chore(deps): patch starlette HIGH CVE + streamlit demo (CI-gated)#21

Open
ChunkyTortoise wants to merge 2 commits into main from chore/security-bumps-2026-06-01
Conversation

@ChunkyTortoise
Owner

Resolves the Dependabot alerts that are safe within the current fastapi==0.115.0 pin.

Fixed

  • starlette >=0.37.2,<0.39.0 -> >=0.40.0,<0.42.0 (requirements_ci.txt, requirements_full.txt). Clears the HIGH alert; upper bound kept <0.42 for fastapi 0.115 compatibility.
  • streamlit (requirements_demo.txt) ==1.39.0 -> >=1.54.0. Clears the medium alert; aligns with requirements.txt / requirements_ci.txt which already pin >=1.54.0.

Deferred (need a tested migration, not a blind bump)

  • eml-parser 1.17.5 -> 2.0.1 (major; parsing API changed).
  • pytest 8.3.3 -> 9.0.3 (major; may need fixture/config updates).
  • starlette medium (needs >=0.47.2) requires a fastapi bump beyond 0.115.

CI (ci.yml + eval-gate.yml) gates this before merge.


chatgpt-codex-connector (Bot) left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ac64aeec07

Comment thread requirements_ci.txt
# Full stack (dev, evals, ML training): requirements_full.txt
fastapi==0.115.0
starlette>=0.37.2,<0.39.0
starlette>=0.40.0,<0.42.0
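Review bot: the fastapi==0.115.0 pin two lines above caps Starlette below 0.39.0, so the new starlette>=0.40.0,<0.42.0 line cannot be resolved together with it and requirements_ci.txt will fail to install as committed; bump the FastAPI pin in this same hunk to the first 0.115.x release that permits Starlette <0.42.0 (the follow-up commit message identifies 0.115.4), or keep the Starlette upper bound below 0.39.0 until FastAPI moves, so the file resolves on its own.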
P1: Keep Starlette within FastAPI's dependency range

With fastapi==0.115.0 still pinned here, this new Starlette range is unsatisfiable: FastAPI 0.115.0 declares starlette<0.39.0,>=0.37.2, so pip's resolver cannot install both it and starlette>=0.40.0,<0.42.0. I checked .github/workflows/ci.yml and the Dockerfiles, which install requirements_ci.txt, so CI and container builds will fail at dependency resolution until FastAPI is upgraded to a version that allows Starlette 0.40+ or this bound is kept below 0.39.


fastapi==0.115.0 caps starlette<0.39.0, which conflicts with the HIGH-CVE
patch (starlette>=0.40.0,<0.42.0) and produced ResolutionImpossible in the
docker-build + test CI jobs. 0.115.4 is the first 0.115.x to allow
starlette<0.42.0. Verified: `uv pip compile requirements_ci.txt` resolves
188 packages (starlette==0.41.3). CI is the authoritative test gate.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
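A pre-merge check for exactly the failure described in the commit message above, as an added example that is not part of this PR or the project's code: it merges the starlette clauses found in a requirements file with the Starlette range the pinned FastAPI release declares, and reports whether any version satisfies all of them. The 0.115.0 range is the one quoted in the Codex review; the 0.115.4 range is an assumption inferred from the commit message, and the function names are mine.

```python
import re

# FastAPI release -> Starlette range it declares. 0.115.0 is quoted in the
# review above; the 0.115.4 entry is an ASSUMPTION from the commit message.
FASTAPI_STARLETTE = {"0.115.0": ">=0.37.2,<0.39.0", "0.115.4": ">=0.40.0,<0.42.0"}
CLAUSE = re.compile(r"(==|>=|<=|<|>)\s*([0-9][0-9.]*)")

def parse_clauses(spec):
    """'>=0.40.0,<0.42.0' -> [('>=', (0, 40, 0)), ('<', (0, 42, 0))]"""
    return [(op, tuple(int(p) for p in v.split(".")))
            for op, v in CLAUSE.findall(spec)]

def satisfiable(clauses):
    """True if at least one version meets every clause (>=, >, <, <=, ==)."""
    low = high = None  # tightest bound so far as (version, inclusive)
    for op, v in clauses:
        if op in ("==", ">=", ">"):  # lower bounds: higher wins, strict beats inclusive
            cand = (v, op != ">")
            if low is None or (v, not cand[1]) > (low[0], not low[1]):
                low = cand
        if op in ("==", "<=", "<"):  # upper bounds: lower wins, strict beats inclusive
            cand = (v, op != "<")
            if high is None or cand < high:
                high = cand
    if low is None or high is None:
        return True
    return low[0] < high[0] or (low[0] == high[0] and low[1] and high[1])

def starlette_resolves(requirements_text, fastapi_ranges=FASTAPI_STARLETTE):
    """Merge the file's own starlette clauses with the pinned fastapi's range."""
    clauses, fastapi_pin = [], None
    for line in requirements_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments, as pip does
        m = re.match(r"([A-Za-z0-9_.-]+)\s*(.*)", line)
        if not m:
            continue
        name, spec = m.group(1).lower(), m.group(2)
        if name == "starlette":
            clauses += parse_clauses(spec)
        elif name == "fastapi":
            fastapi_pin = spec.lstrip("=").strip()  # assumes an exact == pin
    if fastapi_pin in fastapi_ranges:
        clauses += parse_clauses(fastapi_ranges[fastapi_pin])
    return satisfiable(clauses)

# Constructed inputs: the state the first commit left requirements_ci.txt in,
# and the same file with the fastapi bump named in the follow-up commit.
BROKEN = "fastapi==0.115.0\nstarlette>=0.40.0,<0.42.0\n"
FIXED = "fastapi==0.115.4\nstarlette>=0.40.0,<0.42.0\n"
```

Running starlette_resolves over each requirements file in CI before pip is invoked turns a ResolutionImpossible at install time into an explicit, earlier failure with the offending pins named.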