[CVAT] Update deps, fix warnings (#2728)

* Update fastapi and sqlalchemy to mitigate DOS attacks

* Remove invalid subquery call

* Remove extra alembic hooks

* Fix foreign key overlap warnings

Author: zhiltsov-max

packages/examples/cvat/exchange-oracle/alembic.ini

@@ -64,7 +64,7 @@ sqlalchemy.url =
 # on newly generated revision scripts.  See the documentation for further
 # detail and examples
 
-hooks=ruff, ruff_format, types_update
+hooks=ruff, ruff_format
 
 ruff.type = exec
 ruff.executable = ruff

packages/examples/cvat/exchange-oracle/poetry.lock

@@ -8,7 +8,7 @@ packages = [{include = "exchange_oracle"}]
 
 [tool.poetry.dependencies]
 python = "^3.10,<3.13"
-fastapi = "^0.111.1"
+fastapi = {version = "^0.115.4", extras = ["standard"]}
 uvicorn = "^0.30.0"
 python-dotenv = "^1.0.0"
 psycopg2 = "^2.9.6"
@@ -32,6 +32,7 @@ fastapi-filter = "^1.1.0"
 fastapi-limiter = "^0.1.6"
 strenum = "^0.4.15"
 pyjwt = "^2.9.0"
+starlette = ">=0.40.0" # avoid the vulnerability with multipart/form-data
 
 
 [tool.poetry.group.dev.dependencies]

packages/examples/cvat/exchange-oracle/pyproject.toml

@@ -61,6 +61,7 @@ class Project(Base):
             ")"
         ),
         foreign_keys=[escrow_address, chain_id],
+        overlaps="escrow_validation",
     )
     escrow_validation: Mapped[EscrowValidation] = relationship(
         back_populates="projects",
@@ -73,6 +74,7 @@ class Project(Base):
             ")"
         ),
         foreign_keys=[escrow_address, chain_id],
+        overlaps="escrow_creation",
     )
 
     def __repr__(self) -> str:
@@ -129,6 +131,7 @@ class EscrowCreation(Base):
             ")"
         ),
         foreign_keys=[Project.escrow_address, Project.chain_id],
+        overlaps="projects, escrow_validation",
     )
 
     def __repr__(self) -> str:
@@ -157,6 +160,7 @@ class EscrowValidation(Base):
             ")"
         ),
         foreign_keys=[Project.escrow_address, Project.chain_id],
+        overlaps="projects, escrow_creation",
     )
 
 

packages/examples/cvat/exchange-oracle/src/models/cvat.py

@@ -412,7 +412,6 @@ def prepare_escrows_for_validation(
         .where(EscrowValidation.status == EscrowValidationStatuses.awaiting)
         .limit(limit)
         .order_by(EscrowValidation.attempts.asc())
-        .subquery()
     )
     update_stmt = (
         update(EscrowValidation)

packages/examples/cvat/exchange-oracle/src/services/cvat.py

@@ -68,7 +68,7 @@ sqlalchemy.url = driver://user:pass@localhost/dbname
 # on newly generated revision scripts.  See the documentation for further
 # detail and examples
 
-hooks=ruff, ruff_format, types_update
+hooks=ruff, ruff_format
 
 ruff.type = exec
 ruff.executable = ruff

packages/examples/cvat/recording-oracle/alembic.ini

@@ -8,7 +8,7 @@ packages = [{include = "recording_oracle"}]
 
 [tool.poetry.dependencies]
 python = "^3.10, <3.13"
-fastapi = "^0.111.1"
+fastapi = {version = "^0.115.4", extras = ["standard"]}
 uvicorn = "^0.22.0"
 python-dotenv = "^1.0.0"
 SQLAlchemy = "^2.0.17"
@@ -24,6 +24,7 @@ google-cloud-storage = "^2.14.0"
 datumaro = {git = "https://github.com/cvat-ai/datumaro.git", rev = "ff83c00c2c1bc4b8fdfcc55067fcab0a9b5b6b11"}
 human-protocol-sdk = "^3.0.4"
 hexbytes = ">=1.2.0" # required for to_0x_hex() function
+starlette = ">=0.40.0" # avoid the vulnerability with multipart/form-data
 
 [tool.poetry.group.dev.dependencies]
 hypothesis = "^6.82.6"