chore(deps): bundle Dependabot bumps + clear pydantic-settings CVE, cut v0.19.5

.github/workflows/ci.yml

@@ -27,7 +27,7 @@ jobs:
     outputs:
       code: ${{ steps.filter.outputs.code }}
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
       - uses: dorny/paths-filter@v4
         id: filter
         with:
@@ -49,7 +49,7 @@ jobs:
     needs: changes
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
       - if: needs.changes.outputs.code == 'true'
         uses: actions/setup-python@v6
         with:
@@ -67,7 +67,7 @@ jobs:
     needs: changes
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
       - if: needs.changes.outputs.code == 'true'
         uses: actions/setup-python@v6
         with:
@@ -83,7 +83,7 @@ jobs:
     needs: changes
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
       - if: needs.changes.outputs.code == 'true'
         uses: actions/setup-python@v6
         with:
@@ -103,7 +103,7 @@ jobs:
     needs: changes
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
       - if: needs.changes.outputs.code == 'true'
         uses: actions/setup-python@v6
         with:
@@ -119,7 +119,7 @@ jobs:
     needs: changes
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
       - if: needs.changes.outputs.code == 'true'
         name: Build image
         run: docker build -t postalcode2nuts .
@@ -139,7 +139,7 @@ jobs:
     needs: [changes, lint, import-check, test, security, docker]
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
       - uses: docker/login-action@v4
         with:
           registry: ghcr.io

CHANGELOG.md

@@ -6,6 +6,23 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/).
 
 ## [Unreleased]
 
+## [0.19.5] - 2026-06-25
+
+### Security
+
+- **`pydantic-settings` bumped to 2.14.2** to clear **GHSA-4xgf-cpjx-pc3j** (fixed in 2.14.2). The CI `security` gate audits `requirements.lock`, where `pydantic-settings` was still pinned at 2.14.1; Dependabot only edits `requirements.txt`, so the fix lands by regenerating the lockfile. This single stale lock pin was failing the `security` check on every open Dependabot PR (#105–#110), not just the `pydantic-settings` one.
+
+### Changed
+
+- **Dependency bumps** via Dependabot (bundled in #111, superseding #105, #106, #107, #108, #109, #110):
+  - `fastapi` >=0.136.3 → >=0.138.0 (#107)
+  - `slowapi` >=0.1.9 → >=0.1.10 (#108)
+  - `pydantic-settings` >=2.14.1 → >=2.14.2 (#110)
+  - `ruff` >=0.15.17 → >=0.15.19 (#106, dev)
+  - `pytest` >=9.1.0 → >=9.1.1 (#109, dev)
+  - `actions/checkout` v6 → v7 (#105, CI)
+- **Lockfile regeneration** also floated transitive pins: `anyio` 4.14.0 → 4.14.1, `click` 8.4.1 → 8.4.2, `fastapi` 0.137.2 → 0.138.0, `wrapt` 2.2.1 → 2.2.2.
+
 ## [0.19.4] - 2026-06-19
 
 ### Security

app/__init__.py

@@ -1 +1 @@
-__version__ = "0.19.4"
+__version__ = "0.19.5"

requirements-dev.txt

@@ -1,6 +1,6 @@
 -r requirements.txt
-ruff>=0.15.17,<1
+ruff>=0.15.19,<1
 bandit>=1.9.4,<2
 pip-audit>=2.10.1,<3
-pytest>=9.1.0,<10
+pytest>=9.1.1,<10
 pytest-asyncio>=1.4.0,<2

requirements.lock

@@ -3,11 +3,11 @@
 #   pip install -r requirements.txt && pip freeze > requirements.lock
 annotated-doc==0.0.4
 annotated-types==0.7.0
-anyio==4.14.0
+anyio==4.14.1
 certifi==2026.6.17
-click==8.4.1
+click==8.4.2
 Deprecated==1.3.1
-fastapi==0.137.2
+fastapi==0.138.0
 h11==0.16.0
 httpcore==1.0.9
 httptools==0.8.0
@@ -16,7 +16,7 @@ idna==3.18
 limits==5.8.0
 packaging==26.2
 pydantic==2.13.4
-pydantic-settings==2.14.1
+pydantic-settings==2.14.2
 pydantic_core==2.46.4
 python-dotenv==1.2.2
 PyYAML==6.0.3
@@ -29,4 +29,4 @@ uvicorn==0.49.0
 uvloop==0.22.1
 watchfiles==1.2.0
 websockets==16.0
-wrapt==2.2.1
+wrapt==2.2.2

requirements.txt

@@ -1,9 +1,9 @@
-fastapi>=0.136.3,<1
+fastapi>=0.138.0,<1
 uvicorn[standard]>=0.49.0,<1
 httpx>=0.28.1,<1
 pydantic>=2.13.4,<3
-pydantic-settings>=2.14.1,<3
-slowapi>=0.1.9,<1
+pydantic-settings>=2.14.2,<3
+slowapi>=0.1.10,<1
 limits[redis]>=5.8.0
 python-dotenv>=1.2.2,<2
 # Transitive (via httpx); pinned to clear CVE-2026-45409