fix(deps): bump deps to resolve all 9 Dependabot alerts#40

Merged
1xabhay merged 1 commit into
mainfrom
deps/dependabot-security-bumps
Jun 23, 2026
Conversation

@1xabhay 1xabhay commented Jun 23, 2026
Contributor
Summary

Bumps five vulnerable dependencies to close all 9 open Dependabot alerts (4 high, 1 moderate, 4 low). Only pyproject.toml (direct-dep floors) and uv.lock change — no source code.

| Package | Before → After | Alerts cleared |
|---|---|---|
| starlette (direct) | 1.2.1 → 1.3.1 | #27 request.form() DoS (High), #26 authority poison (Low) |
| python-multipart (direct) | 0.0.29 → 0.0.32 | #24 quadratic querystring (High), #23, #22, #21 (Low) |
| cryptography (transitive) | 47.0.0 → 49.0.0 | #25 vulnerable OpenSSL in wheels (High) |
| msgpack (transitive) | 1.1.2 → 1.2.1 | #28 OOB read on Unpacker reuse (High) |
| pydantic-settings (transitive) | 2.14.0 → 2.14.2 | #29 NestedSecretsSettingsSource symlink read (Moderate) |

fastapi-mail 1.6.4 → 1.6.5 came along — it pinned cryptography below 49.

Verification

Run via the Makefile targets against the Docker stack:

  • `make audit`: No known vulnerabilities found
  • `make type`: Success: no issues found in 33 source files
  • `make test`: 207 passed

Note: make lint reports 27 pre-existing E501 line-too-long errors (inline-HTML f-strings in app/response/service.py and elsewhere). These exist on main and are untouched by this PR — out of scope for a dependency bump.

🤖 Generated with Claude Code

…ydantic-settings

Resolve all 9 open Dependabot alerts:

- starlette 1.2.1 -> 1.3.1 (#27 form() DoS High, #26 authority poison Low)
- python-multipart 0.0.29 -> 0.0.32 (#24 quadratic querystring High; #23, #22, #21 Low)
- cryptography 47.0.0 -> 49.0.0 (#25 vulnerable OpenSSL High)
- msgpack 1.1.2 -> 1.2.1 (#28 OOB read on Unpacker reuse High)
- pydantic-settings 2.14.0 -> 2.14.2 (#29 symlink read Moderate)

fastapi-mail 1.6.4 -> 1.6.5 came along to allow cryptography 49.

Direct-dep floors bumped in pyproject.toml; transitive deps via uv lock.
Verified: make audit (no known vulnerabilities), make type (clean),
make test (207 passed).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@1xabhay 1xabhay merged commit 4578f4f into main Jun 23, 2026
1 check passed
@1xabhay 1xabhay deleted the deps/dependabot-security-bumps branch June 23, 2026 12:54