Update dependency fastapi to v0.129.0

[red-hat-konflux]

This PR contains the following updates:

Package	Change	Age	Confidence
fastapi (changelog)	==0.128.8 -> ==0.129.0

---

Release Notes

fastapi/fastapi (fastapi)

v0.129.0

Breaking Changes

• ➖ Drop support for Python 3.9. PR #​14897 by @​tiangolo.

Refactors

• 🎨 Update internal types for Python 3.10. PR #​14898 by @​tiangolo.

Docs

• 📝 Update highlights in webhooks docs. PR #​14905 by @​tiangolo.
• 📝 Update source examples and docs from Python 3.9 to 3.10. PR #​14900 by @​tiangolo.

Internal

• 🔨 Update docs.py scripts to migrate Python 3.9 to Python 3.10. PR #​14906 by @​tiangolo.

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

---

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

[coderabbitai]

Summary by CodeRabbit

Release Notes

• Chores
  • Updated FastAPI framework to the latest version (0.129.0).

Walkthrough

FastAPI dependency upgraded from version 0.128.8 to 0.129.0 across both configuration files. No functional code changes, new features, or modified control flow. Only dependency specification updates.

Changes

Cohort / File(s)	Summary
Dependency Version Updates requirements.txt, setup.cfg	Bumped fastapi from 0.128.8 to 0.129.0 in both dependency configuration files.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The description is largely incomplete against the template. While it provides release notes and package information from Renovate, it lacks required sections: Additional Context, Type of change selection, Testing steps, and most checklist items.	Add missing template sections: specify type of change (e.g., 'Bump-up dependent library' or 'Breaking change'), describe testing steps, and complete the checklist items. Note the breaking change (Python 3.9 support dropped) and confirm compatibility.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: updating the fastapi dependency to version 0.129.0, which is the primary focus of the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch konflux/mintmaker/main/python-deps

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

setup.cfg (1)

10-11: ⚠️ Potential issue | 🔴 Critical

Remove Python 3.9 classifiers and update python_requires — fastapi 0.129.0 requires Python 3.10+.

The classifiers declare Python 3.9 support, but fastapi 0.129.0 has dropped Python 3.9 support (requires Python 3.10 or newer). Additionally, python_requires = >=3.6 (line 15) is too permissive and must be updated to >=3.10 to prevent installation failures and misrepresent the package's compatibility.

🔧 Proposed fix

     Programming Language :: Python :: 3
-    Programming Language :: Python :: 3.9
-    Programming Language :: Python :: 3.9.7
+    Programming Language :: Python :: 3.10
+    Programming Language :: Python :: 3.11
+    Programming Language :: Python :: 3.12

-python_requires = >=3.6
+python_requires = >=3.10

🤖 Fix all issues with AI agents

In `@requirements.txt`:
- Line 1: Add an explicit urllib3 pin to requirements.txt to ensure a
non-vulnerable version is installed; edit the requirements file (which currently
contains fastapi==0.129.0) and add a new line "urllib3>=2.6.0" (or higher) so
dependency resolution cannot bring in urllib3 < 2.6.0 — also verify any direct
dependency on requests (e.g., requests==2.32.5) remains compatible with the
pinned urllib3 and update lock/dev dependency files accordingly.

In `@setup.cfg`:
- Line 15: Update the package metadata to require Python 3.10+ by changing the
python_requires setting from ">=3.6" to ">=3.10" in setup.cfg (the
python_requires entry) so installations on older Python versions are prevented;
ensure any CI/tooling that reads python_requires is consistent with the new
minimum if applicable.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

git ls-files | grep -E "(requirements|pyproject|setup|lock)" | head -20

Repository: RedHatInsights/ccx-upgrades-data-eng

Length of output: 121

---

🏁 Script executed:

cat -n requirements.txt

Repository: RedHatInsights/ccx-upgrades-data-eng

Length of output: 681

---

🏁 Script executed:

#!/bin/bash
# Check urllib3 version requirements from requests and httpx
pip install --dry-run requests==2.32.5 httpx==0.28.1 2>&1 | grep -i urllib3

