
chore(deps): update dependency fastapi to v0.135.0#27

Merged
github-actions[bot] merged 1 commit into main from konflux/mintmaker/main/python-deps on Mar 1, 2026

Conversation

@red-hat-konflux
Contributor

This PR contains the following updates:

Package | Change | Age | Confidence
fastapi (changelog) | ==0.134.0 -> ==0.135.0 | age (badge) | confidence (badge)

Release Notes

fastapi/fastapi (fastapi)

v0.135.0

Compare Source

Features

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
@github-actions github-actions bot enabled auto-merge March 1, 2026 13:26
@coderabbitai

coderabbitai bot commented Mar 1, 2026

Summary by CodeRabbit

  • Chores
    • Updated FastAPI dependency to version 0.135.0.

Walkthrough

FastAPI dependency version is bumped from 0.134.0 to 0.135.0 across two dependency configuration files. No functional, structural, or behavioral changes introduced.

Changes

Cohort / File(s) | Summary
FastAPI version bump (requirements.txt, setup.cfg) | FastAPI dependency updated from 0.134.0 to 0.135.0 in both configuration files.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name | Status | Explanation | Resolution
Description check | ⚠️ Warning | The description is largely incomplete relative to the repository's template. While it includes release notes and context, it lacks the required 'Type of change', 'Testing steps', and 'Checklist' sections. | Complete the description by selecting the 'Bump-up dependent library (no changes in the code)' option, documenting testing steps, and verifying the checklist items.
✅ Passed checks (2 passed)
Check name | Status | Explanation
Title check | ✅ Passed | The title clearly and specifically summarizes the main change: bumping the FastAPI dependency from 0.134.0 to 0.135.0, which is the only substantive change in this PR.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@requirements.txt`:
- Line 3: The requirements currently list requests==2.32.5 which allows an older
urllib3; add an explicit constraint for urllib3 to ensure the transitive
dependency is upgraded by adding a line pinning urllib3 to at least 2.6.3 (e.g.,
"urllib3>=2.6.3,<3") in the requirements/constraints so
CVE-2025-66471/CVE-2025-66418/CVE-2026-21441 are fixed and compatibility with
requests (requests==2.32.5) is preserved.

In `@setup.cfg`:
- Line 18: The setup.cfg currently pins fastapi==0.135.0 but still declares
python_requires = >=3.6, causing a compatibility mismatch; update the
python_requires field in setup.cfg to ">=3.10" to match FastAPI 0.135.0 (or
alternatively pin FastAPI to a version compatible with >=3.6 if you must keep
older Python support), ensuring the change targets the python_requires entry in
setup.cfg and the fastapi==0.135.0 dependency declaration.

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 01d5810 and 5e9bae5.

📒 Files selected for processing (2)
  • requirements.txt
  • setup.cfg

fastapi==0.134.0
fastapi==0.135.0
fastapi-utils==0.8.0
requests==2.32.5
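Review bot: the hunk bumps fastapi alone while fastapi-utils==0.8.0 two lines below stays pinned, and nothing in this PR shows that fastapi-utils 0.8.0 supports FastAPI 0.135.0 (the release-notes "Features" section in the description is empty), so the passing CI run is the only compatibility evidence; confirm the supported FastAPI range of fastapi-utils before relying on automerge for this kind of bump. The requests==2.32.5 line with no urllib3 entry beside it also leaves the transitive urllib3 floor entirely to the resolver, which is the point the inline comment that follows expands on.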


⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check requests 2.32.5 dependencies for urllib3
echo "=== Checking requests 2.32.5 dependencies ==="
# grep is a shell filter, not a jq function, so it must run outside the jq program
curl -s https://pypi.org/pypi/requests/2.32.5/json | jq -r '.info.requires_dist[]' | grep -i urllib3

echo -e "\n=== Checking latest urllib3 versions and vulnerability info ==="
curl -s https://pypi.org/pypi/urllib3/json | jq -r '{version: .info.version, requires_python: .info.requires_python}'

echo -e "\n=== Checking urllib3 releases for vulnerability fixes ==="
curl -s https://pypi.org/pypi/urllib3/json | jq -r '.releases | keys[] | select(test("^2\\.|^1\\.2"))' | sort -V | tail -20

Repository: RedHatInsights/ccx-upgrades-data-eng

Length of output: 646


🌐 Web query:

urllib3 HIGH severity vulnerabilities decompression bomb CVE 2024

💡 Result:

There aren’t widely cited urllib3 “decompression bomb” HIGH-severity CVEs from 2024; the main HIGH issues in this area were disclosed later (Dec 2025 / Jan 2026):

CVE | What it is | Affected urllib3 versions | Fixed in
CVE-2025-66418 | Unbounded decompression chain (too many Content-Encoding “links”) can cause extreme CPU/memory use → DoS | >= 1.24, < 2.6.0 | 2.6.0 [1][2]
CVE-2025-66471 | Streaming API can fully decompress a tiny but highly-compressed chunk (“data amplification”) → CPU/memory DoS | >= 1.0, < 2.6.0 | 2.6.0 [3][4]
CVE-2026-21441 | Redirect responses could get fully decompressed even with streaming (preload_content=False), bypassing safeguards → decompression bomb DoS | >= 1.22, < 2.6.3 | 2.6.3 [5]

What to do

  • Upgrade to urllib3 ≥ 2.6.3 to cover all of the above (2.6.0 fixes the 2025 issues; 2.6.3 fixes the redirect-streaming issue). [4][5]
  • If you can’t upgrade immediately: disable redirects for untrusted URLs (redirect=False) to mitigate CVE-2026-21441. [5]

Sources: NVD + GitHub Advisory DB + Rapid7 Red Hat synopsis. [1][3][4][5]


🏁 Script executed:

#!/bin/bash
# Correct jq query for requests 2.32.5 dependencies
echo "=== Checking requests 2.32.5 dependencies for urllib3 ==="
curl -s https://pypi.org/pypi/requests/2.32.5/json | jq '.info.requires_dist'

# Check urllib3 1.26.20 specifically to confirm it exists
echo -e "\n=== Checking urllib3 1.26.20 ==="
# release_url is a link, not a date, so keep its real name in the output
curl -s https://pypi.org/pypi/urllib3/1.26.20/json | jq '.info | {version, release_url}'

# Get more details on urllib3 security advisories
echo -e "\n=== Checking urllib3 security advisories ==="
# The REST endpoint is /repos/{owner}/{repo}/security-advisories; version ranges live under .vulnerabilities[]
curl -s https://api.github.com/repos/urllib3/urllib3/security-advisories | jq '.[] | select(.severity == "high") | {cve_id, summary, affected_versions: [.vulnerabilities[].vulnerable_version_range], fixed_in: [.vulnerabilities[].patched_versions]}' | head -50

Repository: RedHatInsights/ccx-upgrades-data-eng

Length of output: 596


🌐 Web query:

urllib3 CVE HIGH severity vulnerabilities complete list 2024 2025 2026

💡 Result:

High-severity (CVSS High: 7.0–8.9) urllib3 CVEs published in 2024–2026 (as of 2026-03-01):

2024

  • None (urllib3 advisories/CVEs published in 2024 for urllib3 are Moderate/Medium, not High). [4]

2025

  • CVE-2025-66471 — Streaming API improper handling of highly compressed data → potential resource exhaustion/DoS. Affected: urllib3 >=1.0, <2.6.0. Fix: 2.6.0. (CVSS v3.1 7.5 High; CVSS v4.0 8.9 High). [2]
  • CVE-2025-66418 — Unbounded number of links in decompression chain → high CPU/memory usage (DoS). Affected: urllib3 >=1.24, <2.6.0. Fix: 2.6.0. (CVSS v3.1 7.5 High; CVSS v4.0 8.9 High). [1]

2026

  • CVE-2026-21441 — Redirect responses decompressed during streaming (preload_content=False) → decompression-bomb style resource exhaustion/DoS. Affected: urllib3 >=1.22, <2.6.3. Fix: 2.6.3. (CVSS v3.1 7.5 High; CVSS v4.0 8.9 High). [3]

Sources

[1] NVD: CVE-2025-66418 https://nvd.nist.gov/vuln/detail/CVE-2025-66418
[2] NVD: CVE-2025-66471 https://nvd.nist.gov/vuln/detail/CVE-2025-66471
[3] NVD: CVE-2026-21441 https://nvd.nist.gov/vuln/detail/CVE-2026-21441
[4] urllib3 GitHub Security Advisories list https://github.com/urllib3/urllib3/security


Upgrade urllib3 to 2.6.3 to address HIGH-severity decompression vulnerabilities.

Three HIGH-severity vulnerabilities exist in urllib3 versions < 2.6.3:

  • CVE-2025-66471: Improper handling of highly compressed data (affects ≥1.0, fixed in 2.6.0)
  • CVE-2025-66418: Unbounded decompression chain links causing resource exhaustion (affects ≥1.24, fixed in 2.6.0)
  • CVE-2026-21441: Redirect responses bypassing decompression safeguards during streaming (affects ≥1.22, fixed in 2.6.3)

Update requests's transitive urllib3 dependency to 2.6.3. The current constraint urllib3<3,>=1.21.1 is flexible; explicitly set it to urllib3>=2.6.3 to ensure these vulnerabilities are patched.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@requirements.txt` at line 3, The requirements currently list requests==2.32.5
which allows an older urllib3; add an explicit constraint for urllib3 to ensure
the transitive dependency is upgraded by adding a line pinning urllib3 to at
least 2.6.3 (e.g., "urllib3>=2.6.3,<3") in the requirements/constraints so
CVE-2025-66471/CVE-2025-66418/CVE-2026-21441 are fixed and compatibility with
requests (requests==2.32.5) is preserved.

install_requires =
uvicorn[standard]==0.41.0
fastapi==0.134.0
fastapi==0.135.0
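Review bot: install_requires now carries the exact fastapi==0.135.0 pin that requirements.txt also carries, so every future bump must land in both files in lock step or the two silently diverge; consider making one file authoritative and deriving the other (for instance installing with requirements.txt as a constraints file, pip install -c requirements.txt .) so a single pin is maintained. The python_requires = >=3.6 declared in the same setup.cfg is inconsistent with a dependency pinned to a release that needs a newer interpreter, as the comment that follows sets out.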


⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if FastAPI 0.135.0 exists on PyPI and gather version info
echo "=== Checking PyPI for FastAPI 0.135.0 ==="
curl -s https://pypi.org/pypi/fastapi/json | jq -r '.releases | to_entries[] | select(.key | test("0.13[0-9]|0.14")) | .key' | sort -V | tail -20

echo -e "\n=== Checking specific version 0.135.0 ==="
# The second field is requires_python, so label it as such
curl -s https://pypi.org/pypi/fastapi/0.135.0/json | jq -r '.info | "\(.version) - requires_python: \(.requires_python)"' 2>/dev/null || echo "Version not found or error occurred"

echo -e "\n=== Latest FastAPI version ==="
curl -s https://pypi.org/pypi/fastapi/json | jq -r '.info.version'

Repository: RedHatInsights/ccx-upgrades-data-eng

Length of output: 301


🏁 Script executed:

#!/bin/bash
# Check the Python version requirement in setup.cfg
echo "=== Checking setup.cfg for python_requires ==="
grep -A 2 "python_requires" setup.cfg

# Also verify FastAPI 0.134.0 requirements for comparison
echo -e "\n=== FastAPI 0.134.0 Python requirements ==="
curl -s https://pypi.org/pypi/fastapi/0.134.0/json | jq -r '.info.requires_python'

echo -e "\n=== FastAPI 0.135.0 Python requirements ==="
curl -s https://pypi.org/pypi/fastapi/0.135.0/json | jq -r '.info.requires_python'

Repository: RedHatInsights/ccx-upgrades-data-eng

Length of output: 303


Update python_requires in setup.cfg to match FastAPI 0.135.0 requirements.

FastAPI 0.135.0 (the latest version on PyPI) requires Python >=3.10, but setup.cfg declares python_requires = >=3.6. This creates a critical mismatch—the package will fail to install on Python 3.6–3.9 despite the configuration claiming support for those versions. Either upgrade the Python requirement to >=3.10 or downgrade FastAPI to a version compatible with Python 3.6+.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@setup.cfg` at line 18, The setup.cfg currently pins fastapi==0.135.0 but
still declares python_requires = >=3.6, causing a compatibility mismatch; update
the python_requires field in setup.cfg to ">=3.10" to match FastAPI 0.135.0 (or
alternatively pin FastAPI to a version compatible with >=3.6 if you must keep
older Python support), ensuring the change targets the python_requires entry in
setup.cfg and the fastapi==0.135.0 dependency declaration.
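Added example, not code from this PR, from CodeRabbit, or from the RedHatInsights/ccx-upgrades-data-eng repository: an offline audit covering both findings in the review comments above, an explicit urllib3 floor at the fixed release (2.6.3) in the pinned requirements, and a python_requires in setup.cfg lower than the interpreter floor FastAPI 0.135.0 needs. The file contents are constructed to mirror the two files touched here, and the >=3.10 floor and the 2.6.3 constant are taken from the review text rather than fetched from PyPI.

```python
import re

# Constructed inputs mirroring the two files this PR touches (not the repo's real files).
REQUIREMENTS_TXT = "fastapi==0.135.0\nfastapi-utils==0.8.0\nrequests==2.32.5\n"
SETUP_CFG = """[options]
python_requires = >=3.6
install_requires =
    uvicorn[standard]==0.41.0
    fastapi==0.135.0
"""
# Assumed metadata taken from the review text above, not fetched live.
DEP_REQUIRES_PYTHON = {"fastapi": ">=3.10"}   # FastAPI 0.135.0 interpreter floor
URLLIB3_FIXED = (2, 6, 3)                     # first urllib3 with all three CVEs fixed

_REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9_.-]*)(?:\[[^\]]*\])?\s*((?:==|>=|<=|~=|<|>)[^#]*)$")
_SPEC = re.compile(r"(==|>=|<=|~=|<|>)\s*([0-9.]+)")

def _ver(s):
    """Plain numeric version string -> comparable tuple (assumes no pre/post-release tags)."""
    return tuple(int(p) for p in s.strip().split("."))

def parse_pins(text):
    """Collect {name: [(op, version), ...]} from pip- or setup.cfg-style requirement lines."""
    pins = {}
    for line in text.splitlines():
        m = _REQ.match(line)
        if m:
            pins[m.group(1).lower()] = _SPEC.findall(m.group(2))
    return pins

def urllib3_floor_ok(pins, fixed=URLLIB3_FIXED):
    """True only when an explicit '==' or '>=' on urllib3 guarantees the fixed release or newer.
    No entry means the resolver may keep any vulnerable version that requests still allows."""
    return any(op in ("==", ">=") and _ver(v) >= fixed for op, v in pins.get("urllib3", []))

def python_requires_conflicts(setup_cfg, dep_floors=DEP_REQUIRES_PYTHON):
    """Names of pinned deps whose requires_python floor is above the declared python_requires."""
    m = re.search(r"^\s*python_requires\s*=\s*>=\s*([0-9.]+)", setup_cfg, re.M)
    declared = _ver(m.group(1)) if m else (0,)
    return [name for name in parse_pins(setup_cfg)
            if name in dep_floors and _ver(dep_floors[name].lstrip(">=")) > declared]

if __name__ == "__main__":
    print("urllib3 floor ok:", urllib3_floor_ok(parse_pins(REQUIREMENTS_TXT)))
    print("urllib3 floor ok after adding urllib3>=2.6.3,<3:",
          urllib3_floor_ok(parse_pins(REQUIREMENTS_TXT + "urllib3>=2.6.3,<3\n")))
    print("python_requires conflicts:", python_requires_conflicts(SETUP_CFG))
```

Running it against the constructed files reports the urllib3 floor as missing until the urllib3>=2.6.3,<3 line is added, and lists fastapi as the package whose interpreter floor exceeds the declared >=3.6.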

@github-actions github-actions bot merged commit 5b2a2b3 into main Mar 1, 2026
13 checks passed
@red-hat-konflux red-hat-konflux bot deleted the konflux/mintmaker/main/python-deps branch March 1, 2026 17:26
