
Commit 92fc381

authored
Update Litellm dependencies to avoid supply chain attacks (#47)
* feat: add uv tool configuration to manage dependency cooldowns and constraints for litellm * fix: update litellm dependency to exclude vulnerable versions and update google-adk version
1 parent 57ca933 commit 92fc381

1 file changed

Lines changed: 7 additions & 2 deletions


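--- a/pyproject.toml
+++ b/pyproject.toml
@@ -12,7 +12,7 @@ dependencies = [
 "cachetools>=5.3.2",
 "jinja2>=3.1.6",
 "python-dotenv>=1.1.1",
-"litellm>=1.79.1", # 1.72.6+ required for langfuse_otel callback
+"litellm>=1.79.1,!=1.82.7,!=1.82.8", # 1.72.6+ required for langfuse_otel callback, excluded 1.82.(7|8) to avoid supply chain attack
 "pydantic>=2.10.0",
 "pyyaml>=6.0.3",
 ]
@@ -66,7 +66,7 @@ visualization = [
 "pygraphviz>=1.14",
 ]
 adk = [
-"google-adk>=1.17.0",
+"google-adk>=v1.28.0", # see https://github.com/google/adk-python/commit/77f1c41be61eed017b008d7ab311923e30b46643
 "nest-asyncio>=1.6.0", # required by google-adk for nested event loops
 "wrapt>=1.17.3", # required for ADK monkey patches
 "openinference-instrumentation-google-adk>=0.1.0",
@@ -103,6 +103,11 @@ all = [
 ]
 
 
+[tool.uv]
+# https://docs.astral.sh/uv/concepts/resolution/#dependency-cooldowns
+exclude-newer = "1 week"
+exclude-newer-package = { setuptools = "30 days" }
+
 [build-system]
 requires = ["hatchling"]
 build-backend = "hatchling.build"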
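Review bot: The `v` prefix in `"google-adk>=v1.28.0"` in the second hunk is inconsistent with every other specifier in this file; PEP 440 tolerates a leading `v` under normalization, but some older resolvers do not, so `"google-adk>=v1.28.0"` should read `"google-adk>=1.28.0"` with the same trailing comment. The `[tool.uv]` cooldown added in the third hunk only governs uv's resolver; an install path that uses plain pip, or a previously committed uv.lock (this commit changes only pyproject.toml, so a lockfile, if one exists, was presumably not regenerated), gets no protection beyond the two `!=` pins on litellm in the first hunk, so re-locking in the same change and stating the uv dependency in the comment would close that gap. Relative values such as `"1 week"` in `exclude-newer` depend on a uv release that implements dependency cooldowns; adding `required-version` under `[tool.uv]` with the minimum uv version that supports it would make an older uv fail loudly rather than resolve without the cooldown.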
