From 65a2f3d2635703ab441e39b171294a658f7f9817 Mon Sep 17 00:00:00 2001
From: Lucas Wang <lucas_wang@lucas-futures.com>
Date: Wed, 25 Mar 2026 17:36:08 +0800
Subject: [PATCH] fix: pin liteLLM upper bound to <=1.82.6 to mitigate supply
 chain attack

liteLLM versions 1.82.7 and 1.82.8 were compromised by the TeamPCP
group via a supply chain attack through Trivy. Pin the upper bound to
the last known safe version.

References:
- https://github.com/BerriAI/litellm/issues/24512
- https://osv.dev/vulnerability/MAL-2026-2144
---
 pyproject.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pyproject.toml b/pyproject.toml
index a13d8bb..262591b 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -10,7 +10,7 @@ dependencies = [
     "dash-bootstrap-components>=1.7.1",
     "immutabledict>=4.2.0",
     "ipykernel>=6.29.5",
-    "litellm>1.61.16",
+    "litellm>1.61.16, <=1.82.6",
     "matplotlib>=3.9.2",
     "nbformat>=5.10.4",
     "openai>=1.64.0",