Skip to content

security: cap litellm<=1.82.6 (supply chain incident) #1151

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
MervinPraison merged 1 commit into from
Mar 26, 2026
Merged

security: cap litellm<=1.82.6 (supply chain incident) #1151

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions src/praisonai-agents/pyproject.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"

[project]
name = "praisonaiagents"
version = "1.5.83"
version = "1.5.84"
description = "Praison AI agents for completing complex tasks with Self Reflection Agents"
readme = "README.md"
requires-python = ">=3.10"
Expand All @@ -29,7 +29,7 @@ mcp = [

memory = [
"chromadb>=1.0.0",
"litellm>=1.81.0",
"litellm>=1.81.0,<=1.82.6",
]

knowledge = [
Expand All @@ -47,7 +47,7 @@ graph = [

# Add LLM dependencies
llm = [
"litellm>=1.81.0",
"litellm>=1.81.0,<=1.82.6",
"pydantic>=2.10.0"
]

Expand Down
6 changes: 3 additions & 3 deletions src/praisonai-agents/uv.lock
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion src/praisonai/pyproject.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ dependencies = [
"pyparsing>=3.0.0",
"praisonaiagents>=1.5.83",
"python-dotenv>=0.19.0",
"litellm>=1.81.0",
"litellm>=1.81.0,<=1.82.6",
Copy link
Copy Markdown
Contributor

@gemini-code-assist gemini-code-assist bot Mar 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

This change correctly caps the litellm version. However, the corresponding uv.lock file for the praisonai package seems to be missing from this pull request. Since src/praisonai-agents/uv.lock was updated, the lock file for praisonai should also be updated to reflect this dependency change and ensure that environments built using the lock file get the security fix. Please run uv lock in the src/praisonai directory and commit the updated lock file.

"PyYAML>=6.0",
Comment on lines 15 to 18
Copy link
Copy Markdown

@qodo-code-review qodo-code-review bot Mar 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Action required

1. Agents min version too low 🐞 Bug ⛨ Security

praisonaiagents was bumped to 1.5.84 (which contains the new litellm cap), but praisonai still
allows older agent versions (and praisonai[claw] allows praisonaiagents[all]>=1.5.40), so
dependency resolution can legitimately use an older agents release that doesn’t include the capped
litellm spec for its extras. This weakens the supply-chain mitigation because installs can remain on
an older agents version while still pulling litellm via agents extras.
Agent Prompt 
### Issue description
`praisonai` does not require the newly released `praisonaiagents==1.5.84` (which includes the litellm upper-bound cap in agents extras). As a result, dependency resolution can remain on older `praisonaiagents` versions (especially via `praisonai[claw]`), undermining the intent of the supply-chain defensive pin.

### Issue Context
- `praisonaiagents` is now `1.5.84`.
- `praisonai` still depends on `praisonaiagents>=1.5.83`.
- `praisonai[claw]` depends on `praisonaiagents[all]>=1.5.40`.

### Fix Focus Areas
- Update the base dependency minimum to `>=1.5.84` (optionally add a reasonable upper bound if your policy requires it).
- Update `claw` extra’s `praisonaiagents[all]` minimum to `>=1.5.84` so installs of `praisonai[claw]` can’t satisfy the requirement with older agents releases.

- src/praisonai/pyproject.toml[11-22]
- src/praisonai/pyproject.toml[144-149]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

"mcp>=1.20.0",
"typer>=0.9.0",
Expand Down
Loading