fix: pin litellm and networkx versions to prevent supply chain attacks

litellm 1.82.7–1.82.8 were compromised in a supply chain attack
(Mar 2026) that could exfiltrate API keys and environment variables.

Changes:
- litellm>=1.0.0 → litellm~=1.83.10 (verified safe, post-incident)
- networkx>=3.2 → networkx~=3.6.1 (latest stable)

Uses ~= (compatible release) operator to allow patch-level updates
while preventing major/minor version jumps.

Closes #41
This commit is contained in:
watsonk1998 2026-04-22 19:51:22 +08:00
parent 607d604d0a
commit 0b413061cb

View file

@ -1,2 +1,4 @@
litellm>=1.0.0
networkx>=3.2
# litellm 1.82.71.82.8 were compromised in a supply chain attack (Mar 2026).
# Pin to a verified safe version. See: https://github.com/SamurAIGPT/llm-wiki-agent/issues/41
litellm~=1.83.10
networkx~=3.6.1