Security + install: cryptography 49, dependabot hardening, first-run message #1212

Merged: jaylfc merged 8 commits into master from dev on Jun 20, 2026
Conversation

jaylfc (Owner) commented Jun 20, 2026

Promotes the dependabot security pass + install-message fix to master.

Clears the master advisory count from 3 (the cryptography HIGH) and stops dependabot re-proposing the breaking bumps. Crypto bump green on #1211 (app + 420 crypto/auth tests pass).

Summary by CodeRabbit

  • Documentation
    • Improved installer with clearer first-run instructions for admin account creation and password requirements.

dependabot Bot and others added 7 commits June 20, 2026 14:50
Bumps [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv) from 6 to 7.
- [Release notes](https://github.com/astral-sh/setup-uv/releases)
- [Commits](astral-sh/setup-uv@v6...v7)

---
updated-dependencies:
- dependency-name: astral-sh/setup-uv
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
…ral-sh/setup-uv-7

chore(deps): bump astral-sh/setup-uv from 6 to 7
fastapi 0.137 regressed include_router (#903) and pyproject pins <0.137, but
dependabot kept proposing the cap-raise (#994). Heavy UI-lib majors (tldraw
4->5, lucide-react 0->1, tsparticles 3->4) break the SPA build (#993) and need
deliberate migration (#75), not an auto-merge. Ignore both so dependabot only
proposes safe minor/patch bumps going forward.
…sories

cryptography 49.0.0 ships patched OpenSSL wheels (clears the HIGH advisory);
pydantic-settings 2.14.2 fixes the NestedSecretsSettingsSource symlink follow.
app create_app() + 420 crypto/auth/secret tests pass.
fix(deps): cryptography 49 + pydantic-settings (clear 2 advisories)
…fault password)

A Discord user asked for the 'default password'. There is none -- the first
visit shows a setup page to create an admin account. The installer's closing
message now says so, pointing them to the Web UI to set up their account.

github-actions bot commented

👋 Thanks for the PR! This one targets master, which is our
stable branch (it's what live installs track). Please retarget it to
dev — click Edit next to the PR title and change the base
branch dropdown from master to dev. Your commits and any review
carry over, nothing is lost.

See CONTRIBUTING.md for the branch model.

coderabbitai bot commented Jun 20, 2026

Review failed: the pull request is closed.

📥 Commits

Reviewing files that changed from the base of the PR and between 740afdd and 9c501f3.

⛔ Files ignored due to path filters (1)
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (4)
  • .github/dependabot.yml
  • .github/workflows/ci.yml
  • docs/STATUS.md
  • scripts/install-server.sh

Walkthrough

Updates .github/dependabot.yml to pin out fastapi >= 0.137 and block semver-major npm bumps for desktop SPA dependencies. Bumps astral-sh/setup-uv from v6 to v7 in CI test and lint jobs. Appends first-run admin account instructions to the installer success output. Rolls forward the status doc timestamp.

Dependency management, CI, and installer updates

  • Dependabot ignore rules and setup-uv v7 bump (.github/dependabot.yml, .github/workflows/ci.yml): Adds a fastapi ignore rule blocking versions >= 0.137 with regression comments, adds an npm ignore rule skipping semver-major updates for all desktop SPA packages, and upgrades astral-sh/setup-uv from @v6 to @v7 in both the test and lint CI jobs.
  • Installer first-run messaging and status doc update (scripts/install-server.sh, docs/STATUS.md): Appends four lines to the installer completion summary directing users to open the Web UI to create an initial admin account and stating there is no default password. Updates the status doc with a new 2026-06-20 ~20:25 UTC timestamp and beta.4.1 release notes.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~4 minutes

Poem

🐇 Hippity-hop, the config is clean,
FastAPI pinned so no regressions are seen!
Major npm bumps? Not on my watch today,
uv gets a v7 to brighten CI's day.
"No default password!" the installer now cries —
A rabbit's small fixes, perfectly wise. 🌸

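The two dependabot ignore rules the walkthrough describes, written out in dependabot.yml syntax as an added example. This is not the repository's own .github/dependabot.yml; the package-ecosystem values, directories and schedule are assumptions, while the fastapi cap and the semver-major rule follow the commit message above.

```yaml
# Added example, not the repository's file. Ecosystems, directories and the
# weekly schedule are assumptions; the two ignore rules mirror the PR.
version: 2
updates:
  # Python backend: minor/patch bumps still arrive, but the fastapi >= 0.137
  # cap-raise (regression tracked in #903, pyproject pins < 0.137) is never
  # proposed again.
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
    ignore:
      - dependency-name: "fastapi"
        versions: [">=0.137"]

  # Desktop SPA: block semver-major bumps for every npm package, so heavy
  # UI-library majors (tldraw 4->5, lucide-react 0->1, tsparticles 3->4) wait
  # for a deliberate migration instead of an auto-proposed PR that breaks the
  # SPA build. Minors and patches are still proposed.
  - package-ecosystem: "npm"
    directory: "/desktop"
    schedule:
      interval: "weekly"
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]

  # CI actions: nothing ignored, so bumps like setup-uv v6 -> v7 keep coming.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

Note that neither rule matches cryptography or pydantic-settings, so advisory-driven bumps like the ones in this PR still reach the repository.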

gitar-bot bot commented Jun 20, 2026


Code Review ✅ Approved

Security dependency upgrades for cryptography and pydantic-settings resolve active advisories, while configuration updates prevent regression on breaking npm packages. Install messaging now correctly directs users to create an admin account on first run.


@jaylfc jaylfc merged commit bee4341 into master Jun 20, 2026
11 of 13 checks passed