From ff7484343a6ca82064e42d6c83579a6e68b73bd1 Mon Sep 17 00:00:00 2001
From: Lucas Wang
Date: Wed, 25 Mar 2026 16:57:58 +0800
Subject: [PATCH] fix: pin liteLLM upper bound to <=1.82.6 to mitigate supply chain attack

liteLLM versions 1.82.7 and 1.82.8 were compromised via a supply chain attack. This pins the upper bound to 1.82.6, the last known safe version.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 pyproject.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pyproject.toml b/pyproject.toml
index fe08cae8d7..6d3347264c 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -36,7 +36,7 @@ Repository = "https://github.com/openai/openai-agents-python"
 [project.optional-dependencies]
 voice = ["numpy>=2.2.0, <3; python_version>='3.10'", "websockets>=15.0, <16"]
 viz = ["graphviz>=0.17"]
-litellm = ["litellm>=1.81.0, <2"]
+litellm = ["litellm>=1.81.0, <=1.82.6"]
 any-llm = ["any-llm-sdk>=1.11.0, <2; python_version >= '3.11'"]
 realtime = ["websockets>=15.0, <16"]
 sqlalchemy = ["SQLAlchemy>=2.0", "asyncpg>=0.29.0"]
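Review bot: The new `<=1.82.6` cap on the `litellm` extra is undocumented in pyproject.toml itself, so a later maintainer has no in-file signal that it is an incident containment measure rather than a compatibility limit, or when it can be lifted. I would add a comment above the line, for example `# Capped: litellm 1.82.7 and 1.82.8 were compromised (supply chain); lift only after a verified-clean release.` The cap also blocks every later release, including a fixed one, so once upstream is confirmed clean the narrower form `litellm = ["litellm>=1.81.0, !=1.82.7, !=1.82.8, <2"]` restores the original range while still excluding the two bad versions. A specifier change only affects fresh resolutions: any lockfile, cache or environment that already resolved to 1.82.7 or 1.82.8 stays on it until re-locked and reinstalled, and this patch touches only pyproject.toml, so whether a lockfile needs the same treatment is not visible here.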