From 78966dac863b026db0b426f63dbff72271cdda10 Mon Sep 17 00:00:00 2001
From: Amy Wu
Date: Wed, 25 Mar 2026 09:48:50 -0700
Subject: [PATCH] fix: Exclude compromised LiteLLM versions from dependencies pin to 1.82.6

Versions 1.82.7 and 1.82.8 of LiteLLM were affected by a supply chain attack and are now explicitly excluded from the dependency constraints for both project and dev dependencies.

PiperOrigin-RevId: 889295996
---
 setup.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/setup.py b/setup.py
index 950a7a5d71..3bcb012369 100644
--- a/setup.py
+++ b/setup.py
@@ -181,7 +181,8 @@
 "jsonschema",
 "ruamel.yaml",
 "pyyaml",
- "litellm >= 1.72.4, != 1.77.2, != 1.77.3, != 1.77.4",
+ "litellm>=1.75.5, <=1.82.6",
+ # For LiteLLM tests. Upper bound pinned: versions 1.82.7+ compromised in supply chain attack.
 ]
 langchain_extra_require = [
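Review bot: The new specifier `"litellm>=1.75.5, <=1.82.6"` silently drops the `!= 1.77.2, != 1.77.3, != 1.77.4` exclusions present on the removed line, so those three releases become installable again; unless that exclusion is known to be obsolete, keep it alongside the new cap: `"litellm>=1.75.5, !=1.77.2, !=1.77.3, !=1.77.4, <=1.82.6"`. The hard `<=1.82.6` upper bound also blocks every future release, including the clean ones that will follow the compromised 1.82.7/1.82.8, so the added comment should carry a removal trigger such as `# TODO: lift the <=1.82.6 cap once a post-incident LiteLLM release is verified clean` and would read better placed above the requirement rather than after it at the end of the list. A specifier only constrains resolution: an already-generated lockfile or CI cache that resolved 1.82.7/1.82.8 will still install them, so regenerating the lock (with hashes, if the project uses them) and rebuilding environments is the complementary control this change does not cover. The commit message says dev dependencies were updated as well, but the diffstat shows a single hunk in setup.py; the list containing this line begins before the hunk, so which dependency set it belongs to cannot be confirmed from here.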