chore(deps): bundle Dependabot bumps + clear pydantic-settings CVE, cut v0.19.5 #111
Merged
…ut v0.19.5

Bundles the six open Dependabot PRs (#105–#110). All six were failing the CI `security` gate on the same stale lock pin: pydantic-settings==2.14.1 (GHSA-4xgf-cpjx-pc3j, fixed in 2.14.2). The gate audits requirements.lock, which Dependabot never regenerates, so every PR was blocked by a CVE most of them don't touch. Regenerating the lockfile clears it.

- fastapi >=0.136.3 → >=0.138.0 (#107)
- slowapi >=0.1.9 → >=0.1.10 (#108)
- pydantic-settings >=2.14.1 → >=2.14.2 (#110)
- ruff >=0.15.17 → >=0.15.19 (#106, dev)
- pytest >=9.1.0 → >=9.1.1 (#109, dev)
- actions/checkout v6 → v7 (#105, CI)

Lockfile regen also floated anyio, click, fastapi, wrapt transitives.

pip-audit -r requirements.lock: no known vulnerabilities. 222 tests pass.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Bundles the six open Dependabot PRs and cuts v0.19.5.

Why bundle

All six open Dependabot PRs (#105–#110) were failing the CI `security` gate on the same stale lock pin: `pydantic-settings==2.14.1` (GHSA-4xgf-cpjx-pc3j, fixed in 2.14.2). That gate runs `pip-audit -r requirements.lock`, and Dependabot only edits `requirements.txt` — it never regenerates the lockfile. So every PR (including the four unrelated bumps) was blocked by a CVE most of them don't touch. Regenerating the lock clears it for all of them at once.

Bumps

- `fastapi` >=0.136.3 → >=0.138.0 (chore(deps): update fastapi requirement from <1,>=0.136.3 to >=0.138.0,<1 #107)
- `slowapi` >=0.1.9 → >=0.1.10 (chore(deps): update slowapi requirement from <1,>=0.1.9 to >=0.1.10,<1 #108)
- `pydantic-settings` >=2.14.1 → >=2.14.2 (chore(deps): update pydantic-settings requirement from <3,>=2.14.1 to >=2.14.2,<3 #110) — clears the CVE
- `ruff` >=0.15.17 → >=0.15.19 (chore(deps-dev): update ruff requirement from <1,>=0.15.17 to >=0.15.19,<1 #106, dev)
- `pytest` >=9.1.0 → >=9.1.1 (chore(deps-dev): update pytest requirement from <10,>=9.1.0 to >=9.1.1,<10 #109, dev)
- `actions/checkout` v6 → v7 (chore(deps): bump actions/checkout from 6 to 7 #105, CI)

Lockfile regen also floated transitives: `anyio` 4.14.0 → 4.14.1, `click` 8.4.1 → 8.4.2, `fastapi` 0.137.2 → 0.138.0, `wrapt` 2.2.1 → 2.2.2.

Verification

- `pip-audit -r requirements.lock` → No known vulnerabilities found
- `ruff check .` → clean
- `pytest` → 222 passed

Supersedes #105, #106, #107, #108, #109, #110 (Dependabot will auto-close them on merge).
🤖 Generated with Claude Code
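The failure mode in this PR is a lockfile that lags the constraints file: Dependabot bumps the specifier in `requirements.txt`, the `==` pin in `requirements.lock` stays where it was, and the only signal is an unrelated `pip-audit` finding. The check a practitioner wants in front of the audit is one that fails a PR as soon as any direct requirement's lock pin falls outside its specifier. The script below is an added example written for this page, not code from this project or from Dependabot; it assumes pip-style files with one requirement per line, `==` pins in the lock, and versions made of dotted integers (no pre-release or local tags, extras, markers or URLs). The two file contents are constructed to mirror the numbers in the PR, with `requirements.txt` already bumped and the lock still at the old pins.

```python
"""Stale-lock check: flag direct requirements whose requirements.lock pin no
longer satisfies the specifier in requirements.txt.

Added example, not the project's own code. Assumes pip-style files with one
requirement per line, '==' pins in the lock, and versions made of dotted
integers (no pre-release/local tags, extras, markers or URLs)."""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]
Clause = Tuple[str, Version]  # (operator, bound)

# Constructed sample inputs modelled on the numbers in this PR; not real files.
# requirements.txt after the Dependabot bumps, lock still at the old pins.
REQUIREMENTS_TXT = """\
fastapi>=0.138.0,<1
slowapi>=0.1.10,<1
pydantic-settings>=2.14.2,<3
"""
REQUIREMENTS_LOCK = """\
# generated lockfile, pins transitives too
anyio==4.14.0
fastapi==0.137.2
pydantic-settings==2.14.1
slowapi==0.1.10
"""

_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(.*)$")
_OPS = ("==", "!=", ">=", "<=", ">", "<")  # two-char operators must come first


def normalize(name: str) -> str:
    """PEP 503 name normalization so 'Pydantic_Settings' matches 'pydantic-settings'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text: str) -> Version:
    return tuple(int(part) for part in text.strip().split("."))


def fmt_version(v: Version) -> str:
    return ".".join(str(p) for p in v)


def _cmp_key(v: Version) -> Version:
    # PEP 440 treats trailing zeros as insignificant (1.0 == 1); tuples do not,
    # so strip them before comparing.
    parts = list(v)
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_requirements(text: str) -> Dict[str, List[Clause]]:
    """Map normalized package name -> list of (op, bound) clauses."""
    reqs: Dict[str, List[Clause]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = _REQ_RE.match(line)
        if not m:
            raise ValueError(f"unparseable requirement: {raw!r}")
        name, spec = m.group(1), m.group(2)
        clauses: List[Clause] = []
        for clause in (c.strip() for c in spec.split(",") if c.strip()):
            op = next((o for o in _OPS if clause.startswith(o)), None)
            if op is None:
                raise ValueError(f"unsupported specifier {clause!r} for {name}")
            clauses.append((op, parse_version(clause[len(op):])))
        reqs[normalize(name)] = clauses
    return reqs


def satisfies(version: Version, op: str, bound: Version) -> bool:
    a, b = _cmp_key(version), _cmp_key(bound)
    return {"==": a == b, "!=": a != b, ">=": a >= b,
            "<=": a <= b, ">": a > b, "<": a < b}[op]


def stale_pins(requirements_txt: str, requirements_lock: str) -> Dict[str, str]:
    """Return {package: reason} for each direct requirement that the lock does
    not pin, or pins to a version outside its specifier set."""
    specs = parse_requirements(requirements_txt)
    lock = parse_requirements(requirements_lock)
    problems: Dict[str, str] = {}
    for name, clauses in specs.items():
        pins = lock.get(name, [])
        if len(pins) != 1 or pins[0][0] != "==":
            problems[name] = "not pinned in lockfile"
            continue
        pinned = pins[0][1]
        failing = [op + fmt_version(b) for op, b in clauses
                   if not satisfies(pinned, op, b)]
        if failing:
            problems[name] = (f"lock pins {fmt_version(pinned)}, "
                              f"violates {','.join(failing)}")
    return problems


if __name__ == "__main__":
    stale = stale_pins(REQUIREMENTS_TXT, REQUIREMENTS_LOCK)
    for pkg, why in sorted(stale.items()):
        print(f"STALE {pkg}: {why}")
    # Non-zero exit fails the CI step while the lock lags requirements.txt
    raise SystemExit(1 if stale else 0)
```

Run as a CI step before `pip-audit`: on the constructed inputs it reports `fastapi` (lock pins 0.137.2, violates >=0.138.0) and `pydantic-settings` (lock pins 2.14.1, violates >=2.14.2) and exits 1, which tells the author of a Dependabot PR to regenerate the lock rather than leaving it to fail on an advisory the bump does not touch. Transitive pins such as `anyio` are ignored on purpose; those are the lock's business, and the audit still covers them.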