From f6be9057e6135deff7492669e9ccfa69316fae0f Mon Sep 17 00:00:00 2001 From: Cursor Agent Date: Tue, 2 Jun 2026 08:11:42 +0000 Subject: [PATCH] fix: tighten litellm cve floor Co-authored-by: sham --- pyproject.toml | 4 ++-- uv.lock | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/pyproject.toml b/pyproject.toml index f68396944..5a9c7ab9d 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -36,7 +36,7 @@ dependencies = [ "langchain-core>=1.3.3", "langsmith>=0.8.0", "langgraph>=1.0.10", - "litellm>=1.83.10,<1.84.0", + "litellm>=1.83.11,<1.84.0", "neo4j>=5.28.2", "networkx>=3.4.2", "newrelic>=11.2.0", @@ -95,7 +95,7 @@ dependencies = [ ] [tool.uv] -# litellm>=1.83.10 clears CVE-2026-40217 (<1.83.10) but pins openai==2.24.0, which conflicts with +# litellm>=1.83.11 clears CVE-2026-40217 (<1.83.11) but pins openai==2.24.0, which conflicts with # pydantic-ai + context-engine; override to the root stack. litellm still declares python-dotenv==1.0.1. # Root uses pydantic-ai-slim without the mistral extra so mistralai is not pulled (fixes universal lock on 3.13). override-dependencies = ["python-dotenv>=1.2.2", "openai>=2.7.1", "idna>=3.15"] diff --git a/uv.lock b/uv.lock index b0e18b80e..ea5cfd70b 100644 --- a/uv.lock +++ b/uv.lock @@ -4405,7 +4405,7 @@ requires-dist = [ { name = "langchain-core", specifier = ">=1.3.3" }, { name = "langgraph", specifier = ">=1.0.10" }, { name = "langsmith", specifier = ">=0.8.0" }, - { name = "litellm", specifier = ">=1.83.10,<1.84.0" }, + { name = "litellm", specifier = ">=1.83.11,<1.84.0" }, { name = "logfire", extras = ["litellm"], specifier = ">=3.2.0" }, { name = "lupa", specifier = ">=2.7" }, { name = "mako", specifier = ">=1.3.12" },