Merged
2 changes: 1 addition & 1 deletion requirements.txt
@@ -1,4 +1,4 @@
fastapi==0.128.8
fastapi==0.129.0
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

git ls-files | grep -E "(requirements|pyproject|setup|lock)" | head -20

Repository: RedHatInsights/ccx-upgrades-data-eng

Length of output: 121


🏁 Script executed:

cat -n requirements.txt

Repository: RedHatInsights/ccx-upgrades-data-eng

Length of output: 681


🏁 Script executed:

#!/bin/bash
# Check urllib3 version requirements from requests and httpx
pip install --dry-run requests==2.32.5 httpx==0.28.1 2>&1 | grep -i urllib3

# Alternative: Check package metadata directly
python3 << 'EOF'
import urllib.request
import json

# Check requests package requirements
print("=== Checking requests==2.32.5 dependencies ===")
try:
    with urllib.request.urlopen("https://pypi.org/pypi/requests/2.32.5/json") as response:
        data = json.loads(response.read())
        requires = data.get("info", {}).get("requires_dist", [])
        if requires:
            urllib3_reqs = [r for r in requires if "urllib3" in r.lower()]
            print("requests dependencies:", urllib3_reqs)
except Exception as e:
    print(f"Error: {e}")

print("\n=== Checking httpx==0.28.1 dependencies ===")
try:
    with urllib.request.urlopen("https://pypi.org/pypi/httpx/0.28.1/json") as response:
        data = json.loads(response.read())
        requires = data.get("info", {}).get("requires_dist", [])
        if requires:
            urllib3_reqs = [r for r in requires if "urllib3" in r.lower()]
            print("httpx dependencies:", urllib3_reqs if urllib3_reqs else "No urllib3 dependency")
except Exception as e:
    print(f"Error: {e}")
EOF

Repository: RedHatInsights/ccx-upgrades-data-eng

Length of output: 566


🌐 Web query:

urllib3 1.26.20 CVE vulnerabilities 2024 2025

💡 Result:

urllib3 1.26.20 (released 2024-08-29) — CVEs in 2024–2025 relevant to this version

2024

  • CVE-2024-37891 (Proxy-Authorization header leak on cross-origin redirect)
    Not affected in 1.26.20 — this CVE affects urllib3 versions < 1.26.19, and 1.26.20 is newer than (and includes the fix from) 1.26.19. [1][2]

2025

  • CVE-2025-66418 (unbounded decompression chain → CPU/memory DoS)
    Affected: urllib3 >= 1.24 and < 2.6.0, which includes 1.26.20.
    Fixed in: 2.6.0. [3][4]

  • CVE-2025-66471 (streaming decompression of highly-compressed data → CPU/memory DoS / “data amplification”)
    Affected: urllib3 >= 1.0 and < 2.6.0, which includes 1.26.20.
    Fixed in: 2.6.0. [5][6]

Practical takeaway

  • There is no patched 1.x release line (urllib3 states only 2.x is supported for updates/security fixes), so the real remediation for 1.26.20 is to upgrade to urllib3 2.6.0+ (or current 2.x). [6][7]

Sources: PyPI release info for 1.26.20 [1]; CVE-2024-37891 affected-range info [2]; NVD for CVE-2025-66418 [3] and CVE-2025-66471 [5]; GitLab advisory pages for both 2025 CVEs [4][6]; urllib3 security policy/support statement [7].


Update urllib3 to >= 2.6.0 to address decompression vulnerabilities.

urllib3 versions < 2.6.0 are affected by CVE-2025-66418 and CVE-2025-66471, which allow denial-of-service attacks through unbounded and streaming decompression. Since requests==2.32.5 allows urllib3 < 3, vulnerable versions could be installed. Explicitly pin urllib3 >= 2.6.0 in requirements.txt to ensure patched versions are used.

🧰 Tools
🪛 OSV Scanner (2.3.2)

[HIGH] 1-1: urllib3 1.26.20: urllib3 streaming API improperly handles highly compressed data

(GHSA-2xpw-w6gg-jr37)


[HIGH] 1-1: urllib3 1.26.20: Decompression-bomb safeguards bypassed when following HTTP redirects (streaming API)

(GHSA-38jv-5279-wg99)


[HIGH] 1-1: urllib3 1.26.20: urllib3 allows an unbounded number of links in the decompression chain

(GHSA-gm62-xv2j-4w53)


[HIGH] 1-1: urllib3 1.26.20: urllib3 redirects are not disabled when retries are disabled on PoolManager instantiation

(GHSA-pq67-6m6q-mj2v)

🤖 Prompt for AI Agents
In `@requirements.txt` at line 1, add an explicit urllib3 pin to requirements.txt
to ensure a non-vulnerable version is installed; edit the requirements file
(which currently contains fastapi==0.129.0) and add a new line "urllib3>=2.6.0"
(or higher) so dependency resolution cannot bring in urllib3 < 2.6.0 — also
verify any direct dependency on requests (e.g., requests==2.32.5) remains
compatible with the pinned urllib3 and update lock/dev dependency files
accordingly.
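As an added example, not code from the PR or the project: a stdlib-only CI check that enforces the explicit floor the comment above recommends. It parses the requirements.txt lines shown in this diff (including the `requests-oauthlib ==2.0.0` spacing) and flags a package that is either unpinned, so the resolver may pick a vulnerable transitive version, or pinned below the floor. The sample lines and the FLOORS policy are constructed for illustration.

```python
import re

# Constructed sample input: the requirements.txt lines visible in this PR
# (not the project's own tooling; urllib3 is deliberately absent, as in the diff).
REQUIREMENTS = """\
fastapi==0.129.0
fastapi-utils==0.8.0
requests==2.32.5
requests-oauthlib ==2.0.0
"""

# Hypothetical CI policy: package -> minimum version that must be pinned explicitly.
# The urllib3 floor is the one the review above recommends.
FLOORS = {"urllib3": "2.6.0"}

# name, optional [extras], optional whitespace around the operator, version
_REQ = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(==|>=|~=|>)\s*([0-9][0-9A-Za-z.]*)"
)

def parse_requirements(text):
    """Map normalised package name -> (operator, version) for each pinned line."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        match = _REQ.match(line) if line else None
        if match:
            name = match.group(1).lower().replace("_", "-")
            pins[name] = (match.group(3), match.group(4))
    return pins

def version_key(version):
    """Numeric tuple for comparison; trailing zeros dropped so 2.6 == 2.6.0."""
    parts = [int(p) if p.isdigit() else -1 for p in version.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def check_floors(text, floors=FLOORS):
    """Return findings; an empty list means every floor is met by an explicit pin."""
    pins = parse_requirements(text)
    findings = []
    for name, minimum in floors.items():
        if name not in pins:  # transitive only: the resolver may pick any version
            findings.append(f"{name}: not pinned, resolver may install a version < {minimum}")
        elif version_key(pins[name][1]) < version_key(minimum):
            op, ver = pins[name]
            findings.append(f"{name}: pinned {op}{ver}, below required minimum {minimum}")
    return findings
```

Run it against the real requirements.txt in CI and fail the job when `check_floors` returns a non-empty list.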

fastapi-utils==0.8.0
requests==2.32.5
requests-oauthlib ==2.0.0
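Review bot: the fastapi bump itself is fine, but this pin list is duplicated line for line in setup.cfg's install_requires (second file in this PR), so every version change has to be made in two places and the two can drift; consider making one of them the source of truth, for example `-e .` in requirements.txt so install_requires is the only list of pins. Style nit on the trailing context line: `requests-oauthlib ==2.0.0` is the only entry with a space before `==`; pip accepts it, but `requests-oauthlib==2.0.0` keeps the file consistent and grep-friendly.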
2 changes: 1 addition & 1 deletion setup.cfg
@@ -15,7 +15,7 @@ packages = find:
python_requires = >=3.6

⚠️ Potential issue | 🔴 Critical

Update python_requires to enforce minimum Python 3.10.

The python_requires = >=3.6 constraint is incompatible with fastapi 0.129.0, which requires Python 3.10+. This will allow installation on unsupported Python versions and cause runtime failures.

🔧 Proposed fix to update python_requires
-python_requires = >=3.6
+python_requires = >=3.10
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
python_requires = >=3.6
python_requires = >=3.10
🤖 Prompt for AI Agents
In `@setup.cfg` at line 15, update the package metadata to require Python 3.10+ by
changing the python_requires setting from ">=3.6" to ">=3.10" in setup.cfg (the
python_requires entry) so installations on older Python versions are prevented;
ensure any CI/tooling that reads python_requires is consistent with the new
minimum if applicable.

install_requires =
uvicorn[standard]==0.40.0
fastapi==0.128.8
fastapi==0.129.0
fastapi-utils==0.8.0
requests==2.32.5
requests-oauthlib ==2.0.0
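Review bot: the `python_requires = >=3.6` context line at the top of this hunk is left untouched while fastapi in install_requires is bumped to 0.129.0, so the committable suggestion above (`>=3.10`) is not applied in this commit; if, as that comment states, fastapi 0.129.0 needs Python 3.10+, this metadata still lets pip select the package on 3.6 to 3.9 and only fail later at dependency resolution or import. Raise python_requires in the same commit as the bump so the two constraints never disagree. Same spacing nit as in requirements.txt: `requests-oauthlib ==2.0.0` should read `requests-oauthlib==2.0.0`.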