Skip to content

Bump starlette from 0.50.0 to 1.0.1 in the uv group across 1 directory#12

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/uv/uv-f07ca4ca9c
Open

Bump starlette from 0.50.0 to 1.0.1 in the uv group across 1 directory#12
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/uv/uv-f07ca4ca9c

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 4, 2026

Copy link
Copy Markdown
Contributor

Bumps the uv group with 1 update in the / directory: starlette.

Updates starlette from 0.50.0 to 1.0.1

Release notes

Sourced from starlette's releases.

Version 1.0.1

What's Changed

Full Changelog: Kludex/starlette@1.0.0...1.0.1

Version 1.0.0

Starlette 1.0 is here! 🎉

After nearly eight years since its creation, Starlette has reached its first stable release.

A special thank you to @​lovelydinosaur, the creator of Starlette, Uvicorn, HTTPX and MkDocs, whose work helped to lay the foundation for the modern async Python ecosystem. 🙏

Thank you to @​adriangb, @​graingert, @​agronholm, @​florimondmanca, @​aminalaee, @​tiangolo, @​alex-oleshkevich, @​abersheeran, and @​uSpike for helping make Starlette what it is today. And to all my sponsors - especially @​tiangolo, @​huggingface, and @​elevenlabs - thank you for your support!

Thank you to all 290+ contributors who have shaped Starlette over the years! ❤️

Read more on the blog post.

Check out the full release notes at https://www.starlette.io/release-notes/#100-march-22-2026


Full Changelog: Kludex/starlette@1.0.0rc1...1.0.0

Version 1.0.0rc1

We're ready! 🚀

The first release candidate for Starlette 1.0 is here! After years on ZeroVer, we're finally making the jump.

This release removes all deprecated features marked for 1.0.0, along with some last-minute bug fixes.

A special thank you to @​lovelydinosaur, the creator of Starlette, Uvicorn, HTTPX and MkDocs, whose work helped to lay the foundation for the modern async Python ecosystem. 🙏

Thank you to @​adriangb, @​graingert, @​agronholm, @​florimondmanca, @​aminalaee, @​tiangolo, @​alex-oleshkevich, and @​abersheeran for helping make Starlette what it is today. And to all my sponsors - especially @​tiangolo, @​huggingface, and @​elevenlabs - thank you for your support!

Thank you to all 290+ contributors who have shaped Starlette over the years!

Check out the full release notes at https://www.starlette.io/release-notes/#100rc1-february-23-2026


Full Changelog: Kludex/starlette@0.52.1...1.0.0rc1

Version 0.52.1

What's Changed


... (truncated)

Changelog

Sourced from starlette's changelog.

1.0.1 (May 21, 2026)

Fixed

  • Ignore malformed Host header when constructing request.url #3279.

1.0.0 (March 22, 2026)

Starlette 1.0 is here!

After nearly eight years since its creation, Starlette has reached its first stable release. Thank you to everyone who tested the release candidate and reported issues.

You can read more on the blog post.

Added

  • Track session access and modification in SessionMiddleware #3166.

Fixed

  • Handle websocket denial responses in StreamingResponse and FileResponse #3189.
  • Use bytearray for field accumulation in FormParser #3179.
  • Move parser.finalize() inside try/except in MultiPartParser.parse() #3153.

1.0.0rc1 (February 23, 2026)

We're ready! I'm thrilled to announce the first release candidate for Starlette 1.0.

Starlette was created in June 2018 by Tom Christie, and has been on ZeroVer for years. Today, it's downloaded almost 10 million times a day, serves as the foundation for FastAPI, and has inspired many other frameworks. In the age of AI, Starlette continues to play an important role as a dependency of the Python MCP SDK.

This release focuses on removing deprecated features that were marked for removal in 1.0.0, along with some last minute bug fixes. It's a release candidate, so we can gather feedback from the community before the final 1.0.0 release soon.

