From 9a8c6ad609f8f29087066d318cd5e1673f838e89 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 13 Feb 2026 10:10:11 +0100
Subject: [PATCH] chore(libs/deps): bump the production-dependencies group
across 1 directory with 4 updates (#12056)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Bumps the production-dependencies group with 4 updates in the
/autogpt_platform/autogpt_libs directory:
[cryptography](https://github.com/pyca/cryptography),
[fastapi](https://github.com/fastapi/fastapi),
[launchdarkly-server-sdk](https://github.com/launchdarkly/python-server-sdk)
and [supabase](https://github.com/supabase/supabase-py).
Updates `cryptography` from 46.0.4 to 46.0.5
Changelog
Sourced from cryptography's
changelog.
46.0.5 - 2026-02-10
* An attacker could create a malicious public key that reveals portions
of your
private key when using certain uncommon elliptic curves (binary curves).
This version now includes additional security checks to prevent this
attack.
This issue only affects binary elliptic curves, which are rarely used in
real-world applications. Credit to **XlabAI Team of Tencent Xuanwu Lab
and
Atuin Automated Vulnerability Discovery Engine** for reporting the
issue.
**CVE-2026-26007**
* Support for ``SECT*`` binary elliptic curves is deprecated and will be
removed in the next release.
.. v46-0-4:
Commits
Updates `fastapi` from 0.128.0 to 0.128.7
Release notes
Sourced from fastapi's
releases.
0.128.7
Features
Refactors
- ♻️ Simplify reading files in memory, do it sequentially instead of
(fake) parallel. PR #14884
by
@tiangolo.
Docs
Internal
0.128.6
Fixes
Translations
Internal
0.128.5
Refactors
- ♻️ Refactor and simplify Pydantic v2 (and v1) compatibility internal
utils. PR #14862
by
@tiangolo.
Internal
- ✅ Add inline snapshot tests for OpenAPI before changes from Pydantic
v2. PR #14864
by
@tiangolo.
0.128.4
Refactors
- ♻️ Refactor internals, simplify Pydantic v2/v1 utils,
create_model_field, better types for
lenient_issubclass. PR #14860
by @tiangolo.
- ♻️ Simplify internals, remove Pydantic v1 only logic, no longer
needed. PR #14857
by
@tiangolo.
- ♻️ Refactor internals, cleanup unneeded Pydantic v1 specific logic.
PR #14856
by
@tiangolo.
... (truncated)
Commits
Updates `launchdarkly-server-sdk` from 9.14.1 to 9.15.0
Release notes
Sourced from launchdarkly-server-sdk's
releases.
v9.15.0
9.15.0
(2026-02-10)
Features
Bug Fixes
- Add context manager for clearer, safer locks (#396)
(beca0fa)
- Address potential race condition in FeatureStore update_availability
(#391)
(31cf487)
- Allow modifying fdv2 data source options independent of main config
(#403)
(d78079e)
- Mark copy_with_new_sdk_key method as deprecated (#353)
(e471ccc)
- Prevent immediate polling on recoverable error (#399)
(da565a2)
- Redis store is considered initialized when
$inited key
is written (e99a27d)
- Stop FeatureStoreClientWrapper poller on close (#397)
(468afdf)
- Update DataSystemConfig to accept list of synchronizers (#404)
(c73ad14)
- Update reason documentation with inExperiment value (#401)
(cbfc3dd)
- Update Redis to write missing
$inited key (e99a27d)
This PR was generated with Release Please.
See documentation.
Changelog
Sourced from launchdarkly-server-sdk's
changelog.
9.15.0
(2026-02-10)
⚠ BREAKING CHANGES
Note: The following breaking changes apply only to
FDv2 (Flag Delivery v2) early access features, which are not subject to
semantic versioning and may change without a major version bump.
- Update ChangeSet to always require a Selector (#405)
(5dc4f81)
- The
ChangeSetBuilder.finish() method now requires a
Selector parameter.
- Update DataSystemConfig to accept list of synchronizers (#404)
(c73ad14)
- The
DataSystemConfig.synchronizers field now accepts a
list of synchronizers, and the
ConfigBuilder.synchronizers() method accepts variadic
arguments.
Features
Bug Fixes
- Add context manager for clearer, safer locks (#396)
(beca0fa)
- Address potential race condition in FeatureStore update_availability
(#391)
(31cf487)
- Allow modifying fdv2 data source options independent of main config
(#403)
(d78079e)
- Mark copy_with_new_sdk_key method as deprecated (#353)
(e471ccc)
- Prevent immediate polling on recoverable error (#399)
(da565a2)
- Redis store is considered initialized when
$inited key
is written (e99a27d)
- Stop FeatureStoreClientWrapper poller on close (#397)
(468afdf)
- Update reason documentation with inExperiment value (#401)
(cbfc3dd)
- Update Redis to write missing
$inited key (e99a27d)
Commits
e542f73
chore(main): release 9.15.0 (#394)e471ccc
fix: Mark copy_with_new_sdk_key method as deprecated (#353)5dc4f81
feat: Update ChangeSet to always require a Selector (#405)f20fffe
chore: Remove dead code, clarify names, other cleanup (#398)c73ad14
fix: Update DataSystemConfig to accept list of synchronizers (#404)d78079e
fix: Allow modifying fdv2 data source options independent of main config
(#403)e99a27d
chore: Support persistent data store verification in contract tests (#402)cbfc3dd
fix: Update reason documentation with inExperiment value (#401)5a1adbb
chore: Update sdk_metadata features (#400)da565a2
fix: Prevent immediate polling on recoverable error (#399)- Additional commits viewable in compare
view
Updates `supabase` from 2.27.2 to 2.28.0
Release notes
Sourced from supabase's
releases.
