Upgrade pymssql 2.3.7 -> 2.3.13 to fix MSSQL monitor SIGSEGV

[adamsachs]

Ticket ENG-2893

Description Of Changes

Fixes SIGSEGV (signal 11) in the MSSQL discovery monitor Celery worker. The crash occurs during TLS negotiation when pymssql connects to MSSQL servers.

Root cause: pymssql 2.3.7 was being compiled from source (due to no-build-isolation-package in pyproject.toml) against the system FreeTDS 1.3.17 (Debian Bookworm). FreeTDS 1.3.17 has known segfault issues in TLS connection handling. The official pymssql wheels bundle a newer FreeTDS (1.4.27) that resolves this, but no-build-isolation-package forced a source build that linked against the older system library instead.

Fix:

• Upgrade pymssql from 2.3.7 to 2.3.13 (bundles FreeTDS 1.4.27)
• Remove pymssql from no-build-isolation-package so uv uses the official pre-built wheel with its bundled FreeTDS, rather than compiling from source against the system headers

This is the fides-side change. The companion fidesplus PR (ethyca/fidesplus#3214) handles the Docker build and a TensorFlow/OpenSSL library loading conflict on the encoders image.

Code Changes

• pyproject.toml: Bump pymssql==2.3.7 → pymssql==2.3.13 in [project.optional-dependencies] (mssql and all extras); remove pymssql from [tool.uv] no-build-isolation-package
• uv.lock: Auto-updated by uv lock to reflect the pymssql version change

Steps to Confirm

1. Build a fides image and verify pymssql uses bundled FreeTDS: python -c "import pymssql; print(pymssql.version_info())" should show freetds v1.4.27
2. Deploy with an MSSQL integration and run the discovery monitor — should complete without SIGSEGV
3. Run the MSSQL connection test — should succeed

Pre-Merge Checklist

• Issue requirements met
• All CI pipelines succeeded
• CHANGELOG.md updated
  • Updates unreleased work already in Changelog, no new entry necessary
• UX feedback:
  • No UX review needed
• Followup issues:
  • No followup issues
• Database migrations:
  • No migrations
• Documentation:
  • No documentation updates required

Summary by CodeRabbit

• Bug Fixes
  • Fixed a crash in MSSQL discovery monitoring.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
fides-plus-nightly	Ignored	Preview	Mar 10, 2026 2:54pm
fides-privacy-center	Ignored		Mar 10, 2026 2:54pm

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 298205ce-f084-4827-80f3-7da1644e6a96

📥 Commits

Reviewing files that changed from the base of the PR and between 9d24a80 and f9e9e25.

⛔ Files ignored due to path filters (1)

• uv.lock is excluded by !**/*.lock

📒 Files selected for processing (2)

• changelog/7609.yaml
• pyproject.toml

---

📝 Walkthrough

Walkthrough

This change upgrades the pymssql dependency from 2.3.7 to 2.3.13 to address an MSSQL discovery monitor SIGSEGV issue. The update includes a new changelog entry and removes pymssql from the no-build-isolation-package list in the build configuration.

Changes

Cohort / File(s)	Summary
Changelog Entry changelog/7609.yaml	New changelog entry documenting the pymssql upgrade (2.3.7 → 2.3.13) that bundles FreeTDS 1.4.27 to fix MSSQL discovery monitor SIGSEGV.
Dependency & Build Config pyproject.toml	Updated optional dependencies (mssql and all) to pin pymssql to 2.3.13, and removed pymssql from the no-build-isolation-package list (retaining only pyahocorasick and scylla-driver).

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 A hop and a bump, version up we go,
FreeTDS now flows, no more segfaults below,
pymssql 2.3.13 shines bright,
MSSQL discovery fixed just right! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically summarizes the main change: upgrading pymssql from 2.3.7 to 2.3.13 to fix an MSSQL monitor SIGSEGV issue.
Description check	✅ Passed	The PR description follows the template structure with all required sections completed: ticket reference, clear description of changes with root cause analysis, code changes listed, steps to confirm, and a comprehensive pre-merge checklist.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch asachs/ENG-2893_2

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[greptile-apps]

Greptile Summary

This PR upgrades pymssql from 2.3.7 to 2.3.13 to resolve a SIGSEGV crash in MSSQL monitoring caused by TLS negotiation issues in the system-provided FreeTDS 1.3.17. The new version bundles FreeTDS 1.4.26 via its pre-built wheel, and pymssql is removed from no-build-isolation-package so that uv resolves the pre-built wheel instead of compiling from source against the older system headers.

• pyproject.toml: Version bumped to 2.3.13 in both mssql and all optional dependency groups; pymssql removed from no-build-isolation-package.
• uv.lock: Updated to reflect the new version, including updated wheel URLs/hashes and newly added cp314 (Python 3.14) wheels. The new Linux wheels use manylinux_2_27/manylinux_2_28 tags (glibc >= 2.27/2.28) rather than the old manylinux2014 (glibc >= 2.17) tags — Debian Bookworm (glibc 2.36) is fully compatible.
• The CHANGELOG.md was not updated; the pre-merge checklist item should be addressed.
• The Dockerfile still installs freetds-dev and freetds-bin with a comment attributing them to PyMSSQL — since the wheel now bundles FreeTDS, that comment is outdated and those packages may no longer be needed for pymssql (worth auditing).

Confidence Score: 5/5

• This PR is safe to merge — it is a targeted dependency upgrade to fix a known crash with a clear, well-understood root cause.
• The change is minimal and low-risk: a version bump of a single dependency, removal from a build configuration list, and the corresponding lock file update. The new wheel is compatible with the project's Debian Bookworm deployment target (glibc 2.36 >> required 2.28). The only minor concern is an outdated comment/potentially unnecessary system FreeTDS packages in the Dockerfile, which does not affect correctness.
• No files require special attention, though Dockerfile has an outdated comment about FreeTDS being needed for PyMSSQL that should be revisited.

Important Files Changed

Filename	Overview
pyproject.toml	Bumps pymssql from 2.3.7 to 2.3.13 in both mssql and all optional dependency groups, and removes pymssql from no-build-isolation-package so uv uses the pre-built wheel with bundled FreeTDS 1.4.26 instead of compiling from source against the older system headers.
uv.lock	Lock file updated to reflect pymssql 2.3.13. New wheels use manylinux_2_27/manylinux_2_28 tags (glibc >= 2.27/2.28) instead of the old manylinux2014 (glibc >= 2.17) tags, and add cp314 (Python 3.14) wheels. The win32 wheel present in 2.3.7 is absent in 2.3.13, but this is unlikely to affect this project. Debian Bookworm (glibc 2.36) is fully compatible with the new wheel tags.

Comments Outside Diff (1)

1. Dockerfile, line 9-26 (link)

   Outdated comment about FreeTDS/PyMSSQL

   The comment on line 9 (# Install auxiliary software and FreeTDS (used for PyMSSQL)) is now outdated. Since pymssql 2.3.13 ships with a bundled FreeTDS 1.4.26 inside the pre-built wheel, the system freetds-dev and freetds-bin packages are no longer required for pymssql to function correctly. If no other package in the project depends on the system FreeTDS at runtime, these apt packages could be removed from both the compile_image and backend stages to reduce image size and avoid any potential version confusion between the system FreeTDS (1.3.17 from Bookworm's repos) and the bundled FreeTDS (1.4.26).

   At minimum, the comment should be updated to reflect the new situation.

_{Last reviewed commit: bb3be68}

[johnewart]

👍🏼