
chore(deps): bump fastmcp from 3.2.0 to 3.2.4#543

Merged
gkorland merged 1 commit into staging from dependabot/uv/staging/fastmcp-3.2.4
Apr 21, 2026

Conversation


@dependabot dependabot bot commented on behalf of github Apr 19, 2026

Bumps fastmcp from 3.2.0 to 3.2.4.

Release notes

Sourced from fastmcp's releases.

v3.2.4: Patch Me If You Can

A grab bag of fixes, hardening, and polish.

The headline behavior change: background tasks are now scoped to the authorization context rather than the MCP session, so a task kicked off by an authenticated user survives session churn and stays tied to who started it. This is a breaking change for anyone relying on the old session-scoped semantics.

Security got three meaningful upgrades. FileUpload now validates actual decoded base64 size instead of trusting the client-reported number, so an attacker can't claim "10 bytes" and deliver 10MB. The proxy client stops forwarding inbound HTTP headers to unrelated remote servers — previously a header meant for server A could leak to server B. And AuthKit now auto-binds token audience to the resource URL per RFC 8707, closing a token-reuse gap across MCP resources.

Schema handling had a rough-edges pass. json_schema_to_type no longer crashes on Python keywords, boolean schemas, empty enums, or name collisions, and we added a 232K-schema crash test from APIs.guru to keep it honest. Gemini 2.5 Flash compatibility is fixed by stripping title fields the model rejects. Parameter descriptions are now extracted from docstrings automatically, so your tool signatures document themselves.

Plus a Keycloak OAuth provider for enterprise auth, improvements to ctx.elicit() (new response_title/response_description, deprecation warning when called without response_type), and dozens of smaller fixes across transforms, retry middleware, resource templates, and client disconnect handling.

What's Changed

Breaking Changes ⚠️

Enhancements ✨

Security 🔒

Fixes 🐞

... (truncated)

Commits
  • 7d76074 Stop pydantic 2.13 from leaking _WrappedResult docstring into tool output sch...
  • b732a4a Overhaul apps docs (#3915)
  • 5c2ff1b chore: Update SDK documentation (#3914)
  • f4f2ec0 Deprecate ctx.elicit() without response_type (#3916)
  • 338b80c chore(deps): bump the uv group across 2 directories with 1 update (#3913)
  • 110cd3a Add response_title and response_description to ctx.elicit() (#3912)
  • 3117846 chore: Update SDK documentation (#3909)
  • 031c7e0 Fix RetryMiddleware not retrying tool errors (#3858)
  • 200d79e Enable PERF and T20 ruff rules (#3845)
  • 82f310f AuthKit: auto-bind token audience to resource URL (RFC 8707) (#3905)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [fastmcp](https://github.com/PrefectHQ/fastmcp) from 3.2.0 to 3.2.4.
- [Release notes](https://github.com/PrefectHQ/fastmcp/releases)
- [Changelog](https://github.com/PrefectHQ/fastmcp/blob/main/docs/changelog.mdx)
- [Commits](PrefectHQ/fastmcp@v3.2.0...v3.2.4)

---
updated-dependencies:
- dependency-name: fastmcp
  dependency-version: 3.2.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels Apr 19, 2026
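An added example (not fastmcp's own FileUpload code) contrasting the weak check the release notes describe, trusting the client-reported size, with validation against the actual decoded base64 size; the payload field names `size` and `data`, the 1024-byte cap and the sample payloads are constructed for this illustration.

```python
"""Validate an upload by its real decoded size, not the client's claim."""
import base64
import binascii

# Constructed cap for this example; a real service picks its own limit.
MAX_UPLOAD_BYTES = 1024


class UploadRejected(ValueError):
    """Raised when an upload fails size or encoding checks."""


def decoded_size_upper_bound(encoded: str) -> int:
    """Decoded length of padded base64, computed without decoding.

    Every 4 characters carry 3 bytes; each trailing '=' removes one byte.
    Cheap enough to run before allocating the decoded buffer.
    """
    padding = len(encoded) - len(encoded.rstrip("="))
    return (len(encoded) * 3) // 4 - padding


def accept_upload_trusting_client(payload: dict, limit: int = MAX_UPLOAD_BYTES) -> bytes:
    """The weak pattern: enforce the limit on the client-reported 'size'.

    A client can declare size=10 and ship kilobytes of base64; the check
    passes and the full decode happens anyway. Non-validating b64decode also
    silently drops characters outside the alphabet.
    """
    if payload["size"] > limit:
        raise UploadRejected("declared size exceeds limit")
    return base64.b64decode(payload["data"])


def accept_upload_validated(payload: dict, limit: int = MAX_UPLOAD_BYTES) -> bytes:
    """The hardened pattern: bound, decode strictly, then measure.

    1. Reject before decoding if the encoded length alone implies too much.
    2. Decode with validate=True so stray characters are an error.
    3. Enforce the limit on the bytes actually produced, and treat a
       client 'size' that disagrees with reality as a protocol error.
    """
    encoded = payload.get("data")
    if not isinstance(encoded, str):
        raise UploadRejected("data must be a base64 string")
    if decoded_size_upper_bound(encoded) > limit:
        raise UploadRejected("encoded payload implies decoded size over limit")
    try:
        raw = base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise UploadRejected("malformed base64") from exc
    if len(raw) > limit:
        raise UploadRejected("decoded size exceeds limit")
    declared = payload.get("size")
    if declared is not None and declared != len(raw):
        raise UploadRejected(f"declared size {declared} != actual {len(raw)}")
    return raw


# Constructed sample payloads: honest, lying about size, and malformed.
HONEST_PAYLOAD = {"size": 11, "data": base64.b64encode(b"hello world").decode()}
LYING_PAYLOAD = {"size": 10, "data": base64.b64encode(b"A" * 2000).decode()}
MALFORMED_PAYLOAD = {"size": 4, "data": "QUJD!!ZA=="}  # '!!' is not base64


def demo() -> dict:
    """Run both checks on every payload; record bytes accepted or the rejection."""
    results = {}
    payloads = (("honest", HONEST_PAYLOAD), ("lying", LYING_PAYLOAD),
                ("malformed", MALFORMED_PAYLOAD))
    for name, payload in payloads:
        for label, check in (("trusting", accept_upload_trusting_client),
                             ("validated", accept_upload_validated)):
            try:
                results[f"{name}_{label}"] = len(check(payload))
            except UploadRejected as exc:
                results[f"{name}_{label}"] = str(exc)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```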

overcut-ai bot commented Apr 19, 2026

Completed Working on "Code Review"

✅ Code review complete. No issues found - all changes look good! ✅

✅ Workflow completed successfully.



@github-actions

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 2 package(s) with unknown licenses.
See the Details below.

License Issues

uv.lock

| Package | Version | License | Issue Type |
| --- | --- | --- | --- |
| fastmcp | 3.2.4 | Null | Unknown License |
| griffelib | 2.0.2 | Null | Unknown License |

OpenSSF Scorecard

| Package | Version | Score | Details |
| --- | --- | --- | --- |
| pip/fastmcp | 3.2.4 | Unknown | Unknown |
| pip/griffelib | 2.0.2 | Unknown | Unknown |

Scanned Files

  • uv.lock

@gkorland gkorland merged commit ce031c9 into staging Apr 21, 2026
6 checks passed
@gkorland gkorland deleted the dependabot/uv/staging/fastmcp-3.2.4 branch April 21, 2026 09:46
gkorland added a commit that referenced this pull request Apr 21, 2026
* fix: update @falkordb/canvas version to 0.0.34 in package.json and package-lock.json

* fix: update @falkordb/canvas version to 0.0.35 in package.json and package-lock.json

* fix: update @falkordb/canvas version to 0.0.36 in package.json and package-lock.json

* Initial plan

* Fix flaky Playwright e2e tests for database connection verification

- Add waitForGraphPresent() polling helper to apiCalls.ts to retry
  getGraphs() until expected graph appears instead of one-shot calls
- Add connectDatabaseWithRetry() helper to retry streaming connection
  on transient errors with diagnostic logging
- Enhance parseStreamingResponse() to log error message details
- Update all database.spec.ts tests to use scoped test.setTimeout(120000/180000)
- Increase waitForDatabaseConnection timeout to 90s in all DB connection tests
- Replace bare getGraphs() calls with waitForGraphPresent() polling
- Add console.log diagnostics throughout for easier CI debugging

Co-authored-by: gkorland <753206+gkorland@users.noreply.github.com>

* Bump playwright from 1.57.0 to 1.58.0

Bumps [playwright](https://github.com/microsoft/playwright-python) from 1.57.0 to 1.58.0.
- [Release notes](https://github.com/microsoft/playwright-python/releases)
- [Commits](https://github.com/microsoft/playwright-python/compare/v1.57.0...v1.58.0)

---
updated-dependencies:
- dependency-name: playwright
  dependency-version: 1.58.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* Address review feedback: try/catch in retry, finalMessage guards, specific DB predicates, polling for deletion

- connectDatabaseWithRetry: wrap per-attempt logic in try/catch so
  network/parse exceptions don't abort retries; log with attempt# via
  console.error; backoff delay behaviour unchanged
- Add expect(messages.length).toBeGreaterThan(0) guard before accessing
  finalMessage in all 4 caller blocks (PostgreSQL API, MySQL API,
  PostgreSQL delete, MySQL delete)
- Fix UI-to-API test predicates from generic 'graphs.length > 0' to
  'testdb'/'_testdb' match, avoiding false positives on pre-existing graphs
- Replace wait(1000)+getGraphs() in both delete tests with
  waitForGraphPresent polling until the deleted graphId is absent

Co-authored-by: gkorland <753206+gkorland@users.noreply.github.com>

* Rename waitForGraphPresent to waitForGraphs; make database tests serial

- Rename waitForGraphPresent -> waitForGraphs in apiCalls.ts (more
  neutral name since it's used for both presence and absence checks)
- Update all 10 call sites in database.spec.ts accordingly
- Change outer test.describe -> test.describe.serial to prevent
  cross-test interference on local multi-worker runs (CI is already
  single-worker via workers: CI ? 1 : undefined in playwright.config.ts)

Co-authored-by: gkorland <753206+gkorland@users.noreply.github.com>

* Tighten testdb_delete predicate: use === / endsWith instead of includes

Replace id.includes('testdb_delete') with
id === 'testdb_delete' || id.endsWith('_testdb_delete') in both
delete test predicates and find() calls so only the exact graph forms
('testdb_delete' or '{userId}_testdb_delete') match, preventing
accidental matches on unrelated graph names.

Co-authored-by: gkorland <753206+gkorland@users.noreply.github.com>

* Bump fastapi, uvicorn, litellm, playwright, and globals (#439)

Update dependency versions:
- fastapi: ~=0.131.0 → ~=0.133.0
- uvicorn: ~=0.40.0 → ~=0.41.0
- litellm: ~=1.80.9 → ~=1.81.15
- playwright: ~=1.57.0 → ~=1.58.0
- globals (npm): ^15.15.0 → ^17.3.0

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: update @falkordb/canvas version to 0.0.40 in package.json and package-lock.json

* fix: update @falkordb/canvas version to 1.51.1 in package-lock.json

* Fix SPA catch-all route not serving index.html (#433)

* Return generic 400 for RequestValidationError instead of Pydantic details

Add a global RequestValidationError exception handler that returns
{"detail": "Bad request"} with status 400, preventing internal
Pydantic validation details from leaking to clients. This primarily
affects the SPA catch-all proxy route when accessed without the
expected path parameter.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Scope validation handler to SPA catch-all, add logging, fix tests

Address PR review feedback:
- Scope the generic 400 handler to only the SPA catch-all route
  (query._full_path errors) so API consumers still get useful 422
  responses with field-level detail
- Add logging.warning of validation details for server-side debugging
- Make test assertions unconditional instead of guarding behind
  status-code checks
- Add test verifying API routes preserve 422 with field-level info

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Fix SPA catch-all route parameter name mismatch

The function parameter `_full_path` didn't match the URL template
`{full_path:path}`, causing FastAPI to treat it as a required query
parameter and return 422 for every non-API route.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Remove validation error handler workaround

The handler was masking a parameter name mismatch in the catch-all
route. Now that the root cause is fixed, the handler, its import,
pylint suppression, and test file are no longer needed.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Suppress pylint unused-argument for catch-all route parameter

The parameter name must match the URL template to avoid validation
errors, but the function body doesn't use it.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

* Fix: Add CSRF protection via double-submit cookie pattern (#432)

* Add CSRF protection via double-submit cookie pattern

Add CSRFMiddleware to protect all state-changing endpoints (POST, PUT,
DELETE, PATCH) against cross-site request forgery attacks.

Backend:
- New CSRFMiddleware in app_factory.py sets a csrf_token cookie
  (non-HttpOnly, readable by JS) on every response
- State-changing requests must echo the token via X-CSRF-Token header
- Uses hmac.compare_digest for timing-safe validation
- Exempts Bearer token auth (not CSRF-vulnerable), login/signup/OAuth
  flows, and MCP endpoints

Frontend:
- New app/src/lib/csrf.ts utility reads the cookie and builds headers
- All service files (auth, tokens, database, chat) now include the
  X-CSRF-Token header on every state-changing fetch call

Fixes:
- CSRF on POST /tokens/generate (API token hijack)
- CSRF on POST /logout (forced session termination)
- Missing CSRF protection on all other mutating endpoints

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Address PR review feedback on CSRF protection

- Set CSRF cookie on 403 rejection responses so clients can retry
- Add max_age (14 days) to CSRF cookie matching session cookie lifetime
- Guard document access in csrf.ts for SSR/Node compatibility
- Add console.warn when CSRF cookie is missing for easier debugging
- Add comment clarifying MCP exempt prefix pattern
- Add comprehensive unit tests for CSRF middleware (12 test cases)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Fix E2E tests: seed CSRF token in API request helpers

The E2E API helpers (postRequest, deleteRequest, patchRequest) now
make a lightweight GET to /auth-status first to obtain the csrf_token
cookie, then include it as X-CSRF-Token header on the actual request.
This ensures E2E tests pass with the new CSRF middleware.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Address PR #432 review: fix missing CSRF headers and improvements

- Add csrfHeaders() to POST /graphs/{id}/refresh in Index.tsx
- Add csrfHeaders() to POST /database in DatabaseModal.tsx
- Refactor CSRFMiddleware.dispatch() to single return path
- Change console.warn to console.debug in csrf.ts
- Cache CSRF token per APIRequestContext in E2E helpers
- Add DELETE/PATCH and secure-flag tests

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Update @falkordb/canvas version to v0.0.40 (#440)

* fix: update @falkordb/canvas version to 0.0.34 in package.json and package-lock.json

* fix: update @falkordb/canvas version to 0.0.35 in package.json and package-lock.json

* fix: update @falkordb/canvas version to 0.0.36 in package.json and package-lock.json

* fix: update @falkordb/canvas version to 0.0.40 in package.json and package-lock.json

* fix: update @falkordb/canvas version to 1.51.1 in package-lock.json

---------

Co-authored-by: Guy Korland <gkorland@gmail.com>

* fix(e2e): pass authenticated request context to API calls and browser pages

- Add defaultRequestContext field to ApiCalls class, set via constructor
- All API methods now use the default context for auth (session cookies + CSRF)
- Tests use Playwright's request fixture which inherits storageState from config
- Pass storageState path to BrowserWrapper.createNewPage for authenticated browser sessions
- Revert outer test.describe.serial() to test.describe() to prevent cascade failures
  (inner Database Deletion Tests remain serial as needed)

Fixes unauthenticated API requests that caused 401 errors in Firefox E2E tests.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: update @falkordb/canvas version to 0.0.41 in package.json and package-lock.json

* Bump fastapi from 0.133.0 to 0.135.0 (#446)

* Bump fastapi from 0.133.0 to 0.135.0

Bumps [fastapi](https://github.com/fastapi/fastapi) from 0.133.0 to 0.135.0.
- [Release notes](https://github.com/fastapi/fastapi/releases)
- [Commits](https://github.com/fastapi/fastapi/compare/0.133.0...0.135.0)

---
updated-dependencies:
- dependency-name: fastapi
  dependency-version: 0.135.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* fix(e2e): read CSRF token from storageState when Set-Cookie is absent

When the Playwright request fixture is initialised from a storageState
that already carries a csrf_token cookie, the server does not emit a
new Set-Cookie header.  getCsrfToken() would then return undefined,
causing every state-changing API call to fail with 403 'CSRF token
missing or invalid'.

Fall back to reading the token from the context's storageState() when
the Set-Cookie header does not contain it.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Guy Korland <gkorland@gmail.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Bump actions/upload-artifact from 6 to 7 (#444)

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 6 to 7.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v6...v7)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Guy Korland <gkorland@gmail.com>

* Bump the npm-minor-patch group in /app with 5 updates (#443)

* Bump the npm-minor-patch group in /app with 5 updates

Bumps the npm-minor-patch group in /app with 5 updates:

| Package | From | To |
| --- | --- | --- |
| [@falkordb/canvas](https://github.com/FalkorDB/falkordb-canvas) | `0.0.40` | `0.0.41` |
| [@tanstack/react-query](https://github.com/TanStack/query/tree/HEAD/packages/react-query) | `5.90.19` | `5.90.21` |
| [preact](https://github.com/preactjs/preact) | `10.28.3` | `10.28.4` |
| [react-hook-form](https://github.com/react-hook-form/react-hook-form) | `7.71.1` | `7.71.2` |
| [autoprefixer](https://github.com/postcss/autoprefixer) | `10.4.23` | `10.4.27` |


Updates `@falkordb/canvas` from 0.0.40 to 0.0.41
- [Release notes](https://github.com/FalkorDB/falkordb-canvas/releases)
- [Commits](https://github.com/FalkorDB/falkordb-canvas/compare/v0.0.40...v0.0.41)

Updates `@tanstack/react-query` from 5.90.19 to 5.90.21
- [Release notes](https://github.com/TanStack/query/releases)
- [Changelog](https://github.com/TanStack/query/blob/main/packages/react-query/CHANGELOG.md)
- [Commits](https://github.com/TanStack/query/commits/@tanstack/react-query@5.90.21/packages/react-query)

Updates `preact` from 10.28.3 to 10.28.4
- [Release notes](https://github.com/preactjs/preact/releases)
- [Commits](https://github.com/preactjs/preact/compare/10.28.3...10.28.4)

Updates `react-hook-form` from 7.71.1 to 7.71.2
- [Release notes](https://github.com/react-hook-form/react-hook-form/releases)
- [Changelog](https://github.com/react-hook-form/react-hook-form/blob/master/CHANGELOG.md)
- [Commits](https://github.com/react-hook-form/react-hook-form/compare/v7.71.1...v7.71.2)

Updates `autoprefixer` from 10.4.23 to 10.4.27
- [Release notes](https://github.com/postcss/autoprefixer/releases)
- [Changelog](https://github.com/postcss/autoprefixer/blob/main/CHANGELOG.md)
- [Commits](https://github.com/postcss/autoprefixer/compare/10.4.23...10.4.27)

---
updated-dependencies:
- dependency-name: "@falkordb/canvas"
  dependency-version: 0.0.41
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-minor-patch
- dependency-name: "@tanstack/react-query"
  dependency-version: 5.90.21
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-minor-patch
- dependency-name: preact
  dependency-version: 10.28.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-minor-patch
- dependency-name: react-hook-form
  dependency-version: 7.71.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-minor-patch
- dependency-name: autoprefixer
  dependency-version: 10.4.27
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* Update root package-lock.json for app dependency bumps

The root package-lock.json must be kept in sync with app/package.json
changes since root package.json references app via file: protocol.
Without this update, npm ci at the root fails with lockfile mismatch.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Guy Korland <gkorland@gmail.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* perf(ci): accelerate Playwright CI from ~16min to ~5min (#448)

* perf(ci): accelerate Playwright CI from ~16min to ~5min

- Increase CI workers from 1 to 4 (matches ubuntu-latest vCPUs)
- Skip Firefox in CI, run Chromium only (halves test count)
- Reduce retries from 2 to 1 (still catches transient failures)
- Add pip, npm, and Playwright browser caching
- Replace hardcoded sleep 20 with health-check polling
- Install only Chromium browser (not Firefox) in CI

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(ci): fix YAML indentation and use docker compose --wait

Replace inline Python health-check with docker compose --wait flag
which natively waits for service healthchecks to pass.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(ci): remove pip cache (incompatible with pipenv setup)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(ci): keep 2 retries for flaky AI-dependent chat tests

Chat tests that interact with the AI processing endpoint need 2 retries
to handle intermittent timeouts, especially under parallel execution.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(ci): key npm cache on both root and app lockfiles

The setup-node npm cache was only keyed on the root package-lock.json.
Add cache-dependency-path to include app/package-lock.json so the cache
invalidates when frontend dependencies change.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(ci): add pip caching with Pipfile.lock dependency path

The setup-python cache: 'pip' was removed earlier because it failed
without cache-dependency-path (defaults to requirements*.txt). Re-add
it with cache-dependency-path: Pipfile.lock so pip downloads are cached
between runs.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: update comment to reflect hard-coded worker count

The comment said 'Use all available vCPUs' but the config hard-codes 4
workers. Update to accurately describe the intentional pinning.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Bump litellm from 1.81.15 to 1.82.0 (#445)

Bumps [litellm](https://github.com/BerriAI/litellm) from 1.81.15 to 1.82.0.
- [Release notes](https://github.com/BerriAI/litellm/releases)
- [Commits](https://github.com/BerriAI/litellm/commits)

---
updated-dependencies:
- dependency-name: litellm
  dependency-version: 1.82.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Guy Korland <gkorland@gmail.com>

* Bump the npm_and_yarn group across 1 directory with 2 updates (#447)

* Bump the npm_and_yarn group across 1 directory with 2 updates

Bumps the npm_and_yarn group with 2 updates in the /app directory: [minimatch](https://github.com/isaacs/minimatch) and [rollup](https://github.com/rollup/rollup).


Updates `minimatch` from 3.1.2 to 3.1.5
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
- [Commits](https://github.com/isaacs/minimatch/compare/v3.1.2...v3.1.5)

Updates `rollup` from 4.55.1 to 4.59.0
- [Release notes](https://github.com/rollup/rollup/releases)
- [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md)
- [Commits](https://github.com/rollup/rollup/compare/v4.55.1...v4.59.0)

---
updated-dependencies:
- dependency-name: minimatch
  dependency-version: 3.1.5
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: rollup
  dependency-version: 4.59.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>

* ci: retrigger CI after transient test failure

The previous Playwright test run had database connectivity issues in CI
(Docker container readiness timing). All infrastructure steps passed but
database connection tests returned success:false. Retriggering to verify.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Guy Korland <gkorland@gmail.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Bump version from 0.0.14 to 0.1.0 (#450)

* Initial plan

* chore: bump version from 0.0.14 to 0.1.0

Co-authored-by: gkorland <753206+gkorland@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: gkorland <753206+gkorland@users.noreply.github.com>
Co-authored-by: Guy Korland <gkorland@gmail.com>

* Change npm install to npm ci for consistency (#454)

Change npm install to npm ci for consistency

* fix: update @falkordb/canvas version to 0.0.44 in package.json and package-lock.json

* Implement feature X to enhance user experience and fix bug Y in module Z

* chore: update dependencies and remove unused packages

- Removed unused Rollup binaries for various platforms.
- Updated `minimatch` from version 9.0.5 to 9.0.9.
- Updated `@types/estree` to version 1.0.8.
- Updated `ajv` to version 6.14.0 and added its dependencies.
- Removed several unused packages including `balanced-match`, `concat-map`, `fast-deep-equal`, and others.
- Added new Rollup binaries for version 4.59.0 across multiple platforms.

* Move the project from Pipfile to pyproject (#409)

* Initial plan

* Migrate from Pipfile to pyproject.toml with uv

- Created pyproject.toml with all dependencies from Pipfile
- Updated Makefile to use uv instead of pipenv
- Updated GitHub Actions workflows (tests.yml, pylint.yml, playwright.yml)
- Updated Dockerfile to use uv
- Updated setup_e2e_tests.sh script
- Updated README.md documentation
- Updated .github/copilot-instructions.md

Co-authored-by: gkorland <753206+gkorland@users.noreply.github.com>

* Generate uv.lock and remove Pipfile

- Generated uv.lock file with all dependencies
- Removed Pipfile and Pipfile.lock
- Updated pyproject.toml with hatch build config for api package

Co-authored-by: gkorland <753206+gkorland@users.noreply.github.com>

* Fix CI: use 'python -m' for pytest and pylint with uv

- Updated .github/workflows/tests.yml to use 'uv run python -m pytest'
- Updated .github/workflows/pylint.yml to use 'uv run python -m pylint'
- Updated Makefile test and lint commands to use 'python -m' syntax
- Updated README.md and copilot-instructions.md with correct commands
- Updated setup_e2e_tests.sh with correct pytest command

This fixes the CI failures where uv couldn't find pytest/pylint executables.

Co-authored-by: gkorland <753206+gkorland@users.noreply.github.com>

* Add 'uv' and 'pyproject' to spellcheck wordlist

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Fix test_simple_integration: update conftest.py to use uv instead of pipenv

The test fixture was still launching the app via 'pipenv run uvicorn',
causing FileNotFoundError in CI where pipenv is no longer installed.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Fix Playwright CI: stop background server before post-job cleanup

The background 'uv run uvicorn' process was staying alive during
setup-uv's cache pruning step, causing a 5-minute timeout and
exit code 2 despite all 33 tests passing. Save the server PID
via GITHUB_OUTPUT and terminate it in the cleanup step.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Allow GHSA-w8v5-vhqr-4h9v in dependency review (no fix available)

diskcache@5.6.3 is a transitive dependency via graphiti-core.
CVE-2025-69872 (unsafe pickle deserialization) has no patched
version upstream yet. Allow-listed to unblock the PR.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Update dependabot to use uv package ecosystem

Replace 'pip' with 'uv' so Dependabot manages pyproject.toml + uv.lock
natively instead of looking for Pipfile/requirements.txt.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Upgrade graphiti-core to 0.28.1 and remove diskcache workaround

graphiti-core 0.28.1 no longer depends on diskcache, which had a
moderate vulnerability (GHSA-w8v5-vhqr-4h9v). Switch from the git
fork to the PyPI release and remove the dependency-review allow-list.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Fix Docker build: copy README.md for hatchling metadata

hatchling requires README.md during 'uv sync' to validate the
project metadata. Copy it alongside pyproject.toml and uv.lock.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: anthropic-code-agent[bot] <242468646+Claude@users.noreply.github.com>
Co-authored-by: gkorland <753206+gkorland@users.noreply.github.com>
Co-authored-by: Guy Korland <gkorland@gmail.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Move project to pyproject (#471)

* Initial plan

* Migrate from Pipfile to pyproject.toml with uv

- Created pyproject.toml with all dependencies from Pipfile
- Updated Makefile to use uv instead of pipenv
- Updated GitHub Actions workflows (tests.yml, pylint.yml, playwright.yml)
- Updated Dockerfile to use uv
- Updated setup_e2e_tests.sh script
- Updated README.md documentation
- Updated .github/copilot-instructions.md

Co-authored-by: gkorland <753206+gkorland@users.noreply.github.com>

* Generate uv.lock and remove Pipfile

- Generated uv.lock file with all dependencies
- Removed Pipfile and Pipfile.lock
- Updated pyproject.toml with hatch build config for api package

Co-authored-by: gkorland <753206+gkorland@users.noreply.github.com>

* Fix CI: use 'python -m' for pytest and pylint with uv

- Updated .github/workflows/tests.yml to use 'uv run python -m pytest'
- Updated .github/workflows/pylint.yml to use 'uv run python -m pylint'
- Updated Makefile test and lint commands to use 'python -m' syntax
- Updated README.md and copilot-instructions.md with correct commands
- Updated setup_e2e_tests.sh with correct pytest command

This fixes the CI failures where uv couldn't find pytest/pylint executables.

Co-authored-by: gkorland <753206+gkorland@users.noreply.github.com>

* Add 'uv' and 'pyproject' to spellcheck wordlist

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Fix test_simple_integration: update conftest.py to use uv instead of pipenv

The test fixture was still launching the app via 'pipenv run uvicorn',
causing FileNotFoundError in CI where pipenv is no longer installed.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Fix Playwright CI: stop background server before post-job cleanup

The background 'uv run uvicorn' process was staying alive during
setup-uv's cache pruning step, causing a 5-minute timeout and
exit code 2 despite all 33 tests passing. Save the server PID
via GITHUB_OUTPUT and terminate it in the cleanup step.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Allow GHSA-w8v5-vhqr-4h9v in dependency review (no fix available)

diskcache@5.6.3 is a transitive dependency via graphiti-core.
CVE-2025-69872 (unsafe pickle deserialization) has no patched
version upstream yet. Allow-listed to unblock the PR.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Update dependabot to use uv package ecosystem

Replace 'pip' with 'uv' so Dependabot manages pyproject.toml + uv.lock
natively instead of looking for Pipfile/requirements.txt.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Upgrade graphiti-core to 0.28.1 and remove diskcache workaround

graphiti-core 0.28.1 no longer depends on diskcache, which had a
moderate vulnerability (GHSA-w8v5-vhqr-4h9v). Switch from the git
fork to the PyPI release and remove the dependency-review allow-list.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Fix Docker build: copy README.md for hatchling metadata

hatchling requires README.md during 'uv sync' to validate the
project metadata. Copy it alongside pyproject.toml and uv.lock.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Fix Docker: add .dockerignore and venv PATH for uvicorn

- Add .dockerignore to prevent host .venv from being copied into the
  container (which overwrites the uv-installed packages).
- Add /app/.venv/bin to PATH so uvicorn and other entry points
  installed by uv sync are available to start.sh.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: anthropic-code-agent[bot] <242468646+Claude@users.noreply.github.com>
Co-authored-by: gkorland <753206+gkorland@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Clean up remaining pipenv/poetry references after uv migration (#472)

- Remove 'pipenv'/'Pipenv' from spellcheck wordlist (no longer used)
- Update docs/postgres_loader.md: replace poetry/pip install with uv add

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: Configurable model usage (#386)

* init

* merge-staging

* update-model-usage

* fix: resolve pylint lint errors across PR files

Strip trailing whitespace from agents, config, and settings modules.
Suppress too-many-statements in app_factory.py factory function.
Fix no-else-return, too-many-return-statements, and unused argument
in settings.py route handler.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* refactor: extract shared LLM completion helper to eliminate duplicate code

Extract run_completion() into utils.py and use it across all agent
modules. Resolves pylint R0801 duplicate-code warning that was causing
CI build failures.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: resolve review issues and add Ollama/Cohere provider support

- Add LLM_PROVIDER field to replace binary AZURE_FLAG for provider routing
- Add Ollama and Cohere provider support (cherry-picked from #452)
- Add _with_prefix() helper to eliminate duplicated prefix logic
- Fix Anthropic embedding fallback: fail-fast instead of silent Azure fallback
- Fix double-prefix bug in chat.ts (gemini/gemini/... no longer happens)
- Fix useEffect clobbering saved model name on Settings page load
- Forward custom credentials through confirm flow for destructive operations
- Add localStorage persistence for vendor/model settings (API key stays session-only)
- Remove stack trace leak from /validate-api-key error responses
- Add ollama/cohere to supported vendors in text2sql and settings routes
- Replace unnecessary hasattr with direct Pydantic field access
- Update .env.example with precedence docs, Ollama and Cohere examples
- Remove duplicate SettingsModal (consolidated into Settings page)

Co-authored-by: Udaykumar Dhokia <udaykumar-dhokia@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

* fix: resolve pylint and CodeQL CI failures

- Rename SUPPORTED_VENDORS to snake_case (pylint C0103)
- Break long line in settings.py (pylint C0301)
- Remove exception details from log to prevent info exposure (CodeQL)
- Sanitize vendor in log message to prevent log injection

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: sanitize user input in log to prevent log injection

Add _sanitize_for_log() helper that strips \r, \n, and \t from
user-provided values before logging, preventing log injection attacks.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Fix review comments: CSRF headers, buildApiUrl, type safety, docs

- useApiKeyValidation: add csrfHeaders() and buildApiUrl(), strip
  double-prefix from model name before sending to backend
- ChatInterface: use ConfirmRequest type instead of `any`
- Settings: use `import type` for AIVendor
- README: update provider priority to include Ollama/Cohere, fix
  Anthropic embeddings note (ValueError, not Azure fallback)
- .env.example: fix misleading fallback comments

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Add Ollama and Cohere to spellcheck wordlist

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Guy Korland <gkorland@gmail.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Udaykumar Dhokia <udaykumar-dhokia@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

* chore: consolidate Dependabot PRs and resolve staging conflicts (#473)

* Initial plan

* Consolidate all 10 open Dependabot PRs into a single update targeting staging

Covers:
- Bump fastapi from ~=0.124.0 to ~=0.135.1 (PR #468)
- Bump @hookform/resolvers from ^3.10.0 to ^5.2.2 (PR #465)
- Bump react-router-dom from ^6.30.1 to ^7.13.1 (PR #463)
- Bump lucide-react from ^0.462.0 to ^0.577.0 (PR #462)
- Bump postcss from ^8.5.6 to ^8.5.8 (PR #470)
- Bump actions/cache from v4 to v5 in playwright.yml (PR #456)
- Bump docker/login-action from v3 to v4 in publish-docker.yml (PR #457)
- Bump docker/metadata-action from v5 to v6 in publish-docker.yml (PR #458)
- Bump docker/build-push-action from v6 to v7 in publish-docker.yml (PR #460)
- Bump rojopolis/spellcheck-github-actions from 0.58.0 to 0.59.0 in spellcheck.yml (PR #459)

Co-authored-by: gkorland <753206+gkorland@users.noreply.github.com>

* Add workflow to close superseded Dependabot PRs (#456-#470) as duplicates of #473

Co-authored-by: gkorland <753206+gkorland@users.noreply.github.com>

* Add workflow_dispatch trigger so maintainers can manually run close-superseded-prs workflow

Co-authored-by: gkorland <753206+gkorland@users.noreply.github.com>

* Delete .github/workflows/close-superseded-prs.yml

* Apply suggestion from @Copilot

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Remove obsolete BrowserRouter future prop for react-router-dom v7

Co-authored-by: gkorland <753206+gkorland@users.noreply.github.com>

* Refresh root package lock for CI

Co-authored-by: gkorland <753206+gkorland@users.noreply.github.com>

* Resolve staging conflicts

Co-authored-by: gkorland <753206+gkorland@users.noreply.github.com>

* Apply suggestion from @Copilot

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: gkorland <753206+gkorland@users.noreply.github.com>
Co-authored-by: Guy Korland <gkorland@gmail.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* fix: replace unnecessary dynamic import of vendorConfig with static import (#474)

vendorConfig.ts is already statically imported by SettingsContext, useApiKeyValidation,
Settings, and chat service, so the dynamic import() in ChatInterface.tsx provided no
code-splitting benefit and triggered a Vite build warning.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: add AGENTS.md project guide and CLAUDE.md symlink (#477)

Provide a single-file onboarding reference covering architecture, tech stack,
directory layout, build/test/lint commands, code conventions, environment
variables, and CI/CD workflows. CLAUDE.md symlinks to AGENTS.md so both
AI coding assistants and contributors find the same guide.

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

* feat: add support for postgres schema selection (#475)

* feat: add support for postgres schema selection

Add support for selecting a PostgreSQL schema instead of always using
'public'. The schema is extracted from the connection URL's options
parameter (search_path), following PostgreSQL's native libpq format.

Changes:
- Add _parse_schema_from_url() to extract schema from connection URL
- Thread schema parameter through all extraction methods with 'public' default
- Add pg_namespace JOINs for correct cross-schema disambiguation
- Add schema input field in DatabaseModal (PostgreSQL only)
- Add comprehensive unit tests for URL schema parsing
- Update documentation with custom schema configuration guide

Based on PR #373 by sirudog with the following fixes:
- Fix pg_namespace JOIN order in extract_columns_info to prevent
  duplicate rows when same-named tables exist across schemas
- Fix regex to require '=' separator (prevents mis-capture edge cases)
- Improve $user handling to loop through all schemas instead of only
  checking first two positions
- Fix pylint line-too-long in test file

Co-authored-by: sirudog <1550561+sirudog@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: make parse_schema_from_url public to fix CI pylint

Rename _parse_schema_from_url to parse_schema_from_url since the
method is already documented for external use and tested directly.
This eliminates W0212 (protected-access) warnings that cause CI
pylint to fail with exit code 4.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: address review comments on PR #475

- Add constraint_schema qualifier to key_column_usage JOINs in
  extract_columns_info to prevent cross-schema constraint name
  collisions
- Sanitize schema input in DatabaseModal to strip non-identifier
  characters before building the URL options
- Add edge case tests: empty tokens, blank quoted tokens, repeated
  $user entries

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* chore: remove accidentally committed build artifacts

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: address copilot reviewer comments on PR #475

- Fix regex to capture search_path values with spaces after commas
  (e.g. $user, public) by matching up to next -c option or EOL
- Set session search_path explicitly after connecting so sample
  queries resolve to the correct schema
- Use versionless PostgreSQL docs link (/docs/current/)
- Clarify case-sensitivity note for schema names in troubleshooting

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* chore: gitignore build artifacts

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: replace ReDoS-vulnerable regex in parse_schema_from_url

Replace (.+?)(?=\s+-c|\s*$) with [^\s,]+(?:\s*,\s*[^\s,]+)* to
eliminate polynomial backtracking flagged by CodeQL. The new pattern
uses unambiguous character classes with no overlapping quantifiers.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: validate schema input instead of silent sanitization, fix doc URL encoding

- DatabaseModal: Show validation error for invalid schema characters instead
  of silently stripping them. Throw error on submit if invalid chars present.
- docs: URL-encode the example URL to prevent copy/paste connection failures.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: revert doc URL to readable form to fix spellcheck

The URL-encoded form (-csearch_path%3Dmy_schema) inside the Liquid
capture block triggers spellcheck failures ('csearch', 'Dmy'). Reverted
to readable form since Python's urlparse handles both formats fine.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: add missing tech terms to spellcheck wordlist

Add terms from AGENTS.md/CLAUDE.md (added in staging merge) to the
spellcheck wordlist: config, docstring, dotenv, ESLint, HSTS, init,
Middleware, monorepo, PRs, pylint, pytest, Radix, Zod, and error class
names. Also fix DockerHub capitalization.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: ensure DB connection cleanup on error and add cursor type hints

- Wrap psycopg2 connection/cursor in try/finally so they are always
  closed, even when extract_tables_info or extract_relationships raises
- Set conn/cursor to None after explicit close to avoid double-close
  in the finally block
- Add Any type hints to cursor parameters on extract_tables_info,
  extract_columns_info, extract_foreign_keys, extract_relationships,
  and _execute_sample_query

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: increase timeout for multi-step E2E chat tests

Mark three tests that perform multiple LLM round-trips with
test.slow() to triple their timeout (60s → 180s), preventing
spurious CI failures when LLM responses are slow:

- multiple sequential queries maintain conversation history
- switching databases clears chat history
- duplicate record shows user-friendly error message

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: sirudog <1550561+sirudog@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
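
An added example, not the project's code, that reimplements the schema parsing described in the #475 commits above the way a reviewer would check it: the value pattern from the ReDoS fix, the required '=' separator, $user skipping at any position, and identifier validation before a user-supplied schema reaches SET search_path. The function names, the identifier rule and the URLs used in the checks are assumptions for this example.

```python
import re
from urllib.parse import parse_qs, urlparse

# Value pattern from the fix: unambiguous character classes with no overlapping
# quantifiers, so matching stays linear on hostile inputs. The replaced pattern
# (.+?)(?=\s+-c|\s*$) paired a lazy wildcard with a lookahead, which is what
# CodeQL flagged as polynomial backtracking.
_SEARCH_PATH_VALUE = r"[^\s,]+(?:\s*,\s*[^\s,]+)*"
# libpq options string, e.g. "-c search_path=sales" or "-csearch_path=sales".
# The '=' separator is required so "search_path sales" is not mis-captured.
SEARCH_PATH_RE = re.compile(r"-c\s*search_path=(" + _SEARCH_PATH_VALUE + r")")

# Plain unquoted PostgreSQL identifier. Assumed rule for this example (not the
# project's exact DatabaseModal check): a schema that passes it can be placed
# in SET search_path without any quoting tricks.
IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_$]*$")


def parse_schema_from_url(url: str, default: str = "public") -> str:
    """Return the first usable schema named in the URL's libpq options."""
    query = parse_qs(urlparse(url).query)
    options = query.get("options")
    if not options:
        return default
    # parse_qs has already percent-decoded the options value.
    match = SEARCH_PATH_RE.search(options[0])
    if not match:
        return default
    # search_path is a comma list; skip $user placeholders and blank or
    # empty-quoted tokens wherever they appear, not only in the first two slots.
    for token in match.group(1).split(","):
        token = token.strip().strip('"')
        if token and token != "$user":
            return token
    return default


def is_valid_schema_identifier(schema: str) -> bool:
    """Validate instead of silently stripping characters (per the #475 fix)."""
    return bool(IDENTIFIER_RE.fullmatch(schema))


def set_search_path_sql(schema: str) -> str:
    """SQL that pins the session search_path after connecting.

    Refuses anything that is not a bare identifier so the schema string can
    never smuggle a second statement into the session setup.
    """
    if not is_valid_schema_identifier(schema):
        raise ValueError(f"invalid schema identifier: {schema!r}")
    return f'SET search_path TO "{schema}"'
```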

* fix: require SECRET_TOKEN at startup to prevent auth bypass (#476)

* fix: require SECRET_TOKEN at startup to prevent auth bypass

The original verify_token() allowed None == None when SECRET_TOKEN was
unset, silently disabling authentication. The server now refuses to
start without SECRET_TOKEN configured, and validate_user() accepts the
static token via constant-time comparison (hmac.compare_digest) as an
alternative to DB-backed OAuth tokens.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: add pylint disable for wrong-import-position in conftest.py

The imports must come after os.environ.setdefault() for SECRET_TOKEN,
which is intentionally non-standard. Suppress the C0413 warning.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: add SECRET_TOKEN to Playwright CI workflow env

The 'Start FastAPI application' step was missing SECRET_TOKEN, causing
the app to crash at startup with RuntimeError since the PR made it
required.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
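
The bug class in the #476 commit above, as an added example rather than the project's code: the plain equality check that accepts None == None when SECRET_TOKEN is unset, beside a startup check and a constant-time comparison, with a constructed dict standing in for the FalkorDB-backed tokens. All names here are assumptions; the page itself records that the static token was removed again in #479.

```python
import hmac
import os
from typing import Mapping, Optional


def verify_token_before(provided: Optional[str], secret: Optional[str]) -> bool:
    """The pre-fix check as the commit describes it: plain equality.

    With SECRET_TOKEN unset both sides are None, so a request carrying no
    token at all compares equal and authentication is silently disabled.
    """
    return provided == secret


def load_secret_token(env: Mapping[str, str] = os.environ) -> str:
    """Fail at startup, not at request time, when the token is missing."""
    token = env.get("SECRET_TOKEN")
    if not token:
        raise RuntimeError("SECRET_TOKEN must be set before the server starts")
    return token


def startup_refuses_without_token(env: Mapping[str, str]) -> bool:
    """True if startup would be refused for this environment."""
    try:
        load_secret_token(env)
    except RuntimeError:
        return True
    return False


def verify_static_token(provided: Optional[str], secret: str) -> bool:
    """Constant-time comparison; an absent token can never match."""
    if not provided:
        return False
    # Encode first: compare_digest only accepts str when both are ASCII.
    return hmac.compare_digest(provided.encode("utf-8"), secret.encode("utf-8"))


# Constructed stand-in for the DB-backed OAuth tokens the commit mentions.
CONSTRUCTED_DB_TOKENS = {"oauth-token-123": "alice"}


def validate_user(provided: Optional[str], secret: str,
                  db_tokens: Mapping[str, str] = CONSTRUCTED_DB_TOKENS) -> Optional[str]:
    """Return the authenticated principal, or None.

    The static SECRET_TOKEN is accepted as an alternative to a DB-backed
    token and maps to a fixed service principal, not a named user.
    """
    if verify_static_token(provided, secret):
        return "static-token"
    if provided and provided in db_tokens:
        return db_tokens[provided]
    return None
```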

* fix: address PR #455 review comments (#478)

- Pin uv version (0.7.12) and use --locked in CI workflows
- Fix Dockerfile: split uv sync into deps-only + project install
- Remove || true from make lint so pylint failures are not masked
- Move max-line-length to [tool.pylint.format] (canonical section)
- Fix docs: use 'uv sync' instead of 'uv add' for existing deps
- Remove dead initial LLM_PROVIDER/AZURE_FLAG assignments in config

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: remove SECRET_TOKEN static API key requirement (#479)

Users create their own API tokens via /tokens/generate (stored in
FalkorDB), so the static SECRET_TOKEN env var is redundant. Removes:
- The SECRET_TOKEN module-level variable and hmac check in validate_user
- The hmac import (no longer needed)
- All references in .env.example, CI workflows, and test conftest

Reverts the hard requirement introduced in #476.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: require authentication on validate-api-key endpoint (#481)

* fix: require authentication on validate-api-key endpoint

The POST /api/validate-api-key endpoint was missing the @token_required
decorator, allowing unauthenticated users to proxy LLM API calls through
the server. Add @token_required to match all other POST endpoints.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: suppress pylint unused-argument for decorated request param

The @token_required decorator consumes the request argument before the
function body, so pylint incorrectly flags it as unused.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: add 401 response to OpenAPI docs for validate-api-key

Add responses={401: UNAUTHORIZED_RESPONSE} to match the convention
used by all other @token_required endpoints.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

* chore(deps): bump graphiti-core in the uv group across 1 directory (#480)

Bumps the uv group with 1 update in the / directory: [graphiti-core](https://github.com/getzep/graphiti).


Updates `graphiti-core` from 0.28.1 to 0.28.2
- [Release notes](https://github.com/getzep/graphiti/releases)
- [Commits](https://github.com/getzep/graphiti/compare/v0.28.1...v0.28.2)

---
updated-dependencies:
- dependency-name: graphiti-core
  dependency-version: 0.28.2
  dependency-type: direct:production
  dependency-group: uv
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Guy Korland <gkorland@gmail.com>

* ci(workflows): pin GitHub Actions dependencies to commit SHAs (#503)

Pin all third-party GitHub Actions to their full commit SHA
instead of mutable version tags. This is a supply-chain security
best practice that prevents tag-mutation attacks.

Changed files: dependency-review.yml, playwright.yml, publish-docker.yml, pylint.yml, spellcheck.yml, tests.yml
Total actions pinned: 17

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* chore(deps): combine dependabot dependency updates (#504)

Python dependencies:
- uvicorn: 0.41.0 → 0.42.0
- litellm: 1.82.0 → 1.82.6
- authlib: 1.6.8 → 1.6.9
- fastmcp: 3.0.1 → 3.1.1
- pytest-asyncio: 1.2.0 → 1.3.0

GitHub Actions:
- astral-sh/setup-uv: v5.4.2 → v7.6.0
- rojopolis/spellcheck-github-actions: 0.59.0 → 0.60.0

NPM dependencies (app/):
- typescript-eslint: 8.53.0 → 8.57.0
- flatted: 3.3.3 → 3.4.2
- picomatch: 2.3.1 → 2.3.2 / 4.0.3 → 4.0.4

Replaces: #483, #484, #486, #487, #491, #493, #498, #499, #500, #501

Skipped major version bumps (require migration work):
- #488 vite 7→8, #489 react-dom 18→19
- #490 tailwind-merge 2→3, #492 tailwindcss 3→4

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: address PR review comments

- Fix CSRF docstring to reflect actual cookie-setting behavior
- Normalize X-Forwarded-Proto (handle comma-separated, mixed-case)
- Fix comment typo in create_app
- Serialize CI workers to 1 to avoid shared-state flakiness
- Fix CSRF comment in e2e apiRequests helper
- Retry only successful final_result in connectDatabaseWithRetry
- Add .env creation step in Playwright CI workflow

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(deps): upgrade pyjwt 2.11.0 → 2.12.1 (GHSA-752w-5fwx-jx9f)

PyJWT 2.11.0 accepts unknown `crit` header extensions in violation
of RFC 7515 §4.1.11, allowing security policy bypass.

Closes the dependency-review CI failure.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(deps): upgrade requests 2.32.5 → 2.33.1 (GHSA-gc5v-m9x4-r6x2)

Insecure temp file reuse in extract_zipped_paths() utility.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(deps): upgrade cryptography 46.0.5 → 46.0.6 (GHSA-m959-cc7f-wv43)

Incomplete DNS name constraint enforcement on peer names.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(deps): upgrade pygments 2.19.2 → latest (GHSA-5239-wwwm-4pmq)

ReDoS via inefficient regex for GUID matching.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* ci(playwright): skip E2E tests for Dependabot PRs (#518)

* ci(playwright): skip E2E tests for Dependabot PRs

Dependabot PRs do not have access to repository secrets (AZURE_API_KEY,
AZURE_API_BASE, AZURE_API_VERSION) required by the LLM-dependent E2E
tests for database schema loading. This causes all Database Connection
and Chat Feature tests to fail with 'Failed to load database schema'.

Skip the Playwright job for Dependabot-authored PRs while preserving
full coverage on push events (merge to staging/main) where secrets are
available. Unit tests, pylint, dependency review, and spellcheck still
run for all PRs.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs(agents): note Playwright skip for Dependabot PRs

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* ci(spellcheck): add Dependabot to wordlist

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* chore(deps): bump fastapi from 0.135.1 to 0.135.2 (#509)

Bumps [fastapi](https://github.com/fastapi/fastapi) from 0.135.1 to 0.135.2.
- [Release notes](https://github.com/fastapi/fastapi/releases)
- [Commits](https://github.com/fastapi/fastapi/compare/0.135.1...0.135.2)

---
updated-dependencies:
- dependency-name: fastapi
  dependency-version: 0.135.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Guy Korland <gkorland@gmail.com>

* chore(deps-dev): bump pytest from 8.4.2 to 9.0.2 (#508)

Bumps [pytest](https://github.com/pytest-dev/pytest) from 8.4.2 to 9.0.2.
- [Release notes](https://github.com/pytest-dev/pytest/releases)
- [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pytest-dev/pytest/compare/8.4.2...9.0.2)

---
updated-dependencies:
- dependency-name: pytest
  dependency-version: 9.0.2
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Guy Korland <gkorland@gmail.com>

* chore(deps): bump fastmcp in the uv group across 1 directory (#515)

Bumps the uv group with 1 update in the / directory: [fastmcp](https://github.com/PrefectHQ/fastmcp).


Updates `fastmcp` from 3.1.1 to 3.2.0
- [Release notes](https://github.com/PrefectHQ/fastmcp/releases)
- [Changelog](https://github.com/PrefectHQ/fastmcp/blob/main/docs/changelog.mdx)
- [Commits](https://github.com/PrefectHQ/fastmcp/compare/v3.1.1...v3.2.0)

---
updated-dependencies:
- dependency-name: fastmcp
  dependency-version: 3.2.0
  dependency-type: direct:production
  dependency-group: uv
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Guy Korland <gkorland@gmail.com>

* chore(deps): bump the npm_and_yarn group across 1 directory with 3 updates (#516)

Bumps the npm_and_yarn group with 3 updates in the /app directory: [lodash-es](https://github.com/lodash/lodash), [picomatch](https://github.com/micromatch/picomatch) and [flatted](https://github.com/WebReflection/flatted).


Updates `lodash-es` from 4.17.23 to 4.18.1
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](https://github.com/lodash/lodash/compare/4.17.23...4.18.1)

Updates `picomatch` from 2.3.1 to 2.3.2
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](https://github.com/micromatch/picomatch/compare/2.3.1...2.3.2)

Updates `picomatch` from 4.0.3 to 4.0.4
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](https://github.com/micromatch/picomatch/compare/2.3.1...2.3.2)

Updates `flatted` from 3.3.3 to 3.4.2
- [Commits](https://github.com/WebReflection/flatted/compare/v3.3.3...v3.4.2)

---
updated-dependencies:
- dependency-name: lodash-es
  dependency-version: 4.18.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: picomatch
  dependency-version: 2.3.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: picomatch
  dependency-version: 4.0.4
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: flatted
  dependency-version: 3.4.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Guy Korland <gkorland@gmail.com>

* chore(deps): bump the npm-minor-patch group in /app with 2 updates (#510)

Bumps the npm-minor-patch group in /app with 2 updates: [@falkordb/canvas](https://github.com/FalkorDB/falkordb-canvas) and [react-router-dom](https://github.com/remix-run/react-router/tree/HEAD/packages/react-router-dom).


Updates `@falkordb/canvas` from 0.0.44 to 0.0.45
- [Release notes](https://github.com/FalkorDB/falkordb-canvas/releases)
- [Commits](https://github.com/FalkorDB/falkordb-canvas/compare/v0.0.44...v0.0.45)

Updates `react-router-dom` from 7.13.1 to 7.13.2
- [Release notes](https://github.com/remix-run/react-router/releases)
- [Changelog](https://github.com/remix-run/react-router/blob/main/packages/react-router-dom/CHANGELOG.md)
- [Commits](https://github.com/remix-run/react-router/commits/react-router-dom@7.13.2/packages/react-router-dom)

---
updated-dependencies:
- dependency-name: "@falkordb/canvas"
  dependency-version: 0.0.45
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-minor-patch
- dependency-name: react-router-dom
  dependency-version: 7.13.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Guy Korland <gkorland@gmail.com>

* chore(deps): bump the npm_and_yarn group across 1 directory with 3 updates (#519)

Bumps the npm_and_yarn group with 3 updates in the /app directory: [picomatch](https://github.com/micromatch/picomatch), [flatted](https://github.com/WebReflection/flatted) and [lodash](https://github.com/lodash/lodash).


Updates `picomatch` from 2.3.1 to 2.3.2
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](https://github.com/micromatch/picomatch/compare/2.3.1...2.3.2)

Updates `picomatch` from 4.0.3 to 4.0.4
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](https://github.com/micromatch/picomatch/compare/2.3.1...2.3.2)

Updates `flatted` from 3.3.3 to 3.4.2
- [Commits](https://github.com/WebReflection/flatted/compare/v3.3.3...v3.4.2)

Updates `lodash` from 4.17.23 to 4.18.1
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](https://github.com/lodash/lodash/compare/4.17.23...4.18.1)

---
updated-dependencies:
- dependency-name: picomatch
  dependency-version: 2.3.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: picomatch
  dependency-version: 4.0.4
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: flatted
  dependency-version: 3.4.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: lodash
  dependency-version: 4.18.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Guy Korland <gkorland@gmail.com>

* fix(deps): regenerate package-lock.json and fix vulnerabilities

Regenerated the root lockfile to sync with current app/package.json
dependencies. Also ran npm audit fix to resolve:
- lodash Code Injection and Prototype Pollution (high severity)
- brace-expansion DoS (moderate severity)
- picomatch ReDoS and method injection (high severity)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(deps): bump litellm to ~=1.83.0 to fix critical vulnerabilities

Addresses:
- GHSA-jjhc-v7c2-5hh6: OIDC authentication bypass via cache key collision (critical)
- GHSA-53mr-6c8q-9789: Privilege escalation via unrestricted proxy config (high)

Both vulnerabilities are fixed in litellm 1.83.0+.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(deps): upgrade aiohttp to 3.13.5 to fix security vulnerabilities

Addresses:
- GHSA-w2fm-2cpv-w7v5: unlimited trailer headers (moderate)
- GHSA-p998-jp59-783m: UNC SSRF/NTLMv2 credential theft (moderate)
- GHSA-m5qp-6w8w-w647: multipart header size bypass (moderate)
- GHSA-c427-h43c-vf67: duplicate Host headers (moderate)
- GHSA-hcc4-c3v8-rx92: DoS via unbounded DNS cache (low)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* chore(deps): bump astral-sh/setup-uv from 7.6.0 to 8.0.0 (#525)

Bumps [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv) from 7.6.0 to 8.0.0.
- [Release notes](https://github.com/astral-sh/setup-uv/releases)
- [Commits](https://github.com/astral-sh/setup-uv/compare/37802adc94f370d6bfd71619e3f0bf239e1f3b78...cec208311dfd045dd5311c1add060b2062131d57)

---
updated-dependencies:
- dependency-name: astral-sh/setup-uv
  dependency-version: 8.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* feat(snowflake): add Snowflake loader with key-pair auth and security hardening

Snowflake database loader:
- Full schema extraction (tables, columns, PKs, FKs, relationships)
- Key-pair authentication support (bypasses MFA)
- SHOW PRIMARY KEYS / SHOW IMPORTED KEYS for constraint discovery
- Identifier validation and parameterized queries for SQL injection prevention
- Connection timeouts (login: 30s, network: 60s)

Frontend:
- Snowflake option in DatabaseModal with manual/URL entry modes
- Key-pair auth UI (password/keypair toggle with PEM textarea)
- Custom API key/model passed through ChatService to backend

Security:
- @token_required on /validate-api-key endpoint
- Vendor-specific API key format validation
- Narrowed vendor allowlist for key validation
- Upgraded fastmcp 3.0.1→3.2.0, litellm→1.83+, aiohttp→3.13.5

Other fixes:
- load_dotenv() in config.py for reliable env loading
- Memory gracefully disabled for non-Azure/OpenAI providers
- Null-safe LLM description generation
- Anthropic config fails fast without embeddings
- python-dotenv as explicit dependency

Tests: 39 tests (20 Snowflake loader + 19 settings route)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(spellcheck): add DDL and DML to wordlist

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* refactor: remove redundant API key validation from text2sql

LLM providers already reject invalid keys with auth errors.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use /settings prefix for settings router instead of /api

Consistent with other routers (/graphs, /tokens, /database).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: update test docstring to match /settings route path

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: restore staging code reverted during rebase

- Restore app_factory.py from staging (CSRF, proxy header handling)
  with only our 2 changes (remove load_dotenv, /settings prefix)
- Restore PostgreSQL schema field in DatabaseModal
- Restore vendor prefix logic in ChatService.streamQuery
- Restore static getVendorPrefix import in ChatInterface

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore(deps): bump uvicorn from 0.42.0 to 0.44.0 (#536)

Bumps [uvicorn](https://github.com/Kludex/uvicorn) from 0.42.0 to 0.44.0.
- [Release notes](https://github.com/Kludex/uvicorn/releases)
- [Changelog](https://github.com/Kludex/uvicorn/blob/main/docs/release-notes.md)
- [Commits](https://github.com/Kludex/uvicorn/compare/0.42.0...0.44.0)

---
updated-dependencies:
- dependency-name: uvicorn
  dependency-version: 0.44.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump fastmcp from 3.2.0 to 3.2.4 (#543)

Bumps [fastmcp](https://github.com/PrefectHQ/fastmcp) from 3.2.0 to 3.2.4.
- [Release notes](https://github.com/PrefectHQ/fastmcp/releases)
- [Changelog](https://github.com/PrefectHQ/fastmcp/blob/main/docs/changelog.mdx)
- [Commits](https://github.com/PrefectHQ/fastmcp/compare/v3.2.0...v3.2.4)

---
updated-dependencies:
- dependency-name: fastmcp
  dependency-version: 3.2.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Fix Docker build: align Python base to Debian trixie, pin FalkorDB image (#545)

* Initial plan

* Fix Docker build: align Python base to trixie and pin FalkorDB to v4.18.1

Agent-Logs-Url: https://github.com/FalkorDB/QueryWeaver/sessions/c0859d23-c001-47bd-8dc5-1285e253c7d0

Co-authored-by: gkorland <753206+gkorland@users.noreply.github.com>

* Update Dockerfile

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: gkorland <753206+gkorland@users.noreply.github.com>
Co-authored-by: Guy Korland <gkorland@gmail.com>

* fix(docker): resolve apt dependency errors on falkordb trixie base (#546)

The falkordb/falkordb:latest base image (Debian trixie) ships without
libtinfo6 and bash. The apt 3.0 solver refuses to install build-essential
and friends because util-linux PreDepends on libtinfo6, and the NodeSource
setup script requires bash.

Install libtinfo6 in a separate apt step so the solver can satisfy the
remaining packages, and add bash so the NodeSource installer can run.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Anchel135 <yakoveidelman1@gmail.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: gkorland <753206+gkorland@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Anchel123 <110421452+Anchel123@users.noreply.github.com>
Co-authored-by: Claude <242468646+Claude@users.noreply.github.com>
Co-authored-by: Gal Shubeli <galshubeli93@gmail.com>
Co-authored-by: Udaykumar Dhokia <udaykumar-dhokia@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: sirudog <1550561+sirudog@users.noreply.github.com>
Labels: dependencies, python:uv