From a1f8aeb95bc507243a7b7d7690b17db71d250b30 Mon Sep 17 00:00:00 2001
From: Casey West
Date: Sat, 25 Apr 2026 20:06:02 -0400
Subject: [PATCH 1/2] fix(deps): bump litellm cap to >=1.83.7 to admit CVE patches

The current cap of <=1.82.6 was added in 77f1c41 to exclude the supply-chain compromise of litellm 1.82.7/8. Five CVEs have since been disclosed against litellm <=1.82.6 (2 critical: GHSA-r75f- 5x8p-qvmc, GHSA-jjhc-v7c2-5hh6; 3 high: GHSA-xqmj-j6mv-4862, GHSA-69x8-hrgq-fjj8, GHSA-53mr-6c8q-9789), with fixes in 1.83.0 and 1.83.7. The new lower bound (1.83.7) still excludes the originally compromised 1.82.7/8.

Tested: tests/unittests/models/test_litellm.py and tests/unittests/models/test_litellm_import.py pass (259 passed, 0 failed) against litellm 1.83.13 with the new constraint.

Refs #5488
---
 pyproject.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pyproject.toml b/pyproject.toml
index d30edfc3a6..d75f8a23ce 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -123,7 +123,7 @@ optional-dependencies.extensions = [
 "k8s-agent-sandbox>=0.1.1.post3", # For GkeCodeExecutor sandbox mode
 "kubernetes>=29", # For GkeCodeExecutor
 "langgraph>=0.2.60,<0.4.8", # For LangGraphAgent
- "litellm>=1.75.5,<=1.82.6", # For LiteLlm class. Upper bound pinned: versions 1.82.7+ compromised in supply chain attack.
+ "litellm>=1.83.7,<2", # For LiteLlm class. Lower bound is the first release with patches for 5 CVEs disclosed 2026-04-11/24; supersedes earlier supply-chain pin against 1.82.7/8.
 "llama-index-embeddings-google-genai>=0.3", # For files retrieval using LlamaIndex.
 "llama-index-readers-file>=0.4", # For retrieval using LlamaIndex.
 "lxml>=5.3", # For load_web_page tool.
@@ -142,7 +142,7 @@ optional-dependencies.test = [
 "kubernetes>=29", # For GkeCodeExecutor
 "langchain-community>=0.3.17",
 "langgraph>=0.2.60,<0.4.8", # For LangGraphAgent
- "litellm>=1.75.5,<=1.82.6", # For LiteLLM tests. Upper bound pinned: versions 1.82.7+ compromised in supply chain attack.
+ "litellm>=1.83.7,<2", # For LiteLLM tests. Lower bound is the first release with patches for 5 CVEs disclosed 2026-04-11/24; supersedes earlier supply-chain pin against 1.82.7/8.
 "llama-index-readers-file>=0.4", # For retrieval tests
 "openai>=1.100.2", # For LiteLLM
 "opentelemetry-instrumentation-google-genai>=0.3b0,<1",

From d40ef4a6691ba258a312c4fa92ff9f2ad8a2ba2e Mon Sep 17 00:00:00 2001
From: Casey West
Date: Sun, 26 Apr 2026 20:15:45 -0400
Subject: [PATCH 2/2] fix(deps): pin litellm upper bound to 1.83.14

Re-apply the project's exact-version cap pattern (the original was <=1.82.6) instead of the looser <2 I'd proposed. Pinning to the current latest release means every future litellm version needs an explicit ADK PR before it can resolve into user environments. That is how the prior <=1.82.6 cap held the line once 1.82.7/8 were known-bad.

Verified: 259 litellm tests pass against installed 1.83.13.

Addresses review feedback on #5489.
---
 pyproject.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pyproject.toml b/pyproject.toml
index d75f8a23ce..e5a4d00c9d 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -123,7 +123,7 @@ optional-dependencies.extensions = [
 "k8s-agent-sandbox>=0.1.1.post3", # For GkeCodeExecutor sandbox mode
 "kubernetes>=29", # For GkeCodeExecutor
 "langgraph>=0.2.60,<0.4.8", # For LangGraphAgent
- "litellm>=1.83.7,<2", # For LiteLlm class. Lower bound is the first release with patches for 5 CVEs disclosed 2026-04-11/24; supersedes earlier supply-chain pin against 1.82.7/8.
+ "litellm>=1.83.7,<=1.83.14", # For LiteLlm class. Lower bound: 5 CVE patches (2026-04). Upper bound pinned to current latest; bump deliberately. See #5488.
 "llama-index-embeddings-google-genai>=0.3", # For files retrieval using LlamaIndex.
 "llama-index-readers-file>=0.4", # For retrieval using LlamaIndex.
 "lxml>=5.3", # For load_web_page tool.
@@ -142,7 +142,7 @@ optional-dependencies.test = [
 "kubernetes>=29", # For GkeCodeExecutor
 "langchain-community>=0.3.17",
 "langgraph>=0.2.60,<0.4.8", # For LangGraphAgent
- "litellm>=1.83.7,<2", # For LiteLLM tests. Lower bound is the first release with patches for 5 CVEs disclosed 2026-04-11/24; supersedes earlier supply-chain pin against 1.82.7/8.
+ "litellm>=1.83.7,<=1.83.14", # For LiteLLM tests. Lower bound: 5 CVE patches (2026-04). Upper bound pinned to current latest; bump deliberately. See #5488.
 "llama-index-readers-file>=0.4", # For retrieval tests
 "openai>=1.100.2", # For LiteLLM
 "opentelemetry-instrumentation-google-genai>=0.3b0,<1",
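Review bot: The new cap `<=1.83.14` on the litellm line admits a release the commit message says was not exercised ("Verified: 259 litellm tests pass against installed 1.83.13"), so 1.83.14 is the one version the pin-to-latest policy lets through without the vetting that policy exists to enforce. Unless 1.83.14 was run elsewhere, either re-run the litellm tests against it before merge or cap at `<=1.83.13` and bump in a follow-up. The trailing comment also compresses the rationale to "5 CVE patches (2026-04)", and the advisory identifiers live only in the PATCH 1/2 message, so a future floor bump cannot check coverage from the file itself. A comment line above the entry such as `# litellm floor 1.83.7 is the first release fixing GHSA-r75f-5x8p-qvmc, GHSA-jjhc-v7c2-5hh6, GHSA-xqmj-j6mv-4862, GHSA-69x8-hrgq-fjj8 and GHSA-53mr-6c8q-9789 (fixes in 1.83.0/1.83.7); cap is the latest vetted release, bump deliberately (#5488).` would carry that, with the trailing comment reduced to `# For LiteLlm class`. The same applies to the copy in optional-dependencies.test at @@ -142.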
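Review bot: The `test` extra carries a second copy of the litellm pin, and nothing in the file ties it to the one in `optional-dependencies.extensions` at @@ -123, so a future bump that touches only one of them leaves an install of both extras resolving to whichever range is stricter, with no warning. A one-line cross-reference on each copy, e.g. `# Keep in sync with the litellm pin in optional-dependencies.extensions.`, makes the coupling visible to the next person bumping the cap. The comment text on the two lines already differs slightly ("For LiteLLM tests" vs "For LiteLlm class"), which is fine as long as the version spec itself is what stays identical.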