
chore(deps): bump the python-minor-and-patch group with 4 updates #789

Merged
rafeekpro merged 5 commits into develop from dependabot/uv/develop/python-minor-and-patch-dc6b5be279
Jun 17, 2026



@dependabot dependabot Bot commented on behalf of github Jun 15, 2026


Bumps the python-minor-and-patch group with 4 updates: fastapi, langgraph, anthropic and openai.

Updates fastapi from 0.136.3 to 0.137.0

Release notes

Sourced from fastapi's releases.

0.137.0

Breaking Changes

  • ♻️ Refactor internals to preserve APIRouter and APIRoute instances. PR #15745 by @​tiangolo.

Unblocks ✨ SO MANY THINGS ✨

Before this, router.include_router(other_router) would take each path operation from other_router and "clone" it, or recreate it from scratch.

This would mean that in the end there was only one top level router, part of the app.

The way it is structured here is that there are a few additional classes to handle intermediate metadata for router and route inclusion. That way the information of "router X includes Y and Y includes Z" is stored somewhere, without affecting (recreating / cloning) the final route.

Non Objectives

Dependencies for 404: previously I intended to support dependencies that would be executed even for 404, but that would conflict with the fact that a router could not find a match, but the next router did find a match. Executing dependencies in the router that did not find a match would not make sense, they could consume the request, body, etc. This original idea was discarded.

Specific Breaking Changes

Now router.routes is no longer a plain list of APIRoute objects, it can contain these intermediate objects that can contain additional routers, forming a tree.

Any logic that depended on iterating on the router.routes directly would be affected, that logic cannot expect to be able to extract data from a plain list of routes, as it's no longer a plain list but a tree.

Additionally, any logic that iterated on router.routes to modify them would now also see these new objects, and would not see all the routes in the app.

router.routes should be considered an internal implementation detail, only passed around to the FastAPI functions that need it.

Features

  • Adding routes (path operations) after a router is included now works, they are reflected as they are not copied.
  • Including subrouter in mainrouter can be done before adding routes (path operations) to subrouter, because now the entire object is stored instead of copying the routes.
  • As routes are not copied, in some cases that might save some memory.

Alpha Features

This is not documented yet, so it's not officially supported yet and could change in the future.

But, as APIRoute and APIRouter instances are now preserved, they could be customized.

APIRouter has two new methods, .matches() and .handle(), counterpart to the existing ones in APIRoute. With this a router could customize how it matches and handles requests. For example, it could match only requests that include some specific header, for example for handling versions in headers.

Still, for now, consider this very experimental and potentially changing and breaking in the future.

Future Features Enabled

  • Custom APIRoute subclasses (undocumented, but already works as described above)
  • Custom APIRouter subclasses (undocumented, but already works as described above)
  • Dependencies per router
  • Exception handlers per router
  • Middleware per router

... (truncated)

Commits

Updates langgraph from 1.2.4 to 1.2.5

Release notes

Sourced from langgraph's releases.

langgraph==1.2.5

Changes since 1.2.4

  • release(langgraph): 1.2.5 (#8062)
  • fix(langgraph): merge lc_versions config metadata (#8052)
  • release(cli): 0.4.28 (#8041)
  • fix: updateState bug for deltaChannel on empty thread (#8011)
  • chore: migrate Python type checking to ty (#8002)
  • chore(deps-dev): bump types-requests from 2.33.0.20260408 to 2.33.0.20260518 in /libs/langgraph (#7977)
  • chore(deps): bump the minor-and-patch group in /libs/langgraph with 14 updates (#7975)

Commits
  • 7ab79f9 release(langgraph): 1.2.5 (#8062)
  • 385033f fix(langgraph): merge lc_versions config metadata (#8052)
  • 93307d6 release(cli): 0.4.29 (#8046)
  • e05ba29 feat(cli): add support for passing certfile and cert key to run dev server un...
  • f0e8147 release(cli): 0.4.28 (#8041)
  • d57a74f fix: updateState bug for deltaChannel on empty thread (#8011)
  • 6f83cc9 chore(deps): bump starlette from 1.0.0 to 1.0.1 in /libs/cli (#8005)
  • 2ae62c6 chore(deps-dev): bump starlette from 1.0.0 to 1.0.1 in /libs/sdk-py (#8006)
  • 2b1abc8 chore: migrate Python type checking to ty (#8002)
  • 43682f0 chore(deps): bump the minor-and-patch group in /libs/cli with 4 updates (#7962)
  • Additional commits viewable in compare view

Updates anthropic from 0.107.1 to 0.109.1

Release notes

Sourced from anthropic's releases.

v0.109.1

0.109.1 (2026-06-09)

Full Changelog: v0.109.0...v0.109.1

Bug Fixes

  • api: add frontier_llm refusal category (d3a806b)

v0.109.0

0.109.0 (2026-06-09)

Full Changelog: v0.108.0...v0.109.0

Features

  • api: add support for Managed Agents deployments and environment variable credentials (47633bf)

v0.108.0

0.108.0 (2026-06-09)

Full Changelog: v0.107.1...v0.108.0

Features

  • api: add support for claude-mythos-5 and claude-fable-5, with support for server-side fallbacks on refusal (6b76649)
  • client: adds client-side fallbacks middleware for API providers that do not support server-side fallbacks (6b76649)

Changelog

Sourced from anthropic's changelog.

0.109.1 (2026-06-09)

Full Changelog: v0.109.0...v0.109.1

Bug Fixes

  • api: add frontier_llm refusal category (d3a806b)

0.109.0 (2026-06-09)

Full Changelog: v0.108.0...v0.109.0

Features

  • api: add support for Managed Agents deployments and environment variable credentials (47633bf)

0.108.0 (2026-06-09)

Full Changelog: v0.107.1...v0.108.0

Features

  • api: add support for claude-mythos-5 and claude-fable-5, with support for server-side fallbacks on refusal (6b76649)
  • client: adds client-side fallbacks middleware for API providers that do not support server-side fallbacks (6b76649)

Commits

Updates openai from 2.41.0 to 2.41.1

Release notes

Sourced from openai's releases.

v2.41.1

2.41.1 (2026-06-05)

Full Changelog: v2.41.0...v2.41.1

Build System

  • Remove scheduled release workflow trigger (#3366) (2a91011)

Changelog

Sourced from openai's changelog.

2.41.1 (2026-06-05)

Full Changelog: v2.41.0...v2.41.1

Build System

  • Remove scheduled release workflow trigger (#3366) (2a91011)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the python-minor-and-patch group with 4 updates: [fastapi](https://github.com/fastapi/fastapi), [langgraph](https://github.com/langchain-ai/langgraph), [anthropic](https://github.com/anthropics/anthropic-sdk-python) and [openai](https://github.com/openai/openai-python).


Updates `fastapi` from 0.136.3 to 0.137.0
- [Release notes](https://github.com/fastapi/fastapi/releases)
- [Commits](fastapi/fastapi@0.136.3...0.137.0)

Updates `langgraph` from 1.2.4 to 1.2.5
- [Release notes](https://github.com/langchain-ai/langgraph/releases)
- [Commits](langchain-ai/langgraph@1.2.4...1.2.5)

Updates `anthropic` from 0.107.1 to 0.109.1
- [Release notes](https://github.com/anthropics/anthropic-sdk-python/releases)
- [Changelog](https://github.com/anthropics/anthropic-sdk-python/blob/main/CHANGELOG.md)
- [Commits](anthropics/anthropic-sdk-python@v0.107.1...v0.109.1)

Updates `openai` from 2.41.0 to 2.41.1
- [Release notes](https://github.com/openai/openai-python/releases)
- [Changelog](https://github.com/openai/openai-python/blob/main/CHANGELOG.md)
- [Commits](openai/openai-python@v2.41.0...v2.41.1)

---
updated-dependencies:
- dependency-name: fastapi
  dependency-version: 0.137.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: python-minor-and-patch
- dependency-name: langgraph
  dependency-version: 1.2.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: python-minor-and-patch
- dependency-name: anthropic
  dependency-version: 0.109.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: python-minor-and-patch
- dependency-name: openai
  dependency-version: 2.41.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: python-minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels Jun 15, 2026
rafeekpro and others added 2 commits June 17, 2026 11:34
fastapi 0.137 (#15745) refactored router internals: ``router.routes``
is no longer a flat list of ``APIRoute`` objects and now contains
``_IncludedRouter`` wrappers that expose their effective leaves via
``effective_candidates()`` (each an ``_EffectiveRouteContext`` carrying
the rendered ``path``).

The OAuth-routes smoke test iterated ``app.routes`` and read ``.path``
on every entry, which broke with ``AttributeError: '_IncludedRouter'
object has no attribute 'path'``. Replace the comprehension with a
recursive walker that descends through ``effective_candidates()`` (the
new fastapi 0.137 wrapper API) or ``.routes`` (legacy) and only collects
entries that carry a ``.path``.

Also reconciles ``uv.lock`` with develop's ``dap-database`` workspace
addition so ``uv lock --check`` is green.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Mypy strict mode flagged the new helper as missing a parameter
annotation. Type the iterable of route-like objects as
``Iterable[Any]`` — they can be ``APIRoute``, ``Mount``,
``_IncludedRouter``, or ``_EffectiveRouteContext`` depending on
fastapi version and tree depth.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
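
Added example (not code from this repository or from FastAPI): a sketch of the recursive walker the commit message above describes, run over constructed stand-in classes so it works without FastAPI installed. Only `effective_candidates()`, `.routes` and `.path` come from the page; the class names, `iter_paths`, `missing_routes` and the OAuth paths are assumptions.

```python
from typing import Any, Iterable, Iterator

class Leaf:
    """Constructed stand-in for a route-like entry that carries a rendered .path."""
    def __init__(self, path: str) -> None:
        self.path = path

class Wrapper:
    """Constructed stand-in for a wrapper with no .path (the role of _IncludedRouter)."""
    def __init__(self, children: list[Any]) -> None:
        self._children = children
    def effective_candidates(self) -> list[Any]:
        return self._children

class LegacyRouter:
    """Constructed stand-in for a legacy container that exposes .routes."""
    def __init__(self, routes: list[Any]) -> None:
        self.routes = routes

def iter_paths(entries: Iterable[Any]) -> Iterator[str]:
    """Yield every .path reachable from entries, descending through wrappers."""
    for entry in entries:
        path = getattr(entry, "path", None)
        if isinstance(path, str):
            yield path  # leaf: collect it and do not descend further
            continue
        candidates = getattr(entry, "effective_candidates", None)
        if callable(candidates):
            yield from iter_paths(candidates())
        elif isinstance(getattr(entry, "routes", None), (list, tuple)):
            yield from iter_paths(entry.routes)
        # entries with neither a path nor children are skipped

def missing_routes(entries: Iterable[Any], required: set[str]) -> list[str]:
    """Return the required paths that are not registered anywhere in the tree."""
    return sorted(required - set(iter_paths(entries)))

# Constructed route tree: flat leaf, nested wrappers, legacy container, unknown entry.
SAMPLE_ROUTES = [
    Leaf("/health"),
    Wrapper([Leaf("/auth/oauth/login"), Wrapper([Leaf("/auth/oauth/callback")])]),
    LegacyRouter([Leaf("/docs")]),
    object(),
]
# Hypothetical paths a smoke test would require to be present.
REQUIRED = {"/auth/oauth/login", "/auth/oauth/callback", "/auth/oauth/logout"}

if __name__ == "__main__":
    print(missing_routes(SAMPLE_ROUTES, REQUIRED))
```

A flat `[r.path for r in routes]` over the same sample raises `AttributeError` on the first wrapper, which is the failure the commit reports.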
rafeekpro added a commit that referenced this pull request Jun 17, 2026
…lear active CVEs (#791)

* fix(security): floor cryptography / python-multipart / starlette to clear active CVEs

Develop's Python deps CVE scan started failing after fresh advisories
were published against transitive dependencies. None of these were
explicitly pinned in apps/engine/pyproject.toml at versions above the
patched floor, so 'uv lock' was happily resolving the vulnerable
versions and the gate was blocking every Python PR (#789, #790,
plus any future ones).

Add explicit floors:
  - cryptography>=48.0.1   GHSA-537c-gmf6-5ccf
  - python-multipart>=0.0.31  CVE-2026-53538/53539/53540
  - starlette>=1.3.1   CVE-2026-54282/54283

Resolution result (uv.lock):
  cryptography     48.0.0 -> 49.0.0
  python-multipart 0.0.28 -> 0.0.32
  starlette        1.1.0  -> 1.3.1

Smoke-test sweep on the bumped resolution passes the same set develop
passes today — the two failures observed (test_assistant
test_chat_returns_assistant_message and test_error_explainer
test_explain_endpoint_ai_falls_back_to_deterministic_without_provider)
also fail on develop verbatim, are unrelated to the bumps, and stem
from a pre-existing GLM provider auto-detection bug.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* chore(types): wrap status-code range comparisons in bool()

Starlette 1.3 ships stricter type stubs and httpx now returns ``Any``
for ``response.status_code`` in some contexts, so the
``return 200 <= response.status_code < 300`` pattern in the standalone
JWT-login helpers trips mypy's ``no-any-return``. Explicit ``bool(...)``
keeps the semantics identical and gives mypy a concrete annotation
without an ``# type: ignore`` escape hatch.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
@rafeekpro


@dependabot rebase


dependabot Bot commented on behalf of github Jun 17, 2026


Looks like this PR has been edited by someone other than Dependabot. That means Dependabot can't rebase it - sorry!

If you're happy for Dependabot to recreate it from scratch, overwriting any edits, you can request @dependabot recreate.

@rafeekpro rafeekpro left a comment


Rebased on develop, CVE wall cleared via #791. fastapi 0.137 routes walker + mypy fix all green. Approving.

@rafeekpro rafeekpro merged commit 05d1288 into develop Jun 17, 2026
16 checks passed
@rafeekpro rafeekpro deleted the dependabot/uv/develop/python-minor-and-patch-dc6b5be279 branch June 17, 2026 10:07