fix(deps): update all dependencies

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Age	Confidence
actions/checkout	action	patch	v6.0.1 → v6.0.2
certifi	dependencies	minor	2026.1.4 → 2026.2.25
cgr.dev/chainguard/python	final	digest	66a97fc → 47fe69a
cgr.dev/chainguard/python	stage	digest	2ea83e2 → ec75fa1
fastapi (changelog)	dependencies	minor	^0.128.0 → ^0.133.0
github/codeql-action	action	minor	v4.31.9 → v4.32.4
ortelius/workflow-toolkit	action	digest	a111f83 → 7fc4bdd
peter-evans/create-pull-request	action	minor	v8.0.0 → v8.1.0
sqlalchemy (changelog)	dependencies	patch	2.0.45 → 2.0.47
starlette (changelog)	dependencies	minor	^0.50.0 → ^0.52.0
step-security/harden-runner	action	minor	v2.14.0 → v2.15.0
uvicorn (changelog)	dependencies	minor	^0.40.0 → ^0.41.0

---

Release Notes

actions/checkout (actions/checkout)

v6.0.2

Compare Source

• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in #​2356

certifi/python-certifi (certifi)

v2026.2.25

Compare Source

fastapi/fastapi (fastapi)

v0.133.0

Compare Source

v0.132.1

Compare Source

Refactors

• ♻️ Refactor logic to handle OpenAPI and Swagger UI escaping data. PR #​14986 by @​tiangolo.

Internal

• 👥 Update FastAPI People - Experts. PR #​14972 by @​tiangolo.
• 👷 Allow skipping benchmark job in test workflow. PR #​14974 by @​YuriiMotov.

v0.132.0

Compare Source

Breaking Changes

• 🔒️ Add strict_content_type checking for JSON requests. PR #​14978 by @​tiangolo.
  • Now FastAPI checks, by default, that JSON requests have a Content-Type header with a valid JSON value, like application/json, and rejects requests that don't.
  • If the clients for your app don't send a valid Content-Type header you can disable this with strict_content_type=False.
  • Check the new docs: Strict Content-Type Checking.

Internal

• ⬆ Bump flask from 3.1.2 to 3.1.3. PR #​14949 by @​dependabot[bot].
• ⬆ Update all dependencies to use griffelib instead of griffe. PR #​14973 by @​svlandeg.
• 🔨 Fix FastAPI People workflow. PR #​14951 by @​YuriiMotov.
• 👷 Do not run codspeed with coverage as it's not tracked. PR #​14966 by @​tiangolo.
• 👷 Do not include benchmark tests in coverage to speed up coverage processing. PR #​14965 by @​tiangolo.

v0.131.0

Compare Source

Breaking Changes

• 🗑️ Deprecate ORJSONResponse and UJSONResponse. PR #​14964 by @​tiangolo.

v0.130.0

Compare Source

Features

• ✨ Serialize JSON response with Pydantic (in Rust), when there's a Pydantic return type or response model. PR #​14962 by @​tiangolo.
  • This results in 2x (or more) performance increase for JSON responses.
  • New docs: Custom Response - JSON Performance.

v0.129.2

Compare Source

Internal

• ⬆️ Upgrade pytest. PR #​14959 by @​tiangolo.
• 👷 Fix CI, do not attempt to publish fastapi-slim. PR #​14958 by @​tiangolo.
• ➖ Drop support for fastapi-slim, no more versions will be released, use only "fastapi[standard]" or fastapi. PR #​14957 by @​tiangolo.
• 🔧 Update pyproject.toml, remove unneeded lines. PR #​14956 by @​tiangolo.

v0.129.1

Compare Source

Fixes

• ♻️ Fix JSON Schema for bytes, use "contentMediaType": "application/octet-stream" instead of "format": "binary". PR #​14953 by @​tiangolo.

