From e5e63464320ca072ae5baa31d9aacfc0a45bff79 Mon Sep 17 00:00:00 2001
From: Ayush Agrawal
Date: Mon, 20 Apr 2026 21:44:43 -0700
Subject: [PATCH] fix: Unpin litellm upper bound to allow CVE-2026-35030 remediation

PiperOrigin-RevId: 902982302
---
 setup.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/setup.py b/setup.py
index 549092e8df..a1108e7181 100644
--- a/setup.py
+++ b/setup.py
@@ -181,8 +181,9 @@
 "jsonschema",
 "ruamel.yaml",
 "pyyaml",
- "litellm>=1.75.5, <=1.82.6",
- # For LiteLLM tests. Upper bound pinned: versions 1.82.7+ compromised in supply chain attack.
+ "litellm>=1.75.5, <1.83.7, !=1.82.7, !=1.82.8",
+ # For LiteLLM tests. Upper bound pinned below latest version.
+ # Exclude 1.82.7 and 1.82.8 due to supply chain attack.
 ]

 langchain_extra_require = [
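Review bot: The floor `litellm>=1.75.5` is unchanged on the new requirement line, so a resolver may still select a release that predates the CVE-2026-35030 fix; raising the ceiling permits the patched version but does not require it. If the first fixed release is known, raise the lower bound on the same line, e.g. `"litellm>=<FIXED_VERSION>, <1.83.7, !=1.82.7, !=1.82.8"` (placeholder; take the value from the advisory). The new comment should also cite the advisory that narrows the compromise to 1.82.7 and 1.82.8, since the removed comment said "1.82.7+", and explain why the ceiling is `<1.83.7` rather than only saying "below latest version". A version range cannot detect a tampered artifact, so installs of this extra would presumably still benefit from a hash-pinned lockfile in CI. The list being edited starts outside the hunk.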