fix(deps): update all dependencies #511

Open
renovate[bot] wants to merge 1 commit into main from renovate/all

renovate bot commented Jan 12, 2026

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| actions/checkout | action | patch | v6.0.1 → v6.0.2 |
| certifi | dependencies | minor | 2026.1.4 → 2026.2.25 |
| cgr.dev/chainguard/python | final | digest | 66a97fc → 47fe69a |
| cgr.dev/chainguard/python | stage | digest | 2ea83e2 → ec75fa1 |
| fastapi (changelog) | dependencies | minor | ^0.128.0 → ^0.133.0 |
| github/codeql-action | action | minor | v4.31.9 → v4.32.4 |
| ortelius/workflow-toolkit | action | digest | a111f83 → 7fc4bdd |
| peter-evans/create-pull-request | action | minor | v8.0.0 → v8.1.0 |
| sqlalchemy (changelog) | dependencies | patch | 2.0.45 → 2.0.47 |
| starlette (changelog) | dependencies | minor | ^0.50.0 → ^0.52.0 |
| step-security/harden-runner | action | minor | v2.14.0 → v2.15.0 |
| uvicorn (changelog) | dependencies | minor | ^0.40.0 → ^0.41.0 |

Release Notes

actions/checkout (actions/checkout)

v6.0.2

Compare Source

certifi/python-certifi (certifi)

v2026.2.25

Compare Source

fastapi/fastapi (fastapi)

v0.133.0

Compare Source

v0.132.1

Compare Source

Refactors
Internal

v0.132.0

Compare Source

Breaking Changes
  • 🔒️ Add strict_content_type checking for JSON requests. PR #​14978 by @​tiangolo.
    • Now FastAPI checks, by default, that JSON requests have a Content-Type header with a valid JSON value, like application/json, and rejects requests that don't.
    • If the clients for your app don't send a valid Content-Type header you can disable this with strict_content_type=False.
    • Check the new docs: Strict Content-Type Checking.
Internal

v0.131.0

Compare Source

Breaking Changes

v0.130.0

Compare Source

Features

v0.129.2

Compare Source

Internal

v0.129.1

Compare Source

Fixes
  • ♻️ Fix JSON Schema for bytes, use "contentMediaType": "application/octet-stream" instead of "format": "binary". PR #​14953 by @​tiangolo.
Docs
Translations
Internal

v0.129.0

Compare Source

Breaking Changes
Refactors
Docs
Internal

v0.128.8

Compare Source

Docs
Internal

v0.128.7

Compare Source

Features
Refactors
  • ♻️ Simplify reading files in memory, do it sequentially instead of (fake) parallel. PR #​14884 by @​tiangolo.
Docs
Internal

v0.128.6

Compare Source

Fixes
Translations
Internal

v0.128.5

Compare Source

Refactors
  • ♻️ Refactor and simplify Pydantic v2 (and v1) compatibility internal utils. PR #​14862 by @​tiangolo.
Internal
  • ✅ Add inline snapshot tests for OpenAPI before changes from Pydantic v2. PR #​14864 by @​tiangolo.

v0.128.4

Compare Source

Refactors
  • ♻️ Refactor internals, simplify Pydantic v2/v1 utils, create_model_field, better types for lenient_issubclass. PR #​14860 by @​tiangolo.
  • ♻️ Simplify internals, remove Pydantic v1 only logic, no longer needed. PR #​14857 by @​tiangolo.
  • ♻️ Refactor internals, cleanup unneeded Pydantic v1 specific logic. PR #​14856 by @​tiangolo.
Translations
Internal

v0.128.3

Compare Source

Refactors
  • ♻️ Re-implement on_event in FastAPI for compatibility with the next Starlette, while keeping backwards compatibility. PR #​14851 by @​tiangolo.
Upgrades
  • ⬆️ Upgrade Starlette supported version range to starlette>=0.40.0,<1.0.0. PR #​14853 by @​tiangolo.
Translations
Internal
  • 👷 Run tests with Starlette from git. PR #​14849 by @​tiangolo.
  • 👷 Run tests with lower bound uv sync, upgrade fastapi[all] minimum dependencies: ujson >=5.8.0, orjson >=3.9.3. PR #​14846 by @​tiangolo.