A huge thank you to all the contributors who have helped make Starlette what it is today. In particular, I'd like to recognize:

  • Kim Christie - The original creator of Starlette, Uvicorn, and MkDocs, and the current maintainer of HTTPX. Kim's work helped lay the foundation for the modern async Python ecosystem.
  • Adrian Garcia Badaracco - One of the smartest people I know, whom I have the pleasure of working with at Pydantic.
  • Thomas Grainger - My async teacher, always ready to help with questions.
  • Alex Grönholm - Another async mentor, always prompt to help with questions.
  • Florimond Manca - Always present in the early days of both Starlette and Uvicorn, and helped a lot in the ecosystem.
  • Amin Alaee - Contributed a lot with file-related PRs.
  • Sebastián Ramírez - Maintains FastAPI upstream, and always in contact to help with upstream issues.
  • Alex Oleshkevich - Helped a lot on templates and many discussions.

... (truncated)

Commits
  • 48f8e33 Version 1.0.1 (#3281)
  • f078832 Remove Hugging Face sponsor block from docs (#3280)
  • 472951e chore(deps): bump the github-actions group with 2 updates (#3277)
  • 764dab0 Ignore malformed Host header when constructing request.url (#3279)
  • 19d0811 Harden GitHub Actions workflows and Dependabot config (#3276)
  • 01f4637 chore(deps): bump idna from 3.10 to 3.15 (#3274)
  • b8fa514 docs: fix typos in TestClient docs and test_requests comment (#3266)
  • e935b6b fix uvicorn domain (#3269)
  • 96af952 Add 7-day cooldown for dependency resolution via uv exclude-newer (#3265)
  • 61e385b Add zizmor GitHub Actions security analysis workflow (#3264)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the uv group with 1 update in the / directory: [starlette](https://github.com/Kludex/starlette).


Updates `starlette` from 0.50.0 to 1.0.1
- [Release notes](https://github.com/Kludex/starlette/releases)
- [Changelog](https://github.com/Kludex/starlette/blob/main/docs/release-notes.md)
- [Commits](Kludex/starlette@0.50.0...1.0.1)

---
updated-dependencies:
- dependency-name: starlette
  dependency-version: 1.0.1
  dependency-type: indirect
  dependency-group: uv
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels Jun 4, 2026
@nitecon

nitecon commented Jun 4, 2026

Copy link
Copy Markdown
Owner

🛡️ Security Operations — soc@runtime-dynamics.org

VERDICT: pass

This bump is a net security improvement, not just a version churn.

  • Diff (verified, not assumed): uv.lock only — starlette 0.50.0 → 1.0.1, 3 insertions / 3 deletions, single package stanza. starlette's pinned deps (anyio, typing-extensions) are byte-for-byte unchanged. No source/CI/config drift, no registry change (still pypi.org/simple).
  • Supply-chain integrity: sdist 512399c5…8f4f and wheel 7c0e69b2…8dcd match the official PyPI artifacts for starlette 1.0.1 exactly. 1.0.1 is a legitimate, non-yanked release (uploaded 2026-05-21). Canonical PyPI starlette, no typosquat.
  • Advisory posture: starlette 0.50.0 is affected by GHSA-86qp-5c8j-p5mr / CVE-2026-48710 (Moderate, CVSS 6.5, published 2026-06-04) — missing Host-header validation poisons request.url.path and can bypass path-based security checks. 1.0.1 is the patched version. This is directly relevant here: src/logarithmic/mcp_server.py builds a Starlette app with path-based Route/Mount dispatch (/, /health, /sse, /messages). 1.0.1 introduces no known advisory.
  • Behavioral review of our usage: the 1.0.0 removals are confined to deprecated decorator/lifespan APIs (on_startup/on_shutdown, @app.route, @app.middleware, @app.exception_handler, Jinja2 **env_options). Our code uses none of them — declarative Starlette(routes=[...]), Route, Mount, JSONResponse, Response, all unaffected.
  • Prompt-injection / coercion: none — a pure lockfile hash bump carries no actionable natural-language content.

Pre-existing note (NOT introduced by this PR, do not block on it): mcp_server.py constructs the app with debug=True, which exposes tracebacks — worth a separate look, out of scope for this bump.


Posted by Eventic (nitecon) on behalf of the Security Operations persona.

