fix: pin liteLLM upper bound to 1.82.6 to mitigate supply chain attack

gn00295120 · gn00295120 · commit fae4ca446788 · 2026-03-25T17:23:44.000+08:00
liteLLM versions 1.82.7 and 1.82.8 were compromised by the TeamPCP group via a supply chain attack. This pins the upper bound to the last known safe version. References: - BerriAI/litellm#24512 - https://osv.dev/vulnerability/MAL-2026-2144
diff --git a/nemo/Evaluator/Custom LLM-as-a-Judge/pyproject.toml b/nemo/Evaluator/Custom LLM-as-a-Judge/pyproject.toml
@@ -10,7 +10,7 @@ dependencies = [
     "jinja2>=3.1.0",
     "jsonschema>=4.23.0",
     "jupyterlab>=4.4.1",
-    "litellm>=1.67.1",
+    "litellm>=1.67.1, <=1.82.6",
     "openai>=1.76.0",
     "peft>=0.15.2",
     "torch>=2.0.0",
