Skip to content

Bump starlette from 1.0.1 to 1.3.1#25

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/uv/starlette-1.3.1
Open

Bump starlette from 1.0.1 to 1.3.1#25
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/uv/starlette-1.3.1

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 17, 2026

Copy link
Copy Markdown
Contributor

Bumps starlette from 1.0.1 to 1.3.1.

Release notes

Sourced from starlette's releases.

Version 1.3.1

What's Changed

Full Changelog: Kludex/starlette@1.3.0...1.3.1

Version 1.3.0

What's Changed

New Contributors

Full Changelog: Kludex/starlette@1.2.1...1.3.0

Version 1.2.1

What's Changed

New Contributors

Full Changelog: Kludex/starlette@1.2.0...1.2.1

Version 1.2.0

What's Changed

Full Changelog: Kludex/starlette@1.1.0...1.2.0

Version 1.1.0

... (truncated)

Changelog

Sourced from starlette's changelog.

1.3.1 (June 12, 2026)

Fixed

  • Enforce max_fields and max_part_size in FormParser #3329.
  • Enforce FormParser limits in parser callbacks #3331.

1.3.0 (June 11, 2026)

Added

  • Add httpx2 to the full extra #3323.
  • Annotate the URLPath protocol parameter with Literal #3285.

Fixed

  • Build request.url from structured components #3326.
  • Clamp oversized suffix ranges in FileResponse #3307.
  • Catch OSError alongside MultiPartException when closing temp files #3191.
  • Avoid collapsing exception groups raised from user code #2830.
  • Use removeprefix to strip the weak ETag indicator in is_not_modified #3193.
  • Fix IndexError in URL.replace() on a URL with no authority #3317.
  • Adjust testclient typing and warnings #3322.

1.2.1 (May 31, 2026)

Fixed

  • Use httpx2 for type checking in the testclient module #3304.
  • Add assert error for requires() when the request parameter is not a Request type #3298.

1.2.0 (May 28, 2026)

Added

  • Support httpx2 in the test client #3291.

1.1.0 (May 23, 2026)

Added

  • Use "application/octet-stream" as the FileResponse media type fallback #3283.

Fixed

  • Only dispatch standard HTTP verbs in HTTPEndpoint #3286.
  • Reject absolute paths in StaticFiles.lookup_path #3287.
Commits
  • 8ebffd0 Version 1.3.1 (#3330)
  • 25b8e17 Enforce FormParser limits in parser callbacks (#3331)
  • dba1c4b Enforce max_fields and max_part_size in FormParser (#3329)
  • 45e51dc Use StarletteDeprecationWarning instead of DeprecationWarning (#3119)
  • 5f8610c Version 1.3.0 (#3327)
  • 167b585 Build request.url from structured components (#3326)
  • 3730925 Use removeprefix to strip weak ETag indicator in is_not_modified (#3193)
  • e6f7ad1 avoid collapsing exception groups from user code (#2830)
  • 115228f Annotate URLPath protocol parameter with Literal (#3285)
  • 113f193 docs: replace inline ASGI server list with link to canonical implemen… (#3204)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [starlette](https://github.com/Kludex/starlette) from 1.0.1 to 1.3.1.
- [Release notes](https://github.com/Kludex/starlette/releases)
- [Changelog](https://github.com/Kludex/starlette/blob/main/docs/release-notes.md)
- [Commits](Kludex/starlette@1.0.1...1.3.1)

---
updated-dependencies:
- dependency-name: starlette
  dependency-version: 1.3.1
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels Jun 17, 2026
@siiway-code-review

siiway-code-review Bot commented Jun 17, 2026

Copy link
Copy Markdown

Summary by Claude Review

Security:

  • Pulls in upstream starlette fixes enforcing max_fields and max_part_size limits in FormParser (and in parser callbacks), reducing risk of resource-exhaustion via multipart form uploads

Chores:

  • Bump starlette from 1.0.1 to 1.3.1 in requirements.txt

Reviewer's Guide by Claude Review

This is a Dependabot-style dependency bump that upgrades starlette from 1.0.1 to 1.3.1 in the pinned requirements.txt. The new version pulls in several upstream fixes between 1.1.0 and 1.3.1, including hardening of FormParser limits (max_fields/max_part_size), clamping of oversized suffix ranges in FileResponse, an IndexError fix in URL.replace(), an ETag weak-indicator stripping fix, and avoidance of collapsing exception groups raised from user code. Hashes have been updated accordingly. Reviewers should confirm compatibility with the project's FastAPI version (starlette is a transitive dep via fastapi) and verify CI passes, since starlette minor bumps occasionally introduce subtle behavior changes (e.g. exception-group propagation, testclient typing changes).

File-Level Changes

File Changes
requirements.txt Updated pinned starlette version from 1.0.1 to 1.3.1 and refreshed the two sha256 hash entries for the new release.

Overall Comments

  • Verify that the FastAPI version currently pinned in requirements.txt declares a version range compatible with starlette 1.3.1. Starlette has historically been tightly coupled to specific FastAPI releases, and a minor starlette bump without an accompanying FastAPI bump can silently violate FastAPI's starlette<X upper bound at install time or surface runtime regressions.
  • The 1.2.x line changed exception-group handling (PR #2830, 'avoid collapsing exception groups from user code'). If any middleware or endpoint code in this project relies on starlette flattening ExceptionGroups into the first inner exception, error-handling behavior may change. Worth running the full integration/e2e test suite, not just unit tests.
  • Consider whether starlette should be listed explicitly in requirements.in (or equivalent source file) rather than only appearing pinned as a transitive dep ('# via fastapi'). Bumping a transitive in the lockfile without an upstream constraint change can be overwritten on the next pip-compile run.
  • No tests were added or updated. For a dependency-only bump this is expected, but please confirm CI green before merging.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- Verify that the FastAPI version currently pinned in requirements.txt declares a version range compatible with starlette 1.3.1. Starlette has historically been tightly coupled to specific FastAPI releases, and a minor starlette bump without an accompanying FastAPI bump can silently violate FastAPI's `starlette<X` upper bound at install time or surface runtime regressions.
- The 1.2.x line changed exception-group handling (PR #2830, 'avoid collapsing exception groups from user code'). If any middleware or endpoint code in this project relies on starlette flattening ExceptionGroups into the first inner exception, error-handling behavior may change. Worth running the full integration/e2e test suite, not just unit tests.
- Consider whether starlette should be listed explicitly in requirements.in (or equivalent source file) rather than only appearing pinned as a transitive dep ('# via fastapi'). Bumping a transitive in the lockfile without an upstream constraint change can be overwritten on the next pip-compile run.
- No tests were added or updated. For a dependency-only bump this is expected, but please confirm CI green before merging.

Reviewed by Claude Review

@siiway-code-review siiway-code-review Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security: Pulls in upstream starlette fixes enforcing max_fields and max_part_size limits in FormParser (and in parser callbacks), reducing risk of resource-exhaustion via multipart form uploads; Chores: Bump starlette from 1.0.1 to 1.3.1 in requirements.txt

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants