Starlette versions 0.8.3-1.0.0 are vulnerable to improper Host header
validation when reconstructing request.url, which can cause
request.url.path to differ from the actual requested path and bypass
path-based security checks. Patched in 1.0.1.
Bumps fastapi to 0.134.0 since 0.121.x pins starlette<0.50.0.
https://claude.ai/code/session_01P9NtqqFN9dVW1c5Uno6oRC
pytest-asyncio 0.23 is incompatible with pytest 9 (it calls the removed
Package.obj attribute, causing an INTERNALERROR during collection).
Bump to ~= 1.1 and set asyncio_default_fixture_loop_scope to silence the
1.x deprecation warning.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
`deptry` [1] is a tool to check for unused and missing dependencies in
Python projects.
By running it, we already found that `pydantic` should be added as a
direct dependency, that `types-*` packages can be moved to the `dev`
group, and that `user-agents` is no longer used and can be removed.
Ideally, a future PR can include the `trunk` related configuration to
run `deptry` automatically.
[1] https://deptry.com/
This change introduces OpenTelemetry dependencies, and uses
`opentelemetry-instrument` auto-instrumentation to allow users to
configure OpenTelemetry settings via environment variables [1].
The only custom environment variable added is
`OTEL_SERVICE_NAME_PREFIX`, which allows users to set a prefix to the
service names included by RomM to differentiate between `api`, `worker`,
and `watcher` services.
The instrumentation of RQ workers and file watcher will be added in
subsequent pull requests.
[1] https://opentelemetry.io/docs/specs/otel/configuration/sdk-environment-variables/
The `watchfiles` library supports event batching, which allows us to
process multiple filesystem changes in a single run.
This change also avoids database calls in the watcher as much as
possible.
The `emoji` library has been removed, in favor of using constants for
the few emojis used in the codebase. This reduces memory usage, and
avoids calling `emojize` for Python to discover where to replace emojis
in pre-defined strings.
This change replaces our custom `scheduler.py` script with the
`rqscheduler` command, allowing us to run the RQ scheduler as a
separate, low-memory process, by avoiding the need to maintain
the Python app in memory.
* Remove `scheduler.py` script.
* Move initialization of scheduled tasks to `worker.py`.
* Update `docker/init_scripts/init` to start the `rqscheduler`
command instead of the custom script.
* Fix scheduled tasks' `func` paths to the new project structure.
* Temporarily use a fork of `rq-scheduler` to support
username and SSL settings in the `rqscheduler` command.
The latest minor version `0.116` of FastAPI changes the `standard` extra
to include extra dependencies to deploy to FastAPI Cloud, which we don't
need.
This change moves to the new `standard-no-fastapi-cloud-cli` extra,
which maintains the previous set of dependencies.
