fix: Lock LangGraph version to <= 0.4.10#1687
Merged
copybara-service[bot] merged 1 commit into main (Jun 27, 2025)
b0b9a85 to cd7f016
New version removed graph.graph, which we rely on. Temporarily fix the version before we fix the issue.
PiperOrigin-RevId: 776619611
cd7f016 to 9029b8a
This was referenced Apr 25, 2026
deps: pinned litellm <=1.82.6 has 5 active CVEs (2 critical) -- upstream fix in litellm 1.83.7 #5488 (Closed)
copybara-service Bot pushed a commit that referenced this pull request, Apr 28, 2026
Merge #5489 Closes #5488

## Summary

Bumps the `litellm` constraint from `<=1.82.6` to `>=1.83.7,<=1.83.14` in both the base project dependencies and the `[test]` extras. The current cap was added in [`77f1c41`](77f1c41) to exclude the March 2026 supply-chain compromise of litellm 1.82.7 and 1.82.8. Since then, **five CVEs have been disclosed against litellm `<=1.82.6`** (2 critical, 3 high), with patches in 1.83.0 and 1.83.7. The new lower bound (1.83.7) is strictly above the originally compromised versions, so the original concern is still respected. The upper bound is pinned to the current latest release on PyPI (1.83.14) per reviewer request, mirroring the project's prior exact-version cap pattern. New litellm releases will require an explicit ADK PR to admit, the same way `<=1.82.6` did. Full CVE list and rationale in the linked issue (#5488).

## Diff

Two identical edits, one in project deps (line 126) and one in `[test]` extras (line 145):

```diff
- "litellm>=1.75.5,<=1.82.6", # ... supply chain attack ...
+ "litellm>=1.83.7,<=1.83.14", # For LiteLlm class. Lower bound: 5 CVE patches (2026-04). Upper bound pinned to current latest; bump deliberately. See #5488.
```

## Testing plan

1. Re-installed `google-adk` (editable) against the updated constraint; pip resolved litellm to 1.83.13 (latest stable compatible with the rest of the lockfile, inside the new `[1.83.7, 1.83.14]` window).
2. Ran `tests/unittests/models/test_litellm.py` and `tests/unittests/models/test_litellm_import.py`; **all 259 tests pass**. Output below.
3. Verified `pyproject.toml` is parseable as TOML.

### Upstream litellm test output

```
collected 259 items
tests/unittests/models/test_litellm.py ................................. [ 12%]
........................................................................ [ 40%]
........................................................................ [ 68%]
........................................................................ [ 96%]
....... [ 98%]
tests/unittests/models/test_litellm_import.py ... [100%]
============================= 259 passed in 6.57s ==============================
```

## Heads up: litellm hard-pins python-dotenv

While verifying, we discovered that **litellm 1.83.7 (and every subsequent version through 1.83.14) hard-pins `python-dotenv==1.0.1`** as an unconditional core dependency. By contrast, litellm 1.82.6 declared `python-dotenv>=0.2.0` (loose).

This does **not** affect adk-python itself -- ADK declares `python-dotenv>=1,<2`, which admits `1.0.1` cleanly. But any downstream project that has tightened `python-dotenv` (e.g. `>=1.2.x`) will hit a resolver conflict after this bump and may need to either relax its python-dotenv constraint or apply a package-manager override. This is a litellm anti-pattern, not an ADK problem; included here so reviewers know to expect downstream issues of that shape.

## Out of scope

`langgraph` has a similar dep cap (`<0.4.8`) and one medium-severity CVE ([GHSA-g48c-2wqr-h844](GHSA-g48c-2wqr-h844)), but bumping past 0.4.x requires porting ADK's use of the removed `graph.graph` API (per [#1687](#1687)). That is real engineering work, not a dep cap bump, and is left as a separate effort.

COPYBARA_INTEGRATE_REVIEW=#5489 from cwest:topic/bump-litellm-cap 559f0c2
PiperOrigin-RevId: 906979886
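Review bot: The testing plan's step 1 resolved litellm to 1.83.13, while the `+` line caps at `<=1.83.14`, so the top of the newly admitted window was never installed or exercised by the 259-test run. Either install the cap explicitly for the verification step (`pip install litellm==1.83.14`) and rerun the two test files, or set the cap to `<=1.83.13` so the constraint matches what was actually verified. Separately, since every release from 1.83.7 through 1.83.14 hard-pins `python-dotenv==1.0.1`, the inline comment on the `+` line (or the linked issue) should record that pin next to ADK's own `python-dotenv>=1,<2`, so whoever bumps the cap next knows to re-check that the two still overlap.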
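The version windows the commit message above argues about can be checked mechanically. The following is an added example for this page and is not code from adk-python, litellm or pip: a small PEP 440-style specifier evaluator (dotted numeric versions and the operators `==`, `!=`, `<`, `<=`, `>`, `>=` only, so it runs offline without the `packaging` library) that reports whether a pin admits a known-compromised release, whether every admitted release is at or above the first patched one, and whether several constraints on one package still share an admissible version (the python-dotenv resolver conflict described in the message). The release lists are constructed here from the versions the commit message names, plus a hypothetical 1.83.15 and hypothetical python-dotenv releases; `audit_pin`, `joint_admitted` and the other names are this example's own.

```python
"""Audit dependency version windows against compromised and patched releases.

Added example for this PR page; it is not adk-python, litellm or pip code.
It implements a small PEP 440-style subset (dotted numeric versions; operators
==, !=, <, <=, >, >=) so it runs offline without the `packaging` library.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Two-character operators are listed before their one-character prefixes so
# "<=" is matched before "<".
_OPS = ("==", "!=", "<=", ">=", "<", ">")


def parse_version(text: str) -> tuple[int, ...]:
    """'1.83.7' -> (1, 83, 7). Pre-releases and local labels are out of scope."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def _padded(a: tuple[int, ...], b: tuple[int, ...]):
    """Right-pad with zeros so '1' compares equal to '1.0.0'."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


@dataclass(frozen=True)
class Specifier:
    op: str
    version: tuple[int, ...]

    def contains(self, candidate: tuple[int, ...]) -> bool:
        a, b = _padded(candidate, self.version)
        return {"==": a == b, "!=": a != b, "<": a < b,
                "<=": a <= b, ">": a > b, ">=": a >= b}[self.op]


def parse_specifier_set(text: str) -> list[Specifier]:
    """'>=1.83.7,<=1.83.14' -> two Specifier clauses, all of which must hold."""
    specs = []
    for clause in (c.strip() for c in text.split(",")):
        if not clause:
            continue
        for op in _OPS:
            if clause.startswith(op):
                specs.append(Specifier(op, parse_version(clause[len(op):].strip())))
                break
        else:
            raise ValueError(f"unsupported clause: {clause!r}")
    return specs


def admits(spec_text: str, version: str) -> bool:
    """True when every clause of the specifier set accepts the version."""
    v = parse_version(version)
    return all(spec.contains(v) for spec in parse_specifier_set(spec_text))


def audit_pin(spec_text, releases, compromised, first_patched) -> dict:
    """Which releases a pin admits, whether any known-compromised release slips
    through, and which admitted releases predate the first patched one."""
    admitted = [r for r in releases if admits(spec_text, r)]
    patched = parse_version(first_patched)
    return {
        "admitted": admitted,
        "compromised_admitted": [r for r in compromised if admits(spec_text, r)],
        "unpatched_admitted": [r for r in admitted if parse_version(r) < patched],
    }


def joint_admitted(spec_texts, releases) -> list[str]:
    """Releases satisfying every constraint at once: what a resolver has to find.
    An empty result is the resolver conflict the commit message warns about."""
    return [r for r in releases if all(admits(s, r) for s in spec_texts)]


# Constructed release lists: the versions the commit message names, plus a
# hypothetical 1.83.15 standing in for a release published after the cap.
LITELLM_RELEASES = ["1.82.6", "1.82.7", "1.82.8", "1.83.0", "1.83.7",
                    "1.83.13", "1.83.14", "1.83.15"]
COMPROMISED = ["1.82.7", "1.82.8"]      # supply-chain compromise per the message
FIRST_PATCHED = "1.83.7"                # last of the CVE patches per the message
OLD_PIN = ">=1.75.5,<=1.82.6"
NEW_PIN = ">=1.83.7,<=1.83.14"

DOTENV_RELEASES = ["1.0.1", "1.1.0", "1.2.0"]   # constructed for the example
DOTENV_CONSTRAINTS = {
    "litellm 1.83.7+": "==1.0.1",             # hard pin per the message
    "adk-python": ">=1,<2",                   # ADK's own constraint per the message
    "downstream (hypothetical)": ">=1.2.0",   # the tightened downstream case
}

if __name__ == "__main__":
    for name, pin in (("old", OLD_PIN), ("new", NEW_PIN), ("uncapped", ">=1.75.5")):
        print(name, pin, audit_pin(pin, LITELLM_RELEASES, COMPROMISED, FIRST_PATCHED))
    base = [DOTENV_CONSTRAINTS["litellm 1.83.7+"], DOTENV_CONSTRAINTS["adk-python"]]
    print("dotenv, ADK only:", joint_admitted(base, DOTENV_RELEASES))
    print("dotenv, with downstream:", joint_admitted(
        base + [DOTENV_CONSTRAINTS["downstream (hypothetical)"]], DOTENV_RELEASES))
```

The uncapped `>=1.75.5` case is included deliberately: it is the only one of the three pins that admits 1.82.7 and 1.82.8, which is the reason the cap existed in the first place. The old pin keeps the compromised releases out but admits only an unpatched one; the new window admits neither a compromised nor an unpatched release. The python-dotenv check shows that the litellm pin and ADK's constraint still overlap on 1.0.1, while adding a downstream `>=1.2.0` leaves no version at all.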