Skip to content

Security + install: cryptography 49, dependabot hardening, first-run message#1212

Merged
jaylfc merged 8 commits into
masterfrom
dev
Jun 20, 2026
Merged

Security + install: cryptography 49, dependabot hardening, first-run message#1212
jaylfc merged 8 commits into
masterfrom
dev

Conversation

@jaylfc

@jaylfc jaylfc commented Jun 20, 2026
edited by coderabbitai Bot
Loading

Copy link
Copy Markdown
Owner

Promotes the dependabot security pass + install-message fix to master.

Clears the master advisory count from 3 (the cryptography HIGH) and stops dependabot re-proposing the breaking bumps. Crypto bump green on #1211 (app + 420 crypto/auth tests pass).

Summary by CodeRabbit

  • Documentation
    • Improved installer with clearer first-run instructions for admin account creation and password requirements.

dependabot Bot and others added 7 commits June 20, 2026 14:50
@dependabot
chore(deps): bump astral-sh/setup-uv from 6 to 7
588521c 
Bumps [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv) from 6 to 7.
- [Release notes](https://github.com/astral-sh/setup-uv/releases)
- [Commits](astral-sh/setup-uv@v6...v7)

---
updated-dependencies:
- dependency-name: astral-sh/setup-uv
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@jaylfc
Merge pull request #991 from jaylfc/dependabot/github_actions/dev/ast…
61c9bb2 
…ral-sh/setup-uv-7

chore(deps): bump astral-sh/setup-uv from 6 to 7
@jaylfc
ci(dependabot): ignore fastapi >=0.137 + npm major bumps
5cb7fb5 
fastapi 0.137 regressed include_router (#903) and pyproject pins <0.137, but
dependabot kept proposing the cap-raise (#994). Heavy UI-lib majors (tldraw
4->5, lucide-react 0->1, tsparticles 3->4) break the SPA build (#993) and need
deliberate migration (#75), not an auto-merge. Ignore both so dependabot only
proposes safe minor/patch bumps going forward.
@jaylfc
fix(deps): bump cryptography 48->49 + pydantic-settings to clear advi…
db4ad56 
…sories

cryptography 49.0.0 ships patched OpenSSL wheels (clears the HIGH advisory);
pydantic-settings 2.14.2 fixes the NestedSecretsSettingsSource symlink follow.
app create_app() + 420 crypto/auth/secret tests pass.
@jaylfc
Merge pull request #1211 from jaylfc/fix/sec-crypto-bump
8f0b08e 
fix(deps): cryptography 49 + pydantic-settings (clear 2 advisories)
@jaylfc
install: tell users to create their admin account on first run (no de…
a67b4a8 
…fault password)

A Discord user asked for the 'default password'. There is none -- the first
visit shows a setup page to create an admin account. The installer's closing
message now says so, pointing them to the Web UI to set up their account.
@jaylfc
docs(status): beta.4.1 shipped + dependabot security pass (14->3 advi…
745d061 
…sories)
@qodo-code-review

qodo-code-review Bot commented Jun 20, 2026

Copy link
Copy Markdown

Qodo reviews are paused for this user.

Troubleshooting steps vary by plan Learn more →

On a Teams plan?
Reviews resume once this user has a paid seat and their Git account is linked in Qodo.
Link Git account →

Using GitHub Enterprise Server, GitLab Self-Managed, or Bitbucket Data Center?
These require an Enterprise plan - Contact us
Contact us →

@github-actions

github-actions Bot commented Jun 20, 2026

Copy link
Copy Markdown

👋 Thanks for the PR! This one targets master, which is our
stable branch (it's what live installs track). Please retarget it to
dev — click Edit next to the PR title and change the base
branch dropdown from master to dev. Your commits and any review
carry over, nothing is lost.

See CONTRIBUTING.md for the branch model.

@coderabbitai

coderabbitai Bot commented Jun 20, 2026
edited
Loading

Copy link
Copy Markdown

Review Change Stack

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 4a6e7b76-b905-4dda-b73c-646385694263

📥 Commits

Reviewing files that changed from the base of the PR and between 740afdd and 9c501f3.

⛔ Files ignored due to path filters (1)
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (4)
  • .github/dependabot.yml
  • .github/workflows/ci.yml
  • docs/STATUS.md
  • scripts/install-server.sh
📝 Walkthrough

Walkthrough

Updates .github/dependabot.yml to pin out fastapi >= 0.137 and block semver-major npm bumps for desktop SPA dependencies. Bumps astral-sh/setup-uv from v6 to v7 in CI test and lint jobs. Appends first-run admin account instructions to the installer success output. Rolls forward the status doc timestamp.

Dependency management, CI, and installer updates

Layer / File(s) Summary
Dependabot ignore rules and setup-uv v7 bump
.github/dependabot.yml, .github/workflows/ci.yml		 Adds a fastapi ignore rule blocking versions >= 0.137 with regression comments, adds an npm ignore rule skipping semver-major updates for all desktop SPA packages, and upgrades astral-sh/setup-uv from @v6 to @v7 in both the test and lint CI jobs.
Installer first-run messaging and status doc update
scripts/install-server.sh, docs/STATUS.md		 Appends four lines to the installer completion summary directing users to open the Web UI to create an initial admin account and stating there is no default password. Updates the status doc with a new 2026-06-20 ~20:25 UTC timestamp and beta.4.1 release notes.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~4 minutes

Poem

🐇 Hippity-hop, the config is clean,
FastAPI pinned so no regressions are seen!
Major npm bumps? Not on my watch today,
uv gets a v7 to brighten CI's day.
"No default password!" the installer now cries —
A rabbit's small fixes, perfectly wise. 🌸

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch dev

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@gitar-bot

gitar-bot Bot commented Jun 20, 2026
edited
Loading

Copy link
Copy Markdown

Note

Your trial team has used its Gitar budget, so automatic reviews are paused. Upgrade now to unlock full capacity. Comment "Gitar review" to trigger a review manually.
Learn more about usage limits

Code Review ✅ Approved

Security dependency upgrades for cryptography and pydantic-settings resolve active advisories, while configuration updates prevent regression on breaking npm packages. Install messaging now correctly directs users to create an admin account on first run.

Options

Display: compact → Showing less information.

Comment with these commands to change:

Compact 
gitar display:verbose

Important

Your trial ends in 6 days — upgrade now to keep code review, CI analysis, auto-apply, custom automations, and more.

Was this helpful? React with 👍 / 👎 | Gitar

@jaylfc jaylfc merged commit bee4341 into master Jun 20, 2026
11 of 13 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jaylfc