From a5321aae9203273e93e45fdb4b9e504314b0082e Mon Sep 17 00:00:00 2001
From: Joao Moura
Date: Sat, 25 Apr 2026 17:24:58 -0700
Subject: [PATCH] fix: bump litellm to ~=1.83.7 for GHSA-xqmj-j6mv-4862 + update exclude-newer

litellm 1.83.0 has MCP stdio command injection vuln (CVE-2026-30623). Fixed in 1.83.7-stable. Also bumps exclude-newer to 2026-04-26 so the resolver can find the newer version.

Note: GHSA-58qw-9mgm-455v (pip) requires a workflow file change to add --ignore-vuln, which needs the workflow OAuth scope.
---
 lib/crewai/pyproject.toml | 2 +-
 pyproject.toml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/crewai/pyproject.toml b/lib/crewai/pyproject.toml
index 76000baad..858ad847f 100644
--- a/lib/crewai/pyproject.toml
+++ b/lib/crewai/pyproject.toml
@@ -84,7 +84,7 @@ voyageai = [
 "voyageai~=0.3.5",
 ]
 litellm = [
- "litellm~=1.83.0",
+ "litellm~=1.83.7",
 ]
 bedrock = [
 "boto3~=1.42.79",
diff --git a/pyproject.toml b/pyproject.toml
index 754b4d635..38231609a 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -164,7 +164,7 @@ info = "Commits must follow Conventional Commits 1.0.0."
 [tool.uv]
 # Pinned to include the security patch releases (authlib 1.6.11,
 # langchain-text-splitters 1.1.2) uploaded on 2026-04-16.
-exclude-newer = "2026-04-22"
+exclude-newer = "2026-04-26"
 # composio-core pins rich<14 but textual requires rich>=14.
 # onnxruntime 1.24+ dropped Python 3.10 wheels; cap it so qdrant[fastembed] resolves on 3.10.
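Review bot: Only the two pyproject.toml files change, so if the repository commits a uv.lock (the `[tool.uv]` table in the second hunk suggests uv is the resolver) the lock still records litellm 1.83.0 and locked installs such as `uv sync --frozen` keep the vulnerable release until the lock is regenerated; the lock refresh should land in the same change so the fix is actually what CI and users install. The new specifier `"litellm~=1.83.7"` expands to `>=1.83.7, ==1.83.*`, so it does carry the required floor and keeps the 1.84 cap. The `litellm = [ ... ]` group sits next to `voyageai` and `bedrock` and looks like an optional extra; if so, the bump only protects installs that request that extra, which is worth stating in the commit message. The enclosing table header is outside the hunk.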
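Review bot: The comment directly above `exclude-newer` still gives only the old rationale (authlib 1.6.11 and langchain-text-splitters 1.1.2 uploaded on 2026-04-16) and says nothing about why the cutoff moved to 2026-04-26, so the next reader cannot tell which release the new date exists to admit or whether it may be rolled back. Extend it to something like `# Pinned to include the security patch releases (authlib 1.6.11,` / `# langchain-text-splitters 1.1.2) uploaded on 2026-04-16 and litellm 1.83.7` / `# (GHSA-xqmj-j6mv-4862 / CVE-2026-30623); the cutoff must stay >= 2026-04-26.` Widening `exclude-newer` also admits every other release published between 2026-04-22 and 2026-04-26, not just litellm, so the lock refresh that follows this change should be reviewed for unrelated upgrades.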