Docs

• 🔨 Add Kapa.ai widget (AI chatbot). PR #​14938 by @​tiangolo.
• 🔥 Remove Python 3.9 specific files, no longer needed after updating translations. PR #​14931 by @​tiangolo.
• 📝 Update docs for JWT to prevent timing attacks. PR #​14908 by @​tiangolo.

Translations

• ✏️ Fix several typos in ru translations. PR #​14934 by @​argoarsiks.
• 🌐 Update translations for ko (update-all and add-missing). PR #​14923 by @​YuriiMotov.
• 🌐 Update translations for uk (add-missing). PR #​14922 by @​YuriiMotov.
• 🌐 Update translations for zh-hant (update-all and add-missing). PR #​14921 by @​YuriiMotov.
• 🌐 Update translations for fr (update-all and add-missing). PR #​14920 by @​YuriiMotov.
• 🌐 Update translations for de (update-all) . PR #​14910 by @​YuriiMotov.
• 🌐 Update translations for ja (update-all). PR #​14916 by @​YuriiMotov.
• 🌐 Update translations for pt (update-all). PR #​14912 by @​YuriiMotov.
• 🌐 Update translations for es (update-all and add-missing). PR #​14911 by @​YuriiMotov.
• 🌐 Update translations for zh (update-all). PR #​14917 by @​YuriiMotov.
• 🌐 Update translations for uk (update-all). PR #​14914 by @​YuriiMotov.
• 🌐 Update translations for tr (update-all). PR #​14913 by @​YuriiMotov.
• 🌐 Update translations for ru (update-outdated). PR #​14909 by @​YuriiMotov.

Internal

• 👷 Always run tests on push to master branch and when run by scheduler. PR #​14940 by @​YuriiMotov.
• 🎨 Upgrade typing syntax for Python 3.10. PR #​14932 by @​tiangolo.
• ⬆ Bump cryptography from 46.0.4 to 46.0.5. PR #​14892 by @​dependabot[bot].
• ⬆ Bump pillow from 12.1.0 to 12.1.1. PR #​14899 by @​dependabot[bot].

v0.129.0

Compare Source

Breaking Changes

• ➖ Drop support for Python 3.9. PR #​14897 by @​tiangolo.

Refactors

• 🎨 Update internal types for Python 3.10. PR #​14898 by @​tiangolo.

Docs

• 📝 Update highlights in webhooks docs. PR #​14905 by @​tiangolo.
• 📝 Update source examples and docs from Python 3.9 to 3.10. PR #​14900 by @​tiangolo.

Internal

• 🔨 Update docs.py scripts to migrate Python 3.9 to Python 3.10. PR #​14906 by @​tiangolo.

v0.128.8

Compare Source

Docs

• 📝 Fix grammar in docs/en/docs/tutorial/first-steps.md. PR #​14708 by @​SanjanaS10.

Internal

• 🔨 Tweak PDM hook script. PR #​14895 by @​tiangolo.
• ♻️ Update build setup for fastapi-slim, deprecate it, and make it only depend on fastapi. PR #​14894 by @​tiangolo.

v0.128.7

Compare Source

Features

• ✨ Show a clear error on attempt to include router into itself. PR #​14258 by @​JavierSanchezCastro.
• ✨ Replace dict by Mapping on HTTPException.headers. PR #​12997 by @​rijenkii.

Refactors

• ♻️ Simplify reading files in memory, do it sequentially instead of (fake) parallel. PR #​14884 by @​tiangolo.

Docs

• 📝 Use dfn tag for definitions instead of abbr in docs. PR #​14744 by @​YuriiMotov.

Internal

• ✅ Tweak comment in test to reference PR. PR #​14885 by @​tiangolo.
• 🔧 Update LLM-prompt for abbr and dfn tags. PR #​14747 by @​YuriiMotov.
• ✅ Test order for the submitted byte Files. PR #​14828 by @​valentinDruzhinin.
• 🔧 Configure test workflow to run tests with inline-snapshot=review. PR #​14876 by @​YuriiMotov.

v0.128.6

Compare Source

Fixes

• 🐛 Fix on_startup and on_shutdown parameters of APIRouter. PR #​14873 by @​YuriiMotov.

Translations

• 🌐 Update translations for zh (update-outdated). PR #​14843 by @​tiangolo.

Internal

• ✅ Fix parameterized tests with snapshots. PR #​14875 by @​YuriiMotov.

v0.128.5

Compare Source

Refactors

• ♻️ Refactor and simplify Pydantic v2 (and v1) compatibility internal utils. PR #​14862 by @​tiangolo.

Internal

• ✅ Add inline snapshot tests for OpenAPI before changes from Pydantic v2. PR #​14864 by @​tiangolo.

v0.128.4

Compare Source

Refactors

• ♻️ Refactor internals, simplify Pydantic v2/v1 utils, create_model_field, better types for lenient_issubclass. PR #​14860 by @​tiangolo.
• ♻️ Simplify internals, remove Pydantic v1 only logic, no longer needed. PR #​14857 by @​tiangolo.
• ♻️ Refactor internals, cleanup unneeded Pydantic v1 specific logic. PR #​14856 by @​tiangolo.

Translations

• 🌐 Update translations for fr (outdated pages). PR #​14839 by @​YuriiMotov.
• 🌐 Update translations for tr (outdated and missing). PR #​14838 by @​YuriiMotov.

Internal

• ⬆️ Upgrade development dependencies. PR #​14854 by @​tiangolo.

v0.128.3

Compare Source

Refactors

• ♻️ Re-implement on_event in FastAPI for compatibility with the next Starlette, while keeping backwards compatibility. PR #​14851 by @​tiangolo.

Upgrades

• ⬆️ Upgrade Starlette supported version range to starlette>=0.40.0,<1.0.0. PR #​14853 by @​tiangolo.

Translations

• 🌐 Update translations for ru (update-outdated). PR #​14834 by @​tiangolo.

Internal

• 👷 Run tests with Starlette from git. PR #​14849 by @​tiangolo.
• 👷 Run tests with lower bound uv sync, upgrade fastapi[all] minimum dependencies: ujson >=5.8.0, orjson >=3.9.3. PR #​14846 by @​tiangolo.

v0.128.2

Compare Source

Features

• ✨ Add support for PEP695 TypeAliasType. PR #​13920 by @​cstruct.
• ✨ Allow Response type hint as dependency annotation. PR #​14794 by @​jonathan-fulton.

Fixes

• 🐛 Fix using Json[list[str]] type (issue #​10997). PR #​14616 by @​mkanetsuna.

Docs

• 📝 Update docs for translations. PR #​14830 by @​tiangolo.
• 📝 Fix duplicate word in advanced-dependencies.md. PR #​14815 by @​Rayyan-Oumlil.

Translations

• 🌐 Enable Traditional Chinese translations. PR #​14842 by @​tiangolo.
• 🌐 Enable French docs translations. PR #​14841 by @​tiangolo.
• 🌐 Update translations for fr (translate-page). PR #​14837 by @​tiangolo.
• 🌐 Update translations for de (update-outdated). PR #​14836 by @​tiangolo.
• 🌐 Update translations for pt (update-outdated). PR #​14833 by @​tiangolo.
• 🌐 Update translations for ko (update-outdated). PR #​14835 by @​tiangolo.
• 🌐 Update translations for es (update-outdated). PR #​14832 by @​tiangolo.
• 🌐 Update translations for tr (update-outdated). PR #​14831 by @​tiangolo.
• 🌐 Update translations for tr (add-missing). PR #​14790 by @​tiangolo.
• 🌐 Update translations for fr (update-outdated). PR #​14826 by @​tiangolo.
• 🌐 Update translations for zh-hant (update-outdated). PR #​14825 by @​tiangolo.
• 🌐 Update translations for uk (update-outdated). PR #​14822 by @​tiangolo.
• 🔨 Update docs and translations scripts, enable Turkish. PR #​14824 by @​tiangolo.

