
Security: Update dependencies to fix CVE vulnerabilities#554

Merged
vprashrex merged 3 commits into main from fix/security-cve-updates
Jan 28, 2026

Conversation


@vprashrex vprashrex commented Jan 22, 2026

Target Issue: #560

  • Update fastapi[standard] to >=0.116.0
  • Update sentry-sdk[fastapi] to >=2.20.0 (major version upgrade)
  • Migrate dev-dependencies from deprecated [tool.uv] to [dependency-groups]

CVEs addressed:

Verified with pip-audit: 0 vulnerabilities found.

Summary

Target issue is #PLEASE_TYPE_ISSUE_NUMBER
Explain the motivation for making this change. What existing problem does the pull request solve?

Checklist

Before submitting a pull request, please ensure that you mark these tasks.

  • Ran fastapi run --reload app/main.py or docker compose up in the repository root and tested.
  • If you've fixed a bug or added code that is tested and has test cases.

Notes

Please add here if any other information is required for the reviewer.


 kaapi-backend % uv run pip-audit
No known vulnerabilities found

Summary by CodeRabbit

  • Chores
    • Relaxed version constraints for core web framework, file upload handling, and error monitoring to permit newer releases.
    • Expanded the public dependency list to include modern libraries for web, templating, email, HTTP, database, and AI integrations.


- Update fastapi[standard] to >=0.116.0
- Update sentry-sdk[fastapi] to >=2.20.0 (major version upgrade)
- Migrate dev-dependencies from deprecated [tool.uv] to [dependency-groups]

CVEs addressed:
- CVE-2025-66418, CVE-2025-66471, CVE-2026-21441 (urllib3)
- CVE-2025-69223 to CVE-2025-69230 (aiohttp)
- CVE-2025-54121, CVE-2025-62727 (starlette)
- CVE-2025-66221, CVE-2026-21860 (werkzeug)
- CVE-2025-68146, CVE-2026-22701 (filelock)

Verified with pip-audit: 0 vulnerabilities found.
@coderabbitai
Copy link

coderabbitai bot commented Jan 22, 2026

📝 Walkthrough

Walkthrough

The PR updates backend/pyproject.toml: relaxes several dependency version upper bounds (notably fastapi[standard]), adjusts python-multipart constraint, raises the minimum for sentry-sdk[fastapi], and expands the main dependency list with additional packages. Lines changed: +3/-3.

Changes

Cohort / File(s): Dependency & configuration (backend/pyproject.toml)
Summary: Removed upper bound for fastapi[standard] (now >=0.116.0); adjusted python-multipart constraint (now >=0.0.22,<1.0.0); raised sentry-sdk[fastapi] minimum (now >=2.20.0); expanded main dependency list (e.g., pydantic>2.0, emails, jinja2, alembic, httpx, psycopg[binary], sqlmodel, openai, etc.).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰
I hopped through toml with a curious twitch,
Loosened the bounds with a nimble switch.
New packages scattered like crumbs on the ground,
I sniff and I nibble — dependencies found.

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The PR title 'Security: Update dependencies to fix CVE vulnerabilities' directly and clearly describes the main purpose of the changeset: updating dependencies to address security vulnerabilities.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🤖 Fix all issues with AI agents
In `@backend/pyproject.toml`:
- Line 22: The dependency bump to "sentry-sdk[fastapi]>=2.20.0" introduces
breaking changes — search for usages of the removed config keys and deprecated
Hub/scope APIs and update them: replace any client init options using
with_locals with include_local_variables and request_bodies with
max_request_body_size; replace calls to configure_scope() / push_scope() with
the new get_isolation_scope(), get_current_scope(), or new_scope() helpers where
appropriate; if FastAPI middleware spans are required, instantiate
FastApiIntegration(middleware_spans=True) when creating the Sentry integration;
and verify any self-hosted Sentry endpoint expectations (envelope endpoint
/envelope) and minimum server version. After making these changes (look for
symbols like Sentry.init, configure_scope, push_scope, FastApiIntegration), run
a FastAPI startup smoke test to confirm request/error reporting works.
- Around line 41-42: CI is pinning the 'uv' tool to 0.4.15 while the project now
uses [dependency-groups] in pyproject.toml, which requires uv >= 0.4.27 for PEP
735 support; update the uv version constraint in the CI workflow
(continuous_integration.yml) to at least 0.4.27 (preferably a newer stable
release) so dev dependencies (pytest, mypy, ruff, coverage) are installed
correctly when the [dependency-groups] section is used.

"bcrypt==4.0.1",
"pydantic-settings<3.0.0,>=2.2.1",
"sentry-sdk[fastapi]<2.0.0,>=1.40.6",
"sentry-sdk[fastapi]>=2.20.0",
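Review bot: The replacement constraint `"sentry-sdk[fastapi]>=2.20.0"` drops the upper bound that the removed line carried (`<2.0.0`), so the next major release (3.x) would be pulled in unreviewed on a fresh resolve; consider `"sentry-sdk[fastapi]>=2.20.0,<3.0.0"`, matching the bounded style of `"pydantic-settings<3.0.0,>=2.2.1"` on the line above.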

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

Sentry SDK Python 2.x migration guide breaking changes

💡 Result:

Key breaking changes when migrating Sentry’s Python SDK from 1.x → 2.x (the official migration guide is here) [1]:

  • Python 2 is not supported anymore: sentry-sdk 2.x requires Python ≥ 3.6 (so Python 2.7 must stay on sentry-sdk 1.x). [1], [2]
  • Config option removals/renames:
    • with_locals removed → use include_local_variables
    • request_bodies removed → use max_request_body_size [1], [2]
  • Profiling options are no longer “experimental”:
    • Stop setting profiles_sample_rate / profiler_mode via _experiments; set them as top-level init options. [1]
  • Scopes/Hub API direction changed:
    • Hub-based APIs and some scope-manager patterns (e.g., configure_scope(), push_scope()) are deprecated in favor of global / isolation / current scopes and helpers like new_scope() / isolation_scope() / get_current_scope() / get_isolation_scope(). [1], [2]
  • Transport / ingestion changes:
    • Events are sent via the /envelope endpoint; self-hosted Sentry must be ≥ 20.6.0. [1], [2]
    • Custom transports: Transport.capture_event is deprecated → use Transport.capture_envelope (and transports should be Transport subclasses). [1]
  • API changes:
    • before_emit_metric callback signature changed to include (key, value, unit, tags). [1]
    • last_event_id() was removed in 2.0.0 (and later brought back in 2.2.0). [1], [2]

Sources: official Sentry docs migration guide [1] and the 2.0.0 release notes summary [2].


🌐 Web query:

Sentry SDK FastAPI integration 2.x compatibility changes

💡 Result:

Key 2.x changes that can affect FastAPI / Starlette users of sentry-sdk:

  • Runtime / backend compatibility

    • Python support: sentry-sdk 2.0 requires Python ≥ 3.6 (older Python must stay on 1.x). [1]
    • Self-hosted Sentry: sentry-sdk 2.0 requires Sentry ≥ v20.6.0 (SDK switched to sending via the /envelope endpoint). [1]
  • Scope / context propagation changes (important for request-scoped data)

    • Hub-based APIs and some scope helpers (e.g., configure_scope(), push_scope()) are deprecated in 2.x in favor of global / isolation / current scopes (use get_isolation_scope(), get_current_scope(), new_scope(), isolation_scope(), etc.). This can matter if you were manually managing per-request tags/user/context in FastAPI middleware or dependencies. [1]
  • FastAPI/Starlette integration behavior changes

    • (2.48.0) Middleware spans disabled by default for Django, Starlette, and FastAPI integrations. If you relied on per-middleware spans for performance analysis, you must re-enable them: FastApiIntegration(middleware_spans=True) / StarletteIntegration(middleware_spans=True). [2]
    • (2.5.0) New integration option failed_request_status_codes lets you control which HTTP response codes generate Sentry events (default is 5xx). Example: [3]

```python
import sentry_sdk
from sentry_sdk.integrations.starlette import StarletteIntegration
from sentry_sdk.integrations.fastapi import FastApiIntegration

# Report 403 responses and every 5xx response as Sentry events
sentry_sdk.init(
    integrations=[
        StarletteIntegration(failed_request_status_codes=[403, range(500, 599)]),
        FastApiIntegration(failed_request_status_codes=[403, range(500, 599)]),
    ]
)
```

Address Sentry SDK 2.x breaking changes before merging.

This major version bump introduces several breaking changes confirmed by the official migration guide:

  • Config options removed: with_locals → include_local_variables, request_bodies → max_request_body_size
  • Deprecated APIs: Hub-based patterns (configure_scope(), push_scope()) replaced with get_isolation_scope(), get_current_scope(), new_scope()
  • FastAPI-specific: Middleware spans disabled by default in 2.48.0+; re-enable with FastApiIntegration(middleware_spans=True) if needed
  • Infrastructure requirement: Self-hosted Sentry must be ≥ v20.6.0 (SDK now sends via /envelope endpoint)

Audit the codebase for removed config options and deprecated scope/Hub APIs, then run a startup smoke test with FastAPI to confirm request handling and error reporting work as expected.

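The audit the comment above asks for can be done statically before the bump lands. The following is an added example, not code from the PR or from CodeRabbit: a stdlib-only scanner that parses Python sources with `ast` and reports the removed `sentry_sdk.init()` options and the deprecated Hub-era scope helpers named in the migration notes, with the replacement for each. The sample module it scans is constructed here and is not kaapi-backend code.

```python
import ast  # stdlib only: static audit of sentry-sdk 1.x usages before the 2.x bump

# init() keyword options removed in 2.x, mapped to their 2.x replacements
REMOVED_INIT_OPTIONS = {
    "with_locals": "include_local_variables",
    "request_bodies": "max_request_body_size",
}
# Hub-era scope helpers deprecated in 2.x, mapped to the new scope helpers
DEPRECATED_CALLS = {
    "configure_scope": "get_isolation_scope() / get_current_scope()",
    "push_scope": "new_scope() / isolation_scope()",
}

def _sentry_call_name(node: ast.Call) -> str:
    """Return <name> for calls of the form sentry_sdk.<name>(...), else ''."""
    func = node.func
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        if func.value.id == "sentry_sdk":
            return func.attr
    return ""

def audit_source(source: str) -> list:
    """Return findings as {line, symbol, fix} dicts, ordered by line number."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _sentry_call_name(node)
        if name == "init":
            for kw in node.keywords:
                if kw.arg in REMOVED_INIT_OPTIONS:
                    findings.append({"line": node.lineno, "symbol": kw.arg,
                                     "fix": REMOVED_INIT_OPTIONS[kw.arg]})
        elif name in DEPRECATED_CALLS:
            findings.append({"line": node.lineno, "symbol": name,
                             "fix": DEPRECATED_CALLS[name]})
    return sorted(findings, key=lambda f: f["line"])

# Constructed sample mimicking a 1.x-era FastAPI app module (not real project code)
SAMPLE = '''import sentry_sdk
sentry_sdk.init(dsn="https://public@example.invalid/1", with_locals=False, request_bodies="medium")

def tag_request(request_id):
    with sentry_sdk.configure_scope() as scope:
        scope.set_tag("request_id", request_id)
'''

if __name__ == "__main__":
    for finding in audit_source(SAMPLE):
        print(f"line {finding['line']}: {finding['symbol']} -> use {finding['fix']}")
```

Run it over `backend/app` (for example via `pathlib.Path.rglob("*.py")`) to get a file-by-file list of call sites to fix before the startup smoke test.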

Comment on lines 41 to 42
[dependency-groups]
dev = [
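Review bot: `[dependency-groups]` is PEP 735 syntax that only newer installers understand, and the summary above reports CI pinning uv 0.4.15 while this section needs uv >= 0.4.27; either bump the uv pin in continuous_integration.yml in this same PR or keep the `[tool.uv]` dev-dependencies block until CI is updated, otherwise the `dev = [` group (pytest, mypy, ruff, coverage) is silently skipped and the test job runs against an incomplete environment.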

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

cat backend/pyproject.toml

Repository: ProjectTech4DevAI/kaapi-backend

Length of output: 2270


🏁 Script executed:

# Search for CI and build configuration files
find . -type f \( -name ".github" -o -name ".gitlab-ci.yml" -o -name "*.yml" -o -name "*.yaml" \) | head -20
git ls-files | grep -E "(\.github|\.gitlab-ci|\.circleci|tox\.ini|Makefile|scripts)" | head -20

Repository: ProjectTech4DevAI/kaapi-backend

Length of output: 993


🏁 Script executed:

# Search for dependency installation commands
rg -i "pip\s+install|uv\s+(?:pip|sync|install)|hatch|dependency-groups" --type-list | head -5
rg -i "pip\s+install|uv\s+(?:pip|sync|install)" -A 2 -B 2

Repository: ProjectTech4DevAI/kaapi-backend

Length of output: 830


🏁 Script executed:

# Check for uv.lock and tool configuration
fd -e "uv.lock" -o -e "pyproject.toml" -o -e "requirements*.txt" | head -20
rg -n "tool\.uv|tool\.hatch|tool\.pip" backend/pyproject.toml -A 5

Repository: ProjectTech4DevAI/kaapi-backend

Length of output: 191


🌐 Web query:

PEP 735 dependency groups support: which versions of pip, uv, hatch, poetry support [dependency-groups]?

💡 Result:

PEP 735 ([dependency-groups]) support by tool/version:

  • pip: pip 25.1+ (released 2025-04-26) adds pip install --group … support for PEP 735 dependency groups. [1][2]
  • uv: uv supports PEP 735 [dependency-groups] for development dependencies / groups; this support exists at least as far back as uv 0.4.27. [3][4]
  • Hatch: Hatch 1.16+ supports consuming [dependency-groups] via environment dependency-groups = [...]. [5]
  • Poetry: Poetry 2.2.0+ supports defining dependency groups using PEP 735 [dependency-groups]. [6]

Sources:
[1] https://discuss.python.org/t/announcement-pip-25-1-release/89702
[2] https://ichard26.github.io/blog/2025/04/whats-new-in-pip-25.1/
[3] https://docs.astral.sh/uv/concepts/projects/dependencies/
[4] dependabot/dependabot-core#10847
[5] https://hatch.pypa.io/1.16/config/environment/advanced/
[6] https://python-poetry.org/blog/announcing-poetry-2.2.0/


🏁 Script executed:

# Check for uv version constraints
fd -e "uv.lock" -o -e ".python-version" | xargs cat 2>/dev/null || echo "Files not found"
rg "uv" backend/pyproject.toml -i

Repository: ProjectTech4DevAI/kaapi-backend

Length of output: 191


🏁 Script executed:

# Check CI workflows for dev dependency handling
cat .github/workflows/continuous_integration.yml

Repository: ProjectTech4DevAI/kaapi-backend

Length of output: 2032


🏁 Script executed:

# Check the other CD workflows
cat .github/workflows/cd-staging.yml | head -50

Repository: ProjectTech4DevAI/kaapi-backend

Length of output: 1354


🌐 Web query:

Does uv sync automatically include [dependency-groups] dev dependencies or does it require --group flag?

💡 Result:

uv sync includes the [dependency-groups].dev group automatically by default—you do not need --group dev. (docs.astral.sh)

If you want other dependency groups (e.g. lint, docs, typing), you must either:

  • add them explicitly: uv sync --group lint (repeatable), or
  • install all groups: uv sync --all-groups, or
  • configure defaults in pyproject.toml via tool.uv.default-groups (default is ["dev"]). (docs.astral.sh)

Citations:


Upgrade uv to 0.4.27+ in CI to ensure [dependency-groups] support.

Line 41–42 switches dev deps to [dependency-groups], but CI pins uv 0.4.15 (continuous_integration.yml). PEP 735 dependency-groups support in uv is confirmed from 0.4.27 onwards, so your current version may not properly install dev dependencies like pytest, mypy, ruff, and coverage. Update the uv version constraint in CI workflows to at least 0.4.27 (or a newer stable release).


…versal vulnerability in file uploads. Also reverted to tool.uv.dev-dependencies format to fix CI test execution issues.
@codecov

codecov bot commented Jan 27, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


@vprashrex vprashrex self-assigned this Jan 27, 2026
@vprashrex vprashrex added ready-for-review security Security-related changes addressing vulnerabilities. dependencies Pull requests that update a dependency file labels Jan 27, 2026
@vprashrex vprashrex linked an issue Jan 27, 2026 that may be closed by this pull request
@vprashrex vprashrex removed this from Kaapi-dev Jan 27, 2026
@vprashrex vprashrex removed the security Security-related changes addressing vulnerabilities. label Jan 27, 2026
@vprashrex vprashrex merged commit f454c68 into main Jan 28, 2026
3 checks passed
@vprashrex vprashrex deleted the fix/security-cve-updates branch January 28, 2026 06:25

Labels

dependencies Pull requests that update a dependency file ready-for-review

Development

Successfully merging this pull request may close these issues.

Security: Upgrade dependencies to address multiple CVEs

3 participants