Updates starlette dependency to 0.13.6 due to vulnerability in 0.13.4 by jamesag26 · Pull Request #1759 · fastapi/fastapi · GitHub

Conversation

@jamesag26 (Contributor)

The project has a Starlette dependency of version 0.13.4, which has a directory traversal vulnerability for Windows machines. I was made aware of this through: https://snyk.io/vuln/SNYK-PYTHON-STARLETTE-573266

This upgrade would mostly be for the fix to this vulnerability that was introduced in Starlette 0.13.5. This upgrade would be to version 0.13.6 because version 0.13.6 fixes a breaking change related to how 0.13.5 was initially implemented.

Here is a link to the Starlette issue that was fixed, for more details: Kludex/starlette#981
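A small dependency-pin audit that encodes the version reasoning in the description above, added here as an example; it is not part of the PR or of FastAPI's code base. It assumes, from the PR text, that every Starlette release before 0.13.5 is affected, that 0.13.5 fixes the traversal issue but carries the breaking change, and that 0.13.6 is the target; the requirements text is constructed sample input.

```python
"""Pin audit for the Starlette advisory in this PR (added example, not FastAPI's).
Advisory values come from the PR text: 0.13.4 affected, fixed in 0.13.5, and
0.13.6 recommended because 0.13.5 itself carried a breaking change."""
import re
from typing import Dict, Tuple

# Constructed advisory record; "vulnerable_below" assumes all releases before
# the fixing version are affected, which is what the PR description implies.
ADVISORY = {
    "package": "starlette",
    "vulnerable_below": "0.13.5",
    "recommended": "0.13.6",
    "reference": "https://snyk.io/vuln/SNYK-PYTHON-STARLETTE-573266",
}

# Constructed requirements pins, the input an audit tool would read.
SAMPLE_REQUIREMENTS = "fastapi==0.60.0\nstarlette==0.13.4\npydantic==1.6\n"
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9.]*)\s*$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '0.13.4' into (0, 13, 4); tuples then compare numerically."""
    return tuple(int(part) for part in text.strip(".").split("."))


def classify(package: str, version: str) -> str:
    """Return 'vulnerable', 'fixed-regression', 'ok' or 'not-affected'."""
    if package.lower() != ADVISORY["package"]:
        return "not-affected"
    v = parse_version(version)
    if v < parse_version(ADVISORY["vulnerable_below"]):
        return "vulnerable"
    if v < parse_version(ADVISORY["recommended"]):
        # Traversal bug fixed, but below the release that repaired the fix.
        return "fixed-regression"
    return "ok"


def audit(requirements: str) -> Dict[str, str]:
    """Map each '==' pin in a requirements text to its classification."""
    findings = {}
    for line in requirements.splitlines():
        m = PIN_RE.match(line)
        if m:
            findings[f"{m.group(1)}=={m.group(2)}"] = classify(*m.groups())
    return findings


if __name__ == "__main__":
    for pin, status in audit(SAMPLE_REQUIREMENTS).items():
        print(f"{pin:24} {status}")
```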

@codecov (codecov bot) commented Jul 21, 2020

Codecov Report

Merging #1759 into master will not change coverage.
The diff coverage is n/a.


@@            Coverage Diff            @@
##            master     #1759   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files          235       235           
  Lines         6989      6989           
=========================================
  Hits          6989      6989           

Powered by Codecov. Last update 42f1716...1658ead.

@tiangolo tiangolo merged commit 4170659 into fastapi:master Jul 22, 2020
@tiangolo (Member)

Great, thank you @jamesag26! 🎉 🍰

This is available in FastAPI 0.60.1 🚀