Internal

• 🔨 Add max pages to translate to configs. PR #​14840 by @​tiangolo.

v0.128.1

Compare Source

Features

• ✨ Add viewport meta tag to improve Swagger UI on mobile devices. PR #​14777 by @​Joab0.
• 🚸 Improve error message for invalid query parameter type annotations. PR #​14479 by @​retwish.

Fixes

• 🐛 Update ValidationError schema to include input and ctx. PR #​14791 by @​jonathan-fulton.
• 🐛 Fix TYPE_CHECKING annotations for Python 3.14 (PEP 649). PR #​14789 by @​mgu.
• 🐛 Strip whitespaces from Authorization header credentials. PR #​14786 by @​WaveTheory1.
• 🐛 Fix OpenAPI duplication of anyOf refs for app-level responses with specified content and model as Union. PR #​14463 by @​DJMcoder.

Refactors

• 🎨 Tweak types for mypy. PR #​14816 by @​tiangolo.
• 🏷️ Re-export IncEx type from Pydantic instead of duplicating it. PR #​14641 by @​mvanderlee.
• 💡 Update comment for Pydantic internals. PR #​14814 by @​tiangolo.

Docs

• 📝 Update docs for contributing translations, simplify title. PR #​14817 by @​tiangolo.
• 📝 Fix typing issue in docs_src/app_testing/app_b code example. PR #​14573 by @​timakaa.
• 📝 Fix example of license identifier in documentation. PR #​14492 by @​johnson-earls.
• 📝 Add banner to translated pages. PR #​14809 by @​YuriiMotov.
• 📝 Add links to related sections of docs to docstrings. PR #​14776 by @​YuriiMotov.
• 📝 Update embedded code examples to Python 3.10 syntax. PR #​14758 by @​YuriiMotov.
• 📝 Fix dependency installation command in docs/en/docs/contributing.md. PR #​14757 by @​YuriiMotov.
• 📝 Use return type annotation instead of response_model when possible. PR #​14753 by @​YuriiMotov.
• 📝 Use WSGIMiddleware from a2wsgi instead of deprecated fastapi.middleware.wsgi.WSGIMiddleware. PR #​14756 by @​YuriiMotov.
• 📝 Fix minor typos in release notes. PR #​14780 by @​whyvineet.
• 🐛 Fix copy button in custom.js. PR #​14722 by @​fcharrier.
• 📝 Add contribution instructions about LLM generated code and comments and automated tools for PRs. PR #​14706 by @​tiangolo.
• 📝 Update docs for management tasks. PR #​14705 by @​tiangolo.
• 📝 Update docs about managing translations. PR #​14704 by @​tiangolo.
• 📝 Update docs for contributing with translations. PR #​14701 by @​tiangolo.
• 📝 Specify language code for code block. PR #​14656 by @​YuriiMotov.

Translations

• 🌐 Improve LLM prompt of uk documentation. PR #​14795 by @​roli2py.
• 🌐 Update translations for ja (update-outdated). PR #​14588 by @​tiangolo.
• 🌐 Update translations for uk (update outdated, found by fixer tool). PR #​14739 by @​YuriiMotov.
• 🌐 Update translations for tr (update-outdated). PR #​14745 by @​tiangolo.
• 🌐 Update llm-prompt.md for Korean language. PR #​14763 by @​seuthootDev.
• 🌐 Update translations for ko (update outdated, found by fixer tool). PR #​14738 by @​YuriiMotov.
• 🌐 Update translations for de (update-outdated). PR #​14690 by @​tiangolo.
• 🌐 Update LLM prompt for Russian translations. PR #​14733 by @​YuriiMotov.
• 🌐 Update translations for ru (update-outdated). PR #​14693 by @​tiangolo.
• 🌐 Update translations for pt (update-outdated). PR #​14724 by @​tiangolo.
• 🌐 Update Korean LLM prompt. PR #​14740 by @​hard-coders.
• 🌐 Improve LLM prompt for Turkish translations. PR #​14728 by @​Kadermiyanyedi.
• 🌐 Update portuguese llm-prompt.md. PR #​14702 by @​ceb10n.
• 🌐 Update LLM prompt instructions file for French. PR #​14618 by @​tiangolo.
• 🌐 Update translations for ko (add-missing). PR #​14699 by @​tiangolo.
• 🌐 Update translations for ko (update-outdated). PR #​14589 by @​tiangolo.
• 🌐 Update translations for uk (update-outdated). PR #​14587 by @​tiangolo.
• 🌐 Update translations for es (update-outdated). PR #​14686 by @​tiangolo.
• 🔧 Add LLM prompt file for Turkish, generated from the existing translations. PR #​14547 by @​tiangolo.
• 🔧 Add LLM prompt file for Traditional Chinese, generated from the existing translations. PR #​14550 by @​tiangolo.
• 🔧 Add LLM prompt file for Simplified Chinese, generated from the existing translations. PR #​14549 by @​tiangolo.

