fix: Unpin litellm upper bound to allow CVE-2026-35030 remediation#6617
Merged
copybara-service[bot] merged 1 commit intomainfrom Apr 21, 2026
Merged
fix: Unpin litellm upper bound to allow CVE-2026-35030 remediation#6617copybara-service[bot] merged 1 commit intomainfrom
copybara-service[bot] merged 1 commit intomainfrom
Conversation
product-auto-label
Bot
added
size: xs
copybara-service
Bot
force-pushed
the
copybara_902906101
branch
from
11bd38b to
4c2a3aa
Compare
copybara-service
Bot
force-pushed
the
copybara_902906101
branch
5 times, most recently
from
9e94124 to
00aabbf
Compare
PiperOrigin-RevId: 902982302
copybara-service
Bot
force-pushed
the
copybara_902906101
branch
from
00aabbf to
e5e6346
Compare
copybara-service Bot
pushed a commit
that referenced
this pull request
Apr 27, 2026
-- 68eaca8 by Casey West <caseywest@google.com>: fix(deps): bump litellm cap to >=1.83.7 for additional CVE remediation The current cap of <1.83.7 (set in #6617) clears CVE-2026-35030 in litellm 1.83.0 but excludes four additional CVEs patched in 1.83.7: GHSA-r75f-5x8p-qvmc, GHSA-jjhc-v7c2-5hh6, GHSA-xqmj-j6mv-4862, GHSA-69x8-hrgq-fjj8 (disclosed 2026-04-11/24). Required by google/adk-python#5489, which pins litellm>=1.83.7,<=1.83.14 in its own dependencies and currently fails to install alongside google-cloud-aiplatform[evaluation] because of this cap. Requested by @sasha-gitg in the ADK PR review. The code adaptation for litellm 1.83.x already shipped in #6599 (vertexai/_genai/_evals_common.py via get_llm_provider), so this is purely a version-pin change. Verified: nox -s lint and nox -s lint_setup_py pass; the litellm-touching tests in tests/unit/vertexai/genai/test_evals.py pass against installed litellm at both 1.83.7 (lower bound) and 1.83.14 (upper bound). COPYBARA_INTEGRATE_REVIEW=#6645 from cwest:topic/bump-litellm-cap 638e6fa PiperOrigin-RevId: 906452948
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
fix: Unpin litellm upper bound to allow CVE-2026-35030 remediation
FUTURE_COPYBARA_INTEGRATE_REVIEW=#6596 from googleapis:release-please--branches--main b82c8bd