
Remove transitive vulnerability to LiteLLM via upgrade of google-cloud-aiplatform #64786

Merged: eladkal merged 1 commit into apache:main from jscheffl:bugfix/remove-transitive-vulnerability-to-litellm-via-gcloud-aiplatform on Apr 7, 2026

Conversation

@jscheffl (Contributor) commented Apr 6, 2026

To remove a potential vulnerability, as google-cloud-aiplatform optionally sources litellm, upgrade the dependency on the Google package, which prevents the vulnerable version from being used.

Unfortunately, I see no other way to enforce this, as the transitive dependency is optional only, and enforcing a specific version is only possible if we make the optional dependency mandatory.

Unfortunately, the Google package only upper-bounds the version to the last non-vulnerable version; hoping for an improvement, as litellm==1.83.0 should actually fix it.

PMC Only, see https://github.com/apache/airflow/security/dependabot/537
Google PR: googleapis/python-aiplatform#6484

Was generative AI tooling used to co-author this PR?
  • Yes (please specify the tool below)
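The description above turns on a dependency-resolution detail: a requirement that only applies under an extra cannot be constrained from the top-level package without making it unconditional, so the fix is to require a release of the intermediate package whose own optional requirement excludes the vulnerable range. The script below is an added example, not code from this PR, from Airflow or from the google-cloud-aiplatform project. All package metadata, version numbers, the `evaluation` extra name and the "vulnerable" release in it are constructed placeholders; the two dictionaries model the requirement metadata of the aiplatform release that each provider bound would select. It supports only plain numeric versions and the six comparison operators, not the full PEP 440 grammar.

```python
import re
from typing import Dict, Iterator, List, Optional, Set, Tuple

# A requirement is (dependency name, version specifier, extra that guards it or None).
# Requirements guarded by an extra are optional: a resolver only follows them when
# that extra is enabled for the package declaring them.
Requirement = Tuple[str, str, Optional[str]]
Metadata = Dict[str, List[Requirement]]

# Constructed, hypothetical metadata (package names are real, bounds and versions are not).
# "Before": the provider accepts an aiplatform release whose optional litellm
# requirement still admits the vulnerable version.
METADATA_BEFORE: Metadata = {
    "apache-airflow-providers-google": [("google-cloud-aiplatform", ">=1.0", None)],
    "google-cloud-aiplatform": [("litellm", ">=1.0", "evaluation")],
}
# "After": the provider raises its lower bound to an aiplatform release that
# upper-bounds litellm below the vulnerable version (the approach the PR takes).
METADATA_AFTER: Metadata = {
    "apache-airflow-providers-google": [("google-cloud-aiplatform", ">=2.0", None)],
    "google-cloud-aiplatform": [("litellm", ">=1.0,<1.5", "evaluation")],
}
VULNERABLE_LITELLM = "1.5.0"  # hypothetical vulnerable release, not a real advisory
ROOT = "apache-airflow-providers-google"

_CLAUSE_RE = re.compile(r"^(==|!=|<=|>=|<|>)\s*([0-9]+(?:\.[0-9]+)*)$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Dotted numeric version -> int tuple, trailing zeros dropped so 1.5 == 1.5.0."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def satisfies(version: str, specifier: str) -> bool:
    """True when `version` meets every comma-separated clause of `specifier`."""
    ver = parse_version(version)
    for clause in filter(None, (c.strip() for c in specifier.split(","))):
        m = _CLAUSE_RE.match(clause)
        if m is None:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        op, bound = m.group(1), parse_version(m.group(2))
        ok = {"==": ver == bound, "!=": ver != bound, "<": ver < bound,
              "<=": ver <= bound, ">": ver > bound, ">=": ver >= bound}[op]
        if not ok:
            return False
    return True


def active_edges(root: str, extras: Dict[str, Set[str]],
                 metadata: Metadata) -> Iterator[Tuple[str, str, str]]:
    """Yield (package, dependency, specifier) for every requirement a resolver would
    follow from `root`, skipping extra-guarded ones whose extra is not enabled."""
    seen: Set[str] = set()
    stack = [root]
    while stack:
        pkg = stack.pop()
        if pkg in seen:
            continue
        seen.add(pkg)
        for dep, spec, extra in metadata.get(pkg, []):
            if extra is not None and extra not in extras.get(pkg, set()):
                continue
            yield pkg, dep, spec
            stack.append(dep)


def may_resolve_to(root: str, target: str, version: str,
                   extras: Dict[str, Set[str]], metadata: Metadata) -> bool:
    """True if `target` at `version` is reachable from `root` and allowed by every
    active constraint on it; False if it is excluded or never pulled in at all."""
    specs = [spec for _, dep, spec in active_edges(root, extras, metadata) if dep == target]
    return bool(specs) and all(satisfies(version, s) for s in specs)


def pin_at_root(metadata: Metadata, root: str, target: str, specifier: str) -> Metadata:
    """The rejected alternative: an unconditional pin at the root. It excludes the
    vulnerable version but also turns the optional dependency into a mandatory one."""
    patched = {pkg: list(reqs) for pkg, reqs in metadata.items()}
    patched.setdefault(root, []).append((target, specifier, None))
    return patched


def is_mandatory(root: str, target: str, metadata: Metadata) -> bool:
    """True if `target` is pulled in from `root` with no extras enabled at all."""
    return any(dep == target for _, dep, _ in active_edges(root, {}, metadata))


if __name__ == "__main__":
    with_eval = {"google-cloud-aiplatform": {"evaluation"}}
    print("before upgrade, extra on :", may_resolve_to(ROOT, "litellm", VULNERABLE_LITELLM, with_eval, METADATA_BEFORE))
    print("after upgrade,  extra on :", may_resolve_to(ROOT, "litellm", VULNERABLE_LITELLM, with_eval, METADATA_AFTER))
    pinned = pin_at_root(METADATA_BEFORE, ROOT, "litellm", "!=" + VULNERABLE_LITELLM)
    print("root pin makes litellm mandatory:", is_mandatory(ROOT, "litellm", pinned))
```

Running it shows the three states the description contrasts: with the extra enabled, the constructed vulnerable release is admitted before the upgrade and excluded after it; with the extra disabled, litellm is never resolved at all, so there is nothing for the provider to constrain; and a direct pin at the root does exclude the release but makes litellm mandatory for every install.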

jscheffl requested a review from shahar1 as a code owner on April 6, 2026 18:05
boring-cyborg (bot) added the labels area:providers, kind:documentation and provider:google (Google (including GCP) related issues) on Apr 6, 2026
jscheffl force-pushed the bugfix/remove-transitive-vulnerability-to-litellm-via-gcloud-aiplatform branch from 4f64888 to 6d48c72 on April 6, 2026 20:59
eladkal merged commit 91270c7 into apache:main on Apr 7, 2026
74 checks passed
shivaam pushed a commit to shivaam/airflow that referenced this pull request on Apr 8, 2026