
0.71.1

br3ndonland tagged this 13 Nov 20:53
### Changes

**Update to `pypa/gh-action-pypi-publish` 1.11**
(eaa41e3b06729e34f8439879a65e72f8aacbce09)

After this update,
[PEP 740 attestations](https://peps.python.org/pep-0740/)
will be added automatically when publishing packages to PyPI.
This release will also switch to referencing the action by the exact
commit ID (Git SHA) for stability and security.

For background on the updated OIDC Trusted Publishing workflow, see
[br3ndonland/inboard@59ec546](https://github.com/br3ndonland/inboard/commit/59ec546),
[br3ndonland/inboard@08044c6](https://github.com/br3ndonland/inboard/commit/08044c6),
[pypa/gh-action-pypi-publish@v1.11.0](https://github.com/pypa/gh-action-pypi-publish/releases/tag/v1.11.0),
and the [PyPI docs](https://docs.pypi.org/trusted-publishers/).

**Update to FastAPI 0.115.5 and Starlette 0.41**
(1bde85a8387820b5ae8635fec73d5093d2517096)

This release will update to
[FastAPI 0.115.5](https://fastapi.tiangolo.com/release-notes/)
and
[Starlette 0.41](https://www.starlette.io/release-notes/). inboard was
already on FastAPI 0.115, so this is a patch release to align with
FastAPI versioning.

FastAPI 0.115.3 updated Starlette to `"starlette>=0.40.0,<0.42.0"`.
Changes to Starlette between 0.39 and 0.41 include a fix for a DoS
(Denial of Service) security vulnerability released in Starlette 0.40.0
([GHSA-f96h-pmfr-66vw](https://github.com/encode/starlette/security/advisories/GHSA-f96h-pmfr-66vw)).

FastAPI has been repeatedly updating the minor version of Starlette in
patch releases of FastAPI. Previously, inboard pinned FastAPI to the
minor version (like `"fastapi>=0.115,<0.116"`), allowing patch version
updates whenever the inboard project was installed. Unfortunately, this
can result in version incompatibilities when a FastAPI patch release
unexpectedly updates the Starlette minor version, as happened here. For
example, the inboard `pyproject.toml` previously specified
`"fastapi>=0.115,<0.116"` and `"starlette>=0.37.2,<0.39.0"`. With the
release of FastAPI 0.115.3, which requires Starlette 0.40 or later,
those two version specifiers became incompatible.

It would be simpler if FastAPI released a minor version each time it
updated the minor version of Starlette. As a stopgap, this release will
pin the FastAPI version exactly (`"fastapi==0.115.5"`) so the versions
of FastAPI and Starlette do not become unexpectedly incompatible. This
of course means inboard will need to provide updates to FastAPI more
frequently (for patch releases instead of for minor releases). As
usual, the lack of attention to release practices in the open source
community means more maintenance work for the inboard maintainer.
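The specifier conflict described above can be caught before an install fails by checking whether any release satisfies both pins at once. This is an added example, not inboard's code: it uses a minimal parser for the comparison operators these pins use instead of the `packaging` library, the list of Starlette releases is a constructed sample, and the `>=0.41,<0.42` pin for the corrected state is an assumption.

```python
"""Check whether two version pins for the same package can be satisfied at
once, e.g. FastAPI's Starlette requirement against inboard's own Starlette pin.
Added example (not inboard's code); handles >=, >, <=, <, ==, != only."""
import operator
import re

_OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq,
        "!=": operator.ne, ">": operator.gt, "<": operator.lt}
_REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*?)\s*$")
_CLAUSE = re.compile(r"^\s*(>=|<=|==|!=|>|<)\s*([0-9]+(?:\.[0-9]+)*)\s*$")

def parse_version(text):
    """'0.115.3' -> (0, 115, 3); release segments only (no pre/post/dev)."""
    return tuple(int(part) for part in text.split("."))

def _padded(a, b):
    """Right-pad with zeros so 0.115 and 0.115.0 compare equal."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)), b + (0,) * (width - len(b))

def parse_requirement(req):
    """'starlette>=0.40.0,<0.42.0' -> ('starlette', [(ge, (0,40,0)), (lt, (0,42,0))])."""
    name, spec = _REQ.match(req).groups()
    clauses = []
    for part in filter(None, spec.split(",")):
        m = _CLAUSE.match(part)
        if m is None:
            raise ValueError(f"unsupported specifier clause: {part!r}")
        clauses.append((_OPS[m.group(1)], parse_version(m.group(2))))
    return name.lower(), clauses

def satisfies(version, clauses):
    """True if `version` meets every clause of a parsed specifier."""
    v = parse_version(version)
    return all(op(*_padded(v, bound)) for op, bound in clauses)

def common_versions(req_a, req_b, candidates):
    """Candidates satisfying both requirements; empty means the pins conflict."""
    name_a, clauses_a = parse_requirement(req_a)
    name_b, clauses_b = parse_requirement(req_b)
    if name_a != name_b:
        raise ValueError(f"different packages: {name_a!r} vs {name_b!r}")
    return [c for c in candidates if satisfies(c, clauses_a) and satisfies(c, clauses_b)]

# Constructed sample of Starlette release versions (not the full list on PyPI).
STARLETTE_RELEASES = ["0.37.2", "0.38.0", "0.39.0", "0.39.2", "0.40.0", "0.41.0"]
FASTAPI_0_115_3_STARLETTE = "starlette>=0.40.0,<0.42.0"  # FastAPI 0.115.3's requirement
INBOARD_OLD_STARLETTE_PIN = "starlette>=0.37.2,<0.39.0"  # inboard's earlier pin
```

Running `common_versions(FASTAPI_0_115_3_STARLETTE, INBOARD_OLD_STARLETTE_PIN, STARLETTE_RELEASES)` returns an empty list, which is exactly the conflict the release note describes; with a pin that follows FastAPI's Starlette range, the list is non-empty.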

### Commits

- Bump version from 0.71.0 to 0.71.1 (1a123f7)
- Align Prettier versions (461ca62)
- Update to `pypa/gh-action-pypi-publish` 1.11 (eaa41e3)
- Update to Hatch 1.13.0 and Hatchling 1.26 (d846eba)
- Update to Ruff 0.7 (317e7f9)
- Update to `mypy==1.13.0` (49181da)
- Update to FastAPI 0.115.5 and Starlette 0.41 (1bde85a)
- Update changelog for version 0.71.0 (#112) (351f19c)