From 2bccfcd2b85ccdba7fc237abbafc6b0f1404afd8 Mon Sep 17 00:00:00 2001
From: GangGreenTemperTatum
 <104169244+GangGreenTemperTatum@users.noreply.github.com>
Date: Tue, 24 Mar 2026 09:20:45 -0400
Subject: [PATCH 1/2] [security]: hard pin litellm version

---
 pyproject.toml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/pyproject.toml b/pyproject.toml
index d5b290e5..527cbaa2 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -90,6 +90,13 @@ Homepage = "https://github.com/dreadnode/sdk"
 Repository = "https://github.com/dreadnode/sdk"
 Documentation = "https://docs.dreadnode.io"
 
+# Dependency constraints (transitive pinning)
+
+[tool.uv]
+constraint-dependencies = [
+    "litellm<=1.82.6",  # Pin to mitigate supply chain attack (BerriAI/litellm#21971)
+]
+
 # Build
 
 [build-system]

From 570f50a3f7ad58de9c66205d773d68f1441e9ce5 Mon Sep 17 00:00:00 2001
From: GangGreenTemperTatum
 <104169244+GangGreenTemperTatum@users.noreply.github.com>
Date: Tue, 24 Mar 2026 09:29:47 -0400
Subject: [PATCH 2/2] fix(security): pin litellm<1.82.6 to mitigate supply
 chain attack

Tightens the constraint from <=1.82.6 to <1.82.6 as 1.82.6 is also
compromised (BerriAI/litellm#21971).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 pyproject.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pyproject.toml b/pyproject.toml
index 527cbaa2..f7e35a93 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -94,7 +94,7 @@ Documentation = "https://docs.dreadnode.io"
 
 [tool.uv]
 constraint-dependencies = [
-    "litellm<=1.82.6",  # Pin to mitigate supply chain attack (BerriAI/litellm#21971)
+    "litellm<1.82.6",  # Pin to mitigate supply chain attack (BerriAI/litellm#21971)
 ]
 
 # Build