Fix sqlite #505

Closed
moshemorad wants to merge 3 commits into main from fix_sqlite

Conversation

@moshemorad
Contributor

No description provided.

@coderabbitai

coderabbitai bot commented Feb 15, 2026

Walkthrough

This PR performs a version bump release with security updates. It upgrades sqlite packages in the Dockerfile to address CVE-2025-6965, updates FastAPI dependency to version 0.121.3, and increments Helm chart version and image tag from 0.3.4 to 0.3.5.

Changes

Cohort / File(s) Summary
Enforcer dependencies
enforcer/Dockerfile, enforcer/requirements.txt
Upgrades sqlite-libs and sqlite to 3.51.2-r0 for CVE-2025-6965 mitigation; bumps FastAPI from 0.115.12 to 0.121.3.
Helm chart versioning
helm/krr-enforcer/Chart.yaml, helm/krr-enforcer/values.yaml
Increments chart version and appVersion to 0.3.5; updates image tag to 0.3.5.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested reviewers

  • arikalon1
  • Sheeproid
🚥 Pre-merge checks | ✅ 1 | ❌ 3
❌ Failed checks (1 warning, 2 inconclusive)
Check name Status Explanation Resolution
Merge Conflict Detection ⚠️ Warning ❌ Merge conflicts detected (7 files):

⚔️ .github/workflows/pytest-on-push.yml (content)
⚔️ enforcer/Dockerfile (content)
⚔️ enforcer/requirements.txt (content)
⚔️ helm/krr-enforcer/values.yaml (content)
⚔️ poetry.lock (content)
⚔️ pyproject.toml (content)
⚔️ requirements.txt (content)

These conflicts must be resolved before merging into main.
Resolve conflicts locally and push changes to this branch.
Title check ❓ Inconclusive The title 'Fix sqlite' is vague and generic, using non-descriptive language that doesn't clearly convey the specific nature of the changes beyond mentioning sqlite. Improve the title to be more specific about the change, such as 'Update sqlite and fastapi dependencies for security and feature updates' or similar.
Description check ❓ Inconclusive No pull request description was provided by the author, making it impossible to assess whether the description relates to the changeset. Add a description explaining the purpose of the changes, including details about the sqlite fix, fastapi update, and version bump rationale.
✅ Passed checks (1 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@enforcer/requirements.txt`:
- Line 1: The pinned FastAPI dependency (fastapi==0.121.3) is compatible with
Pydantic 2.6.1 but Pydantic 2.6 changed datetime path parameter parsing; run the
test suite that covers any route handlers taking datetime path params and
validate behavior, then if tests fail update the route parameter handling to
explicitly parse/validate datetimes (e.g., convert from str using
datetime.fromisoformat or use pydantic.BaseModel request validation) in the
affected endpoint functions or add explicit type conversion middleware; search
for handlers that accept datetime/path parameters (routes or functions that
declare parameter type datetime) and adjust them to normalize input or add tests
asserting the expected parsing behavior.
🧹 Nitpick comments (1)
enforcer/Dockerfile (1)

7-9: Pin the Alpine base image version to ensure APK pins remain available.

The exact pin sqlite=3.51.2-r0 is only available in Alpine 3.23 repositories. While python:3.12-alpine currently resolves to Alpine 3.23, the unversioned tag can advance to future Alpine versions that no longer carry this exact revision. To keep the build stable and reproducible, explicitly pin the base image to python:3.12-alpine3.23 (or set apk_repositories to target a specific Alpine version).
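A small lint for the two pinning points raised in this review (every requirement carries an exact `==` pin, and an Alpine-based image tag names its Alpine release so `apk` pins such as `sqlite=3.51.2-r0` keep resolving). This is an added example for this page, not code from the krr project or from CodeRabbit; the function names `lint_requirements` and `lint_dockerfile` are the example's own, and the requirements and Dockerfile snippets embedded in it are constructed for illustration rather than the contents of enforcer/requirements.txt or enforcer/Dockerfile.

```python
"""Added example: lint dependency pins for the drift this review flags.

Two checks: each requirement must be an exact ``==`` pin, and an Alpine-based
base image must name an explicit Alpine release so ``apk`` version pins keep
resolving. The sample inputs at the bottom are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# name, optional extras, optional operator + version (environment markers ignored)
_REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*"
    r"(?P<op>===|==|~=|>=|<=|!=|>|<)?\s*(?P<ver>[^;\s#]*)"
)
# "python:3.12-alpine" floats across Alpine releases; "python:3.12-alpine3.23" does not
_ALPINE_TAG_RE = re.compile(r"-alpine(?P<ver>\d+\.\d+)?$")
# an apk package with an exact version, e.g. sqlite=3.51.2-r0
_APK_PIN_RE = re.compile(r"^(?P<name>[a-z0-9][a-z0-9._+-]*)=(?P<ver>[0-9][A-Za-z0-9._-]*)$")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    message: str


def lint_requirements(text: str, path: str = "requirements.txt") -> list[Finding]:
    """Flag requirements that are missing, or looser than, an exact ``==`` pin."""
    findings: list[Finding] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank, comment, or a pip option such as -r / --hash
        m = _REQ_RE.match(line)
        if not m:
            findings.append(Finding(path, n, f"unparseable requirement: {line!r}"))
        elif m.group("op") != "==" or not m.group("ver"):
            findings.append(Finding(path, n, f"{m.group('name')} is not exactly pinned"))
    return findings


def lint_dockerfile(text: str, path: str = "Dockerfile") -> tuple[list[Finding], dict[str, str]]:
    """Flag floating Alpine base tags and unpinned apk packages; return the apk pins found."""
    findings: list[Finding] = []
    pins: dict[str, str] = {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.upper().startswith("FROM "):
            image = line.split()[1]
            tag = image.rsplit(":", 1)[1] if ":" in image else ""
            m = _ALPINE_TAG_RE.search(tag)
            if m and not m.group("ver"):
                findings.append(Finding(path, n, f"{image} floats across Alpine releases"))
        if "apk add" in line:
            # package arguments on this RUN line up to the next shell operator;
            # flags and line continuations are skipped
            args = line.split("apk add", 1)[1].split("&&", 1)[0].split()
            for tok in args:
                if tok.startswith("-") or tok == "\\":
                    continue
                m = _APK_PIN_RE.match(tok)
                if m:
                    pins[m.group("name")] = m.group("ver")
                else:
                    findings.append(Finding(path, n, f"apk package {tok} is not exactly pinned"))
    return findings, pins


# Constructed samples (not the project's files). The fastapi, uvicorn and pydantic
# versions mirror those discussed in the review; the loose pydantic bound and the
# unpinned curl package are there to trip the lint.
SAMPLE_REQUIREMENTS = """\
fastapi==0.121.3
uvicorn[standard]==0.27.1
pydantic>=2.6.1  # loose bound: the resolver can move this between builds
"""

SAMPLE_DOCKERFILE = """\
FROM python:3.12-alpine
RUN apk add --no-cache sqlite-libs=3.51.2-r0 sqlite=3.51.2-r0 curl
"""

if __name__ == "__main__":
    req_findings = lint_requirements(SAMPLE_REQUIREMENTS)
    dock_findings, apk_pins = lint_dockerfile(SAMPLE_DOCKERFILE)
    for f in req_findings + dock_findings:
        print(f"{f.path}:{f.line}: {f.message}")
    print("apk pins:", apk_pins)
```

Run it against the real enforcer/requirements.txt and enforcer/Dockerfile in CI so a future bump that drops an `==` or moves the base image back to an unversioned `-alpine` tag fails the build rather than silently changing what gets resolved.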

@@ -1,4 +1,4 @@
fastapi==0.115.12
fastapi==0.121.3
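Review bot: the only change in this hunk is fastapi moving from 0.115.12 to 0.121.3, which is unrelated to the sqlite CVE the PR title names and has no stated rationale; the description should say why FastAPI jumps six minor versions. Since 0.121.3 tightens its Starlette requirement to <0.51.0 and nothing in this file pins starlette, the resolved Starlette version can now change between builds; add an explicit starlette pin alongside the fastapi line so the upgrade is reproducible.
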
⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

find . -name "requirements.txt" -type f | head -20

Repository: robusta-dev/krr

Length of output: 105


🌐 Web query:

FastAPI 0.121.3 release notes breaking changes

💡 Result:

FastAPI 0.121.3 does not list any “Breaking Changes” in the official release notes (it’s a refactor/upgrade/docs patch release). The changes recorded are:

  • Refactor: make the result of Depends() and Security() hashable (workaround for other tools interacting with internals). [1]
  • Dependency upgrade constraint: bump Starlette requirement to <0.51.0 (so environments using Starlette >=0.51.0 may hit a version-resolution conflict when upgrading FastAPI). [1]
  • Docs-only updates (missing hash in docs, typos, FastAPI Cloud docs). [1]

Sources: [1]


🏁 Script executed:

cat enforcer/requirements.txt

Repository: robusta-dev/krr

Length of output: 198


🌐 Web query:

uvicorn 0.27.1 Starlette version dependency

💡 Result:

uvicorn==0.27.1 has no dependency on Starlette (no starlette version constraint at all). Its core dependencies are click>=7.0, h11>=0.8, and typing-extensions>=4.0 (only for Python < 3.11). The optional standard extra adds packages like httptools, uvloop, watchfiles, and websockets, but still not Starlette. [1]

Starlette is an ASGI framework that you run on an ASGI server like Uvicorn, but it’s not required by Uvicorn itself. [2]

Sources: [1] [2]


🌐 Web query:

FastAPI 0.121.3 pydantic 2.6.1 compatibility

💡 Result:

FastAPI 0.121.3 is compatible with Pydantic 2.6.1.

  • FastAPI 0.121.3 declares pydantic>=1.7.4,<3.0.0 with exclusions for a few older/early releases (e.g. !=2.0.0, !=2.1.0), and Pydantic 2.6.1 is not excluded, so it satisfies FastAPI’s declared requirement. [1]
  • FastAPI’s docs also state that newer Pydantic versions are tested for compatibility with FastAPI. [2]

Note: there was at least one reported behavior change/bug around datetime parsing in path params after upgrading to Pydantic 2.6 in FastAPI apps; if you rely on strict datetime path validation, run your test suite carefully. [3]

Sources: [1] [2] [3]


Test datetime path parameter validation with Pydantic 2.6.1.

FastAPI 0.121.3 is compatible with your pinned Pydantic 2.6.1 and Uvicorn 0.27.1 (no breaking changes). However, Pydantic 2.6 introduced a behavior change in datetime parsing for path parameters. If your code relies on datetime path validation, run tests to confirm the behavior matches your expectations.

@moshemorad moshemorad closed this Feb 15, 2026
@moshemorad moshemorad deleted the fix_sqlite branch February 15, 2026 13:42