
⬆️ Bump ormar from 0.20.2 to 0.23.1#515

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/pip/ormar-0.23.1

Conversation

@dependabot
Contributor

@dependabot dependabot bot commented on behalf of github Mar 19, 2026

Bumps ormar from 0.20.2 to 0.23.1.

Release notes

Sourced from ormar's releases.

Fix high vulnerability with kwargs injection

0.23.1

‼️🚨 High vulnerability fixed – please upgrade ASAP

  • In this version of ormar a high severity vulnerability (CVE-2026-27953) in model initialization was patched. The vulnerability allowed injection of __pk_only__ and __excluded__ parameters through user-supplied **kwargs (e.g. JSON request bodies). Passing __pk_only__=True bypassed all Pydantic validation, and __excluded__ could nullify arbitrary fields. Thanks @Mistz1 for reporting!
  • Affected versions:
    • All versions prior to 0.23.1

Fix critical vulnerability, drop Python 3.9, bugfixes

0.23.0

‼️🚨 Critical vulnerability fixed – please upgrade ASAP

  • In this version of ormar the critical vulnerability (CVE-2026-26198) in aggregate functions was patched - thanks @AAtomical for reporting. The vulnerability was caused by the way ormar generated SQL queries for aggregate functions, allowing arbitrary SQL execution through user input.
  • Affected versions:
    • 0.9.9 - 0.12.2
    • 0.20.0b1 - 0.22.0 (latest)

✨ Breaking changes

  • Drop support for Python 3.9

🐛 Fixes

  • Fix selecting data with nested models with json fields #1530
  • Fix prefetching JSON list field throwing TypeError - thanks @jannyware-inc #1402

Drop databases package and use sqlalchemy async instead

0.22.0

🐛 Breaking changes

  • Migration from databases library to native async SQLAlchemy

    Version 0.22.0 migrates from the databases library to native async SQLAlchemy using ormar's DatabaseConnection wrapper. This provides better integration with SQLAlchemy's async ecosystem and improved transaction handling, and avoids the dependency on the archived databases library.

  • Import changes

    Replace databases import with DatabaseConnection from ormar:

    # ormar < 0.22
    import databases
    database = databases.Database("sqlite:///db.sqlite")

    # ormar >= 0.22 (note the async driver in the URL)
    from ormar import DatabaseConnection
    database = DatabaseConnection("sqlite+aiosqlite:///db.sqlite")

... (truncated)

Changelog

Sourced from ormar's changelog.

0.23.1

‼️🚨 High vulnerability fixed – please upgrade ASAP

  • In this version of ormar a high severity vulnerability (CVE-2026-27953) in model initialization was patched. The vulnerability allowed injection of __pk_only__ and __excluded__ parameters through user-supplied **kwargs (e.g. JSON request bodies). Passing __pk_only__=True bypassed all Pydantic validation, and __excluded__ could nullify arbitrary fields. Thanks @Mistz1 for reporting!
  • Affected versions:
    • All versions prior to 0.23.1

0.23.0

‼️🚨 Critical vulnerability fixed – please upgrade ASAP

  • In this version of ormar the critical vulnerability (CVE-2026-26198) in aggregate functions was patched - thanks @AAtomical for reporting. The vulnerability was caused by the way ormar generated SQL queries for aggregate functions, allowing arbitrary SQL execution through user input.
  • Affected versions:
    • 0.9.9 - 0.12.2
    • 0.20.0b1 - 0.22.0 (latest)

✨ Breaking changes

  • Drop support for Python 3.9

🐛 Fixes

  • Fix selecting data with nested models with json fields #1530
  • Fix prefetching JSON list field throwing TypeError - thanks @jannyware-inc #1402

0.22.0

✨ Breaking changes

  • Migration from databases library to native async SQLAlchemy

    Version 0.22.0 migrates from the databases library to native async SQLAlchemy using ormar's DatabaseConnection wrapper. This provides better integration with SQLAlchemy's async ecosystem and improved transaction handling, and avoids the dependency on the archived databases library.

  • Import changes

    Replace databases import with DatabaseConnection from ormar:

    # ormar < 0.22
    import databases
    database = databases.Database("sqlite:///db.sqlite")

    # ormar >= 0.22 (note the async driver in the URL)
    from ormar import DatabaseConnection
    database = DatabaseConnection("sqlite+aiosqlite:///db.sqlite")

... (truncated)

Commits
  • 7f22aa2 Fix/remove kwargs injection (#1582)
  • 8e144d0 Update codspeed benchmark (#1576)
  • fa59cdf build(deps-dev): bump ruff from 0.15.2 to 0.15.4 (#1570)
  • 8340862 bump pytest-asyncio and pytest, use ruff for formatting too, fix ordering of ...
  • 900f9c4 build(deps-dev): bump fastapi from 0.133.0 to 0.133.1 (#1568)
  • 62aaead build(deps-dev): bump fastapi from 0.132.0 to 0.133.0 (#1567)
  • e992dfa build(deps): bump sqlalchemy from 2.0.46 to 2.0.47 (#1566)
  • 7f8d57f build(deps-dev): bump mkdocs-material from 9.7.2 to 9.7.3 (#1565)
  • c8f540c build(deps-dev): bump types-requests (#1564)
  • 3446b0b build(deps-dev): bump fastapi from 0.131.0 to 0.132.0 (#1563)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [ormar](https://github.com/ormar-orm/ormar) from 0.20.2 to 0.23.1.
- [Release notes](https://github.com/ormar-orm/ormar/releases)
- [Changelog](https://github.com/ormar-orm/ormar/blob/master/docs/releases.md)
- [Commits](ormar-orm/ormar@0.20.2...0.23.1)

---
updated-dependencies:
- dependency-name: ormar
  dependency-version: 0.23.1
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
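The kwargs-injection mechanism the 0.23.1 notes describe, as an added example that is not ormar's code: a toy model whose constructor reads the internal flags __pk_only__ and __excluded__ out of the same **kwargs that carry user-supplied field values, built straight from a JSON body, alongside an application-side allowlist filter placed at the request boundary. The model, its field names, the validation rules and the reject_control_keys helper are all constructed here for illustration; the notes do not say how ormar itself patched the constructor, and the filter is a stop-gap for code that cannot upgrade immediately, not a replacement for moving to 0.23.1.

```python
"""Toy stand-in for the CVE-2026-27953 pattern (constructed example, not ormar code)."""
import json
from typing import Any, Mapping


class VulnerableModel:
    """Constructor reads internal control flags out of the same **kwargs that
    carry user-supplied field values, so a JSON body can set those flags."""

    fields = ("id", "email", "is_admin")

    def __init__(self, **kwargs: Any) -> None:
        pk_only = kwargs.pop("__pk_only__", False)
        excluded = set(kwargs.pop("__excluded__", ()))
        if pk_only:
            # "Primary key only" fast path: copy everything, validate nothing.
            for name in self.fields:
                setattr(self, name, kwargs.get(name))
            return
        for name in self.fields:
            if name in excluded:
                setattr(self, name, None)  # nullified, validation skipped
                continue
            setattr(self, name, self.validate(name, kwargs.get(name)))

    @staticmethod
    def validate(name: str, value: Any) -> Any:
        """Constructed validation rules standing in for the Pydantic layer."""
        if name == "id" and not isinstance(value, int):
            raise ValueError("id must be an int")
        if name == "email" and (not isinstance(value, str) or "@" not in value):
            raise ValueError("email must be an address")
        if name == "is_admin":
            if value not in (None, False):
                raise ValueError("clients may not set is_admin")
            return False
        return value


def reject_control_keys(payload: Mapping[str, Any], allowed: tuple) -> dict:
    """Application-side allowlist (hypothetical helper): refuse any key that is
    not a declared field, so dunder control names never reach **kwargs."""
    bad = sorted(k for k in payload if k not in allowed)
    if bad:
        raise ValueError(f"rejected keys: {bad}")
    return dict(payload)


# Constructed request bodies.
HONEST_BODY = json.dumps({"id": 7, "email": "a@b.c"})
PK_ONLY_BODY = json.dumps(
    {"id": 7, "email": "not-an-email", "is_admin": True, "__pk_only__": True}
)
EXCLUDED_BODY = json.dumps({"id": 7, "email": "a@b.c", "__excluded__": ["email"]})


def build_unfiltered(body: str) -> VulnerableModel:
    """The vulnerable pattern: Model(**json_body)."""
    return VulnerableModel(**json.loads(body))


def build_filtered(body: str) -> VulnerableModel:
    """Same constructor, but behind the allowlist filter."""
    return VulnerableModel(
        **reject_control_keys(json.loads(body), VulnerableModel.fields)
    )


if __name__ == "__main__":
    m = build_unfiltered(PK_ONLY_BODY)
    print("unfiltered __pk_only__ body ->", vars(m))   # is_admin True, email unvalidated
    m = build_unfiltered(EXCLUDED_BODY)
    print("unfiltered __excluded__ body ->", vars(m))  # email nullified
    for body in (PK_ONLY_BODY, EXCLUDED_BODY):
        try:
            build_filtered(body)
        except ValueError as exc:
            print("filtered ->", exc)
```

The allowlist is deliberately positive (declared field names only) rather than a blocklist of the two known dunder names, so any other control parameter a constructor might honour is rejected as well.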
@dependabot dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Mar 19, 2026
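A triage helper for the affected-version lists quoted above, added here as an example that is not part of the PR or of ormar: it parses pinned ormar requirement lines and reports which of the two CVEs apply, encoding the ranges exactly as the release notes give them (0.9.9 to 0.12.2 and 0.20.0b1 to 0.22.0 for CVE-2026-26198, everything below 0.23.1 for CVE-2026-27953). The version grammar handled is the simple X.Y.Z with an optional a/b/rc pre-release tag, which covers the versions named on this page; the requirements text is constructed for the example.

```python
"""Flag ormar pins against the affected ranges in the 0.23.0 / 0.23.1 release notes."""
import re
from typing import Optional

# Simple PEP 440 subset: major.minor.patch with optional aN / bN / rcN tag.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(a|b|rc)(\d+))?$")
_STAGE = {"a": 0, "b": 1, "rc": 2, None: 3}  # final releases sort after pre-releases
_PIN_RE = re.compile(r"^ormar(?:\[[^\]]*\])?\s*==\s*([^\s;,]+)", re.IGNORECASE)
_NAME_RE = re.compile(r"^ormar(?:\[[^\]]*\])?(?=\s*(?:[=<>!~]|$))", re.IGNORECASE)


def version_key(text: str) -> Optional[tuple]:
    """Comparable tuple for a version string, or None if it is not in the subset."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, stage, num = m.groups()
    return (int(major), int(minor), int(patch), _STAGE[stage], int(num or 0))


def affected_cves(version: str) -> list:
    """CVE ids from the release notes whose affected range contains `version`."""
    key = version_key(version)
    if key is None:
        raise ValueError(f"cannot parse version {version!r}")
    hits = []
    # CVE-2026-26198: 0.9.9 - 0.12.2 and 0.20.0b1 - 0.22.0, both ends inclusive.
    if (version_key("0.9.9") <= key <= version_key("0.12.2")
            or version_key("0.20.0b1") <= key <= version_key("0.22.0")):
        hits.append("CVE-2026-26198")
    # CVE-2026-27953: all versions prior to 0.23.1.
    if key < version_key("0.23.1"):
        hits.append("CVE-2026-27953")
    return hits


def scan_requirements(text: str) -> dict:
    """Map every ormar requirement line to its CVE list, or to a note when the
    line is not an exact pin and the installed version must be checked instead."""
    report = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line or not _NAME_RE.match(line):
            continue
        pin = _PIN_RE.match(line)
        if not pin:
            report[line] = "not pinned with ==; check the installed version (pip show ormar)"
            continue
        report[line] = affected_cves(pin.group(1))
    return report


# Constructed requirements file for the example.
REQUIREMENTS = """\
fastapi==0.133.1
ormar==0.20.2                # the version this PR bumps from
ormar[postgresql]==0.23.1    # the version this PR bumps to
ormar>=0.21                  # a range pin: the file alone does not decide it
"""

if __name__ == "__main__":
    for line, result in scan_requirements(REQUIREMENTS).items():
        print(f"{line:28} -> {result}")
```

Run it against a real requirements.txt or the output of `pip freeze`; anything that resolves to a CVE list other than an empty one, or to the "not pinned" note, needs the installed version confirmed and the upgrade in this PR applied.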