
chore(deps): floor-pin starlette>=1.0.1 against PYSEC-2026-161

  pip-audit reported starlette 1.0.0 in the dev venv. starlette is
  transitive via fastapi, whose range still admits 1.0.0, so the
  resolver was silently picking the vulnerable build.

  Same floor-pin strategy as the existing idna/urllib3 entries —
  direct pin in requirements.txt with a why-comment so it isn't
  mistaken for an unused line and dropped later.

  Verified clean: pip-audit reports "No known vulnerabilities found"
  after the upgrade (starlette 1.0.0 → 1.1.0 locally).
maziggy, 3 days ago
commit b9d51ffd80
1 changed file with 5 additions and 0 deletions

requirements.txt (+5 -0)

@@ -74,6 +74,11 @@ httpx>=0.26.0
 # would silently keep installing the vulnerable 2.6.x line.
 # would silently keep installing the vulnerable 2.6.x line.
 urllib3>=2.7.0
 urllib3>=2.7.0
 
 
+# Transitive of fastapi. starlette 1.0.0 has PYSEC-2026-161; 1.0.1 is the
+# fixed release. fastapi's range still admits 1.0.0 so we pin the floor
+# directly to stop the resolver from picking the vulnerable build.
+starlette>=1.0.1
+
 # Plate Detection (optional - enables build plate empty detection)
 # Plate Detection (optional - enables build plate empty detection)
 opencv-python-headless>=4.8.0
 opencv-python-headless>=4.8.0
 numpy>=1.24.0
 numpy>=1.24.0
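Review bot: the new `starlette>=1.0.1` floor only does its job while fastapi's own range still admits 1.0.1 or later; if a future fastapi release caps starlette below that, resolution fails loudly instead of silently picking the vulnerable build, which is the right outcome, but the why-comment should say so and state when the pin can be dropped (once fastapi's own floor is at or above 1.0.1), otherwise this line outlives its purpose the same way an unexplained line would. Since the 1.0.0 build was only caught by running pip-audit by hand in a dev venv, consider also running pip-audit in CI so the next transitive regression is caught before merge rather than after.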