fix: bump fastapi and uvicorn to patch security vulnerabilities (#278) #308
meruedoro wants to merge 1 commit into tbrandenburg:main from
Conversation
Pull request overview
This PR updates the Python backend dependency constraints to address known security vulnerabilities by moving FastAPI and Uvicorn from hard pins to minimum-version floors, and regenerating the uv.lock accordingly.
Changes:
- Relax `fastapi` from `==0.111.0` to `>=0.115.0`.
- Relax `uvicorn` from `==0.29.0` to `>=0.30.0`.
- Regenerate `packages/pybackend/uv.lock` to resolve newer patched transitive dependencies (notably Starlette).
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| packages/pybackend/pyproject.toml | Switches FastAPI/Uvicorn constraints from exact pins to minimum floors for security patch uptake. |
| packages/pybackend/uv.lock | Lockfile regeneration reflecting the new resolution set (FastAPI/Starlette/Uvicorn and transitive changes). |
packages/pybackend/pyproject.toml
Outdated
| "fastapi>=0.115.0", | ||
| "python-frontmatter==1.0.0", | ||
| "uvicorn==0.29.0", | ||
| "uvicorn>=0.30.0", |
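Review bot: the new `fastapi>=0.115.0` and `uvicorn>=0.30.0` specifiers have no upper bound, so the next `uv lock --upgrade` can pull in a breaking major release along with the security patches; consider pairing each floor with a ceiling (for example `fastapi>=0.115.0,<1`) and relying on `uv.lock` for the exact resolved versions. Note also that the floor only changes what the resolver may choose when the lock is regenerated; `uv sync` on an unchanged `uv.lock` keeps whatever was locked, so the lockfile regeneration in this PR is the part that actually removes starlette 0.37.2.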
Good catch — updated to uvicorn[standard]>=0.30.0 in 52b2c0c. The lockfile now includes websockets, httptools, watchfiles, python-dotenv, and uvloop as expected.
…ndenburg#278)
- fastapi: ==0.111.0 -> >=0.115.0 (resolves to 0.135.1)
- uvicorn: ==0.29.0 -> uvicorn[standard]>=0.30.0 (resolves to 0.42.0)
- starlette: 0.37.2 -> 0.52.1 (fixes CVE-2024-47874, CVSS 8.7)

Hard version pins forced vulnerable transitive dependencies. Switching to minimum-version floors lets the resolver pick the latest compatible (and patched) releases. Added uvicorn[standard] extras to retain websockets/wsproto support needed by the backend's WebSocket endpoints. Regenerated uv.lock accordingly.
b54b18a to 52b2c0c
Summary
Fixes #278 — resolves 33 known CVEs in Python dependencies by bumping hard-pinned versions to minimum-version floors.
Root Cause
`pyproject.toml` hard-pinned `fastapi==0.111.0` and `uvicorn==0.29.0`, which forced the resolver to pull in vulnerable transitive dependencies — most critically starlette 0.37.2 (CVE-2024-47874, CVSS 8.7 HIGH: DoS via multipart/form-data parsing).
Changes
| File | Change |
|---|---|
| packages/pybackend/pyproject.toml | `fastapi==0.111.0` → `fastapi>=0.115.0` |
| packages/pybackend/pyproject.toml | `uvicorn==0.29.0` → `uvicorn>=0.30.0` |
| packages/pybackend/uv.lock | Regenerated |
Key CVE Addressed
Why minimum floors instead of exact pins
Switching from `==` to `>=` lets the resolver pick the latest compatible release while guaranteeing a minimum patched version. This avoids re-creating the same problem when new patches are released upstream.
Testing
- `uv sync` resolves cleanly (34 packages, 32 audited)
- tests/unit/, excluding `test_api.py` which requires Linux-only `fcntl`)