fix(deps): bump litellm cap to >=1.83.7 to admit CVE patches

[cwest]

Closes #5488

Summary

Bumps the litellm constraint from <=1.82.6 to >=1.83.7,<=1.83.14
in both the base project dependencies and the [test] extras.

The current cap was added in
77f1c41 to
exclude the March 2026 supply-chain compromise of litellm 1.82.7
and 1.82.8. Since then, five CVEs have been disclosed against
litellm <=1.82.6 (2 critical, 3 high), with patches in 1.83.0
and 1.83.7. The new lower bound (1.83.7) is strictly above the
originally compromised versions, so the original concern is still
respected.

The upper bound is pinned to the current latest release on PyPI
(1.83.14) per reviewer request, mirroring the project's prior
exact-version cap pattern. New litellm releases will require an
explicit ADK PR to admit, the same way <=1.82.6 did.

Full CVE list and rationale in the linked issue (#5488).

Diff

Two identical edits, one in project deps (line 126) and one in
[test] extras (line 145):

- "litellm>=1.75.5,<=1.82.6",                                        # ... supply chain attack ...
+ "litellm>=1.83.7,<=1.83.14",                                       # For LiteLlm class. Lower bound: 5 CVE patches (2026-04). Upper bound pinned to current latest; bump deliberately. See #5488.

Testing plan

1. Re-installed google-adk (editable) against the updated
   constraint; pip resolved litellm to 1.83.13 (latest stable
   compatible with the rest of the lockfile, inside the new
   [1.83.7, 1.83.14] window).
2. Ran tests/unittests/models/test_litellm.py and
   tests/unittests/models/test_litellm_import.py; all 259
   tests pass. Output below.
3. Verified pyproject.toml is parseable as TOML.

Upstream litellm test output

collected 259 items

tests/unittests/models/test_litellm.py ................................. [ 12%]
........................................................................ [ 40%]
........................................................................ [ 68%]
........................................................................ [ 96%]
.......                                                                  [ 98%]
tests/unittests/models/test_litellm_import.py ...                        [100%]

============================= 259 passed in 6.57s ==============================

Heads up: litellm hard-pins python-dotenv

While verifying, we discovered that litellm 1.83.7 (and every
subsequent version through 1.83.14) hard-pins
python-dotenv==1.0.1 as an unconditional core dependency. By
contrast, litellm 1.82.6 declared python-dotenv>=0.2.0 (loose).

This does not affect adk-python itself -- ADK declares
python-dotenv>=1,<2, which admits 1.0.1 cleanly. But any
downstream project that has tightened python-dotenv (e.g.
>=1.2.x) will hit a resolver conflict after this bump and may
need to either relax its python-dotenv constraint or apply a
package-manager override. This is a litellm anti-pattern, not an
ADK problem; included here so reviewers know to expect downstream
issues of that shape.

Out of scope

langgraph has a similar dep cap (<0.4.8) and one
medium-severity CVE
(GHSA-g48c-2wqr-h844),
but bumping past 0.4.x requires porting ADK's use of the removed
graph.graph API (per
#1687). That is
real engineering work, not a dep cap bump, and is left as a
separate effort.

[sasha-gitg]

Tests are failing because this needs to be bumped as well and released: https://github.com/googleapis/python-aiplatform/blob/main/setup.py#L186

[cwest]

Filed the upstream bump in googleapis/python-aiplatform#6645 (drops the <1.83.7 cap on the evaluation extra to match this PR's >=1.83.7 lower bound). Verified nox -s lint, nox -s lint_setup_py, and the litellm-touching tests in tests/unit/vertexai/genai/test_evals.py against installed litellm at both 1.83.7 and 1.83.14.

ADK CI here will stay red until that PR lands and a google-cloud-aiplatform release ships with it (release-please PR for 1.149.0 is googleapis/python-aiplatform#6618). Happy to coordinate release timing with @sasha-gitg if useful.

[cwest]

Refreshed the branch off main (559f0c2). The upstream blocker is resolved: googleapis/python-aiplatform#6645 merged via Copybara as 3bd0b256, and google-cloud-aiplatform 1.149.0 is on PyPI with the corresponding litellm<1.83.15,>=1.83.7 pin. CI re-running now and should resolve the dependency graph cleanly.

[cwest]

Heads up @sasha-gitg: the new commits on this branch need workflow approval (action_required on the three test workflows). When you have a moment, the "Approve and run" button should be on the Checks tab — that'll let CI verify the resolver picks up google-cloud-aiplatform 1.149.0 cleanly.