chore(deps): update dependency fastapi to v0.135.1 #28
github-actions[bot] merged 1 commit into main
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
Summary by CodeRabbit
Walkthrough: FastAPI dependency version is bumped from 0.135.0 to 0.135.1 across dependency configuration files. No functional changes introduced.
Estimated code review effort: 🎯 1 (Trivial) | ⏱️ ~2 minutes
🚥 Pre-merge checks: ✅ 2 passed | ❌ 1 failed
❌ Failed checks (1 warning)
✅ Passed checks (2 passed)
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@requirements.txt`:
- Line 1: The requirements currently lack an explicit urllib3 constraint and
setup.cfg is out of sync; add an explicit constraint for urllib3 with minimum
safe version 2.6.3 (e.g., urllib3>=2.6.3) to both requirements.txt and the
install_requires section of setup.cfg so both dependency sources match and block
the vulnerable 1.26.20 and earlier releases; update both files consistently and
re-lock/reinstall dependencies after changing them.
In `@setup.cfg`:
- Around line 15-18: The package currently declares python_requires = >=3.6
which conflicts with the pinned dependency fastapi==0.135.1 (requires Python
>=3.10); update the python_requires specifier to require Python >=3.10 (e.g.,
change python_requires to ">=3.10") so the declared runtime matches the FastAPI
requirement (also scan for any other metadata or CI configs that mirror the old
minimum and update them if present).
ℹ️ Review info
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Cache: Disabled due to data retention organization setting
Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting
📒 Files selected for processing (2): requirements.txt, setup.cfg
| @@ -1,4 +1,4 @@ | |||
| fastapi==0.135.0 | |||
| fastapi==0.135.1 | |||
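Review bot: the `@@ -1,4 +1,4 @@` hunk touches only the fastapi pin, while the OSV Scanner findings attached to this review report urllib3 1.26.20 against line 1-1 of requirements.txt, where no urllib3 line is visible; urllib3 is therefore being resolved transitively (requests==2.32.5 is in the visible requirements and, per the web query in this review, accepts urllib3 >=1.21.1,<3). A direct `urllib3>=2.6.3,<3` line is the right shape for the fix, but it only takes effect if it lands in both requirements.txt and setup.cfg install_requires and the environment is re-resolved; the version bump itself is consistent with the matching setup.cfg hunk.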
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "=== Full requirements.txt content ==="
cat requirements.txt
echo -e "\n=== setup.cfg content (if exists) ==="
if [ -f setup.cfg ]; then cat setup.cfg; else echo "No setup.cfg found"; fi
echo -e "\n=== Direct urllib3 pins/constraints ==="
rg -nP '^\s*urllib3(\s*[<>=!~].*)?$' -g '!**/dist/**' -g '!**/build/**' || echo "No urllib3 constraints found"
echo -e "\n=== Dependencies likely to pull urllib3 ==="
rg -nP '^\s*(requests|botocore|boto3|httpx|aiohttp)\s*[<>=!~]' requirements.txt setup.cfg 2>/dev/null || echo "No matching dependencies"
echo -e "\n=== Lock/constraints files ==="
fd -HI '(^|/)(requirements.*\.txt|constraints.*\.txt|poetry\.lock|Pipfile\.lock)$' 2>/dev/null || echo "No lock files found"
Repository: RedHatInsights/ccx-upgrades-data-eng
Length of output: 1628
🌐 Web query:
urllib3 1.26.20 CVE vulnerabilities
💡 Result:
urllib3==1.26.20 is affected by these known CVEs (because it falls within the listed vulnerable version ranges):
| CVE | What it is | Affected versions (includes 1.26.20) | Fixed in |
|---|---|---|---|
| CVE-2025-50181 | Redirects not actually disabled when configured via PoolManager(retries=...) (can undermine SSRF/redirect protections) | all versions < 2.5.0 | 2.5.0 [2] |
| CVE-2025-66418 | Unbounded number of Content-Encoding decompression steps → resource exhaustion (DoS) | >= 1.24 and < 2.6.0 | 2.6.0 [3] |
| CVE-2025-66471 | Streaming API can massively over-decompress highly compressed data → CPU/RAM exhaustion (DoS) | >= 1.0 and < 2.6.0 | 2.6.0 [4] |
| CVE-2026-21441 | Redirect response bodies can be decompressed/drained in a way that bypasses decompression-bomb safeguards → resource exhaustion (DoS) | >= 1.22 and < 2.6.3 | 2.6.3 [5] |
Notes:
- CVE-2024-37891 does not affect 1.26.20 (it was fixed in 1.26.19; 1.26.20 is newer). [1]
- Practical remediation: upgrade to urllib3>=2.6.3 to address the redirect + decompression issues above. [5]
Sources: GitLab advisory index for urllib3 (shows the CVE set, including 2024-37891/2025/2026 items) [1], and the individual advisories/records for each CVE [2][3][4][5].
References:
[1] https://advisories.gitlab.com/pkg/pypi/urllib3/
[2] https://advisories.gitlab.com/pkg/pypi/urllib3/CVE-2025-50181/
[3] https://advisories.gitlab.com/pkg/pypi/urllib3/CVE-2025-66418/
[4] https://ubuntu.com/security/CVE-2025-66471
[5] https://opencve.ameos.net/cve/CVE-2026-21441
🏁 Script executed:
#!/bin/bash
# Verify that requests and httpx versions support urllib3>=2.6.3
pip index versions requests 2>&1 | head -20
pip index versions httpx 2>&1 | head -20
Repository: RedHatInsights/ccx-upgrades-data-eng
Length of output: 2141
🌐 Web query:
requests 2.32.5 urllib3 compatibility
💡 Result:
requests==2.32.5 declares a dependency of:
urllib3>=1.21.1,<3 → so it is compatible with both urllib3 1.x and urllib3 2.x (but not urllib3 3.x). [1]
Requests added explicit support for urllib3 2.0 starting in Requests 2.30.0, so 2.32.5 is in the “urllib3 2.x supported” line. [2]
Practical pinning examples
- Allow any supported urllib3: `requests==2.32.5` (lets pip pick urllib3<3)
- Force urllib3 2.x: `requests==2.32.5` together with `urllib3>=2,<3`
- Stay on urllib3 1.x: `requests==2.32.5` together with `urllib3<2`
Sources: [1] [2]
Add explicit urllib3 constraint to block vulnerable versions; current proposal requires correction.
urllib3 1.26.20 is vulnerable to 4 CVEs (CVE-2025-50181, CVE-2025-66418, CVE-2025-66471, CVE-2026-21441). The minimum safe version is 2.6.3, not 2.2.2 as originally proposed. Add the constraint to both requirements.txt and setup.cfg (they are currently out of sync).
Corrected fix
fastapi==0.135.1
+urllib3>=2.6.3,<3
fastapi-utils==0.8.0
requests==2.32.5
Also update setup.cfg install_requires:
requests==2.32.5
requests-oauthlib ==2.0.0
+ urllib3>=2.6.3,<3
prometheus_fastapi_instrumentator==7.1.0
🧰 Tools
🪛 OSV Scanner (2.3.3)
[HIGH] 1-1: urllib3 1.26.20: urllib3 streaming API improperly handles highly compressed data
[HIGH] 1-1: urllib3 1.26.20: Decompression-bomb safeguards bypassed when following HTTP redirects (streaming API)
[HIGH] 1-1: urllib3 1.26.20: urllib3 allows an unbounded number of links in the decompression chain
[HIGH] 1-1: urllib3 1.26.20: urllib3 redirects are not disabled when retries are disabled on PoolManager instantiation
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@requirements.txt` at line 1, The requirements currently lack an explicit
urllib3 constraint and setup.cfg is out of sync; add an explicit constraint for
urllib3 with minimum safe version 2.6.3 (e.g., urllib3>=2.6.3) to both
requirements.txt and the install_requires section of setup.cfg so both
dependency sources match and block the vulnerable 1.26.20 and earlier releases;
update both files consistently and re-lock/reinstall dependencies after changing
them.
| python_requires = >=3.6 | ||
| install_requires = | ||
| uvicorn[standard]==0.41.0 | ||
| fastapi==0.135.0 | ||
| fastapi==0.135.1 |
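Review bot: `python_requires = >=3.6` is left untouched while the pinned fastapi moves to 0.135.1, which the PyPI query in this review shows requires Python >= 3.10, so the declared runtime is now looser than the dependency it pins. A Renovate bump that rewrites only the version string will keep reintroducing this mismatch; raise the floor to `python_requires = >=3.10` in the same change, and since python_requires only guards pip's resolution on the installing interpreter, trim any CI matrix that still lists 3.6 to 3.9 (the review text already suggests scanning for such configs).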
🧩 Analysis chain
🌐 Web query:
fastapi 0.135.1 python version requirements PyPI
💡 Result:
FastAPI 0.135.1 on PyPI declares Requires: Python >= 3.10. [1]
Align python_requires with FastAPI 0.135.1's Python 3.10+ requirement.
python_requires = >=3.6 is incompatible with fastapi==0.135.1, which requires Python >= 3.10. This will cause installation failures on unsupported runtimes. Raise the minimum supported Python version to 3.10.
Proposed fix
-python_requires = >=3.6
+python_requires = >=3.10
install_requires =
uvicorn[standard]==0.41.0
fastapi==0.135.1
📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| python_requires = >=3.6 | |
| install_requires = | |
| uvicorn[standard]==0.41.0 | |
| fastapi==0.135.0 | |
| fastapi==0.135.1 | |
| python_requires = >=3.10 | |
| install_requires = | |
| uvicorn[standard]==0.41.0 | |
| fastapi==0.135.1 |
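Review bot: the committable suggestion corrects only `python_requires`; the fastapi pin is now duplicated verbatim between requirements.txt (line 1) and setup.cfg install_requires, and the first review comment on this PR already reports the two sources as out of sync for other packages. Consider making one file the source of truth (for example, reading requirements.txt into install_requires) or adding a CI check that the two lists agree, so the next automated bump cannot drift them apart again.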
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@setup.cfg` around lines 15 - 18, The package currently declares
python_requires = >=3.6 which conflicts with the pinned dependency
fastapi==0.135.1 (requires Python >=3.10); update the python_requires specifier
to require Python >=3.10 (e.g., change python_requires to ">=3.10") so the
declared runtime matches the FastAPI requirement (also scan for any other
metadata or CI configs that mirror the old minimum and update them if present).
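The two review comments above boil down to three mechanical checks: the pins shared by requirements.txt and setup.cfg must agree, a package the scanner flagged (urllib3) needs an explicit floor in both files, and python_requires must not be looser than a pinned dependency's Requires-Python (fastapi 0.135.1 needs Python >= 3.10). The script below is an added example, not code from the PR, CodeRabbit or the repository; its sample files are constructed to resemble the fragments quoted in the review, and it reduces specifiers to their lower bound with the standard library only, which is enough for these checks but is not a full PEP 440 resolver.

```python
"""Consistency audit for a project's dependency declarations (added example).

Checks: shared pins agree between requirements.txt and setup.cfg, a required
floor (urllib3 >= 2.6.3) is present in both, and python_requires is at least
as strict as a dependency's Requires-Python (fastapi 0.135.1 -> >= 3.10).
"""
import configparser
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample inputs modelled on the files quoted in the review;
# they are not the repository's real files.
REQUIREMENTS_TXT = """\
fastapi==0.135.1
fastapi-utils==0.8.0
requests==2.32.5
"""

SETUP_CFG = """\
[options]
python_requires = >=3.6
install_requires =
    uvicorn[standard]==0.41.0
    fastapi==0.135.1
    requests==2.32.5
    requests-oauthlib ==2.0.0
"""

# The same files with the review's proposed fixes applied.
REQUIREMENTS_TXT_FIXED = REQUIREMENTS_TXT.replace(
    "fastapi==0.135.1\n", "fastapi==0.135.1\nurllib3>=2.6.3,<3\n")
SETUP_CFG_FIXED = SETUP_CFG.replace(">=3.6", ">=3.10").replace(
    "    requests==2.32.5\n", "    requests==2.32.5\n    urllib3>=2.6.3,<3\n")

Version = Tuple[int, ...]
_REQ_RE = re.compile(r"^([A-Za-z0-9_.-]+)(\[[^\]]*\])?\s*([<>=!~].*)?$")


def version_tuple(text: str) -> Version:
    """'2.6.3' -> (2, 6, 3); only plain dotted release segments are handled."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_requirements(text: str) -> Dict[str, str]:
    """Map normalised package name -> specifier ('' when unpinned).

    Comments and blank lines are skipped; extras such as [standard] are
    dropped because they do not affect the version constraint.
    """
    pins: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = _REQ_RE.match(line)
        if match is None:
            raise ValueError(f"unparseable requirement line: {line!r}")
        name = match.group(1).lower().replace("_", "-")
        pins[name] = (match.group(3) or "").replace(" ", "")
    return pins


def parse_setup_cfg(text: str) -> Tuple[str, Dict[str, str]]:
    """Return (python_requires, install_requires pins) from the [options] section."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    options = cfg["options"]
    return (options.get("python_requires", "").strip(),
            parse_requirements(options.get("install_requires", "")))


def lower_bound(spec: str) -> Optional[Version]:
    """Smallest version a specifier admits, taken from its >=, == or ~= clause."""
    bounds = []
    for clause in spec.split(","):
        clause = clause.strip()
        if clause[:2] in (">=", "==", "~="):
            bounds.append(version_tuple(clause[2:]))
    return max(bounds) if bounds else None


def has_minimum(pins: Dict[str, str], name: str, minimum: str) -> bool:
    """True if `name` is constrained to at least `minimum` in `pins`."""
    bound = lower_bound(pins.get(name.lower(), ""))
    return bound is not None and bound >= version_tuple(minimum)


def python_floor_ok(declared: str, dependency: str) -> bool:
    """True if our python_requires is no looser than a dependency's Requires-Python.

    Missing lower bounds on either side are reported as a failure rather than
    silently passed, because compatibility cannot be shown without them.
    """
    ours, theirs = lower_bound(declared), lower_bound(dependency)
    return ours is not None and theirs is not None and ours >= theirs


def audit(requirements_txt: str, setup_cfg: str,
          required_minimums: Dict[str, str],
          dependency_python: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means every check passed."""
    findings: List[str] = []
    req = parse_requirements(requirements_txt)
    py_req, cfg = parse_setup_cfg(setup_cfg)
    for name in sorted(set(req) & set(cfg)):          # pins declared in both files
        if req[name] != cfg[name]:
            findings.append(f"{name}: requirements.txt has {req[name]!r} "
                            f"but setup.cfg has {cfg[name]!r}")
    for name, minimum in required_minimums.items():   # explicit security floors
        for label, pins in (("requirements.txt", req), ("setup.cfg", cfg)):
            if not has_minimum(pins, name, minimum):
                findings.append(f"{label}: no constraint keeping {name} >= {minimum}")
    for dep, dep_python in dependency_python.items():  # runtime floor vs dependency
        if not python_floor_ok(py_req, dep_python):
            findings.append(f"setup.cfg: python_requires {py_req!r} is looser "
                            f"than {dep} Requires-Python {dep_python!r}")
    return findings


if __name__ == "__main__":
    checks = ({"urllib3": "2.6.3"}, {"fastapi": ">=3.10"})
    for label, files in (("before", (REQUIREMENTS_TXT, SETUP_CFG)),
                         ("after", (REQUIREMENTS_TXT_FIXED, SETUP_CFG_FIXED))):
        print(f"--- {label} ---")
        for finding in audit(*files, *checks) or ["OK"]:
            print(finding)
```

Run against the "before" files it reports three findings (no urllib3 floor in either file, and python_requires >=3.6 looser than fastapi's >=3.10); against the "after" files it reports none. Wiring `audit` into CI with the real files and the floors from the scanner output is what stops the next automated bump from reintroducing the drift.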
This PR contains the following updates:
==0.135.0 -> ==0.135.1
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
To execute skipped test pipelines write comment /ok-to-test.
Documentation
Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.