fix: Unpin litellm upper bound to allow CVE-2026-35030 remediation

speedstorm1 · copybara-github · commit e5e63464320c · 2026-04-20T21:47:41.000-07:00
PiperOrigin-RevId: 902982302
diff --git a/setup.py b/setup.py
@@ -181,8 +181,9 @@
     "jsonschema",
     "ruamel.yaml",
     "pyyaml",
-    "litellm>=1.75.5, <=1.82.6",
-    # For LiteLLM tests. Upper bound pinned: versions 1.82.7+ compromised in supply chain attack.
+    "litellm>=1.75.5, <1.83.7, !=1.82.7, !=1.82.8",
+    # For LiteLLM tests. Upper bound pinned below latest version.
+    # Exclude 1.82.7 and 1.82.8 due to supply chain attack.
 ]
 
 langchain_extra_require = [
