fix: Exclude compromised LiteLLM versions from dependencies pin to 1.82.6

yinghsienwu · copybara-github · commit 78966dac863b · 2026-03-25T09:52:25.000-07:00
Versions 1.82.7 and 1.82.8 of LiteLLM were affected by a supply chain attack and are now explicitly excluded from the dependency constraints for both project and dev dependencies.

PiperOrigin-RevId: 889295996
diff --git a/setup.py b/setup.py
@@ -181,7 +181,8 @@
     "jsonschema",
     "ruamel.yaml",
     "pyyaml",
-    "litellm >= 1.72.4, != 1.77.2, != 1.77.3, != 1.77.4",
+    "litellm>=1.75.5, <=1.82.6",
+    # For LiteLLM tests. Upper bound pinned: versions 1.82.7+ compromised in supply chain attack.
 ]
 
 langchain_extra_require = [

Original file line number	Diff line number	Diff line change
`@@ -181,7 +181,8 @@`
`181`	`181`	`"jsonschema",`
`182`	`182`	`"ruamel.yaml",`
`183`	`183`	`"pyyaml",`
`184`		`- "litellm >= 1.72.4, != 1.77.2, != 1.77.3, != 1.77.4",`
	`184`	`+ "litellm>=1.75.5, <=1.82.6",`
	`185`	`+ # For LiteLLM tests. Upper bound pinned: versions 1.82.7+ compromised in supply chain attack.`
`185`	`186`	`]`
`186`	`187`
`187`	`188`	`langchain_extra_require = [`