deps(pip): bump fastapi from 0.135.2 to 0.135.3 #58

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/pip/fastapi-0.135.3

@dependabot dependabot bot commented on behalf of github Apr 6, 2026

Bumps fastapi from 0.135.2 to 0.135.3.

Release notes

Sourced from fastapi's releases.

0.135.3

Features

Docs

  • ✏️ Fix typo for client_secret in OAuth2 form docstrings. PR #14946 by @bysiber.

Internal

Commits

dependabot bot commented on behalf of github Apr 6, 2026

Labels

The following labels could not be found: dependencies, python. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@jmanzanog
Owner

CI is currently failing because the base workflow runs pip-audit against a transitive vulnerability in curl_cffi 0.13.0 pulled by yfinance==1.2.0, not because of this dependency bump itself.

I opened #60 to unblock the queue by scoping the audit to requirements.txt and temporarily ignoring CVE-2026-33752 until upstream relaxes the yfinance constraint.

@jmanzanog
Owner

CI is failing because of a mechanical blocker unrelated to this bump: pip-audit flags curl_cffi 0.13.0 (CVE-2026-33752), but yfinance==1.2.0 still requires curl_cffi<0.14.

A temporary fix is already open in #60 to unblock these PRs without touching business logic. Once #60 lands in main, this PR should become mergeable with green checks.

@jmanzanog
Owner

Heads-up: #61 now contains a cleaner root-cause fix for this CI failure.

The current failure is still the pip-audit finding on curl_cffi 0.13.0 / CVE-2026-33752, caused by yfinance 1.2.0 constraining curl_cffi<0.14.

PR #61 bumps yfinance to 1.2.1, which allows curl_cffi>=0.15 and should remove the blocker once merged and branches are updated.

Bumps [fastapi](https://github.com/fastapi/fastapi) from 0.135.2 to 0.135.3.
- [Release notes](https://github.com/fastapi/fastapi/releases)
- [Commits](fastapi/fastapi@0.135.2...0.135.3)

---
updated-dependencies:
- dependency-name: fastapi
  dependency-version: 0.135.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/pip/fastapi-0.135.3 branch from cedd7cc to 4b80f36 Compare April 8, 2026 17:39
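
An added example, not part of this PR or the repository's workflow: a CI gate that reads `pip-audit -f json` output and honours a temporary ignore like the one for CVE-2026-33752 only until an expiry date, so the waiver cannot outlive the yfinance constraint unnoticed. The report is constructed, the GHSA id is a placeholder, and the waiver table, its dates and the function names are assumptions.

```python
import json
from datetime import date

# Constructed sample shaped like `pip-audit -f json` output; the GHSA id is a placeholder.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"name": "fastapi", "version": "0.135.3", "vulns": []},
        {"name": "curl_cffi", "version": "0.13.0", "vulns": [
            {"id": "GHSA-xxxx-xxxx-xxxx", "aliases": ["CVE-2026-33752"]},
        ]},
    ]
})

# Hypothetical waiver list: each ignore carries a reason and an expiry date (constructed values).
WAIVERS = {
    "CVE-2026-33752": {
        "reason": "yfinance==1.2.0 requires curl_cffi<0.14",
        "expires": date(2026, 5, 6),
    },
}


def evaluate(report_json, waivers, today):
    """Split findings into (blocking, waived); an expired waiver blocks again."""
    blocking, waived = [], []
    for dep in json.loads(report_json).get("dependencies", []):
        # Skipped dependencies may carry no "vulns" key at all.
        for vuln in dep.get("vulns", []):
            # The primary id may be a GHSA/PYSEC id with the CVE only in aliases.
            ids = {vuln["id"], *vuln.get("aliases", [])}
            finding = (dep["name"], dep["version"], sorted(ids))
            active = [i for i in ids
                      if i in waivers and today <= waivers[i]["expires"]]
            (waived if active else blocking).append(finding)
    return blocking, waived


def gate(report_json, waivers, today):
    """Return a CI exit code: 0 when every finding is covered by a live waiver."""
    blocking, waived = evaluate(report_json, waivers, today)
    for name, version, ids in waived:
        print(f"waived   {name} {version} {ids}")
    for name, version, ids in blocking:
        print(f"BLOCKING {name} {version} {ids}")
    return 1 if blocking else 0


if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_REPORT, WAIVERS, date.today()))
```
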