
Bump fastapi to >=0.136.3 to fix PYSEC-2026-161 #5838

Open: denisephie wants to merge 1 commit into SQLMesh:main from denisephie:bump-fastapi-pysec-2026-161

@denisephie

Bumps the FastAPI pin from ==0.120.1 to >=0.136.3 in both the web and lsp extras to resolve the PYSEC-2026-161 security vulnerability.
The previous exact pin transitively pulled in starlette 0.49.3 which is affected by GHSA-86qp-5c8j-p5mr (missing Host header validation). FastAPI >=0.136.3 allows starlette 1.0.1+ which contains the fix.

Closes #5812

denisephie force-pushed the bump-fastapi-pysec-2026-161 branch from 9479333 to 4814f0b on June 13, 2026 16:48
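
A CI-style check for the situation this PR describes, added here as an example and not part of the PR or the SQLMesh code base: it flags requirement specifiers that cannot resolve to the fixed release, and resolved versions that sit below it. The version floors come from the PR description; the `example-dep` requirement, the function names and the simplified specifier parsing (no `~=`, no pre-releases) are assumptions.

```python
import re

# Fix floors as stated in the PR description above.
FIX_FLOOR = {"fastapi": "0.136.3", "starlette": "1.0.1"}

REQ = re.compile(r"^\s*([A-Za-z0-9_.-]+)(?:\[[^\]]*\])?\s*(.*)$")
CLAUSE = re.compile(r"(==|!=|>=|<=|<|>)\s*(\d+(?:\.\d+)*)")


def vtuple(version, width=4):
    """Turn a plain release version ('0.136.3') into a zero-padded int tuple."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def admits(spec, version):
    """True if every clause of a simple comma-separated specifier accepts version."""
    v = vtuple(version)
    tests = {"==": lambda b: v == b, "!=": lambda b: v != b, ">=": lambda b: v >= b,
             "<=": lambda b: v <= b, "<": lambda b: v < b, ">": lambda b: v > b}
    return all(tests[op](vtuple(bound)) for op, bound in CLAUSE.findall(spec))


def pins_blocking_fix(requirements):
    """Requirement strings whose specifier cannot resolve to the fix floor."""
    blocked = []
    for line in requirements:
        name, spec = REQ.match(line).groups()
        floor = FIX_FLOOR.get(name.lower())
        if floor and not admits(spec, floor):
            blocked.append(line)
    return blocked


def resolved_below_floor(resolved):
    """Packages in a resolved {name: version} set that are older than the fix floor."""
    return sorted(n for n, v in resolved.items()
                  if n in FIX_FLOOR and vtuple(v) < vtuple(FIX_FLOOR[n]))


# Constructed inputs: the fastapi pin before and after this PR (example-dep is
# hypothetical), and the resolved versions the PR description attributes to the old pin.
BEFORE = ["fastapi==0.120.1", "example-dep[extra]>=1.0"]
AFTER = ["fastapi>=0.136.3", "example-dep[extra]>=1.0"]
RESOLVED_BEFORE = {"fastapi": "0.120.1", "starlette": "0.49.3"}

if __name__ == "__main__":
    print("blocking pins before:", pins_blocking_fix(BEFORE))
    print("blocking pins after: ", pins_blocking_fix(AFTER))
    print("below floor before:  ", resolved_below_floor(RESOLVED_BEFORE))
```

The specifier check only shows that a pin no longer blocks the fix; a `>=` range is satisfied by a stale lock file too, so the resolved-version check is the one to run against the actual environment.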