Dependabot alerts remain that can only be resolved by major-version bumps of core deps. Each needs deliberate testing, so tracking them here as dedicated work.
## fastapi + starlette

starlette must reach `>= 1.3.1` to clear all open alerts, but `fastapi ~0.121.x` pins `starlette < 0.51.0`. starlette `1.x` only becomes installable with fastapi `>= 0.135.0` (latest `0.138.0`), so the two bump together.

starlette `0.x → 1.0` is a major release with breaking changes — test against our middleware, `starlette-context`, exception handlers, and routing.
Open alerts cleared by this:

- missing Host header validation poisons `request.url.path` — medium
- `request.form()` limits silently ignored (DoS) — high
- SSRF / NTLM credential theft via UNC paths in `StaticFiles` — high
- arbitrary HTTP method dispatched to `HTTPEndpoint` via `getattr` — medium
- unvalidated request path concatenated into authority — low
## cryptography 46 → 48/49

Needs `>= 48.0.1` (latest `49.0.0`) to clear the bundled-OpenSSL alert (high); we pin `~46.0.5`. Three major versions of a security-critical lib that bundles OpenSSL — upgrade and test deliberately, and verify `python-jose[cryptography] ~3.5.0` still works.
## ecdsa — no fix available

High-severity alert with no patched version (latest `0.19.2` is what we lock, pulled in transitively via `dnspython`). Not actionable until upstream ships a fix; tracking for visibility.