
MPT-22633 bump prod deps and add Dependabot config #67

Merged
ffaraone merged 1 commit into main from MPT-22633_bump_deps_add_dependabot on Jun 25, 2026

Conversation

@d3rky (Contributor) commented Jun 25, 2026

🤖 AI-generated PR — Please review carefully.

What

Bump outdated production dependencies and add Dependabot coverage. Resolves MPT-22633.

| Dependency | Before | After |
|---|---|---|
| cryptography | >=46.0.5,<47.0.0 | >=49.0.0,<50.0.0 |
| gunicorn | >=24.1.1,<25.0.0 | >=26.0.0,<27.0.0 |
| rich | >=14.3.3,<15.0.0 | >=15.0.0,<16.0.0 |
| typer | >=0.24.1,<0.25.0 | >=0.26.0,<0.27.0 |
| fastapi[standard] | >=0.131.0,<0.132.0 | >=0.136.3,<0.137.0 ⚠️ |

uv.lock regenerated; new .github/dependabot.yml covering the uv, docker, and github-actions ecosystems (weekly for uv, monthly for docker/actions; prod/dev groups; deps commit prefix).

Why fastapi is capped at <0.137

fastapi 0.137 reworked router.routes into a tree of intermediate objects. fastapi-pagination (0.15.15, latest on PyPI) still iterates the flat route list in add_pagination(), so on 0.137+ the paginated /extensions and /instances endpoints raise UninitializedConfigurationError. fastapi is therefore held at the latest compatible release (0.136.3); lift the cap once a fastapi-pagination release supports 0.137+.

Compatibility review (verified against the code)

  • gunicorn 26 removed the eventlet worker — mrok uses uvicorn workers only. Also brings HTTP request-smuggling (RFC 9112/9110) and HTTP/2 body-duplication security fixes.
  • typer 0.26 vendored Click — no direct click imports in the codebase.
  • rich 15 dropped Python 3.8 — mrok requires Python 3.12+.
  • cryptography 49 removals (SECT* curves, ChaCha20 counter, type aliases) — mrok only uses RSA + standard x509 in mrok/ziti/pki.py.

Testing

  • ruff check / ruff format --check — pass
  • mypy mrok — pass
  • bandit — pass
  • pytest: 431 passed, coverage 99%
  • pre-commit run on changed files — pass
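A `.github/dependabot.yml` that realises the configuration the description above lists (uv weekly, docker and github-actions monthly, prod/dev groups, `deps` commit prefix), written here as an added illustration and not the file from this PR; the `ignore` rule that keeps Dependabot from proposing fastapi 0.137 while the cap is in place is an assumption, not something the PR states.

```yaml
# .github/dependabot.yml (illustrative reconstruction, not the PR's own file)
version: 2
updates:
  # Python dependencies managed by uv: checked weekly, split so that
  # production and development bumps arrive as separate grouped PRs.
  - package-ecosystem: "uv"
    directory: "/"
    schedule:
      interval: "weekly"
    commit-message:
      prefix: "deps"
    groups:
      prod:
        dependency-type: "production"
      dev:
        dependency-type: "development"
    # Assumed, not stated in the PR: fastapi is capped <0.137 until
    # fastapi-pagination supports the new router tree, so skip minor bumps
    # for it and let Dependabot keep proposing patch releases of 0.136.x.
    ignore:
      - dependency-name: "fastapi"
        update-types: ["version-update:semver-minor"]

  # Base images in Dockerfiles: monthly is enough for image tag bumps.
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "monthly"
    commit-message:
      prefix: "deps"

  # Actions referenced in .github/workflows: monthly.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"
    commit-message:
      prefix: "deps"
```

Remove the `ignore` entry in the same change that lifts the `<0.137` cap in `pyproject.toml`, otherwise Dependabot will keep holding fastapi back after the constraint is gone.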

Bump production dependencies to their latest compatible releases and add
Dependabot coverage so future updates surface automatically.

- cryptography 46 -> 49, gunicorn 24 -> 26 (HTTP request-smuggling and
  HTTP/2 body-duplication security fixes), rich 14 -> 15, typer 0.24 -> 0.26.
- fastapi bumped 0.131 -> 0.136.3 but capped <0.137: fastapi 0.137 reworked
  router.routes into a tree, which breaks fastapi-pagination.add_pagination();
  lift the cap once fastapi-pagination supports 0.137+.
- Regenerate uv.lock and add .github/dependabot.yml covering the uv, docker,
  and github-actions ecosystems.

MPT-22633

@ffaraone ffaraone merged commit 9d35609 into main Jun 25, 2026
8 checks passed