Update dependency fastapi to v0.129.2

[red-hat-konflux]

This PR contains the following updates:

Package	Change	Age	Confidence
fastapi (changelog)	==0.129.1 -> ==0.129.2

---

Release Notes

fastapi/fastapi (fastapi)

v0.129.2

Compare Source

Internal

• ⬆️ Upgrade pytest. PR #​14959 by @​tiangolo.
• 👷 Fix CI, do not attempt to publish fastapi-slim. PR #​14958 by @​tiangolo.
• ➖ Drop support for fastapi-slim, no more versions will be released, use only "fastapi[standard]" or fastapi. PR #​14957 by @​tiangolo.
• 🔧 Update pyproject.toml, remove unneeded lines. PR #​14956 by @​tiangolo.

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

---

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

[coderabbitai]

Summary by CodeRabbit

• Chores
  • Updated FastAPI dependency to version 0.129.2.

Walkthrough

FastAPI dependency version bumped from 0.129.1 to 0.129.2 across dependency configuration files. No functional changes, logic modifications, or control flow adjustments introduced.

Changes

Cohort / File(s)	Summary
Dependency Version Update requirements.txt, setup.cfg	FastAPI version bumped from 0.129.1 to 0.129.2 in both requirements and setup configuration files.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The description is largely incomplete; it lacks required sections including Additional Context, Type of change selection, Testing steps, and Checklist completion.	Add missing required sections: select 'Bump-up dependent library' or 'Security fix in dependent library' from Type of change, describe testing steps, and complete the checklist items.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: updating the fastapi dependency version from 0.129.1 to 0.129.2, which is the primary purpose of this PR.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch konflux/mintmaker/main/python-deps

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 86.93%. Comparing base (7c6108b) to head (a96f704).
⚠️ Report is 3 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main      #20   +/-   ##
=======================================
  Coverage   86.93%   86.93%           
=======================================
  Files          10       10           
  Lines         199      199           
  Branches        6        6           
=======================================
  Hits          173      173           
  Misses         25       25           
  Partials        1        1           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

requirements.txt (1)

1-15: ⚠️ Potential issue | 🟠 Major

Address HIGH severity urllib3 vulnerabilities through botocore/Python version management.

Static analysis detected 4 HIGH severity vulnerabilities in urllib3 1.26.20, an indirect dependency introduced via boto3 → botocore:

• Improper handling of highly compressed data (GHSA-2xpw-w6gg-jr37, CVE-2025-66471)
• Decompression-bomb safeguards bypassed with HTTP redirects (GHSA-38jv-5279-wg99, CVE-2026-21441)
• Unbounded decompression chain links (GHSA-gm62-xv2j-4w53, CVE-2025-66418)
• Redirects not disabled when retries are disabled (GHSA-pq67-6m6q-mj2v, CVE-2025-50181)

These are pre-existing issues not introduced by the fastapi update. The vulnerability persists because:

• On Python < 3.10: botocore pins urllib3>=1.25.4,<1.27, locking to the vulnerable 1.26.x line
• On Python ≥ 3.10: botocore allows urllib3>=1.25.4,<3, enabling upgrade to urllib3 2.6.3+ (patched)

Since the project specifies python_requires = >=3.6 without further constraint, it may run on Python 3.9 or below where the vulnerability cannot be easily resolved without upgrading botocore or Python itself. Update botocore, upgrade to Python 3.10+, or both to mitigate.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@requirements.txt` around lines 1 - 15, The project is exposed to
HIGH-severity urllib3 vulnerabilities via boto3→botocore; fix by either (A)
raising the supported Python baseline and declaring python_requires >=3.10 so
botocore can resolve to urllib3 2.x (update packaging config where
python_requires is defined), or (B) explicitly upgrade the AWS libs in
requirements to versions that pull a safe urllib3 (e.g., bump boto3 and botocore
to the minimum versions that allow urllib3>=2.6.3) — update the requirements.txt
entries for boto3 and botocore accordingly and verify a resolved urllib3>=2.6.3
in your dependency lock/install output.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@setup.cfg`:
- Line 18: The dependency line pins an invalid FastAPI release ("fastapi
==0.129.2"); update the setup.cfg dependency to a valid published version (for
example "fastapi ==0.129.0") so installations succeed—locate and edit the
fastapi entry in setup.cfg to replace 0.129.2 with a valid version string.

---

Outside diff comments:
In `@requirements.txt`:
- Around line 1-15: The project is exposed to HIGH-severity urllib3
vulnerabilities via boto3→botocore; fix by either (A) raising the supported
Python baseline and declaring python_requires >=3.10 so botocore can resolve to
urllib3 2.x (update packaging config where python_requires is defined), or (B)
explicitly upgrade the AWS libs in requirements to versions that pull a safe
urllib3 (e.g., bump boto3 and botocore to the minimum versions that allow
urllib3>=2.6.3) — update the requirements.txt entries for boto3 and botocore
accordingly and verify a resolved urllib3>=2.6.3 in your dependency lock/install
output.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

curl -s "https://pypi.org/pypi/fastapi/0.129.2/json" | jq -r '.info | "\(.name) version \(.version) - Released: \(.last_modified)"'

Repository: RedHatInsights/ccx-upgrades-inference

Length of output: 121

---

🌐 Web query:

fastapi 0.129.2 security advisory CVE vulnerability

💡 Result:

I couldn’t find any security advisory/CVE that targets FastAPI “0.129.2”, and that version does not appear to be a published FastAPI release as of Feb 22, 2026 (current listed latest is 0.129.0, released Feb 12, 2026). (data.safetycli.com)

What people often confuse with “FastAPI CVEs”:

• CVE-2021-32677 (GHSA-8h2j-cgx8-6xv7) — a CSRF issue in FastAPI < 0.65.2, fixed in 0.65.2. (github.com)
• CVE-2023-30798 — multipart form DoS risk addressed by upgrading Starlette to 0.25.0 (or FastAPI to 0.92.0, which pulls in the fix). (scout.docker.com)
• CVE-2025-46814 — not FastAPI; it affects fastapi-guard < 2.0.0 (a third-party security middleware) via X-Forwarded-For header injection; fixed in fastapi-guard 2.0.0+. (nvd.nist.gov)

If you tell me what scanner/report flagged “0.129.2” (tool name + output snippet), I can map it to the exact package/CVE it’s referring to (FastAPI vs Starlette vs a FastAPI-adjacent package like fastapi-guard).

Citations:

• 1: https://data.safetycli.com/packages/pypi/fastapi/?utm_source=openai
• 2: GHSA-8h2j-cgx8-6xv7
• 3: https://scout.docker.com/vulnerabilities/id/CVE-2023-30798?utm_source=openai
• 4: https://nvd.nist.gov/vuln/detail/CVE-2025-46814

---

fastapi 0.129.2 does not exist as a published release.

The latest fastapi version is 0.129.0 (released Feb 12, 2026). Specifying fastapi ==0.129.2 will cause installation to fail. Update to a valid version like 0.129.0.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@setup.cfg` at line 18, The dependency line pins an invalid FastAPI release
("fastapi ==0.129.2"); update the setup.cfg dependency to a valid published
version (for example "fastapi ==0.129.0") so installations succeed—locate and
edit the fastapi entry in setup.cfg to replace 0.129.2 with a valid version
string.