Internal

• ⬇️ Downgrade LLM translations model to GPT-5 to reduce mistakes. PR #​14823 by @​tiangolo.
• 🐛 Fix translation script commit in place. PR #​14818 by @​tiangolo.
• 🔨 Update translation script to retry if LLM-response doesn't pass validation with Translation Fixer tool. PR #​14749 by @​YuriiMotov.
• 👷 Run tests only on relevant code changes (not on docs). PR #​14813 by @​tiangolo.
• 👷 Run mypy by pre-commit. PR #​14806 by @​YuriiMotov.
• ⬆ Bump ruff from 0.14.3 to 0.14.14. PR #​14798 by @​dependabot[bot].
• ⬆ Bump pyasn1 from 0.6.1 to 0.6.2. PR #​14804 by @​dependabot[bot].
• ⬆ Bump sqlmodel from 0.0.27 to 0.0.31. PR #​14802 by @​dependabot[bot].
• ⬆ Bump mkdocs-macros-plugin from 1.4.1 to 1.5.0. PR #​14801 by @​dependabot[bot].
• ⬆ Bump gitpython from 3.1.45 to 3.1.46. PR #​14800 by @​dependabot[bot].
• ⬆ Bump typer from 0.16.0 to 0.21.1. PR #​14799 by @​dependabot[bot].
• 👥 Update FastAPI GitHub topic repositories. PR #​14803 by @​tiangolo.
• 👥 Update FastAPI People - Contributors and Translators. PR #​14796 by @​tiangolo.
• 🔧 Ensure that an edit to uv.lock gets the internal label. PR #​14759 by @​svlandeg.
• 🔧 Update sponsors: remove Requestly. PR #​14735 by @​tiangolo.
• 🔧 Update sponsors, LambdaTest changes to TestMu AI. PR #​14734 by @​tiangolo.
• ⬆ Bump actions/cache from 4 to 5. PR #​14511 by @​dependabot[bot].
• ⬆ Bump actions/upload-artifact from 5 to 6. PR #​14525 by @​dependabot[bot].
• ⬆ Bump actions/download-artifact from 6 to 7. PR #​14526 by @​dependabot[bot].
• 👷 Tweak CI input names. PR #​14688 by @​tiangolo.
• 🔨 Refactor translation script to allow committing in place. PR #​14687 by @​tiangolo.
• 🐛 Fix translation script path. PR #​14685 by @​tiangolo.
• ✅ Enable tests in CI for scripts. PR #​14684 by @​tiangolo.
• 🔧 Add pre-commit local script to fix language translations. PR #​14683 by @​tiangolo.
• ⬆️ Migrate to uv. PR #​14676 by @​DoctorJohn.
• 🔨 Add LLM translations tool fixer. PR #​14652 by @​YuriiMotov.
• 👥 Update FastAPI People - Sponsors. PR #​14626 by @​tiangolo.
• 👥 Update FastAPI GitHub topic repositories. PR #​14630 by @​tiangolo.
• 👥 Update FastAPI People - Contributors and Translators. PR #​14625 by @​tiangolo.
• 🌐 Update translation prompts. PR #​14619 by @​tiangolo.
• 🔨 Update LLM translation script to guide reviewers to change the prompt. PR #​14614 by @​tiangolo.
• 👷 Do not run translations on cron while finishing updating existing languages. PR #​14613 by @​tiangolo.
• 🔥 Remove test variants for Pydantic v1 in test_request_params. PR #​14612 by @​tiangolo.
• 🔥 Remove Pydantic v1 specific test variants. PR #​14611 by @​tiangolo.

