Merged
2 changes: 1 addition & 1 deletion requirements.txt
@@ -1,4 +1,4 @@
fastapi==0.134.0
fastapi==0.135.0
fastapi-utils==0.8.0
requests==2.32.5
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check requests 2.32.5 dependencies for urllib3
echo "=== Checking requests 2.32.5 dependencies ==="
curl -s https://pypi.org/pypi/requests/2.32.5/json | jq -r '.info.requires_dist[] | grep -i urllib3'

echo -e "\n=== Checking latest urllib3 versions and vulnerability info ==="
curl -s https://pypi.org/pypi/urllib3/json | jq -r '{version: .info.version, requires_python: .info.requires_python}'

echo -e "\n=== Checking urllib3 releases for vulnerability fixes ==="
curl -s https://pypi.org/pypi/urllib3/json | jq -r '.releases | keys[] | select(test("^2\\.|^1\\.2"))' | sort -V | tail -20

Repository: RedHatInsights/ccx-upgrades-data-eng

Length of output: 646


🌐 Web query:

urllib3 HIGH severity vulnerabilities decompression bomb CVE 2024

💡 Result:

There aren’t widely cited urllib3 “decompression bomb” HIGH-severity CVEs from 2024; the main HIGH issues in this area were disclosed later (Dec 2025 / Jan 2026):

| CVE | What it is | Affected urllib3 versions | Fixed in |
|---|---|---|---|
| CVE-2025-66418 | Unbounded decompression chain (too many Content-Encoding "links") can cause extreme CPU/memory use → DoS | >= 1.24, < 2.6.0 | 2.6.0 [1][2] |
| CVE-2025-66471 | Streaming API can fully decompress a tiny but highly-compressed chunk ("data amplification") → CPU/memory DoS | >= 1.0, < 2.6.0 | 2.6.0 [3][4] |
| CVE-2026-21441 | Redirect responses could get fully decompressed even with streaming (preload_content=False), bypassing safeguards → decompression bomb DoS | >= 1.22, < 2.6.3 | 2.6.3 [5] |

What to do

  • Upgrade to urllib3 ≥ 2.6.3 to cover all of the above (2.6.0 fixes the 2025 issues; 2.6.3 fixes the redirect-streaming issue). [4][5]
  • If you can’t upgrade immediately: disable redirects for untrusted URLs (redirect=False) to mitigate CVE-2026-21441. [5]

Sources: NVD + GitHub Advisory DB + Rapid7 Red Hat synopsis. [1][3][4][5]


🏁 Script executed:

#!/bin/bash
# Correct jq query for requests 2.32.5 dependencies
echo "=== Checking requests 2.32.5 dependencies for urllib3 ==="
curl -s https://pypi.org/pypi/requests/2.32.5/json | jq '.info.requires_dist'

# Check urllib3 1.26.20 specifically to confirm it exists
echo -e "\n=== Checking urllib3 1.26.20 ==="
curl -s https://pypi.org/pypi/urllib3/1.26.20/json | jq '.info | {version, release_date: .release_url}'

# Get more details on urllib3 security advisories
echo -e "\n=== Checking urllib3 security advisories ==="
curl -s https://api.github.com/repos/urllib3/urllib3/security/advisories | jq '.[] | select(.severity == "high") | {cve_id: .cve_id, summary: .summary, affected_versions: .affected_versions, fixed_in: .fixed_versions}' | head -50

Repository: RedHatInsights/ccx-upgrades-data-eng

Length of output: 596


🌐 Web query:

urllib3 CVE HIGH severity vulnerabilities complete list 2024 2025 2026

💡 Result:

High-severity (CVSS High: 7.0–8.9) urllib3 CVEs published in 2024–2026 (as of 2026-03-01):

2024

  • None (urllib3 advisories/CVEs published in 2024 for urllib3 are Moderate/Medium, not High). [4]

2025

  • CVE-2025-66471 — Streaming API improper handling of highly compressed data → potential resource exhaustion/DoS. Affected: urllib3 >=1.0, <2.6.0. Fix: 2.6.0. (CVSS v3.1 7.5 High; CVSS v4.0 8.9 High). [2]
  • CVE-2025-66418 — Unbounded number of links in decompression chain → high CPU/memory usage (DoS). Affected: urllib3 >=1.24, <2.6.0. Fix: 2.6.0. (CVSS v3.1 7.5 High; CVSS v4.0 8.9 High). [1]

2026

  • CVE-2026-21441 — Redirect responses decompressed during streaming (preload_content=False) → decompression-bomb style resource exhaustion/DoS. Affected: urllib3 >=1.22, <2.6.3. Fix: 2.6.3. (CVSS v3.1 7.5 High; CVSS v4.0 8.9 High). [3]

Sources

[1] NVD: CVE-2025-66418 https://nvd.nist.gov/vuln/detail/CVE-2025-66418
[2] NVD: CVE-2025-66471 https://nvd.nist.gov/vuln/detail/CVE-2025-66471
[3] NVD: CVE-2026-21441 https://nvd.nist.gov/vuln/detail/CVE-2026-21441
[4] urllib3 GitHub Security Advisories list https://github.com/urllib3/urllib3/security


Upgrade urllib3 to 2.6.3 to address HIGH-severity decompression vulnerabilities.

Three HIGH-severity vulnerabilities exist in urllib3 versions < 2.6.3:

  • CVE-2025-66471: Improper handling of highly compressed data (affects ≥1.0, fixed in 2.6.0)
  • CVE-2025-66418: Unbounded decompression chain links causing resource exhaustion (affects ≥1.24, fixed in 2.6.0)
  • CVE-2026-21441: Redirect responses bypassing decompression safeguards during streaming (affects ≥1.22, fixed in 2.6.3)

Update requests's transitive urllib3 dependency to 2.6.3. The current constraint urllib3<3,>=1.21.1 is flexible; explicitly set it to urllib3>=2.6.3 to ensure these vulnerabilities are patched.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@requirements.txt` at line 3, the requirements currently list requests==2.32.5
which allows an older urllib3; add an explicit constraint for urllib3 to ensure
the transitive dependency is upgraded by adding a line pinning urllib3 to at
least 2.6.3 (e.g., "urllib3>=2.6.3,<3") in the requirements/constraints so
CVE-2025-66471/CVE-2025-66418/CVE-2026-21441 are fixed and compatibility with
requests (requests==2.32.5) is preserved.

requests-oauthlib ==2.0.0
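Review bot: the hunk changes only the fastapi pin, while the file carries no hashes and no pins for transitive packages, so `pip install -r requirements.txt` can still resolve a different urllib3 (pulled in through `requests==2.32.5`) on each build; generating this file from a lock (`pip-compile --generate-hashes`) or at least adding the urllib3 floor proposed above would make the resolution reproducible. Please also confirm `fastapi-utils==0.8.0` was exercised against fastapi 0.135.0, since that pin is untouched. Minor: `requests-oauthlib ==2.0.0` has a stray space before `==`; it is valid but inconsistent with the other lines.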
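The three advisories the review comment above cites are all variants of one failure mode: a few kilobytes on the wire expanding into far more memory than the client budgeted, either through a single highly compressible body or through a long Content-Encoding chain. The block below is an added example, not code from this project or from urllib3 (and not how urllib3 implemented its fixes): it builds a constructed gzip bomb, measures its amplification, and shows a decoder that caps both the decoded size and the number of encoding links at every step. The names `build_bomb`, `bounded_decode`, `DecompressionLimitExceeded` and the limits used are assumptions made for the illustration.

```python
import gzip
import zlib


class DecompressionLimitExceeded(Exception):
    """Raised when a response body would expand past the configured budget."""


def build_bomb(plain_size: int = 1_000_000, layers: int = 1) -> bytes:
    """Constructed test payload (not captured traffic): `plain_size` zero bytes
    gzip-compressed `layers` times, i.e. what a server emitting
    'Content-Encoding: gzip, gzip, ...' would send. Zeros compress ~1000:1."""
    data = b"\x00" * plain_size
    for _ in range(layers):
        data = gzip.compress(data, compresslevel=9)
    return data


def amplification_ratio(compressed: bytes) -> float:
    """Decoded bytes per received byte for one gzip layer. This decode is
    unbounded on purpose; only call it on payloads you built yourself."""
    return len(gzip.decompress(compressed)) / len(compressed)


def _decode_one(data: bytes, encoding: str, max_out: int) -> bytes:
    """Inflate one Content-Encoding link without ever materialising more than
    max_out bytes. zlib's max_length argument stops inflating once the output
    budget is hit and parks the rest of the input in unconsumed_tail, so the
    loop feeds that tail back until either the input is exhausted or the
    budget is exceeded. No flush() call: flush() would process the tail
    without a length limit."""
    if encoding in ("gzip", "x-gzip"):
        wbits = zlib.MAX_WBITS | 16      # expect gzip header and trailer
    elif encoding == "deflate":
        wbits = zlib.MAX_WBITS           # zlib-wrapped stream, per RFC 9110
    else:
        raise ValueError(f"unsupported Content-Encoding {encoding!r}")
    d = zlib.decompressobj(wbits)
    out = bytearray(d.decompress(data, max_out + 1))
    while d.unconsumed_tail and len(out) <= max_out:
        out += d.decompress(d.unconsumed_tail, max_out + 1 - len(out))
    if len(out) > max_out:
        raise DecompressionLimitExceeded(
            f"{encoding} body expands past {max_out} bytes")
    return bytes(out)


def bounded_decode(body: bytes, content_encoding: str,
                   max_out: int, max_links: int = 2) -> bytes:
    """Undo a Content-Encoding chain right-to-left (the client removes the
    last-applied encoding first), refusing chains longer than max_links and
    enforcing max_out on every intermediate result, not just the final one."""
    links = [e.strip().lower() for e in content_encoding.split(",") if e.strip()]
    if len(links) > max_links:
        raise DecompressionLimitExceeded(
            f"{len(links)} Content-Encoding links exceed limit of {max_links}")
    data = body
    for enc in reversed(links):
        data = _decode_one(data, enc, max_out)
    return data


if __name__ == "__main__":
    bomb = build_bomb()
    print(f"{len(bomb)} bytes on the wire, amplification x{amplification_ratio(bomb):.0f}")
    try:
        bounded_decode(bomb, "gzip", max_out=64 * 1024)
    except DecompressionLimitExceeded as exc:
        print("refused:", exc)
```

The two limits are independent knobs: `max_out` is the per-response memory budget a consumer is prepared to hold, and `max_links` is the cap on stacked encodings (two covers every legitimate combination seen in practice, such as `gzip` applied on top of an already-encoded body). Raising the redirect point from the third advisory is outside this snippet: the decoder must be applied to redirect responses too, or those bodies must simply not be read.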
2 changes: 1 addition & 1 deletion setup.cfg
@@ -15,7 +15,7 @@ packages = find:
python_requires = >=3.6
install_requires =
uvicorn[standard]==0.41.0
fastapi==0.134.0
fastapi==0.135.0
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if FastAPI 0.135.0 exists on PyPI and gather version info
echo "=== Checking PyPI for FastAPI 0.135.0 ==="
curl -s https://pypi.org/pypi/fastapi/json | jq -r '.releases | to_entries[] | select(.key | test("0.13[0-9]|0.14")) | .key' | sort -V | tail -20

echo -e "\n=== Checking specific version 0.135.0 ==="
curl -s https://pypi.org/pypi/fastapi/0.135.0/json | jq -r '.info | "\(.version) - Release: \(.requires_python)"' 2>/dev/null || echo "Version not found or error occurred"

echo -e "\n=== Latest FastAPI version ==="
curl -s https://pypi.org/pypi/fastapi/json | jq -r '.info.version'

Repository: RedHatInsights/ccx-upgrades-data-eng

Length of output: 301


🏁 Script executed:

#!/bin/bash
# Check the Python version requirement in setup.cfg
echo "=== Checking setup.cfg for python_requires ==="
cat setup.cfg | grep -A 2 "python_requires"

# Also verify FastAPI 0.134.0 requirements for comparison
echo -e "\n=== FastAPI 0.134.0 Python requirements ==="
curl -s https://pypi.org/pypi/fastapi/0.134.0/json | jq -r '.info.requires_python'

echo -e "\n=== FastAPI 0.135.0 Python requirements ==="
curl -s https://pypi.org/pypi/fastapi/0.135.0/json | jq -r '.info.requires_python'

Repository: RedHatInsights/ccx-upgrades-data-eng

Length of output: 303


Update python_requires in setup.cfg to match FastAPI 0.135.0 requirements.

FastAPI 0.135.0 (the latest version on PyPI) requires Python >=3.10, but setup.cfg declares python_requires = >=3.6. This creates a critical mismatch—the package will fail to install on Python 3.6–3.9 despite the configuration claiming support for those versions. Either upgrade the Python requirement to >=3.10 or downgrade FastAPI to a version compatible with Python 3.6+.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@setup.cfg` at line 18, the setup.cfg currently pins fastapi==0.135.0 but
still declares python_requires = >=3.6, causing a compatibility mismatch; update
the python_requires field in setup.cfg to ">=3.10" to match FastAPI 0.135.0 (or
alternatively pin FastAPI to a version compatible with >=3.6 if you must keep
older Python support), ensuring the change targets the python_requires entry in
setup.cfg and the fastapi==0.135.0 dependency declaration.

fastapi-utils==0.8.0
requests==2.32.5
requests-oauthlib ==2.0.0
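Review bot: `python_requires = >=3.6` is left untouched two lines above the fastapi bump in the same `[options]` block; if 0.135.0 really requires a newer interpreter, as the comment above reports, the `python_requires` line belongs in this hunk so the metadata never advertises interpreters the install will fail on. Separately, `install_requires` repeats the exact pins from requirements.txt (fastapi, fastapi-utils, requests, requests-oauthlib), which is why this PR has to touch two files for one bump; consider making one of them the source of truth and deriving the other, or at least adding a CI check that the two pin sets agree.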
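Both review comments on this PR reduce to the same question about version specifiers: does a constraint still admit versions it should not? In the first comment the floor `urllib3<3,>=1.21.1` admits every release older than the 2.6.3 fix; in the second, `python_requires = >=3.6` claims interpreters that a dependency declaring `Requires-Python >=3.10` rejects. The block below is an added example, not code from this project: a stdlib-only checker for the comparison operators of a PEP 440 subset (`==`, `!=`, `<`, `<=`, `>`, `>=`, `~=` on plain numeric versions, no pre/post/dev suffixes) that answers both questions. The release list, the setup.cfg text and the interpreter list are constructed samples, not fetched data, and the function names are assumptions.

```python
import configparser
import re
from itertools import zip_longest

# "name[extras] <specifier>" -> name and the raw specifier string.
_REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(.*?)\s*$")
# One clause of a specifier; two-character operators are listed first so the
# alternation does not match "<" inside "<=".
_CLAUSE = re.compile(r"^(==|!=|<=|>=|<|>|~=)\s*([0-9]+(?:\.[0-9]+)*)$")

# Constructed sample inputs (assumptions for the illustration, not a real
# release list and not the project's actual setup.cfg).
SAMPLE_URLLIB3_RELEASES = ["1.25.11", "1.26.20", "2.2.3", "2.5.0", "2.6.0", "2.6.3"]
SAMPLE_PYTHONS = ["3.6", "3.7", "3.8", "3.9", "3.10", "3.11", "3.12"]
SAMPLE_SETUP_CFG = """\
[options]
packages = find:
python_requires = >=3.6
install_requires =
    fastapi==0.135.0
"""


def parse_version(text: str) -> tuple:
    """Numeric release segment only: "2.6.3" -> (2, 6, 3)."""
    text = text.strip()
    if not re.fullmatch(r"[0-9]+(\.[0-9]+)*", text):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(p) for p in text.split("."))


def compare(a: tuple, b: tuple) -> int:
    """-1, 0 or 1; missing trailing components count as zero (2.6 == 2.6.0)."""
    for x, y in zip_longest(a, b, fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return 0


def split_requirement(line: str) -> tuple:
    m = _REQ.match(line)
    if not m:
        raise ValueError(f"cannot parse requirement: {line!r}")
    return m.group(1).lower(), m.group(3)


def parse_specifier(spec: str) -> list:
    """"<3,>=1.21.1" -> [("<", (3,)), (">=", (1, 21, 1))]."""
    clauses = []
    for raw in spec.split(","):
        raw = raw.strip()
        if not raw:
            continue
        m = _CLAUSE.match(raw)
        if not m:
            raise ValueError(f"unsupported specifier clause: {raw!r}")
        clauses.append((m.group(1), parse_version(m.group(2))))
    return clauses


def satisfies(version: tuple, clauses: list) -> bool:
    for op, bound in clauses:
        c = compare(version, bound)
        if op == "==" and c != 0:
            return False
        if op == "!=" and c == 0:
            return False
        if op == "<" and c >= 0:
            return False
        if op == "<=" and c > 0:
            return False
        if op == ">" and c <= 0:
            return False
        if op == ">=" and c < 0:
            return False
        if op == "~=":
            # "~=1.4.5" means >=1.4.5 and <1.5; "~=2.2" means >=2.2 and <3.
            if len(bound) < 2:
                raise ValueError("~= needs at least two version components")
            upper = bound[:-2] + (bound[-2] + 1,)
            if c < 0 or compare(version, upper) >= 0:
                return False
    return True


def admitted_below_fix(requirement: str, releases: list, fixed_in: str) -> list:
    """Releases the requirement admits that are older than the fix. A
    non-empty result means the constraint does not guarantee the patch."""
    _, spec = split_requirement(requirement)
    clauses = parse_specifier(spec)
    fix = parse_version(fixed_in)
    bad = [r for r in releases
           if satisfies(parse_version(r), clauses) and compare(parse_version(r), fix) < 0]
    return sorted(bad, key=parse_version)


def uncovered_pythons(python_requires: str, dep_requires_python: str, candidates: list) -> list:
    """Interpreters the package claims to support but the dependency rejects."""
    pkg, dep = parse_specifier(python_requires), parse_specifier(dep_requires_python)
    return [c for c in candidates
            if satisfies(parse_version(c), pkg) and not satisfies(parse_version(c), dep)]


def python_requires_from_setup_cfg(text: str) -> str:
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return cfg["options"]["python_requires"].strip()


if __name__ == "__main__":
    print(admitted_below_fix("urllib3<3,>=1.21.1", SAMPLE_URLLIB3_RELEASES, "2.6.3"))
    claimed = python_requires_from_setup_cfg(SAMPLE_SETUP_CFG)
    print(uncovered_pythons(claimed, ">=3.10", SAMPLE_PYTHONS))
```

For anything beyond this subset (pre-releases, wildcards, `===`, local versions) use `packaging.specifiers.SpecifierSet`, which implements PEP 440 in full; the point of the hand-rolled version is only to make the two failure modes on this page visible: a floor that is lower than the fix, and a `python_requires` that is wider than what the pinned dependencies accept.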