Sync Repo-docs-audits-2026-07-09-dependency-audit from project files

2026-07-09 13:51:20 +02:00
parent 8c7ffa0773
commit fe405234ea

@@ -1,4 +1,4 @@
<!-- codex-wiki-sync:e4c82de96ff1812cee740957 --> <!-- codex-wiki-sync:576ede02ac9fec1bc104f3eb -->
> Mirrored from `/mnt/DATA/git/govoplan-core/docs/audits/2026-07-09-dependency-audit.md`. > Mirrored from `/mnt/DATA/git/govoplan-core/docs/audits/2026-07-09-dependency-audit.md`.
> Origin: `repository`. > Origin: `repository`.
@@ -69,7 +69,10 @@ Notes:
- `pip-audit` still reports private GovOPlaN packages as skipped because they - `pip-audit` still reports private GovOPlaN packages as skipped because they
are not published on PyPI. That is expected for editable local development are not published on PyPI. That is expected for editable local development
installs. installs.
- FastAPI 0.139 emits deprecation warnings for `fastapi.testclient` importing - `httpx2>=2.5,<3` is included in development requirements so Starlette's
Starlette's `TestClient` with `httpx`; this is not a vulnerability and does `TestClient` uses the non-deprecated backend. `httpx==0.28.1` remains in dev
not fail current tests. Track separately if the test client should move to requirements for tests that mock connector HTTP responses directly.
`httpx2`. - Split-module API routers now use Starlette's renamed
`HTTP_422_UNPROCESSABLE_CONTENT` status constant. This preserves the 422
status code while avoiding the deprecated `HTTP_422_UNPROCESSABLE_ENTITY`
alias.