Vendoring starlette@0.33.0 #11956
A recent security vulnerability was identified in [`starlette` versions below 0.36.2](GHSA-93gm-qmq6-w238). We can't upgrade our version of `starlette` at the current time, because it's not compatible with our vendored version of `fastapi`. However, the change in starlette is simply to set a lower-bound on `python-multipart`, so that's included here as well. However, I'm still vendoring `starlette` because our upper bound pin is preventing other users from upgrading their dependencies.

Once our deprecation period for `pydantic<2` has passed, we can drop both vendored libraries and go back to the public versions.

Note that I'm removing `black` from our pre-commit config, because we are using `ruff` exclusively. `black` had some trouble with formatting these files from `starlette`, which made me realize it shouldn't be in play anymore.

Fixes #11719
Do all the internal references need to change to avoid things like:
or we just need to change how we install it
Sorry, I did a last-minute tweak to the vendoring script and mistakenly botched the import fixes :D Just pushed a fixed version up
- id: ruff | ||
language_version: python3 | ||
args: [--fix, --exit-non-zero-on-fix, --show-fixes] |
ruff format is pretty great imo if we're nixing black
- id: ruff | |
language_version: python3 | |
args: [--fix, --exit-non-zero-on-fix, --show-fixes] | |
- id: ruff-format | |
- id: ruff | |
language_version: python3 | |
args: [--fix, --exit-non-zero-on-fix, --show-fixes] |
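Review bot: the only hook visible in these lines is the `ruff` linter (`--fix`, `--exit-non-zero-on-fix`, `--show-fixes`), so with `black` dropped from the pre-commit config nothing here enforces formatting on commit. Adding `- id: ruff-format` directly after the `ruff` hook, as in the suggested block, restores a formatter; keep it in that order so that anything rewritten by `--fix` is formatted afterwards. It is also worth confirming whether the vendored `starlette` files that `black` had trouble with should be excluded from the formatter hook, so the vendored copy stays easy to diff against upstream.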