Conversation
Tracks the 2026-05-06 post-v0.5.0 sweep of Dependabot and code-scanning alerts (14 dependency alerts, 13 code-scanning warnings at the time). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
62 open Dependabot alerts (1 critical litellm auth bypass, 15 high) vs 14 at the original 2026-05-06 sweep. Priority raised to high; approach and acceptance criteria updated to the grouped-by-package view. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Targeted uv lock upgrade closing 61 of 62 open Dependabot alerts: litellm 1.91.2 (critical auth bypass), pyjwt 2.13.0, starlette 1.3.1 (fastapi 0.139.0), transformers 5.3.0, urllib3 2.7.0, cryptography 49.0.0, Mako 1.3.12, python-multipart 0.0.32, soupsieve 2.8.4, aiohttp 3.14.1, pypdf 6.14.2, idna 3.18, onnx 1.22.0, pydantic-settings 2.14.2, python-dotenv 1.2.2, Pygments 2.20.0. torch (low) has no patched release yet and stays open. Full unit suite green (636 passed) with a clean env. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Closes the 12 actions/missing-workflow-permissions code-scanning alerts. contents: read at workflow level; detect-changes additionally gets pull-requests: read for dorny/paths-filter on PR events. Changelog entry for the DEBT-024 sweep included. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Hardens POST /admin/login against py/cookie-injection (code-scanning alert #1): tokens must match the urlsafe-base64 charset of generated API keys before key-store lookup, so header-unsafe characters can never reach the Set-Cookie value. The flow was already safe in practice (only key-store-validated admin tokens were echoed into the cookie), this makes the bound explicit and testable. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
PR #80 review feedback: - Gemini (comment 3564172639, medium): strip surrounding whitespace from pasted tokens before format validation and key-store lookup; new test covers the pasted-with-whitespace case. - CodeRabbit (review 4677816114, nitpick): the malformed-token test now asserts lookup_by_token is never called, matching its name. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…mentator starlette-prometheus 0.10 (latest, unmaintained) is incompatible with starlette >= 1.0: get_path_template does route.path on _IncludedRouter, which no longer has that attribute, so every request through the middleware failed with AttributeError (500). Caught by the integration job on PR #80; unit tests do not exercise the app-level middleware. prometheus-fastapi-instrumentator 8.0.2 declares starlette >=1.0,<2.0. Metric names change (http_* families with templated handler labels); nothing in-repo referenced the old starlette_* names. ARCH-014 and CONTEXT.md updated, mypy override for the old package dropped. Verified on the local Docker stack: /metrics 200 with per-handler metrics, authenticated admin request 200 through the full middleware chain. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
- DEBT-024 security sweep: uv.lock re-lock closes 61/62 open Dependabot alerts (litellm critical auth bypass, pyjwt, starlette, transformers RCE, aiohttp x21, pypdf x9) - Minimal permissions blocks on all GitHub workflows (12 code-scanning alerts) - Admin login hardening: token charset guard + whitespace strip (py/cookie-injection) - /metrics migrated to prometheus-fastapi-instrumentator (starlette 1.x compatibility) Reviews: 2/2 addressed (Gemini 1, CodeRabbit 1) Tests: 638 unit passed, integration + NFR gates green Refs: DEBT-024
…ectory with 9 updates Updates the requirements on [alembic](https://github.com/sqlalchemy/alembic), [pyyaml](https://github.com/yaml/pyyaml), [testcontainers](https://github.com/testcontainers/testcontainers-python), [pytest](https://github.com/pytest-dev/pytest), [pytest-asyncio](https://github.com/pytest-dev/pytest-asyncio), [pytest-cov](https://github.com/pytest-dev/pytest-cov), [ruff](https://github.com/astral-sh/ruff), [mypy](https://github.com/python/mypy) and [import-linter](https://github.com/seddonym/import-linter) to permit the latest version. Updates `alembic` to 1.18.5 - [Release notes](https://github.com/sqlalchemy/alembic/releases) - [Changelog](https://github.com/sqlalchemy/alembic/blob/main/CHANGES) - [Commits](https://github.com/sqlalchemy/alembic/commits) Updates `pyyaml` to 6.0.3 - [Release notes](https://github.com/yaml/pyyaml/releases) - [Changelog](https://github.com/yaml/pyyaml/blob/6.0.3/CHANGES) - [Commits](yaml/pyyaml@6.0...6.0.3) Updates `testcontainers` to 4.14.2 - [Release notes](https://github.com/testcontainers/testcontainers-python/releases) - [Changelog](https://github.com/testcontainers/testcontainers-python/blob/main/CHANGELOG.md) - [Commits](testcontainers/testcontainers-python@testcontainers-v4.8.0...testcontainers-v4.14.2) Updates `pytest` to 9.1.1 - [Release notes](https://github.com/pytest-dev/pytest/releases) - [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst) - [Commits](pytest-dev/pytest@9.0.3...9.1.1) Updates `pytest-asyncio` to 1.4.0 - [Release notes](https://github.com/pytest-dev/pytest-asyncio/releases) - [Commits](pytest-dev/pytest-asyncio@v0.24.0...v1.4.0) Updates `pytest-cov` to 7.1.0 - [Changelog](https://github.com/pytest-dev/pytest-cov/blob/master/CHANGELOG.rst) - [Commits](pytest-dev/pytest-cov@v5.0.0...v7.1.0) Updates `ruff` to 0.15.21 - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](astral-sh/ruff@0.15.0...0.15.21) Updates `mypy` to 2.2.0 - [Changelog](https://github.com/python/mypy/blob/master/CHANGELOG.md) - [Commits](python/mypy@v1.13.0...v2.2.0) Updates `import-linter` to 2.13 - [Changelog](https://github.com/seddonym/import-linter/blob/main/docs/release_notes.md) - [Commits](seddonym/import-linter@v2.7...v2.13) --- updated-dependencies: - dependency-name: alembic dependency-version: 1.18.4 dependency-type: direct:development dependency-group: development-dependencies - dependency-name: import-linter dependency-version: '2.11' dependency-type: direct:development dependency-group: development-dependencies - dependency-name: mypy dependency-version: 2.1.0 dependency-type: direct:development dependency-group: development-dependencies - dependency-name: pytest dependency-version: 9.1.0 dependency-type: direct:development dependency-group: development-dependencies - dependency-name: pytest-asyncio dependency-version: 1.4.0 dependency-type: direct:development dependency-group: development-dependencies - dependency-name: pytest-cov dependency-version: 7.1.0 dependency-type: direct:development dependency-group: development-dependencies - dependency-name: pyyaml dependency-version: 6.0.3 dependency-type: direct:development dependency-group: development-dependencies - dependency-name: ruff dependency-version: 0.15.17 dependency-type: direct:development dependency-group: development-dependencies - dependency-name: testcontainers dependency-version: 4.14.2 dependency-type: direct:development dependency-group: development-dependencies ... Signed-off-by: dependabot[bot] <support@github.com>
…ment-dependencies-9b5c4575c9 chore(deps-dev): Bump the development-dependencies group across 1 directory with 9 updates
Bumps [actions/checkout](https://github.com/actions/checkout) from 6 to 7. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v6...v7) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '7' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
…lop/actions/checkout-7 chore(deps): Bump actions/checkout from 6 to 7
Bumps [dorny/paths-filter](https://github.com/dorny/paths-filter) from 3 to 4. - [Release notes](https://github.com/dorny/paths-filter/releases) - [Changelog](https://github.com/dorny/paths-filter/blob/master/CHANGELOG.md) - [Commits](dorny/paths-filter@v3...v4) --- updated-dependencies: - dependency-name: dorny/paths-filter dependency-version: '4' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
…lop/dorny/paths-filter-4 chore(deps): Bump dorny/paths-filter from 3 to 4
Reconcile the esbuild security bump (PR #77) that Dependabot recreated against main (default branch) instead of develop. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
- Bump version 0.5.0 -> 0.5.1 across 8 components - Promote CHANGELOG entry from [Unreleased] to [0.5.1] - 2026-07-12 - Refresh uv.lock for the version change - BACKLOG: DEBT-024 completed (resolution notes), new DEBT-025 (isolate unit tests from local .env) - Reconcile esbuild 0.28 bump from main (PR #77 landed on the default branch) Prepares the develop -> main release PR for v0.5.1 (security hardening: DEBT-024 sweep). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
- Version bump 0.5.0 -> 0.5.1 across 8 components - CHANGELOG promoted to [0.5.1] - 2026-07-12 - BACKLOG: DEBT-024 completed, DEBT-025 added - esbuild 0.28 bump reconciled from main Tests: 638 unit passed, lint green, widget build green Refs: DEBT-024
|
Warning Review limit reached
Next review available in: 41 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: ⛔ Files ignored due to path filters (5)
📒 Files selected for processing (18)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Code Review
This pull request updates the project to version 0.5.1, focusing on security hardening and dependency updates. Key changes include replacing the unmaintained starlette-prometheus package with prometheus-fastapi-instrumentator for serving metrics, and hardening the admin login endpoint to prevent cookie injection by validating tokens against a urlsafe-base64 regex. The reviewer suggested extending the Prometheus instrumentator configuration to exclude health checks and documentation endpoints, which prevents internal polling traffic from polluting latency metrics.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
Tracks the Gemini suggestion on PR #82 (exclude health/docs endpoints from request metrics) as deferred low-priority debt. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
What
v0.5.1 release: security hardening. Promotes develop to main.
Details
permissions:blocks on all workflows (12 code-scanning alerts); admin login hardening closing thepy/cookie-injectionalert./metricsmoved from starlette-prometheus (unmaintained, broken by starlette 1.x) to prometheus-fastapi-instrumentator (ARCH-014 updated).The remaining open Dependabot alert (torch, low) has no patched release; tracked in DEBT-024 resolution notes.
Testing
After merge
Tag
v0.5.1on the merge commit. No back-merge needed: the only main-side commit (esbuild bump #77) was reconciled into develop by PR #81.🤖 Generated with Claude Code