v0.128.2

Compare Source

Features
Fixes
Docs
Translations
Internal

v0.128.1

Compare Source

Features
  • ✨ Add viewport meta tag to improve Swagger UI on mobile devices. PR #​14777 by @​Joab0.
  • 🚸 Improve error message for invalid query parameter type annotations. PR #​14479 by @​retwish.
Fixes
Refactors
Docs
Translations
Internal
github/codeql-action (github/codeql-action)

v4.32.4

Compare Source

  • Update default CodeQL bundle version to 2.24.2. #​3493
  • Added an experimental change which improves how certificates are generated for the authentication proxy that is used by the CodeQL Action in Default Setup when private package registries are configured. This is expected to generate more widely compatible certificates and should have no impact on analyses which are working correctly already. We expect to roll this change out to everyone in February. #​3473
  • When the CodeQL Action is run with debugging enabled in Default Setup and private package registries are configured, the "Setup proxy for registries" step will output additional diagnostic information that can be used for troubleshooting. #​3486
  • Added a setting which allows the CodeQL Action to enable network debugging for Java programs. This will help GitHub staff support customers with troubleshooting issues in GitHub-managed CodeQL workflows, such as Default Setup. This setting can only be enabled by GitHub staff. #​3485
  • Added a setting which enables GitHub-managed workflows, such as Default Setup, to use a nightly CodeQL CLI release instead of the latest, stable release that is used by default. This will help GitHub staff support customers whose analyses for a given repository or organization require early access to a change in an upcoming CodeQL CLI release. This setting can only be enabled by GitHub staff. #​3484

v4.32.3

Compare Source

  • Added experimental support for testing connections to private package registries. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for Default Setup. #​3466

v4.32.2

Compare Source

v4.32.1

Compare Source

  • A warning is now shown in Default Setup workflow logs if a private package registry is configured using a GitHub Personal Access Token (PAT), but no username is configured. #​3422
  • Fixed a bug which caused the CodeQL Action to fail when repository properties cannot successfully be retrieved. #​3421

v4.32.0

Compare Source

v4.31.11

Compare Source

  • When running a Default Setup workflow with Actions debugging enabled, the CodeQL Action will now use more unique names when uploading logs from the Dependabot authentication proxy as workflow artifacts. This ensures that the artifact names do not clash between multiple jobs in a build matrix. #​3409
  • Improved error handling throughout the CodeQL Action. #​3415
  • Added experimental support for automatically excluding generated files from the analysis. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for some GitHub-managed analyses. #​3318
  • The changelog extracts that are included with releases of the CodeQL Action are now shorter to avoid duplicated information from appearing in Dependabot PRs. #​3403

v4.31.10

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

4.31.10 - 12 Jan 2026
  • Update default CodeQL bundle version to 2.23.9. #​3393

See the full CHANGELOG.md for more information.

peter-evans/create-pull-request (peter-evans/create-pull-request)

v8.1.0: Create Pull Request v8.1.0

Compare Source

What's Changed
New Contributors

Full Changelog: peter-evans/create-pull-request@v8.0.0...v8.1.0

Kludex/starlette (starlette)

v0.52.1: Version 0.52.1

Compare Source

What's Changed


Full Changelog: Kludex/starlette@0.52.0...0.52.1

v0.52.0: Version 0.52.0

Compare Source

In this release, State can be accessed using dictionary-style syntax for improved type safety (#​3036).

from collections.abc import AsyncIterator
from contextlib import asynccontextmanager
from typing import TypedDict

import httpx

from starlette.applications import Starlette
from starlette.requests import Request

class State(TypedDict):
    http_client: httpx.AsyncClient

@asynccontextmanager
async def lifespan(app: Starlette) -> AsyncIterator[State]:
    async with httpx.AsyncClient() as client:
        yield {"http_client": client}

async def homepage(request: Request[State]):
    client = request.state["http_client"]
    # If you run the below line with mypy or pyright, it will reveal the correct type.
    reveal_type(client)  # Revealed type is 'httpx.AsyncClient'

See Accessing State for more details.


