fix: address Dependabot CVEs — starlette 1.3.1, pyjwt 2.13.0, fastapi 0.137.1 by Otoru · Pull Request #81 · Otoru/Genesis

Otoru · 2026-06-17T12:48:50Z

Summary

Addresses 13 open Dependabot security alerts by bumping three dependencies.

Changes

Package	Before	After	Constraint change
`starlette` (examples)	0.49.3	1.3.1	`>=0.49.1,<0.50.0` → `>=1.3.1`
`fastapi` (main)	0.128.0	0.137.1	`^0.128.0` → `>=0.128.0`
`pyjwt` (main, new explicit dep)	2.12.1	2.13.0	added `>=2.13.0`

FastAPI's ^0.128.0 was silently capping at <0.129.0 in Poetry, blocking the starlette upgrade. FastAPI 0.137.1 removed the starlette upper bound, enabling 1.x.
PyJWT is a transitive dep of redis; adding it explicitly as a direct dep floors the minimum to the patched version.

Alerts resolved

Starlette (7 alerts):

Inbound API Command has no response Reply-Text #28 — Critical: DoS via silently ignored urlencoded form limits
Event body handling #26 — High: SSRF + NTLM credential theft via UNC paths
Potencial Deadlock fix #25 — Medium: Arbitrary HTTP method dispatch via getattr
Inbound sample code is not working #19 — Medium: Host header validation bypass
Migrate project to use poetry #8 — Medium: O(n²) DoS via Range header merging in FileResponse
Create test client to validate behavior of handlers #7 — Medium: DoS via large multipart forms
Welcome to Genesis Discussions! #27 — Low: Unvalidated request path poisons request.url.hostname

PyJWT (6 alerts):

Typing #24 — High: Public-key JWK accepted as HMAC secret (token forgery)
Refactory ESL to unquote content after parsing #10 — High: Accepts unknown crit header extensions
⬆️ Bump black from 22.12.0 to 24.3.0 #23 — Medium: PyJWKClient SSRF via unvalidated URL schemes (file://, ftp://)
Users/vitoru/create cli #22 — Medium: Unauthenticated DoS via Base64URL decoding in detached JWS
🐛 (mod_audio_stream) Change parse logic to suport mod_audio_strem events #21 — Medium: Algorithm allow-list bypass with PyJWK/PyJWKClient
🧑‍💻 (python) Change python version and logging format #20 — Low: Unbounded JWKS endpoint requests via unknown kid values

The remaining ~10 alerts (urllib3, black, idna, pytest, requests, etc.) are already at their patched versions in the lock file and should auto-dismiss once Dependabot re-evaluates.

Notes

Starlette 1.x emits a StarletteDeprecationWarning when httpx is used with starlette.testclient — Starlette now prefers httpx2. This is non-breaking and all 242 tests pass; migrating to httpx2 can be done in a follow-up.

Test plan

poetry run black --check genesis/ tests/ examples/ — clean
poetry run mypy — clean
poetry run pytest tests/ — 242 passed, 0 failed

- fastapi: ^0.128.0 → >=0.128.0, resolves to 0.137.1 (removes starlette upper bound) - starlette (examples): >=0.49.1,<0.50.0 → >=1.3.1, resolves to 1.3.1 - pyjwt: add explicit >=2.13.0 floor (transitive dep from redis), resolves to 2.13.0 Starlette CVEs addressed: DoS via form/multipart/Range, SSRF via UNC paths, host header bypass, path poisoning, getattr dispatch (#7, #8, #19, #25, #26, #27, #28) PyJWT CVEs addressed: token forgery, crit header bypass, SSRF via file:// schemes, DoS via Base64URL decoding, algorithm allow-list bypass, unbounded JWKS requests (#10, #20, #21, #22, #23, #24) All 242 tests pass. black and mypy clean.

Otoru merged commit 12fbd79 into main Jun 17, 2026
11 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

fix: address Dependabot CVEs — starlette 1.3.1, pyjwt 2.13.0, fastapi 0.137.1#81

fix: address Dependabot CVEs — starlette 1.3.1, pyjwt 2.13.0, fastapi 0.137.1#81
Otoru merged 1 commit into
mainfrom
fix/dependabot-starlette-pyjwt

Otoru commented Jun 17, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Uh oh!

Conversation

Otoru commented Jun 17, 2026

Summary

Changes

Alerts resolved

Notes

Test plan

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant