Sync Repo-docs-audits-2026-07-09-dependency-audit from project files

2026-07-09 13:51:20 +02:00
parent 8c7ffa0773
commit fe405234ea

@@ -1,4 +1,4 @@
<!-- codex-wiki-sync:e4c82de96ff1812cee740957 -->
<!-- codex-wiki-sync:576ede02ac9fec1bc104f3eb -->
> Mirrored from `/mnt/DATA/git/govoplan-core/docs/audits/2026-07-09-dependency-audit.md`.
> Origin: `repository`.
@@ -69,7 +69,10 @@ Notes:
- `pip-audit` still reports private GovOPlaN packages as skipped because they
are not published on PyPI. That is expected for editable local development
installs.
- FastAPI 0.139 emits deprecation warnings for `fastapi.testclient` importing
Starlette's `TestClient` with `httpx`; this is not a vulnerability and does
not fail current tests. Track separately if the test client should move to
`httpx2`.
- `httpx2>=2.5,<3` is included in development requirements so Starlette's
`TestClient` uses the non-deprecated backend. `httpx==0.28.1` remains in dev
requirements for tests that mock connector HTTP responses directly.
- Split-module API routers now use Starlette's renamed
`HTTP_422_UNPROCESSABLE_CONTENT` status constant. This preserves the 422
status code while avoiding the deprecated `HTTP_422_UNPROCESSABLE_ENTITY`
alias.