From 2521f06f8cd99c1063f3f252236378946cb72675 Mon Sep 17 00:00:00 2001 From: Lucas Wang Date: Wed, 25 Mar 2026 17:35:57 +0800 Subject: [PATCH] fix: pin liteLLM upper bound to 1.82.6 to mitigate supply chain attack liteLLM versions 1.82.7 and 1.82.8 were compromised by the TeamPCP group via a supply chain attack through Trivy. Pin to <=1.82.6 which is the last known safe version. References: - https://github.com/BerriAI/litellm/issues/24512 - https://www.wiz.io/blog/threes-a-crowd-teampcp-trojanizes-litellm-in-continuation-of-campaign - https://osv.dev/vulnerability/MAL-2026-2144 --- pyproject.toml | 2 +- setup.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/pyproject.toml b/pyproject.toml index 0d4f813..c554d60 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -19,7 +19,7 @@ classifiers = [ ] dependencies = [ "absl-py", - "litellm", + "litellm<=1.82.6", "pandas", "plotly", "kaleido", diff --git a/setup.py b/setup.py index 15c0784..f9f46c9 100644 --- a/setup.py +++ b/setup.py @@ -29,7 +29,7 @@ py_modules=["anthro_eval_cli"], install_requires=[ "absl-py", - "litellm", + "litellm<=1.82.6", "pandas", "plotly", "kaleido",