github/codeql-action (github/codeql-action)

v4.32.4

Compare Source

• Update default CodeQL bundle version to 2.24.2. #​3493
• Added an experimental change which improves how certificates are generated for the authentication proxy that is used by the CodeQL Action in Default Setup when private package registries are configured. This is expected to generate more widely compatible certificates and should have no impact on analyses which are working correctly already. We expect to roll this change out to everyone in February. #​3473
• When the CodeQL Action is run with debugging enabled in Default Setup and private package registries are configured, the "Setup proxy for registries" step will output additional diagnostic information that can be used for troubleshooting. #​3486
• Added a setting which allows the CodeQL Action to enable network debugging for Java programs. This will help GitHub staff support customers with troubleshooting issues in GitHub-managed CodeQL workflows, such as Default Setup. This setting can only be enabled by GitHub staff. #​3485
• Added a setting which enables GitHub-managed workflows, such as Default Setup, to use a nightly CodeQL CLI release instead of the latest, stable release that is used by default. This will help GitHub staff support customers whose analyses for a given repository or organization require early access to a change in an upcoming CodeQL CLI release. This setting can only be enabled by GitHub staff. #​3484

v4.32.3

Compare Source

• Added experimental support for testing connections to private package registries. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for Default Setup. #​3466

v4.32.2

Compare Source

v4.32.1

Compare Source

• A warning is now shown in Default Setup workflow logs if a private package registry is configured using a GitHub Personal Access Token (PAT), but no username is configured. #​3422
• Fixed a bug which caused the CodeQL Action to fail when repository properties cannot successfully be retrieved. #​3421

v4.32.0

Compare Source

• Update default CodeQL bundle version to 2.24.0. #​3425

v4.31.11

Compare Source

• When running a Default Setup workflow with Actions debugging enabled, the CodeQL Action will now use more unique names when uploading logs from the Dependabot authentication proxy as workflow artifacts. This ensures that the artifact names do not clash between multiple jobs in a build matrix. #​3409
• Improved error handling throughout the CodeQL Action. #​3415
• Added experimental support for automatically excluding generated files from the analysis. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for some GitHub-managed analyses. #​3318
• The changelog extracts that are included with releases of the CodeQL Action are now shorter to avoid duplicated information from appearing in Dependabot PRs. #​3403

v4.31.10

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

4.31.10 - 12 Jan 2026

• Update default CodeQL bundle version to 2.23.9. #​3393

See the full CHANGELOG.md for more information.

peter-evans/create-pull-request (peter-evans/create-pull-request)

v8.1.0: Create Pull Request v8.1.0

Compare Source

What's Changed

• README.md: bump given GitHub actions to their latest versions by @​deining in #​4265
• build(deps): bump the github-actions group with 2 updates by @​dependabot[bot] in #​4273
• build(deps-dev): bump the npm group with 2 updates by @​dependabot[bot] in #​4274
• build(deps-dev): bump undici from 6.22.0 to 6.23.0 by @​dependabot[bot] in #​4284
• Update distribution by @​actions-bot in #​4289
• fix: Handle remote prune failures gracefully on self-hosted runners by @​peter-evans in #​4295
• feat: add @​octokit/plugin-retry to handle retriable server errors by @​peter-evans in #​4298

