RepoJournal

FastAPI & Pydantic

FastAPI and the Pydantic + SQLModel async-Python stack

FASTAPI AND SQLMODEL PATCH CRITICAL GITHUB ACTIONS FLAW ACROSS THE STACK

By RepoJournal · Filed · About FastAPI & Pydantic

Both FastAPI and SQLModel just closed a privilege escalation hole in their CI/CD pipelines where fork pull requests could execute untrusted code in trusted contexts.

The vulnerability sits in GitHub Actions checkout configurations [1] [2] [3]. When a workflow triggered by `pull_request_target` ran `actions/checkout@v7`, it checked out the fork's code instead of the base repository's trusted code, creating a window for attackers to inject malicious workflows. FastAPI fixed this across two critical workflows, and SQLModel deployed the same fix. This matters because `pull_request_target` is exactly the context in which sensitive operations such as release automation and notification systems run. Meanwhile, Pydantic is shipping a performance win: caching the `ModelPrivateAttr.default_factory_takes_validated_data` property [4] [6] to eliminate redundant checks during model initialization. The team also clarified the YAML example documentation [5] [7] to list PyYAML as an explicit dependency rather than burying it in prose.
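As an added, defensive check for the pattern described above (example code written for this page, not from FastAPI, SQLModel or this wire), a stdlib-only Python scan that flags `actions/checkout` steps fetching the PR head under `pull_request_target`. It assumes the remedy is simply to stop overriding `ref` so checkout takes the base branch; the sample workflow and its `notify.sh` are constructed, and the actual fastapi/sqlmodel diffs are not shown on this page.

```python
"""Heuristic audit for the pattern fixed above: a workflow triggered by
pull_request_target whose actions/checkout step fetches the PR head ref, so
fork code runs in a job holding the base repo's secrets. Stdlib only, line
oriented; the sample workflow is constructed, not taken from fastapi/sqlmodel."""
import re

# Expressions that resolve to the untrusted PR head, not the base branch.
HEAD_REF_MARKERS = ("github.event.pull_request.head", "github.head_ref", "refs/pull/")

def indent(s: str) -> int:
    return len(s) - len(s.lstrip())

def find_risky_checkouts(workflow_text: str) -> list[int]:
    """1-based lines of checkout steps that fetch the PR head under pull_request_target."""
    lines = workflow_text.splitlines()
    if not any(re.search(r"\bpull_request_target\b", ln) for ln in lines):
        return []  # plain pull_request runs in the fork context without secrets
    risky = []
    for i, line in enumerate(lines):
        if "uses:" not in line or "actions/checkout@" not in line:
            continue
        base = indent(line)
        for nxt in lines[i + 1:]:  # walk this step's remaining keys only
            if nxt.strip() and (indent(nxt) < base or
                                (indent(nxt) == base and nxt.lstrip().startswith("- "))):
                break  # reached the next step or a parent key
            key = nxt.strip()
            if key.startswith("ref:") and any(m in key for m in HEAD_REF_MARKERS):
                risky.append(i + 1)
                break
    return risky

VULNERABLE = """\
name: example-notify
on: [pull_request_target]
jobs:
  notify:
    steps:
      - uses: actions/checkout@v7
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: ./notify.sh
        env:
          TOKEN: ${{ secrets.GITHUB_TOKEN }}
"""
# Hardened form: no ref override, so checkout takes the base-branch commit
# (the default under pull_request_target) and fork changes never reach notify.sh.
HARDENED = VULNERABLE.replace(
    "        with:\n          ref: ${{ github.event.pull_request.head.sha }}\n", "")
```

The scan is deliberately line-based so it needs no PyYAML; it also accepts the `- name:` / `uses:` step layout and ignores workflows that only use the plain `pull_request` trigger.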

Action items

References

  [1] 👷 Fix notify translations checkout target (fastapi/fastapi)
  [2] 👷 Fix latest-changes checkout target (fastapi/fastapi)
  [3] 👷 Fix latest-changes checkout target (tiangolo/sqlmodel)
  [4] Cache `ModelPrivateAttr.default_factory_takes_validated_data` property (pydantic/pydantic)
  [5] Mention PyYAML installation for YAML example (pydantic/pydantic)
  [6] Cache `ModelPrivateAttr.default_factory_takes_validated_data` property (pydantic/pydantic #13390)
  [7] Mention PyYAML installation for YAML example (pydantic/pydantic #13400)

FAQ

What changed in FastAPI & Pydantic on July 5, 2026?
Both FastAPI and SQLModel just closed a privilege escalation hole in their CI/CD pipelines where fork pull requests could execute untrusted code in trusted contexts.
What should FastAPI & Pydantic teams do about it?
  • Review your GitHub Actions workflows for `pull_request_target` checkout configurations; patch immediately if found
  • Upgrade Pydantic if you're doing heavy private attribute factory validation
  • Audit SQLModel CI/CD if you maintain a fork with custom workflows
Which FastAPI & Pydantic repositories shipped on July 5, 2026?
fastapi/fastapi, tiangolo/sqlmodel, pydantic/pydantic