# Alternative: Check package metadata directly
python3 << 'EOF'
import urllib.request
import json

# Check requests package requirements
print("=== Checking requests==2.32.5 dependencies ===")
try:
    with urllib.request.urlopen("https://pypi.org/pypi/requests/2.32.5/json") as response:
        data = json.loads(response.read())
        requires = data.get("info", {}).get("requires_dist", [])
        if requires:
            urllib3_reqs = [r for r in requires if "urllib3" in r.lower()]
            print("requests dependencies:", urllib3_reqs)
except Exception as e:
    print(f"Error: {e}")

print("\n=== Checking httpx==0.28.1 dependencies ===")
try:
    with urllib.request.urlopen("https://pypi.org/pypi/httpx/0.28.1/json") as response:
        data = json.loads(response.read())
        requires = data.get("info", {}).get("requires_dist", [])
        if requires:
            urllib3_reqs = [r for r in requires if "urllib3" in r.lower()]
            print("httpx dependencies:", urllib3_reqs if urllib3_reqs else "No urllib3 dependency")
except Exception as e:
    print(f"Error: {e}")
EOF

Repository: RedHatInsights/ccx-upgrades-data-eng

Length of output: 566

---

🌐 Web query:

urllib3 1.26.20 CVE vulnerabilities 2024 2025

💡 Result:

urllib3 1.26.20 (released 2024-08-29) — CVEs in 2024–2025 relevant to this version

2024

• CVE-2024-37891 (Proxy-Authorization header leak on cross-origin redirect)
  Not affected in 1.26.20 — this CVE affects urllib3 versions < 1.26.19, and 1.26.20 is newer than (and includes the fix from) 1.26.19. [1][2]

2025

• CVE-2025-66418 (unbounded decompression chain → CPU/memory DoS)
  Affected: urllib3 >= 1.24 and < 2.6.0 → includes 1.26.20.
  Fixed in: 2.6.0. [3][4]

• CVE-2025-66471 (streaming decompression of highly-compressed data → CPU/memory DoS / “data amplification”)
  Affected: urllib3 >= 1.0 and < 2.6.0 → includes 1.26.20.
  Fixed in: 2.6.0. [5][6]

Practical takeaway

• There is no patched 1.x release line (urllib3 states only 2.x is supported for updates/security fixes), so the real remediation for 1.26.20 is to upgrade to urllib3 2.6.0+ (or current 2.x). [6][7]

Sources: PyPI release info for 1.26.20 [1]; CVE-2024-37891 affected-range info [2]; NVD for CVE-2025-66418 [3] and CVE-2025-66471 [5]; GitLab advisory pages for both 2025 CVEs [4][6]; urllib3 security policy/support statement [7].

---

Update urllib3 to >= 2.6.0 to address decompression vulnerabilities.

urllib3 versions < 2.6.0 are affected by CVE-2025-66418 and CVE-2025-66471, which allow denial-of-service attacks through unbounded and streaming decompression. Since requests==2.32.5 allows urllib3 < 3, vulnerable versions could be installed. Explicitly pin urllib3 >= 2.6.0 in requirements.txt to ensure patched versions are used.

🧰 Tools

🪛 OSV Scanner (2.3.2)

[HIGH] 1-1: urllib3 1.26.20: urllib3 streaming API improperly handles highly compressed data

(GHSA-2xpw-w6gg-jr37)

---

[HIGH] 1-1: urllib3 1.26.20: Decompression-bomb safeguards bypassed when following HTTP redirects (streaming API)

(GHSA-38jv-5279-wg99)

---

[HIGH] 1-1: urllib3 1.26.20: urllib3 allows an unbounded number of links in the decompression chain

(GHSA-gm62-xv2j-4w53)

---

[HIGH] 1-1: urllib3 1.26.20: urllib3 redirects are not disabled when retries are disabled on PoolManager instantiation

(GHSA-pq67-6m6q-mj2v)

🤖 Prompt for AI Agents

In `@requirements.txt` at line 1, Add an explicit urllib3 pin to requirements.txt
to ensure a non-vulnerable version is installed; edit the requirements file
(which currently contains fastapi==0.129.0) and add a new line "urllib3>=2.6.0"
(or higher) so dependency resolution cannot bring in urllib3 < 2.6.0 — also
verify any direct dependency on requests (e.g., requests==2.32.5) remains
compatible with the pinned urllib3 and update lock/dev dependency files
accordingly.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Update python_requires to enforce minimum Python 3.10.

The python_requires = >=3.6 constraint is incompatible with fastapi 0.129.0, which requires Python 3.10+. This will allow installation on unsupported Python versions and cause runtime failures.

🔧 Proposed fix to update python_requires

-python_requires = >=3.6
+python_requires = >=3.10

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	python_requires = >=3.6
	python_requires = >=3.10

🤖 Prompt for AI Agents

In `@setup.cfg` at line 15, Update the package metadata to require Python 3.10+ by
changing the python_requires setting from ">=3.6" to ">=3.10" in setup.cfg (the
python_requires entry) so installations on older Python versions are prevented;
ensure any CI/tooling that reads python_requires is consistent with the new
minimum if applicable.