
[Bug]: Pinning werkzeug & starlette in root package leads to download and vulnerability #991

Open
LewisCowlesMotive opened this issue Apr 25, 2025 · 1 comment
Labels
kind/bug Indicates an issue

Comments

@LewisCowlesMotive
Actual Behavior

poetry update openapi-core

led to

  - Downgrading starlette (0.46.2 -> 0.44.0)
  - Installing aioitertools (0.12.0)
  - Downgrading werkzeug (3.1.3 -> 3.1.1)
  - Updating openapi-core (0.19.4 -> 0.19.5)

I've checked and there are no CVEs on these releases of starlette or werkzeug (although including werkzeug in my non-flask app is upsetting)

Expected Behavior

I see other dependencies have a wildcard dependency, which makes them super compatible with other packages. For some reason my local poetry forces a downgrade of starlette when I try to use openapi-core

Doing this to ensure that fast-api can remain spec-first and we don't accidentally automatically iterate towards trouble with code security scanning tooling such as Snyk

Steps to Reproduce

poetry add openapi-tools

then I update the extras to contain

python = "~=3.11.4"
datadog-lambda = "^6"
fastapi = "^0.115.11"
mangum = "^0.17.0"
openapi-core = { version = "^0.19.4", extras = ["fastapi", "starlette"] }

This is because I use the starlette middleware within fastapi, as it overcomes some error handling that fast-api doesn't handle (TBH I don't understand that part as well as I should)

OpenAPI Core Version

0.19.5

OpenAPI Core Integration

starlette,fastapi

Affected Area(s)

dependencies

References

No response

Anything else we need to know?

N/A

Would you like to implement a fix?

Yes

@LewisCowlesMotive LewisCowlesMotive added the kind/bug Indicates an issue label Apr 25, 2025
@LewisCowlesMotive
Author

Please let me know if a fix would be accepted, prior to me spending time making a fix. 👍
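The downgrade reported above is what happens when a library declares framework integrations as extras but still lists the framework packages as unconditional dependencies of its root package: Poetry installs those packages, with their upper bounds, for every consumer, whether or not the extra was requested. The script below is an added example for this thread, not openapi-core's own tooling. It audits a Poetry pyproject for exactly that pattern and groups the lines of a `poetry update` run by action so the downgraded and newly installed releases can be checked against an advisory feed before the lock file is merged. The INTEGRATION_PACKAGES set and both sample pyproject documents (including their version constraints) are constructed for illustration and are not openapi-core's real metadata; the `poetry update` sample is taken from the transcript in the issue.

```python
"""Audit a Poetry pyproject for integration packages the root package requires
unconditionally instead of gating behind an extra, and summarise what a
`poetry update` run changed.  Added example; not openapi-core's own tooling."""

import re
from typing import Dict, List, Tuple

try:
    import tomllib  # standard library on Python 3.11+
except ModuleNotFoundError:  # older interpreters
    import tomli as tomllib  # type: ignore[no-redef]

# Web frameworks a library like this should only pull in when the matching
# integration extra is requested (assumed list for this example).
INTEGRATION_PACKAGES = {"starlette", "werkzeug", "fastapi", "flask", "django", "aiohttp"}

# Constructed "before" sample: extras are declared, but starlette and werkzeug
# are still hard requirements of the root package, so every consumer gets them
# and their upper bounds whether or not it asked for the integration.
PINNED_PYPROJECT = """
[tool.poetry]
name = "example-openapi-lib"
version = "0.0.0"

[tool.poetry.dependencies]
python = "^3.9"
jsonschema = "^4.0"
starlette = "<0.45.0"
werkzeug = "<3.1.2"
flask = { version = ">=2.0", optional = true }

[tool.poetry.extras]
flask = ["flask"]
starlette = ["starlette"]
"""

# Constructed "after" sample: every integration dependency is optional and is
# reachable only through an extra, so a FastAPI-only consumer never resolves
# werkzeug and keeps control of its own starlette version.
FIXED_PYPROJECT = """
[tool.poetry]
name = "example-openapi-lib"
version = "0.0.0"

[tool.poetry.dependencies]
python = "^3.9"
jsonschema = "^4.0"
starlette = { version = ">=0.26", optional = true }
werkzeug = { version = ">=2.0", optional = true }
flask = { version = ">=2.0", optional = true }
fastapi = { version = ">=0.100", optional = true }

[tool.poetry.extras]
flask = ["flask", "werkzeug"]
starlette = ["starlette"]
fastapi = ["fastapi", "starlette"]
"""

# Taken from the `poetry update` transcript in the issue above.
SAMPLE_UPDATE_OUTPUT = """
  - Downgrading starlette (0.46.2 -> 0.44.0)
  - Installing aioitertools (0.12.0)
  - Downgrading werkzeug (3.1.3 -> 3.1.1)
  - Updating openapi-core (0.19.4 -> 0.19.5)
"""

UPDATE_LINE = re.compile(
    r"^\s*-\s+(Downgrading|Installing|Updating|Removing)\s+(\S+)\s+\((.*?)\)\s*$"
)


def _spec_text(spec: object) -> str:
    """Render a Poetry dependency spec (bare string or inline table) as its constraint."""
    return str(spec.get("version", "*")) if isinstance(spec, dict) else str(spec)


def unconditional_integration_pins(pyproject_text: str) -> List[str]:
    """Findings for integration packages that are not optional, or that are
    optional but unreachable through any declared extra."""
    poetry = tomllib.loads(pyproject_text).get("tool", {}).get("poetry", {})
    deps: Dict[str, object] = poetry.get("dependencies", {})
    extras: Dict[str, List[str]] = poetry.get("extras", {})
    reachable = {pkg.lower() for members in extras.values() for pkg in members}

    findings = []
    for name, spec in deps.items():
        key = name.lower()
        if key not in INTEGRATION_PACKAGES:
            continue
        optional = isinstance(spec, dict) and bool(spec.get("optional", False))
        if not optional:
            findings.append(f"{name}: unconditional dependency ({_spec_text(spec)})")
        elif key not in reachable:
            findings.append(f"{name}: optional but not listed under any extra")
    return sorted(findings)


def version_changes(update_output: str) -> Dict[str, List[Tuple[str, str]]]:
    """Group `poetry update` result lines by action (Downgrading, Installing, ...)
    so each affected release can be checked against an advisory feed."""
    changes: Dict[str, List[Tuple[str, str]]] = {}
    for line in update_output.splitlines():
        match = UPDATE_LINE.match(line)
        if match:
            action, package, versions = match.groups()
            changes.setdefault(action, []).append((package, versions))
    return changes


if __name__ == "__main__":
    for finding in unconditional_integration_pins(PINNED_PYPROJECT):
        print("pinned:", finding)
    print("fixed:", unconditional_integration_pins(FIXED_PYPROJECT) or "no findings")
    for action, items in version_changes(SAMPLE_UPDATE_OUTPUT).items():
        print(action, items)
```

Run against the real library's pyproject.toml, `unconditional_integration_pins` reports any framework package that would be installed for consumers who never requested the corresponding extra; the `Downgrading` and `Installing` groups from `version_changes` are the releases worth feeding to `pip-audit` or a similar scanner before accepting the new lock file.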