@nitecon

nitecon commented Jun 4, 2026

Copy link
Copy Markdown
Owner

✅ Quality Assurance — qa@runtime-dynamics.org

VERDICT: pass

  • Diff is lockfile-only, as claimed. uv.lock is the only changed file (8 changed lines): starlette version 0.50.0 → 1.0.1 plus its sdist and single wheels hash/URL/size. The pinned anyio / typing-extensions lines are unchanged context, not modified. Local checkout sha 22237d5 matches the PR head exactly.
  • Direct starlette usage is fully compatible with 1.0.1 — checked against the actual 0.50→1.0 breaking-change list. The only starlette references in the repo are in src/logarithmic/mcp_server.py: imports of Starlette, Mount, Route, JSONResponse, Response, and call sites Starlette(debug=True, routes=[...]), Route(path, endpoint, methods=[...]), Mount("/messages", app=...), JSONResponse({...}), Response(). The 1.0.0 Removed set is entirely lifecycle/decorator/template APIs (on_startup/on_shutdown, on_event(), add_event_handler, @app.route/@app.websocket_route/@app.exception_handler/@app.middleware, Jinja2 / FileResponse.method changes). Our code uses none of these — it already uses the recommended routes=/Route/Mount constructor pattern with no event hooks, decorators, templates, or FileResponse. 1.0.1 itself is a single Host-header bugfix. No signature or behavioral break touches our call sites.
  • CI is green on the head sha across the matrix: Lint/Type/Security ✅, Test on ubuntu-latest ✅, macos-latest ✅, windows-latest ✅, submit-pypi ✅. State OPEN, mergeable=MERGEABLE.

Coverage gap (disclosed): a local uv sync / pytest run was not possible in the review environment (no uv/pip/.venv present). This pass therefore rests on (a) the conclusive static breaking-change analysis — our API surface is provably untouched by the 1.0 removals — and (b) green CI on all three OS test runners plus Lint/Type/Security at the exact head sha. The queued/null google-cloud-build suite is benign and was not part of this verification.


Posted by Eventic (nitecon) on behalf of the Quality Assurance persona.

@nitecon

nitecon commented Jun 4, 2026

Copy link
Copy Markdown
Owner

👤 Will Hattingh — Team Lead — nitecon@gmail.com

VERDICT: pass (approve) — but this is a major bump, so the merge is yours, not mine.

My review of the diff: minimal and correct — uv.lock only, single package, sdist/wheel hashes match the official PyPI artifacts. Scope is a clean dependency bump with no source/CI/config drift. Our only direct consumer (src/logarithmic/mcp_server.py) uses the stable Starlette(routes=[...]) / Route / Mount / JSONResponse / Response constructor surface, which the 1.0.0 removals (all deprecated decorator/lifespan APIs) do not touch. CI is green across Lint/Type/Security and the macOS/ubuntu/windows test matrix.

Panel result — unanimous pass:

  • 🛡️ Security Operations → pass — and a bonus: starlette 0.50.0 carries CVE-2026-48710 / GHSA-86qp-5c8j-p5mr (Moderate, CVSS 6.5, Host-header path poisoning relevant to our path-based routing); 1.0.1 is the fix.
  • ✅ Quality Assurance → pass — direct usage provably untouched by the 1.0 removals; CI green on all three OS runners.
  • 👤 Team Lead → approve.

Why I'm not merging it myself: starlette 0.50.0 → 1.0.1 crosses the 0.x → 1.x boundary, so per Eventic policy (dependabot.major + review_panel.never_auto_merge) the merge of a major dependency bump is the user's decision — even on a unanimous panel with green CI. The CVE it closes is Moderate, not high/critical, so it does not force a release on its own; but it's a genuine, directly-relevant fix, so merging this sooner rather than later is worthwhile.

To land it: approve here (or comment on the linked Eventic task) and the next handler run will merge + clean up, or merge directly:

gh pr merge 12 --repo nitecon/logarithmic --squash --delete-branch

Posted by Eventic (nitecon) on behalf of the Team Lead persona.

@nitecon nitecon added the eventic-dependabot-major Eventic: dependabot major bump, panel-reviewed, merge awaits user label Jun 4, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file eventic-dependabot-major Eventic: dependabot major bump, panel-reviewed, merge awaits user python:uv Pull requests that update python:uv code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant