Hi ADK team,
I noticed that google-adk v2.2.0 pins LiteLLM in optional dependencies to litellm>=1.83.7,<=1.83.14. This appears in the extensions and test extras, and the same pin also seems to be present on main.
https://github.com/google/adk-python/blob/v2.2.0/pyproject.toml
LiteLLM recently published a security advisory: GHSA-4xpc-pv4p-pm3w (Critical)
The advisory says versions <1.84.0 are affected, and the patched version is >=1.84.0.
I understand this vulnerability is described as affecting the LiteLLM proxy, so it may not impact all ADK users who install LiteLLM only as a model integration dependency. Still, dependency scanners will likely flag google-adk[extensions] because the current version constraint prevents installing the patched LiteLLM release.
Would it be possible to confirm whether ADK is affected, and if appropriate, relax/update the LiteLLM version constraint to allow >=1.84.0?
Thanks!
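As an added illustration of the point raised in the post (not code from adk-python or LiteLLM), the following script checks whether each optional-dependency extra's pin on a package can reach an advisory's patched release. The extras table is a constructed sample shaped like the report describes; the `pydantic`, `pytest` and `eval` entries are made up for contrast.

```python
import re

# Constructed sample of an optional-dependencies table (assumed layout;
# not copied from adk-python's pyproject.toml). The litellm pin is the one
# quoted in the post; the other entries are made up for contrast.
OPTIONAL_DEPENDENCIES = {
    "extensions": ["litellm>=1.83.7,<=1.83.14", "pydantic>=2.0"],
    "test": ["litellm>=1.83.7,<=1.83.14", "pytest>=8.0"],
    "eval": ["litellm>=1.83.7"],  # constructed open-ended pin
}

_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$")
_SPEC_RE = re.compile(r"(<=|>=|==|!=|<|>)\s*([0-9][0-9.]*)")

def parse_version(text):
    """Parse a plain numeric release such as '1.83.14' into a comparable tuple.
    Pre-release and local segments are not handled (assumption of this example)."""
    return tuple(int(part) for part in text.strip().split("."))

def parse_requirement(req):
    """Split 'name>=a,<=b' into (name, [(op, version_tuple), ...])."""
    name, rest = _REQ_RE.match(req).groups()
    return name.lower(), [(op, parse_version(v)) for op, v in _SPEC_RE.findall(rest)]

def pin_excludes_patched(specs, patched):
    """True when an upper bound in `specs` rules out every version >= `patched`.
    Only bounding operators matter: '<=' and '==' exclude if their bound is
    below the patched release, '<' excludes if its bound is at or below it."""
    for op, bound in specs:
        if op in ("<=", "==") and bound < patched:
            return True
        if op == "<" and bound <= patched:
            return True
    return False

def audit_extras(optional_deps, package, patched_version):
    """Return {extra: requirement} for every extra whose pin on `package`
    cannot be satisfied by the patched release or anything newer."""
    patched = parse_version(patched_version)
    flagged = {}
    for extra, reqs in optional_deps.items():
        for req in reqs:
            name, specs = parse_requirement(req)
            if name == package and pin_excludes_patched(specs, patched):
                flagged[extra] = req
    return flagged

if __name__ == "__main__":
    for extra, req in audit_extras(OPTIONAL_DEPENDENCIES, "litellm", "1.84.0").items():
        print(f"[{extra}] {req} cannot reach litellm>=1.84.0")
```

Run against a real project, the table would be read from `[project.optional-dependencies]` in pyproject.toml; the check flags the `extensions` and `test` extras here because their `<=1.83.14` ceiling sits below the 1.84.0 fix.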