From 68eaca8e53bba2045e44aa417b2deb1f6b81aa4b Mon Sep 17 00:00:00 2001
From: Casey West
Date: Mon, 27 Apr 2026 09:53:40 -0400
Subject: [PATCH] fix(deps): bump litellm cap to >=1.83.7 for additional CVE remediation

The current cap of <1.83.7 (set in #6617) clears CVE-2026-35030 in litellm 1.83.0 but excludes four additional CVEs patched in 1.83.7: GHSA-r75f-5x8p-qvmc, GHSA-jjhc-v7c2-5hh6, GHSA-xqmj-j6mv-4862, GHSA-69x8-hrgq-fjj8 (disclosed 2026-04-11/24).

Required by google/adk-python#5489, which pins litellm>=1.83.7,<=1.83.14 in its own dependencies and currently fails to install alongside google-cloud-aiplatform[evaluation] because of this cap. Requested by @sasha-gitg in the ADK PR review.

The code adaptation for litellm 1.83.x already shipped in #6599 (vertexai/_genai/_evals_common.py via get_llm_provider), so this is purely a version-pin change.

Verified: nox -s lint and nox -s lint_setup_py pass; the litellm-touching tests in tests/unit/vertexai/genai/test_evals.py pass against installed litellm at both 1.83.7 (lower bound) and 1.83.14 (upper bound).
---
 setup.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/setup.py b/setup.py
index 5af9ccb0a4..aa0ab40092 100644
--- a/setup.py
+++ b/setup.py
@@ -183,9 +183,10 @@
     "jsonschema",
     "ruamel.yaml",
     "pyyaml",
-    "litellm>=1.75.5, <1.83.7, !=1.82.7, !=1.82.8",
-    # For LiteLLM tests. Upper bound pinned below latest version.
-    # Exclude 1.82.7 and 1.82.8 due to supply chain attack.
+    "litellm>=1.83.7, <1.83.15",
+    # For LiteLLM tests. Lower bound: CVE-2026-35030 plus 4 follow-on
+    # advisories patched in 1.83.7. Upper bound <1.83.15 admits current
+    # latest (1.83.14).
 ]
 
 langchain_extra_require = [
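Review bot: The rewritten comment on the new `litellm` pin drops the record that 1.82.7 and 1.82.8 were compromised releases; the new `>=1.83.7` floor excludes them today, but nothing in the file now warns a future maintainer that lowering the floor (or relaxing it for a downstream pin) would re-admit them. Keep one line such as `# Do not lower the floor into 1.82.x: 1.82.7 and 1.82.8 were compromised (supply chain attack).` next to the pin. The "admits current latest (1.83.14)" remark is a point-in-time fact that will go stale with the next litellm release; the commit message gives the durable reason, so I would write `# Upper bound <1.83.15 matches the litellm<=1.83.14 pin in google/adk-python#5489; raise only after the new release is reviewed.` and name the four GHSA identifiers from the commit message in the lower-bound comment so the advisory trail survives in the file. The dependency list this hunk edits opens above the hunk, so its name is not visible here.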