From a0d0f2244a68714c11f8509f38248262af4ba58d Mon Sep 17 00:00:00 2001
From: Makoto Yui
Date: Thu, 16 Apr 2026 13:22:00 +0900
Subject: [PATCH 1/2] feat: add uv tool configuration to manage dependency cooldowns and constraints for litellm
---
 pyproject.toml | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/pyproject.toml b/pyproject.toml
index c3c6f97..5239e4c 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -103,6 +103,16 @@ all = [
 ]
+[tool.uv]
+# https://docs.astral.sh/uv/concepts/resolution/#dependency-cooldowns
+exclude-newer = "1 week"
+exclude-newer-package = { setuptools = "30 days" }
+# Preventive constraint: if litellm ever enters the dependency tree (e.g., via ADK),
+# ensure we don't get compromised versions until BerriAI publishes a verified safe release
+# https://github.com/BerriAI/litellm/issues/24518
+# https://docs.astral.sh/uv/reference/settings/#constraint-dependencies
+constraint-dependencies = ["litellm<=1.82.6"]
+
 [build-system]
 requires = ["hatchling"]
 build-backend = "hatchling.build"
From a1fdf8bdc4490cc3e857f7d0cbe1f2bfa817f95a Mon Sep 17 00:00:00 2001
From: Makoto Yui
Date: Thu, 16 Apr 2026 14:33:12 +0900
Subject: [PATCH 2/2] fix: update litellm dependency to exclude vulnerable versions and update google-adk version
---
 pyproject.toml | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/pyproject.toml b/pyproject.toml
index 5239e4c..d40240d 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -12,7 +12,7 @@ dependencies = [
 "cachetools>=5.3.2",
 "jinja2>=3.1.6",
 "python-dotenv>=1.1.1",
- "litellm>=1.79.1", # 1.72.6+ required for langfuse_otel callback
+ "litellm>=1.79.1,!=1.82.7,!=1.82.8", # 1.72.6+ required for langfuse_otel callback, excluded 1.82.(7|8) to avoid supply chain attack
 "pydantic>=2.10.0",
 "pyyaml>=6.0.3",
 ]
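Review bot: The comment added above `constraint-dependencies` frames litellm as a package that might "ever enter the dependency tree", but litellm is already a direct requirement in `[project].dependencies` (the `"litellm>=1.79.1"` entry is visible as context in the second patch), so the premise misleads the next maintainer about why the ceiling exists. The real scope is worth stating as well: `[tool.uv]` settings apply only when this project is resolved with uv (`uv lock` / `uv sync`) and are not part of the published package metadata, so consumers installing with pip get neither the ceiling nor the cooldown. A relative `exclude-newer = "1 week"` also moves the cutoff every time the lock is refreshed, so it is a delay window rather than a fixed pin — fine as defence in depth, but the comment should say so. I would replace the first two comment lines with `# Defence-in-depth for uv-resolved environments only (not exported to package metadata):` and `# keep litellm below the releases reported compromised upstream until a verified release is available`.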
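Review bot: The trailing comment on the new `litellm` line still says `1.72.6+ required for langfuse_otel callback` while the floor is `>=1.79.1`; one of the two numbers looks stale and a reader cannot tell which constraint actually matters, so the author should confirm and align them. Putting the exclusions in `[project].dependencies` is the right place, since this specifier ships in the package metadata and therefore reaches pip consumers too, unlike the uv-only ceiling in `[tool.uv]`. The comment has also outgrown a trailing annotation; I would move it above the entry as `# >=1.79.1: floor for the langfuse_otel callback (earlier comment said 1.72.6 — verify)` and `# !=1.82.7,!=1.82.8: versions reported compromised upstream, see https://github.com/BerriAI/litellm/issues/24518`, leaving the value line as `"litellm>=1.79.1,!=1.82.7,!=1.82.8",`.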
@@ -66,7 +66,7 @@ visualization = [
 "pygraphviz>=1.14",
 ]
 adk = [
- "google-adk>=1.17.0",
+ "google-adk>=v1.28.0", # see https://github.com/google/adk-python/commit/77f1c41be61eed017b008d7ab311923e30b46643
 "nest-asyncio>=1.6.0", # required by google-adk for nested event loops
 "wrapt>=1.17.3", # required for ADK monkey patches
 "openinference-instrumentation-google-adk>=0.1.0",
@@ -107,11 +107,6 @@ all = [
 # https://docs.astral.sh/uv/concepts/resolution/#dependency-cooldowns
 exclude-newer = "1 week"
 exclude-newer-package = { setuptools = "30 days" }
-# Preventive constraint: if litellm ever enters the dependency tree (e.g., via ADK),
-# ensure we don't get compromised versions until BerriAI publishes a verified safe release
-# https://github.com/BerriAI/litellm/issues/24518
-# https://docs.astral.sh/uv/reference/settings/#constraint-dependencies
-constraint-dependencies = ["litellm<=1.82.6"]
 [build-system]
 requires = ["hatchling"]
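Review bot: `"google-adk>=v1.28.0"` carries a leading `v` that no other specifier in this file uses; PEP 440 tolerates the prefix and normalizes it away, but it is non-canonical and inconsistent with the rest of the file, so drop it: `"google-adk>=1.28.0",`. The trailing `# see <commit URL>` tells a reader nothing about why the floor jumped from 1.17.0 to 1.28.0, and I cannot tell from the hunk whether the bump is functional or security-motivated; a short reason next to the link, e.g. `# >=1.28.0 required because <reason>, see <commit URL>`, would save the next person a trip to GitHub.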
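Review bot: Dropping `constraint-dependencies = ["litellm<=1.82.6"]` changes the guard from a ceiling that also blocked any not-yet-identified release to an exact denylist of 1.82.7 and 1.82.8 in `[project].dependencies`; that is a reasonable trade once a later release is confirmed clean, but neither the surviving `[tool.uv]` comments nor the commit message records that decision. The remaining cooldown also cuts both ways: as I read `exclude-newer = "1 week"`, a freshly published fixed litellm is held back for the same week, so if a fix has to land sooner an `exclude-newer-package` entry for litellm would be the escape hatch. I would add one line above `exclude-newer`: `# litellm version exclusions now live in [project].dependencies so they reach pip consumers; the 1-week cooldown is the remaining guard against newly published releases`.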