v2.28.0
2.28.0
(2026-02-10)
Features
- storage: add list_v2 method to file_api client (#1377)
(259f4ad)
Bug Fixes
- auth: add missing is_sso_user, deleted_at,
banned_until to User model (#1375)
(7f84a62)
- realtime: ensure remove_channel removes channel
from channels dict (#1373)
(0923314)
- realtime: use pop with default in _handle_message
to prevent KeyError (#1388)
(baea26f)
- storage3: replace print() with warnings.warn() for
trailing slash notice (#1380)
(50b099f)
v2.27.3
2.27.3
(2026-02-03)
Bug Fixes
- deprecate python 3.9 in all packages (#1365)
(cc72ed7)
- ensure storage_url has trailing slash to prevent warning (#1367)
(4267ff1)
Changelog
Sourced from supabase's
changelog.
2.28.0
(2026-02-10)
Features
- storage: add list_v2 method to file_api client (#1377)
(259f4ad)
Bug Fixes
- auth: add missing is_sso_user, deleted_at,
banned_until to User model (#1375)
(7f84a62)
- realtime: ensure remove_channel removes channel
from channels dict (#1373)
(0923314)
- realtime: use pop with default in _handle_message
to prevent KeyError (#1388)
(baea26f)
- storage3: replace print() with warnings.warn() for
trailing slash notice (#1380)
(50b099f)
2.27.3
(2026-02-03)
Bug Fixes
- deprecate python 3.9 in all packages (#1365)
(cc72ed7)
- ensure storage_url has trailing slash to prevent warning (#1367)
(4267ff1)
Commits
59e3384
chore(main): release 2.28.0 (#1378)baea26f
fix(realtime): use pop with default in _handle_message to prevent
KeyError (#...259f4ad
feat(storage): add list_v2 method to file_api client (#1377)50b099f
fix(storage3): replace print() with warnings.warn() for trailing slash
notice...0923314
fix(realtime): ensure remove_channel removes channel from channels dict
(#1373)7f84a62
fix(auth): add missing is_sso_user, deleted_at, banned_until to User
model (#...57dd6e2
chore(deps): bump the uv group across 1 directory with 3 updates (#1369)c357def
chore(main): release 2.27.3 (#1368)4267ff1
fix: ensure storage_url has trailing slash to prevent warning (#1367)cc72ed7
fix: deprecate python 3.9 in all packages (#1365)- Additional commits viewable in compare
view
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore ` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore ` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore ` will
remove the ignore condition of the specified dependency and ignore
conditions
Greptile Overview
Greptile Summary
Dependency update bumps 4 packages in the production-dependencies group,
including a **critical security patch for `cryptography`**
(CVE-2026-26007) that prevents malicious public key attacks on binary
elliptic curves. The update also includes bug fixes for `fastapi`,
`launchdarkly-server-sdk`, and `supabase`.
- **cryptography** 46.0.4 → 46.0.5: patches CVE-2026-26007, deprecates
SECT* binary curves
- **fastapi** 0.128.0 → 0.128.7: bug fixes, improved error handling,
relaxed Starlette constraint
- **launchdarkly-server-sdk** 9.14.1 → 9.15.0: drops Python 3.9 support
(requires >=3.10), fixes race conditions
- **supabase** 2.27.2/2.27.3 → 2.28.0: realtime fixes, new User model
fields
The lock files correctly resolve all dependencies. Python 3.10+
requirement is already enforced in both packages. However, backend's
`pyproject.toml` still specifies `launchdarkly-server-sdk = "^9.14.1"`
while the lock file uses 9.15.0 (pulled from autogpt_libs dependency),
creating a minor version constraint inconsistency.
Confidence Score: 4/5
- This PR is safe to merge with one minor style suggestion
- Automated dependency update with critical security patch for
cryptography. All updates are backwards-compatible within semver
constraints. Lock files correctly resolve all dependencies. Python 3.10+
is already enforced. Only minor issue is version constraint
inconsistency in backend's pyproject.toml for launchdarkly-server-sdk,
which doesn't affect functionality but should be aligned for clarity.
- autogpt_platform/backend/pyproject.toml needs launchdarkly-server-sdk
version constraint updated to ^9.15.0