New Contributors

• @​deining made their first contribution in #​4265

Full Changelog: peter-evans/create-pull-request@v8.0.0...v8.1.0

Kludex/starlette (starlette)

v0.52.1: Version 0.52.1

Compare Source

What's Changed

• Only use typing_extensions in older Python versions by @​Kludex in #​3109

---

Full Changelog: Kludex/starlette@0.52.0...0.52.1

v0.52.0: Version 0.52.0

Compare Source

In this release, State can be accessed using dictionary-style syntax for improved type safety (#​3036).

from collections.abc import AsyncIterator
from contextlib import asynccontextmanager
from typing import TypedDict

import httpx

from starlette.applications import Starlette
from starlette.requests import Request

class State(TypedDict):
    http_client: httpx.AsyncClient

@​asynccontextmanager
async def lifespan(app: Starlette) -> AsyncIterator[State]:
    async with httpx.AsyncClient() as client:
        yield {"http_client": client}

async def homepage(request: Request[State]):
    client = request.state["http_client"]
    # If you run the below line with mypy or pyright, it will reveal the correct type.
    reveal_type(client)  # Revealed type is 'httpx.AsyncClient'

See Accessing State for more details.

---

Full Changelog: Kludex/starlette@0.51.0...0.52.0

v0.51.0: Version 0.51.0

Compare Source

Added

• Add allow_private_network in CORSMiddleware #​3065.

Changed

• Increase warning stacklevel on DeprecationWarning for wsgi module #​3082.

---

New Contributors

• @​santibreo made their first contribution in #​3082
• @​iddqd888 made their first contribution in #​3083

Full Changelog: Kludex/starlette@0.50.0...0.51.0

step-security/harden-runner (step-security/harden-runner)

v2.15.0

Compare Source

What's Changed

Windows and macOS runner support

We are excited to announce that Harden Runner now supports Windows and macOS runners, extending runtime security beyond Linux for the first time.

Insights for Windows and macOS runners will be displayed in the same consistent format you are already familiar with from Linux runners, giving you a unified view of runtime activity across all platforms.

Full Changelog: step-security/harden-runner@v2.14.2...v2.15.0

v2.14.2

Compare Source

What's Changed

Security fix: Fixed a medium severity vulnerability where outbound network connections using sendto, sendmsg, and sendmmsg socket system calls could bypass audit logging when using egress-policy: audit. This issue only affects the Community Tier in audit mode; block mode and Enterprise Tier were not affected. See GHSA-cpmj-h4f6-r6pq for details.

Full Changelog: step-security/harden-runner@v2.14.1...v2.14.2

v2.14.1

Compare Source

What's Changed

1. In some self-hosted environments, the agent could briefly fall back to public DNS resolvers during startup if the system DNS was not yet available. This behavior was unintended for GitHub-hosted runners and has now been fixed to prevent any use of public DNS resolvers.

2. Fixed npm audit vulnerabilities

Full Changelog: step-security/harden-runner@v2.14.0...v2.14.1

Kludex/uvicorn (uvicorn)

v0.41.0: Version 0.41.0

Compare Source

Added

• Add --limit-max-requests-jitter to stagger worker restarts (#​2707)
• Add socket path to scope["server"] (#​2561)

Changed

• Rename LifespanOn.error_occured to error_occurred (#​2776)

Fixed

• Ignore permission denied errors in watchfiles reloader (#​2817)
• Ensure lifespan shutdown runs when should_exit is set during startup (#​2812)
• Reduce the log level of 'request limit exceeded' messages (#​2788)

---

New Contributors

• @​t-kawasumi made their first contribution in #​2776
• @​fardyn made their first contribution in #​2800
• @​ewie made their first contribution in #​2807
• @​shevron made their first contribution in #​2788
• @​jonashaag made their first contribution in #​2707

---

Full Changelog: Kludex/uvicorn@0.40.0...0.41.0

---

Configuration

📅 Schedule: Branch creation - "every 1 hours every weekday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.