Inicio Explorar Axuda
Iniciar sesión
yunoadmin
/
bambuddy
réplica de https://github.com/maziggy/bambuddy
1
0
Fork 0
Ficheiros Incidencias 0 Wiki
Explorar o código

chore(deps): floor-pin starlette>=1.0.1 against PYSEC-2026-161

  pip-audit reported starlette 1.0.0 in the dev venv. starlette is
  transitive via fastapi, whose range still admits 1.0.0, so the
  resolver was silently picking the vulnerable build.

  Same floor-pin strategy as the existing idna/urllib3 entries —
  direct pin in requirements.txt with a why-comment so it isn't
  mistaken for an unused line and dropped later.

  Verified clean: pip-audit reports "No known vulnerabilities found"
  after the upgrade (starlette 1.0.0 → 1.1.0 locally).
maziggy hai 3 días
pai
3b9633a178
achega
b9d51ffd80
Modificáronse 1 ficheiros con 5 adicións e 0 borrados
Dividir vista Mostrar estatísticas de Diff
  1. 5 0
      requirements.txt

+ 5 - 0
requirements.txt
Ver ficheiro 

@@ -74,6 +74,11 @@ httpx>=0.26.0
 
 # would silently keep installing the vulnerable 2.6.x line.
 
 urllib3>=2.7.0
 
 
+# Transitive of fastapi. starlette 1.0.0 has PYSEC-2026-161; 1.0.1 is the
 
+# fixed release. fastapi's range still admits 1.0.0 so we pin the floor
 
+# directly to stop the resolver from picking the vulnerable build.
 
+starlette>=1.0.1
 
+
 
 # Plate Detection (optional - enables build plate empty detection)
 
 opencv-python-headless>=4.8.0
 
 numpy>=1.24.0