is run differently in CI. If the failure is related to this check, please use the following command to run it locally:

# For mypy (substitute "3.10" with the failing version if needed)
pre-commit run --hook-stage manual mypy-3.10

[jperezdealgaba]

Is the readthedocs error an error on our side?

ERROR - mkdocstrings: Couldn't load inventory https://psutil.readthedocs.io/en/stable/objects.inv through handler 'python': HTTP Error 404: Not Found

It really doesn't seem the case

[russellb]

lgtm, thank you!

[jperezdealgaba]

Thanks! Will wait for the merge!