Skip to content

fix(deps): bump litellm cap to >=1.83.7 to admit CVE patches #5489

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
cwest wants to merge 4 commits into from
+2 −2
Closed

fix(deps): bump litellm cap to >=1.83.7 to admit CVE patches #5489

Changes from 1 commit
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
a1f8aeb
fix(deps): bump litellm cap to >=1.83.7 to admit CVE patches
cwest Apr 26, 2026
d40ef4a
fix(deps): pin litellm upper bound to 1.83.14
cwest Apr 27, 2026
5cfa649
Merge branch 'main' into topic/bump-litellm-cap
sasha-gitg Apr 27, 2026
559f0c2
Merge remote-tracking branch 'upstream/main' into topic/bump-litellm-cap
cwest Apr 28, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions pyproject.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -123,7 +123,7 @@ optional-dependencies.extensions = [
"k8s-agent-sandbox>=0.1.1.post3", # For GkeCodeExecutor sandbox mode
"kubernetes>=29", # For GkeCodeExecutor
"langgraph>=0.2.60,<0.4.8", # For LangGraphAgent
"litellm>=1.75.5,<=1.82.6", # For LiteLlm class. Upper bound pinned: versions 1.82.7+ compromised in supply chain attack.
"litellm>=1.83.7,<2", # For LiteLlm class. Lower bound is the first release with patches for 5 CVEs disclosed 2026-04-11/24; supersedes earlier supply-chain pin against 1.82.7/8.
Comment thread
sasha-gitg marked this conversation as resolved.
Outdated
"llama-index-embeddings-google-genai>=0.3", # For files retrieval using LlamaIndex.
"llama-index-readers-file>=0.4", # For retrieval using LlamaIndex.
"lxml>=5.3", # For load_web_page tool.
Expand All @@ -142,7 +142,7 @@ optional-dependencies.test = [
"kubernetes>=29", # For GkeCodeExecutor
"langchain-community>=0.3.17",
"langgraph>=0.2.60,<0.4.8", # For LangGraphAgent
"litellm>=1.75.5,<=1.82.6", # For LiteLLM tests. Upper bound pinned: versions 1.82.7+ compromised in supply chain attack.
"litellm>=1.83.7,<2", # For LiteLLM tests. Lower bound is the first release with patches for 5 CVEs disclosed 2026-04-11/24; supersedes earlier supply-chain pin against 1.82.7/8.
"llama-index-readers-file>=0.4", # For retrieval tests
"openai>=1.100.2", # For LiteLLM
"opentelemetry-instrumentation-google-genai>=0.3b0,<1",
Expand Down