
fix: updating fastapi

Susie Lin requested to merge fixing-cve-issues into main

Scans were showing the following CVE issues

Library              │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version
fastapi (METADATA)   │ CVE-2024-24762 │ HIGH     │ fixed  │ 0.95.2            │ 0.109.1
starlette (METADATA) │                │          │        │ 0.27.0            │ 0.36.2

This is the version update that will fix the issue

For awareness, when migrating to the newer version of FastAPI to bypass the CVE issues, it was discovered that the library update included an update to the use of Pydantic V2, and this introduced breaking changes to this service, specifically for the query parameter filter, because the structure of the string is {columnname}:{op}:{num}. When the FastAPI model attempts to parse this with Pydantic V2, Pydantic throws an error that the input is not a valid string. In order to bypass this breaking change, I explicitly set the version of Pydantic for the project to 1.10, which is still an acceptable version for the new FastAPI library.

This open github issue seems related: https://github.com/tiangolo/fastapi/issues/11251

Edited by Susie Lin
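The filter string described in the MR ({columnname}:{op}:{num}) can be validated in plain Python, independent of which Pydantic major version the service ends up on. The following is an added example, not the service's own code and not from the FastAPI project: it declares the query parameter as a plain string and does the structural and allowlist checks itself, so the behaviour is identical under Pydantic 1.10 and 2.x. The column names and operators in the allowlists are assumptions for illustration; the real service's values are not on this page.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Hypothetical allowlists (assumption: the service's real columns and
# operators are not listed in the MR). Rejecting anything outside them keeps a
# user-supplied filter from naming arbitrary columns or operators.
ALLOWED_COLUMNS = frozenset({"id", "price", "quantity"})
ALLOWED_OPS = frozenset({"eq", "ne", "lt", "le", "gt", "ge"})

# Strict shape {columnname}:{op}:{num}: exactly two ':' separators, no
# surrounding whitespace, and a numeric last field (optional sign/decimal).
_FILTER_RE = re.compile(
    r"^(?P<column>[A-Za-z_][A-Za-z0-9_]*):(?P<op>[a-z]{2}):(?P<num>-?\d+(?:\.\d+)?)$"
)


@dataclass(frozen=True)
class Filter:
    column: str
    op: str
    num: float


def parse_filter(raw: object) -> Filter:
    """Parse one filter string into a Filter, raising ValueError on any deviation.

    The route handler is expected to declare the parameter as a plain `str`
    (e.g. `filter: str = Query(...)`) and call this function itself, so no
    Pydantic model is involved in interpreting the colon-separated structure.
    """
    if not isinstance(raw, str):
        raise ValueError("filter must be a string")
    m = _FILTER_RE.fullmatch(raw)
    if m is None:
        raise ValueError(f"filter must look like column:op:num, got {raw!r}")
    column, op, num = m.group("column"), m.group("op"), m.group("num")
    if column not in ALLOWED_COLUMNS:
        raise ValueError(f"unknown column {column!r}")
    if op not in ALLOWED_OPS:
        raise ValueError(f"unsupported operator {op!r}")
    return Filter(column=column, op=op, num=float(num))


def parse_filters(raw_filters: Iterable[object]) -> List[Filter]:
    """Parse a repeated ?filter= parameter; any bad element rejects the request."""
    return [parse_filter(f) for f in raw_filters]


if __name__ == "__main__":
    # Constructed sample input, the kind of values a client would send.
    for sample in ["price:gt:10", "quantity:le:-3.5", "price:gt:10:extra", "drop_table:eq:1"]:
        try:
            print(sample, "->", parse_filter(sample))
        except ValueError as exc:
            print(sample, "-> rejected:", exc)
```

Because the parsing happens after FastAPI has handed over an ordinary string, the version pin on Pydantic becomes a separate decision from the filter format: the service can move to Pydantic 2.x later without the filter parameter being the blocker, and every rejected filter produces a single, explicit ValueError that the handler can turn into a 422 response.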
