
chore(deps): bundle Dependabot bumps + clear pydantic-settings CVE, cut v0.19.5#111

Merged
bk86a merged 1 commit into main from chore/bundle-deps-v0.19.5
Jun 25, 2026

Conversation

@bk86a

@bk86a bk86a commented Jun 25, 2026

Owner

Bundles the six open Dependabot PRs and cuts v0.19.5.

Why bundle

All six open Dependabot PRs (#105–#110) were failing the CI security gate on the same stale lock pin: pydantic-settings==2.14.1 (GHSA-4xgf-cpjx-pc3j, fixed in 2.14.2). That gate runs pip-audit -r requirements.lock, and Dependabot only edits requirements.txt — it never regenerates the lockfile. So every PR (including the four unrelated bumps) was blocked by a CVE most of them don't touch. Regenerating the lock clears it for all of them at once.

Bumps

Lockfile regen also floated transitives: anyio 4.14.0→4.14.1, click 8.4.1→8.4.2, fastapi 0.137.2→0.138.0, wrapt 2.2.1→2.2.2.

Verification

  • pip-audit -r requirements.lock → No known vulnerabilities found
  • ruff check . → clean
  • pytest → 222 passed

Supersedes #105, #106, #107, #108, #109, #110 (Dependabot will auto-close them on merge).

🤖 Generated with Claude Code
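The lock-vs-requirements drift described above, as an added example that is not part of this PR or the project: a small stdlib check that flags any `==` pin in `requirements.lock` that no longer satisfies the specifier in `requirements.txt`, so a stale pin surfaces before the `pip-audit` gate fails on it. The file contents below are constructed to mirror this PR; the parser only understands `==`, `>=`, `>`, `<=`, `<`, `!=` on dotted numeric versions.

```python
# Added example (not the project's own tooling): flag pins in requirements.lock that
# no longer satisfy requirements.txt, the drift behind this PR. Stdlib only; handles
# the operators ==, >=, >, <=, <, != on dotted numeric versions.
import operator
import re

_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9_.\-]*)\s*(==|>=|<=|!=|>|<)\s*([0-9][0-9.]*)")
_OPS = {"==": operator.eq, ">=": operator.ge, "<=": operator.le,
        "!=": operator.ne, ">": operator.gt, "<": operator.lt}

def _norm(name):
    """PEP 503 name normalisation: pydantic_settings and pydantic-settings match."""
    return re.sub(r"[-_.]+", "-", name).lower()

def _fmt(version):
    return ".".join(map(str, version))

def parse_requirements(text):
    """Map normalised name -> (operator, version tuple). Comments, blank lines and
    pip options such as --hash continuation lines are skipped."""
    reqs = {}
    for line in text.splitlines():
        m = _LINE.match(line.split("#", 1)[0].split("\\")[0])
        if m:
            reqs[_norm(m.group(1))] = (m.group(2), tuple(int(p) for p in m.group(3).split(".")))
    return reqs

def find_drift(requirements_txt, requirements_lock):
    """Return [(name, locked_version, required_spec)] for each '==' pin in the
    lockfile that violates the specifier in requirements.txt."""
    wanted = parse_requirements(requirements_txt)
    locked = parse_requirements(requirements_lock)
    drift = []
    for name, (op, want) in wanted.items():
        if name in locked and locked[name][0] == "==" and not _OPS[op](locked[name][1], want):
            drift.append((name, _fmt(locked[name][1]), op + _fmt(want)))
    return drift

# Constructed sample mirroring this PR: Dependabot bumped requirements.txt, but the
# lockfile still pins the release the pip-audit gate rejects.
REQUIREMENTS_TXT = "fastapi>=0.138.0\npydantic-settings>=2.14.2\nruff>=0.15.19  # dev\n"
REQUIREMENTS_LOCK = ("anyio==4.14.1 \\\n    --hash=sha256:placeholder\n"
                     "fastapi==0.138.0\npydantic_settings==2.14.1\n")

if __name__ == "__main__":
    for pkg, have, want in find_drift(REQUIREMENTS_TXT, REQUIREMENTS_LOCK):
        print(f"lockfile drift: {pkg}=={have} violates {want}; regenerate the lock")
```

Run as a CI step before `pip-audit` to fail fast with a message that names the stale pin instead of the advisory it happens to trip.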

…ut v0.19.5

Bundles the six open Dependabot PRs (#105–#110). All six were failing the
CI `security` gate on the same stale lock pin: pydantic-settings==2.14.1
(GHSA-4xgf-cpjx-pc3j, fixed in 2.14.2). The gate audits requirements.lock,
which Dependabot never regenerates, so every PR was blocked by a CVE most of
them don't touch. Regenerating the lockfile clears it.

- fastapi >=0.136.3 → >=0.138.0 (#107)
- slowapi >=0.1.9 → >=0.1.10 (#108)
- pydantic-settings >=2.14.1 → >=2.14.2 (#110)
- ruff >=0.15.17 → >=0.15.19 (#106, dev)
- pytest >=9.1.0 → >=9.1.1 (#109, dev)
- actions/checkout v6 → v7 (#105, CI)

Lockfile regen also floated anyio, click, fastapi, wrapt transitives.
pip-audit -r requirements.lock: no known vulnerabilities. 222 tests pass.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
