fix(deps): bump litellm cap to >=1.83.7 to admit CVE patches

[cwest]

Closes #5488

Summary

Bumps the upper-bound on litellm from <=1.82.6 to >=1.83.7,<2
in both the base project dependencies and the [test] extras.

The current cap was added in
77f1c41 to
exclude the March 2026 supply-chain compromise of litellm 1.82.7
and 1.82.8. Since then, five CVEs have been disclosed against
litellm <=1.82.6 (2 critical, 3 high), with patches in 1.83.0
and 1.83.7. The new lower bound (1.83.7) is strictly above the
originally compromised versions, so the original concern is still
respected.

Full CVE list and rationale in the linked issue (#5488).

Diff

Two identical edits, one in project deps (line 126) and one in
[test] extras (line 145):

- "litellm>=1.75.5,<=1.82.6",                                        # ... supply chain attack ...
+ "litellm>=1.83.7,<2",                                              # For LiteLlm class. Lower bound is the first release with patches for 5 CVEs disclosed 2026-04-11/24; supersedes earlier supply-chain pin against 1.82.7/8.

Testing plan

1. Re-installed google-adk (editable) against the updated
   constraint; pip resolved litellm to 1.83.13 (latest stable, well
   past the new minimum of 1.83.7).
2. Ran tests/unittests/models/test_litellm.py and
   tests/unittests/models/test_litellm_import.py; all 259
   tests pass in 7.28s. Output below.
3. Verified pyproject.toml is parseable as TOML.

Upstream litellm test output

collected 259 items

tests/unittests/models/test_litellm.py ................................. [ 12%]
........................................................................ [ 40%]
........................................................................ [ 68%]
........................................................................ [ 96%]
.......                                                                  [ 98%]
tests/unittests/models/test_litellm_import.py ...                        [100%]

============================= 259 passed in 7.28s ==============================

Heads up: litellm hard-pins python-dotenv

While verifying, we discovered that litellm 1.83.7 (and every
subsequent version through 1.83.13) hard-pins
python-dotenv==1.0.1 as an unconditional core dependency. By
contrast, litellm 1.82.6 declared python-dotenv>=0.2.0 (loose).

This does not affect adk-python itself -- ADK declares
python-dotenv>=1,<2, which admits 1.0.1 cleanly. But any
downstream project that has tightened python-dotenv (e.g.
>=1.2.x) will hit a resolver conflict after this bump and may
need to either relax its python-dotenv constraint or apply a
package-manager override. This is a litellm anti-pattern, not an
ADK problem; included here so reviewers know to expect downstream
issues of that shape.

Out of scope

langgraph has a similar dep cap (<0.4.8) and one
medium-severity CVE
(GHSA-g48c-2wqr-h844),
but bumping past 0.4.x requires porting ADK's use of the removed
graph.graph API (per
#1687). That is
real engineering work, not a dep cap bump, and is left as a
separate effort.