From ac64aeec0750fd452e19192ef686e65f74942965 Mon Sep 17 00:00:00 2001
From: Cayman Roden
Date: Mon, 1 Jun 2026 19:13:37 -0700
Subject: [PATCH 1/2] chore(deps): bump starlette >=0.40.0 (high CVE), streamlit demo >=1.54.0
---
 requirements_ci.txt | 2 +-
 requirements_demo.txt | 2 +-
 requirements_full.txt | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/requirements_ci.txt b/requirements_ci.txt
index 017ff07..d7d4a76 100644
--- a/requirements_ci.txt
+++ b/requirements_ci.txt
@@ -1,7 +1,7 @@
 # CI test job -- lean install, no torch/deepeval (~2 min cold vs ~25 min with requirements_full.txt).
 # Full stack (dev, evals, ML training): requirements_full.txt
 fastapi==0.115.0
-starlette>=0.37.2,<0.39.0
+starlette>=0.40.0,<0.42.0
 uvicorn[standard]==0.30.6
 sqlalchemy[asyncio]==2.0.35
 asyncpg==0.29.0
diff --git a/requirements_demo.txt b/requirements_demo.txt
index e8e2259..4504503 100644
--- a/requirements_demo.txt
+++ b/requirements_demo.txt
@@ -1,6 +1,6 @@
 # Minimal requirements for Streamlit Cloud demo deployment.
 # The full stack requires requirements.txt (includes Tesseract, pgvector, etc.)
 # This file covers only what streamlit_demo.py needs.
-streamlit==1.39.0
+streamlit>=1.54.0
 streamlit-extras>=0.4.0
 plotly==5.24.1
diff --git a/requirements_full.txt b/requirements_full.txt
index d6f7f45..2bc70f9 100644
--- a/requirements_full.txt
+++ b/requirements_full.txt
@@ -1,7 +1,7 @@
 # Full development stack -- includes ML training (deepeval, ragas, langchain) and all optional deps.
 # CI uses requirements_ci.txt (excludes torch). Streamlit Cloud uses requirements.txt.
 fastapi==0.115.0
-starlette>=0.37.2,<0.39.0
+starlette>=0.40.0,<0.42.0
 uvicorn[standard]==0.30.6
 sqlalchemy[asyncio]==2.0.35
 asyncpg==0.29.0
From 057b75905fb4de2be3573abc7d2af531ebb3b715 Mon Sep 17 00:00:00 2001
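Review bot: The new `starlette>=0.40.0,<0.42.0` line in requirements_ci.txt (and the identical line in requirements_full.txt) carries no record that its lower bound is a security floor, so a later dependency cleanup could lower it again without anyone noticing. Add a comment directly above it, for example `# security floor: starlette>=0.40.0 fixes a HIGH-severity advisory (<ADVISORY-ID>); do not lower`, with the advisory id taken from the scanner report. The `<0.42.0` cap also keeps out any starlette security release at or above 0.42 until it is raised, so it should be revisited at the next fastapi bump. Because this is a range and not a pin, the installed version is whatever the resolver picks at build time unless a lock file is used.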
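Review bot: `streamlit>=1.54.0` in requirements_demo.txt replaces an exact pin with an open-ended range, so every rebuild of the demo can pull a newer, unreviewed release, including a future major version. The starlette bump in the same patch stays bounded (`>=0.40.0,<0.42.0`). Either pin the version that was actually tested (`streamlit==<TESTED_VERSION>`) or bound the range, e.g. `streamlit>=1.54.0,<2.0`. The subject line attributes a CVE only to starlette, so a one-line comment stating why the streamlit floor moved would help whoever audits this file next.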
From: Cayman Roden
Date: Tue, 2 Jun 2026 14:40:17 -0700
Subject: [PATCH 2/2] chore(deps): bump fastapi 0.115.0->0.115.4 to admit starlette>=0.40
fastapi==0.115.0 caps starlette<0.39.0, which conflicts with the HIGH-CVE patch (starlette>=0.40.0,<0.42.0) and produced ResolutionImpossible in the docker-build + test CI jobs. 0.115.4 is the first 0.115.x to allow starlette<0.42.0. Verified: `uv pip compile requirements_ci.txt` resolves 188 packages (starlette==0.41.3). CI is the authoritative test gate.
Co-Authored-By: Claude Opus 4.8 (1M context)
---
 requirements_ci.txt | 2 +-
 requirements_full.txt | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/requirements_ci.txt b/requirements_ci.txt
index d7d4a76..bfa3d14 100644
--- a/requirements_ci.txt
+++ b/requirements_ci.txt
@@ -1,6 +1,6 @@
 # CI test job -- lean install, no torch/deepeval (~2 min cold vs ~25 min with requirements_full.txt).
 # Full stack (dev, evals, ML training): requirements_full.txt
-fastapi==0.115.0
+fastapi==0.115.4
 starlette>=0.40.0,<0.42.0
 uvicorn[standard]==0.30.6
 sqlalchemy[asyncio]==2.0.35
diff --git a/requirements_full.txt b/requirements_full.txt
index 2bc70f9..6faa057 100644
--- a/requirements_full.txt
+++ b/requirements_full.txt
@@ -1,6 +1,6 @@
 # Full development stack -- includes ML training (deepeval, ragas, langchain) and all optional deps.
 # CI uses requirements_ci.txt (excludes torch). Streamlit Cloud uses requirements.txt.
-fastapi==0.115.0
+fastapi==0.115.4
 starlette>=0.40.0,<0.42.0
 uvicorn[standard]==0.30.6
 sqlalchemy[asyncio]==2.0.35