fix(security): pin litellm and add supply chain advisory note

2026-05-02 15:55:50 +00:00 · 2026-03-24 15:55:43 +00:00 · 2026-03-24 15:55:43 +00:00 · 38ce054b31
commit 38ce054b31
parent 72acba5d27
2 changed files with 4 additions and 1 deletions
--- a/README.md
+++ b/README.md
@ -20,6 +20,9 @@
 ## 📢 News
 > [!IMPORTANT]
 > **Security note:** Due to `litellm` supply chain poisoning, **please check your Python environment ASAP** and refer to this [advisory](https://github.com/HKUDS/nanobot/discussions/2445) for details. We are also urgently replacing `litellm` and preparing mitigations.
 - **2026-03-16** 🚀 Released **v0.1.4.post5** — a refinement-focused release with stronger reliability and channel support, and a more dependable day-to-day experience. Please see [release notes](https://github.com/HKUDS/nanobot/releases/tag/v0.1.4.post5) for details.
 - **2026-03-15** 🧩 DingTalk rich media, smarter built-in skills, and cleaner model compatibility.
 - **2026-03-14** 💬 Channel plugins, Feishu replies, and steadier MCP, QQ, and media handling.
--- a/pyproject.toml
+++ b/pyproject.toml
@ -19,7 +19,7 @@ classifiers = [
 dependencies = [
    "typer>=0.20.0,<1.0.0",
-    "litellm>=1.82.1,<2.0.0",
+    "litellm>=1.82.1,<=1.82.6",
    "pydantic>=2.12.0,<3.0.0",
    "pydantic-settings>=2.12.0,<3.0.0",
    "websockets>=16.0,<17.0",