From 9be34c9a4cf2b816c853ebba39a8f4a73cb808d5 Mon Sep 17 00:00:00 2001 From: bk86a Date: Thu, 25 Jun 2026 09:26:08 +0200 Subject: [PATCH] chore(deps): bundle Dependabot bumps + clear pydantic-settings CVE, cut v0.19.5 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bundles the six open Dependabot PRs (#105–#110). All six were failing the CI `security` gate on the same stale lock pin: pydantic-settings==2.14.1 (GHSA-4xgf-cpjx-pc3j, fixed in 2.14.2). The gate audits requirements.lock, which Dependabot never regenerates, so every PR was blocked by a CVE most of them don't touch. Regenerating the lockfile clears it. - fastapi >=0.136.3 → >=0.138.0 (#107) - slowapi >=0.1.9 → >=0.1.10 (#108) - pydantic-settings >=2.14.1 → >=2.14.2 (#110) - ruff >=0.15.17 → >=0.15.19 (#106, dev) - pytest >=9.1.0 → >=9.1.1 (#109, dev) - actions/checkout v6 → v7 (#105, CI) Lockfile regen also floated anyio, click, fastapi, wrapt transitives. pip-audit -r requirements.lock: no known vulnerabilities. 222 tests pass. Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/workflows/ci.yml | 14 +++++++------- CHANGELOG.md | 17 +++++++++++++++++ app/__init__.py | 2 +- requirements-dev.txt | 4 ++-- requirements.lock | 10 +++++----- requirements.txt | 6 +++--- 6 files changed, 35 insertions(+), 18 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8e832c0..fae04b7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -27,7 +27,7 @@ jobs: outputs: code: ${{ steps.filter.outputs.code }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@v7 - uses: dorny/paths-filter@v4 id: filter with: @@ -49,7 +49,7 @@ jobs: needs: changes runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@v7 - if: needs.changes.outputs.code == 'true' uses: actions/setup-python@v6 with: 
@@ -67,7 +67,7 @@ jobs: needs: changes runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@v7 - if: needs.changes.outputs.code == 'true' uses: actions/setup-python@v6 with: @@ -83,7 +83,7 @@ jobs: needs: changes runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@v7 - if: needs.changes.outputs.code == 'true' uses: actions/setup-python@v6 with: @@ -103,7 +103,7 @@ jobs: needs: changes runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@v7 - if: needs.changes.outputs.code == 'true' uses: actions/setup-python@v6 with: @@ -119,7 +119,7 @@ jobs: needs: changes runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@v7 - if: needs.changes.outputs.code == 'true' name: Build image run: docker build -t postalcode2nuts . @@ -139,7 +139,7 @@ jobs: needs: [changes, lint, import-check, test, security, docker] runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@v7 - uses: docker/login-action@v4 with: registry: ghcr.io diff --git a/CHANGELOG.md b/CHANGELOG.md index 92cd38c..fea5977 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -6,6 +6,23 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/). ## [Unreleased] +## [0.19.5] - 2026-06-25 + +### Security + +- **`pydantic-settings` bumped to 2.14.2** to clear **GHSA-4xgf-cpjx-pc3j** (fixed in 2.14.2). The CI `security` gate audits `requirements.lock`, where `pydantic-settings` was still pinned at 2.14.1; Dependabot only edits `requirements.txt`, so the fix lands by regenerating the lockfile. This single stale lock pin was failing the `security` check on every open Dependabot PR (#105–#110), not just the `pydantic-settings` one. + +### Changed + +- **Dependency bumps** via Dependabot (bundled in #111, superseding #105, #106, #107, #108, #109, #110): + - `fastapi` >=0.136.3 → >=0.138.0 (#107) + - `slowapi` >=0.1.9 → >=0.1.10 (#108) + - `pydantic-settings` >=2.14.1 → >=2.14.2 (#110) + - `ruff` >=0.15.17 → >=0.15.19 (#106, dev) + - `pytest` >=9.1.0 → >=9.1.1 (#109, dev) + - `actions/checkout` v6 → v7 (#105, CI) +- **Lockfile regeneration** also floated transitive pins: `anyio` 4.14.0 → 4.14.1, `click` 8.4.1 → 8.4.2, `fastapi` 0.137.2 → 0.138.0, `wrapt` 2.2.1 → 2.2.2. + ## [0.19.4] - 2026-06-19 ### Security diff --git a/app/__init__.py b/app/__init__.py index 8261536..3f56ae5 100644 --- a/app/__init__.py +++ b/app/__init__.py @@ -1 +1 @@ -__version__ = "0.19.4" +__version__ = "0.19.5" diff --git a/requirements-dev.txt b/requirements-dev.txt index 7118ef9..62da764 100644 --- a/requirements-dev.txt +++ b/requirements-dev.txt @@ -1,6 +1,6 @@ -r requirements.txt -ruff>=0.15.17,<1 +ruff>=0.15.19,<1 bandit>=1.9.4,<2 pip-audit>=2.10.1,<3 -pytest>=9.1.0,<10 +pytest>=9.1.1,<10 pytest-asyncio>=1.4.0,<2 diff --git a/requirements.lock b/requirements.lock index d660fc1..830fc09 100644 --- a/requirements.lock +++ b/requirements.lock 
@@ -3,11 +3,11 @@
 # pip install -r requirements.txt && pip freeze > requirements.lock
 annotated-doc==0.0.4
 annotated-types==0.7.0
-anyio==4.14.0
+anyio==4.14.1
 certifi==2026.6.17
-click==8.4.1
+click==8.4.2
 Deprecated==1.3.1
-fastapi==0.137.2
+fastapi==0.138.0
 h11==0.16.0
 httpcore==1.0.9
 httptools==0.8.0
@@ -16,7 +16,7 @@ idna==3.18
 limits==5.8.0
 packaging==26.2
 pydantic==2.13.4
-pydantic-settings==2.14.1
+pydantic-settings==2.14.2
 pydantic_core==2.46.4
 python-dotenv==1.2.2
 PyYAML==6.0.3
@@ -29,4 +29,4 @@ uvicorn==0.49.0
 uvloop==0.22.1
 watchfiles==1.2.0
 websockets==16.0
-wrapt==2.2.1
+wrapt==2.2.2
diff --git a/requirements.txt b/requirements.txt
index d2ffff3..ebb9259 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,9 +1,9 @@
-fastapi>=0.136.3,<1
+fastapi>=0.138.0,<1
 uvicorn[standard]>=0.49.0,<1
 httpx>=0.28.1,<1
 pydantic>=2.13.4,<3
-pydantic-settings>=2.14.1,<3
-slowapi>=0.1.9,<1
+pydantic-settings>=2.14.2,<3
+slowapi>=0.1.10,<1
 limits[redis]>=5.8.0
 python-dotenv>=1.2.2,<2
 # Transitive (via httpx); pinned to clear CVE-2026-45409