Skip to content

Update dependency fastapi to v0.139.0#302

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/fastapi-0.x
Open

Update dependency fastapi to v0.139.0#302
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/fastapi-0.x

Conversation

@renovate

@renovate renovate Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
fastapi (changelog) ==0.111.0==0.139.0 age confidence

Release Notes

fastapi/fastapi (fastapi)

v0.139.0

Compare Source

Features
  • ✨ Support dependencies in app.frontend(), e.g. for automatic cookie authentication for the frontend. PR #​15908 by @​tiangolo.
Translations
Internal

v0.138.2

Compare Source

Refactors
  • ♻️ Make app.frontend() return 404 for methods other than GET or HEAD with no static file matches. PR #​15863 by @​tiangolo.
Internal

v0.138.1

Compare Source

Refactors
Internal

v0.138.0

Compare Source

Features
  • ✨ Add support for app.frontend("/", directory="dist") and router.frontend("/", directory="dist"). PR #​15800 by @​tiangolo.
Docs
Translations
Internal

v0.137.2

Compare Source

Features
  • ✨ Add iter_route_contexts() for advanced use cases that used to use router.routes (e.g. Jupyverse). PR #​15785 by @​tiangolo.
Translations
Internal

v0.137.1

Compare Source

Fixes

v0.137.0

Compare Source

Breaking Changes

Unblocks ✨ SO MANY THINGS ✨

Before this, router.include_router(other_router) would take each path operation from other_router and "clone" it, or recreate it from scratch.

This would mean that in the end there was only one top level router, part of the app.

The way it is structured here is that there are a few additional classes to handle intermediate metadata for router and route inclusion. That way the information of "router X includes Y and Y includes Z" is stored somewhere, without affecting (recreating / clonning) the final route.

Non Objectives

Dependencies for 404: previously I intended to support dependencies that would be executed even for 404, but that would conflict with the fact that a router could not find a match, but the next router did find a match. Executing dependencies in the router that did not find a match would not make sense, they could consume the request, body, etc. This original idea was discarded.

Specific Breaking Changes

Now router.routes is no longer a plain list of APIRoute objects, it can contain these intermediate objects that can contain additional routers, forming a tree.

Any logic that depended on iterating on the router.routes directly would be affected, that logic cannot expect to be able to extract data from a plain list of routes, as it's no longer a plain list but a tree.

Additionally, any logic that iterated on router.routes to modify them would now also see these new objects, and would not see all the routes in the app.

router.routes should be considered an internal implementation detail, only passed around to the FastAPI functions that need it.

Features
  • Adding routes (path operations) after a router is included now works, they are reflected as they are not copied.
  • Including subrouter in mainrouter can be done before adding routes (path operations) to subrouter, because now the the entire object is stored instead of copying the routes.
  • As routes are not copied, in some cases that might save some memory.
Alpha Features

This is not documented yet, so it's not officially supported yet and could change in the future.

But, as APIRoute and APIRouter instances are now preserved, they could be customized.

APIRouter has two new methods, .matches() and .handle(), counterpart to the existing ones in APIRoute. With this a router could customize how it matches and handles requests. For example, it could match only requests that include some specific header, for example for handling versions in headers.

Still, for now, consider this very experimental and potentially changing and breaking in the future.

Future Features Enabled
  • Custom APIRoute subclasses (undocumented, but alraedy works as desccribed above)
  • Custom APIRouter subclasses (undocumented, but already works as described above)
  • Dependencies per router
  • Exception handlers per router
  • Middleware per router
  • Other features planned
Docs
Translations
Internal

v0.136.3

Compare Source

Refactors
  • ♻️ Do not accept underscore headers when using convert_underscores=True (the default). PR #​15589 by @​tiangolo.

v0.136.1

Compare Source

Upgrades
Internal

v0.136.0

Compare Source

Upgrades

v0.135.4

Compare Source

Refactors
Internal

v0.135.3

Compare Source

Features
Docs
Internal

v0.135.2

Compare Source

Upgrades
Docs
Translations
Internal

v0.135.1

Compare Source

Fixes
  • 🐛 Fix, avoid yield from a TaskGroup, only as an async context manager, closed in the request async exit stack. PR #​15038 by @​tiangolo.
Docs
Internal

v0.135.0

Compare Source

Features

v0.134.0

Compare Source

Features
  • ✨ Add support for streaming JSON Lines and binary data with yield. PR #​15022 by @​tiangolo.
    • This also upgrades Starlette from >=0.40.0 to >=0.46.0, as it's needed to properly unrwap and re-raise exceptions from exception groups.
    • New docs: Stream JSON Lines.
    • And new docs: Stream Data.
Docs
Internal

v0.133.1

Compare Source

Features
Internal

v0.133.0

Compare Source

v0.132.1

Compare Source

Refactors
Internal

v0.132.0

Compare Source

Breaking Changes
  • 🔒️ Add strict_content_type checking for JSON requests. PR #​14978 by @​tiangolo.
    • Now FastAPI checks, by default, that JSON requests have a Content-Type header with a valid JSON value, like application/json, and rejects requests that don't.
    • If the clients for your app don't send a valid Content-Type header you can disable this with strict_content_type=False.
    • Check the new docs: Strict Content-Type Checking.
Internal

v0.131.0

[Compare Source](https://re

Note

PR body was truncated to here.


Configuration

📅 Schedule: (in timezone UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@claude claude Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Large 28-minor-version bump (0.111.0 → 0.139.0) with several documented breaking changes; worth a human confirming CI is green and the release notes were skimmed.

Extended reasoning...

Overview

Single-line change to template/server/requirements.txt, bumping fastapi==0.111.0 to fastapi==0.139.0. This is the sandbox server template — the FastAPI app in template/server/main.py that runs inside every E2B code-interpreter sandbox and exposes /execute, /contexts, /health endpoints consumed by the JS and Python SDKs.

Security risks

No direct security risk from the change itself. The version range does include a security-flavored change (v0.132.0 strict Content-Type checking) that hardens JSON parsing by default; both SDK clients already send Content-Type: application/json on POSTs, so this should be a net improvement rather than a regression.

Level of scrutiny

Elevated. A Renovate one-line bump is normally trivially approvable, but jumping 28 minor versions crosses several documented breaking changes: v0.132.0 (strict_content_type), v0.134.0 (Starlette bumped to >=0.46.0), v0.136.3 (no more underscore headers with convert_underscores=True), v0.137.0 (router.routes is no longer a flat list). The template code is straightforward standard FastAPI, so I don't see a concrete break, but the runtime blast radius is high — this ships to every sandbox.

Other factors

No bugs surfaced by the bug hunting system. No prior reviewer comments. No test exercise of this template file in the diff. Given the small textual change but high downstream impact, I'd rather a human confirm CI and eyeball the changelog than shadow-approve.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants