fix: widen fastapi constraint for starlette CVE-2025-62727#285
Open
scale-ballen wants to merge 1 commit intomainfrom
Open
fix: widen fastapi constraint for starlette CVE-2025-62727#285scale-ballen wants to merge 1 commit intomainfrom
scale-ballen wants to merge 1 commit intomainfrom
Conversation
The tight `fastapi>=0.115.0,<0.116` pin caps starlette at `<0.47.0`, blocking the fix for CVE-2025-62727 which requires starlette>=0.49.1. Widened to `fastapi>=0.115.0,<0.136`. The SDK only uses stable public APIs (FastAPI, Request, StreamingResponse, BaseHTTPMiddleware, Depends) that are unchanged across these versions. All 501 SDK tests pass. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
scale-ballen
added a commit
to scaleapi/scale-agentex
that referenced
this pull request
Mar 16, 2026
agentex backend: - python-multipart 0.0.12 → 0.0.22 (CVE-2024-53981, CVE-2026-24486) - temporalio 1.18.0 → 1.23.0 (CVE-2026-31812 quinn-proto, pending re-scan) agentex-ui: - next 15.5.9 → 15.5.10 (GHSA-h25m-26qc-wcjf) - minimatch, tar, rollup, flatted transitive deps (13 CVEs via npm audit fix) Remaining: - starlette CVE-2025-62727: blocked on agentex-sdk widening fastapi constraint (scaleapi/scale-agentex-python#285) - libvips x3 + python-3.12: auto-fix on next rebuild against latest Chainguard golden base Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
9 tasks
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
| { name = "ddtrace", specifier = ">=3.13.0" }, | ||
| { name = "distro", specifier = ">=1.7.0,<2" }, | ||
| { name = "fastapi", specifier = ">=0.115.0,<0.116" }, | ||
| { name = "fastapi", specifier = ">=0.115.0,<0.136" }, |
There was a problem hiding this comment.
requirements.lock / requirements-dev.lock not updated
The uv.lock correctly resolves to fastapi 0.135.1 and starlette 0.52.1 (CVE-fixed), but the Rye-generated requirements.lock and requirements-dev.lock files were not regenerated. Both still pin the old, vulnerable versions:
fastapi==0.115.14
starlette==0.46.2 # CVE-2025-62727 unpatched
CONTRIBUTING.md explicitly instructs developers without Rye to bootstrap their environment using:
pip install -r requirements-dev.lockAny developer (or CI job) following that path will still install starlette 0.46.2 and not benefit from the CVE fix. Consider running rye lock / rye sync (or removing the Rye lock files if the project has fully migrated to uv) to bring them in sync with uv.lock.
Prompt To Fix With AI
This is a comment left during a code review.
Path: uv.lock
Line: 83
Comment:
**`requirements.lock` / `requirements-dev.lock` not updated**
The `uv.lock` correctly resolves to `fastapi 0.135.1` and `starlette 0.52.1` (CVE-fixed), but the Rye-generated `requirements.lock` and `requirements-dev.lock` files were not regenerated. Both still pin the old, vulnerable versions:
```
fastapi==0.115.14
starlette==0.46.2 # CVE-2025-62727 unpatched
```
`CONTRIBUTING.md` explicitly instructs developers without Rye to bootstrap their environment using:
```sh
pip install -r requirements-dev.lock
```
Any developer (or CI job) following that path will still install `starlette 0.46.2` and not benefit from the CVE fix. Consider running `rye lock` / `rye sync` (or removing the Rye lock files if the project has fully migrated to `uv`) to bring them in sync with `uv.lock`.
How can I resolve this? If you propose a fix, please make it concise.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
fastapi>=0.115.0,<0.116tofastapi>=0.115.0,<0.136inpyproject.toml>=0.49.1, which fixes CVE-2025-62727 (HIGH severity)Why
The
<0.116constraint was a conservative upper bound, not a compatibility requirement. The SDK uses only stable public FastAPI/Starlette APIs:FastAPIRequestrequest.json(),request.headersStreamingResponseBaseHTTPMiddlewareDependsTest plan
uv lockresolves: fastapi 0.135.1, starlette 0.52.1501 passed, 764 skipped)🤖 Generated with Claude Code
Greptile Summary
This PR widens the
fastapidependency constraint from>=0.115.0,<0.116to>=0.115.0,<0.136inpyproject.tomland regeneratesuv.lockaccordingly, bumping the resolved versions tofastapi 0.135.1andstarlette 0.52.1. The motivation is sound: the old tight upper bound was overly conservative and was blocking downstream consumers (agentex backend) from upgrading starlette to>=0.49.1, which is required to address CVE-2025-62727 (HIGH severity). The SDK's FastAPI surface area is minimal and entirely composed of stable public APIs (FastAPI,Request,StreamingResponse,BaseHTTPMiddleware,Depends), so the wide version range carries very low compatibility risk.Key observations:
uv.lockupdate are correct and well-motivated.uv.lock:annotated-doc 0.0.4andtyping-inspection 0.4.2— both are legitimate FastAPI 0.135.x runtime dependencies and are not security concerns.requirements.lockandrequirements-dev.lockwere not updated. These Rye-generated files still pinfastapi==0.115.14andstarlette==0.46.2(the vulnerable version).CONTRIBUTING.mddirects developers without Rye to usepip install -r requirements-dev.lock, meaning they would not receive the CVE fix. These files should be regenerated (rye lock) or removed/deprecated if the project has fully migrated touv.<0.136ceiling is tight against the latest resolved version (0.135.1). This is fine for now but will require another bump when FastAPI 0.136.0 is released.Confidence Score: 4/5
Important Files Changed
Flowchart
%%{init: {'theme': 'neutral'}}%% flowchart TD A["pyproject.toml\nfastapi >=0.115.0,<0.136"] --> B{Lock tool} B -->|uv lock| C["uv.lock\nfastapi 0.135.1\nstarlette 0.52.1 ✅\nCVE-2025-62727 patched"] B -->|rye lock\n⚠️ NOT RUN| D["requirements.lock\nrequirements-dev.lock\nfastapi 0.115.14\nstarlette 0.46.2 ❌\nCVE-2025-62727 unpatched"] C --> E["uv install\nDevelopers / CI using uv"] D --> F["pip install -r requirements-dev.lock\nDevelopers following CONTRIBUTING.md\nWithout Rye workflow"] E --> G["✅ starlette 0.52.1\nCVE fixed"] F --> H["❌ starlette 0.46.2\nCVE NOT fixed"]Prompt To Fix All With AI
Last reviewed commit: e04bd4f