diff --git a/Repo-docs-audits-2026-07-09-dependency-audit.-.md b/Repo-docs-audits-2026-07-09-dependency-audit.-.md index ff69079..916109e 100644 --- a/Repo-docs-audits-2026-07-09-dependency-audit.-.md +++ b/Repo-docs-audits-2026-07-09-dependency-audit.-.md @@ -1,4 +1,4 @@ - + > Mirrored from `/mnt/DATA/git/govoplan-core/docs/audits/2026-07-09-dependency-audit.md`. > Origin: `repository`. @@ -69,7 +69,10 @@ Notes: - `pip-audit` still reports private GovOPlaN packages as skipped because they are not published on PyPI. That is expected for editable local development installs. -- FastAPI 0.139 emits deprecation warnings for `fastapi.testclient` importing - Starlette's `TestClient` with `httpx`; this is not a vulnerability and does - not fail current tests. Track separately if the test client should move to - `httpx2`. +- `httpx2>=2.5,<3` is included in development requirements so Starlette's + `TestClient` uses the non-deprecated backend. `httpx==0.28.1` remains in dev + requirements for tests that mock connector HTTP responses directly. +- Split-module API routers now use Starlette's renamed + `HTTP_422_UNPROCESSABLE_CONTENT` status constant. This preserves the 422 + status code while avoiding the deprecated `HTTP_422_UNPROCESSABLE_ENTITY` + alias.