Skip to content

chore(deps): security-focused lock refresh (framework pinned, runtime-verified)#15

Merged
sidxz merged 1 commit into
mainfrom
chore/uv-lock-upgrade
Jun 20, 2026
Merged

chore(deps): security-focused lock refresh (framework pinned, runtime-verified)#15
sidxz merged 1 commit into
mainfrom
chore/uv-lock-upgrade

Conversation

@sidxz

@sidxz sidxz commented Jun 18, 2026

Copy link
Copy Markdown
Owner

Refreshes uv.lock to clear dependency advisories, scoped to avoid a web-framework
break found by booting the real service
.

What happened

A blanket uv lock --upgrade pulled fastapi 0.137 + starlette 1.x, whose routing
rework stops setting scope["endpoint"]. That makes AccessLogMiddleware log
http.route="__unmatched__" for every request — silently, because the unit test
uses a small middleware stack that still propagates scope["endpoint"] while the real
8-middleware stack doesn't. Caught only by running the app (TestClient capture of
http.route on the real src.main:app).

Scope (this PR)

  • Upgraded (clear advisories): cryptography 49, pyjwt 2.13, python-multipart 0.0.32, urllib3 2.7, mako 1.3.12
  • Upgraded (runtime-verified safe): redis 8 (TLS ping OK), structlog 26 (log output byte-identical to 25), sqlalchemy 2.0.51, uvicorn 0.49, pydantic 2.13
  • Pinned to the tested 0.13.0 line: fastapi<0.136, starlette<1.0 — neither is a security advisory

Verification (real app, not just CI)

  • ✅ Boots: /health, /.well-known/jwks.json, /auth/providers all 200; migrations run; 0 startup errors
  • ✅ Access-log route templates restored (/auth/providers, /authz/resolve; 404 → __unmatched__)
  • redis-py 8.0.0 → redis 7.4.8 over TLS: PING + SET/GET roundtrip OK
  • ✅ Service tests 227 ✓, SDK tests 92 ✓, ruff clean

Deferred (needs a real starlette 1.x migration)

2 starlette HIGH advisories are only fixed in 1.x and remain:

  • CVE-2026-48818 (SSRF/NTLM via UNC paths) — Windows-specific, N/A on the Linux container
  • CVE-2026-54283 (form-limit bypass) — mitigated by MaxBodySizeMiddleware

Clearing these requires moving to starlette 1.x, which must also make _route_template
version-robust (re-match instead of relying on scope["endpoint"]) + audit other 1.x
behavior changes. Tracked as follow-up.

🤖 Generated with Claude Code

@sidxz sidxz changed the title chore(deps): uv lock --upgrade — clear HIGH advisories in locked deps chore(deps): security-focused lock refresh (framework pinned, runtime-verified) Jun 18, 2026
Full refresh now that the access-log fix (framework-robust _route_template) is on
main, so starlette 1.x is safe. Clears every lockfile HIGH advisory: cryptography
46->49, pyjwt 2.11->2.13, python-multipart 0.0.22->0.0.32, urllib3 2.6->2.7,
mako 1.3.10->1.3.12, and starlette 0.52->1.3 (the SSRF/cred-theft + form-limit
CVEs). Plus redis 8, structlog 26, sqlalchemy 2.0.51, uvicorn 0.49, fastapi 0.138.

Verified: trivy fs exit 0, service tests 230 pass, access-log resolves real route
templates on starlette 1.3.1, redis-py 8 TLS ping OK, app boots clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@sidxz sidxz force-pushed the chore/uv-lock-upgrade branch from 4f5ea87 to 55dbdfb Compare June 20, 2026 13:52
@sidxz sidxz merged commit fdb5a09 into main Jun 20, 2026
5 checks passed
@sidxz sidxz deleted the chore/uv-lock-upgrade branch June 20, 2026 13:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant