Copybara import of the project:

cwest · copybara-github · commit 3bd0b256395d · 2026-04-27T11:16:06.000-07:00
-- 68eaca8 by Casey West <caseywest@google.com>: fix(deps): bump litellm cap to >=1.83.7 for additional CVE remediation The current cap of <1.83.7 (set in #6617) clears CVE-2026-35030 in litellm 1.83.0 but excludes four additional CVEs patched in 1.83.7: GHSA-r75f-5x8p-qvmc, GHSA-jjhc-v7c2-5hh6, GHSA-xqmj-j6mv-4862, GHSA-69x8-hrgq-fjj8 (disclosed 2026-04-11/24). Required by google/adk-python#5489, which pins litellm>=1.83.7,<=1.83.14 in its own dependencies and currently fails to install alongside google-cloud-aiplatform[evaluation] because of this cap. Requested by @sasha-gitg in the ADK PR review. The code adaptation for litellm 1.83.x already shipped in #6599 (vertexai/_genai/_evals_common.py via get_llm_provider), so this is purely a version-pin change. Verified: nox -s lint and nox -s lint_setup_py pass; the litellm-touching tests in tests/unit/vertexai/genai/test_evals.py pass against installed litellm at both 1.83.7 (lower bound) and 1.83.14 (upper bound). COPYBARA_INTEGRATE_REVIEW=#6645 from cwest:topic/bump-litellm-cap 638e6fa PiperOrigin-RevId: 906452948
diff --git a/setup.py b/setup.py
@@ -183,9 +183,10 @@
     "jsonschema",
     "ruamel.yaml",
     "pyyaml",
-    "litellm>=1.75.5, <1.83.7, !=1.82.7, !=1.82.8",
-    # For LiteLLM tests. Upper bound pinned below latest version.
-    # Exclude 1.82.7 and 1.82.8 due to supply chain attack.
+    "litellm>=1.83.7, <1.83.15",
+    # For LiteLLM tests. Lower bound: CVE-2026-35030 plus 4 follow-on
+    # advisories patched in 1.83.7. Upper bound <1.83.15 admits current
+    # latest (1.83.14).
 ]
 
 langchain_extra_require = [
