Bump starlette from 1.0.1 to 1.3.1#25
Conversation
Bumps [starlette](https://github.com/Kludex/starlette) from 1.0.1 to 1.3.1. - [Release notes](https://github.com/Kludex/starlette/releases) - [Changelog](https://github.com/Kludex/starlette/blob/main/docs/release-notes.md) - [Commits](Kludex/starlette@1.0.1...1.3.1) --- updated-dependencies: - dependency-name: starlette dependency-version: 1.3.1 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
Summary by Claude ReviewSecurity:
Chores:
Reviewer's Guide by Claude ReviewThis is a Dependabot-style dependency bump that upgrades starlette from 1.0.1 to 1.3.1 in the pinned requirements.txt. The new version pulls in several upstream fixes between 1.1.0 and 1.3.1, including hardening of FormParser limits (max_fields/max_part_size), clamping of oversized suffix ranges in FileResponse, an IndexError fix in URL.replace(), an ETag weak-indicator stripping fix, and avoidance of collapsing exception groups raised from user code. Hashes have been updated accordingly. Reviewers should confirm compatibility with the project's FastAPI version (starlette is a transitive dep via fastapi) and verify CI passes, since starlette minor bumps occasionally introduce subtle behavior changes (e.g. exception-group propagation, testclient typing changes). File-Level Changes
Overall Comments
Prompt for AI AgentsPlease address the comments from this code review:
## Overall Comments
- Verify that the FastAPI version currently pinned in requirements.txt declares a version range compatible with starlette 1.3.1. Starlette has historically been tightly coupled to specific FastAPI releases, and a minor starlette bump without an accompanying FastAPI bump can silently violate FastAPI's `starlette<X` upper bound at install time or surface runtime regressions.
- The 1.2.x line changed exception-group handling (PR #2830, 'avoid collapsing exception groups from user code'). If any middleware or endpoint code in this project relies on starlette flattening ExceptionGroups into the first inner exception, error-handling behavior may change. Worth running the full integration/e2e test suite, not just unit tests.
- Consider whether starlette should be listed explicitly in requirements.in (or equivalent source file) rather than only appearing pinned as a transitive dep ('# via fastapi'). Bumping a transitive in the lockfile without an upstream constraint change can be overwritten on the next pip-compile run.
- No tests were added or updated. For a dependency-only bump this is expected, but please confirm CI green before merging.Reviewed by Claude Review |
Bumps starlette from 1.0.1 to 1.3.1.
Release notes
Sourced from starlette's releases.
... (truncated)
Changelog
Sourced from starlette's changelog.
Commits
8ebffd0Version 1.3.1 (#3330)25b8e17EnforceFormParserlimits in parser callbacks (#3331)dba1c4bEnforcemax_fieldsandmax_part_sizeinFormParser(#3329)45e51dcUseStarletteDeprecationWarninginstead ofDeprecationWarning(#3119)5f8610cVersion 1.3.0 (#3327)167b585Buildrequest.urlfrom structured components (#3326)3730925Useremoveprefixto strip weak ETag indicator inis_not_modified(#3193)e6f7ad1avoid collapsing exception groups from user code (#2830)115228fAnnotate URLPath protocol parameter with Literal (#3285)113f193docs: replace inline ASGI server list with link to canonical implemen… (#3204)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.