The Wire · Showcase
FASTAPI TIGHTENS CI SECURITY AS PYDANTIC EYES PyO3 0.29
By RepoJournal · Filed · About FastAPI & Pydantic
FastAPI stripped unnecessary unsafe checkout flags from workflows while dependency updates sweep both repos, but Pydantic's PyO3 upgrade remains blocked on jiter.
FastAPI's security posture just got sharper. The team removed `allow-unsafe-pr-checkout: true` directives that turned out to be unnecessary overhead [2] [4], a small but disciplined move that reflects maturation in their CI/CD thinking. That followed a broader github-actions refresh [3] bumping checkout to v7, setup-python to 6.3.0, and actions/cache to 6.1.0. On the dependency front, FastAPI landed 10 python-packages updates [1] including pytest 9.0.3 to 9.1.1, httpx2 2.3.0 to 2.4.0, and ruff 0.15.16 to 0.15.18, all routine maintenance that keeps the test suite sharp. Over in Pydantic land, the team is staging a PyO3 0.29 upgrade [6] but it's waiting on jiter/254 to ship first, so that one's not moving until upstream clears. Meanwhile, Pydantic's rust-deps group picked up six updates across pydantic-core [5], including regex 1.12.4, lru 0.18.0, and serde_json 1.0.150. These are the kinds of incremental wins that keep core performance tight.
Action items
- Monitor Pydantic jiter PR 254, which blocks PyO3 0.29 adoption (pydantic/jiter) [monitor]
- Merge FastAPI python-packages and github-actions bumps into next release cycle (fastapi/fastapi) [plan]
- Test Pydantic rust-deps updates, particularly lru 0.18.0, in your validation pipelines (pydantic/pydantic) [plan]
References
- [1] ⬆ Bump the python-packages group across 1 directory with 10 updates - fastapi/fastapi
- [2] 👷 Remove not needed `allow-unsafe-pr-checkout: true` (#15876) - fastapi/fastapi
- [3] ⬆ Bump the github-actions group with 5 updates - fastapi/fastapi
- [4] 👷 Remove not needed `allow-unsafe-pr-checkout: true` - fastapi/fastapi
- [5] Bump the rust-deps group across 1 directory with 6 updates - pydantic/pydantic
- [6] Update to PyO3 0.29 - pydantic/pydantic
FAQ
- What changed in FastAPI & Pydantic on July 1, 2026?
- FastAPI stripped unnecessary unsafe checkout flags from workflows while dependency updates sweep both repos, but Pydantic's PyO3 upgrade remains blocked on jiter.
- What should FastAPI & Pydantic teams do about it?
- Monitor Pydantic jiter PR 254, which blocks PyO3 0.29 adoption; merge FastAPI python-packages and github-actions bumps into next release cycle; test Pydantic rust-deps updates, particularly lru 0.18.0, in your validation pipelines
- Which FastAPI & Pydantic repositories shipped on July 1, 2026?
- fastapi/fastapi, pydantic/pydantic