Full Changelog: Kludex/starlette@0.51.0...0.52.0

v0.51.0: Version 0.51.0

Compare Source

Added

  • Add allow_private_network in CORSMiddleware #​3065.

Changed

  • Increase warning stacklevel on DeprecationWarning for wsgi module #​3082.

New Contributors

Full Changelog: Kludex/starlette@0.50.0...0.51.0

step-security/harden-runner (step-security/harden-runner)

v2.15.0

Compare Source

What's Changed

Windows and macOS runner support

We are excited to announce that Harden Runner now supports Windows and macOS runners, extending runtime security beyond Linux for the first time.

Insights for Windows and macOS runners will be displayed in the same consistent format you are already familiar with from Linux runners, giving you a unified view of runtime activity across all platforms.

Full Changelog: step-security/harden-runner@v2.14.2...v2.15.0

v2.14.2

Compare Source

What's Changed

Security fix: Fixed a medium severity vulnerability where outbound network connections using sendto, sendmsg, and sendmmsg socket system calls could bypass audit logging when using egress-policy: audit. This issue only affects the Community Tier in audit mode; block mode and Enterprise Tier were not affected. See GHSA-cpmj-h4f6-r6pq for details.

Full Changelog: step-security/harden-runner@v2.14.1...v2.14.2

v2.14.1

Compare Source

What's Changed

  1. In some self-hosted environments, the agent could briefly fall back to public DNS resolvers during startup if the system DNS was not yet available. This behavior was unintended for GitHub-hosted runners and has now been fixed to prevent any use of public DNS resolvers.

  2. Fixed npm audit vulnerabilities

Full Changelog: step-security/harden-runner@v2.14.0...v2.14.1

Kludex/uvicorn (uvicorn)

v0.41.0: Version 0.41.0

Compare Source

Added

  • Add --limit-max-requests-jitter to stagger worker restarts (#​2707)
  • Add socket path to scope["server"] (#​2561)

Changed

  • Rename LifespanOn.error_occured to error_occurred (#​2776)

Fixed

  • Ignore permission denied errors in watchfiles reloader (#​2817)
  • Ensure lifespan shutdown runs when should_exit is set during startup (#​2812)
  • Reduce the log level of 'request limit exceeded' messages (#​2788)

New Contributors


Full Changelog: Kludex/uvicorn@0.40.0...0.41.0


Configuration

📅 Schedule: Branch creation - "every 1 hours every weekday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate bot force-pushed the renovate/all branch 8 times, most recently from 1583e6a to 79034c3 (January 18, 2026 12:28)
renovate bot force-pushed the renovate/all branch 13 times, most recently from fa8c30d to 9242af8 (January 27, 2026 22:37)
renovate bot force-pushed the renovate/all branch 5 times, most recently from 91cd86e to 90dda79 (February 3, 2026 01:53)
renovate bot force-pushed the renovate/all branch 4 times, most recently from bad4e42 to 361778c (February 6, 2026 01:26)
renovate bot force-pushed the renovate/all branch 13 times, most recently from 8e66f12 to 23f0b2e (February 14, 2026 00:45)
renovate bot force-pushed the renovate/all branch 9 times, most recently from 8b58d2b to 94d6311 (February 23, 2026 13:47)
renovate bot force-pushed the renovate/all branch 6 times, most recently from a0b0e7a to f6d2e00 (February 25, 2026 00:46)