Skip to content

build(deps): bump starlette from 1.0.0 to 1.3.1 in /src/ContentProcessor#614

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/uv/src/ContentProcessor/starlette-1.0.1
Open

build(deps): bump starlette from 1.0.0 to 1.3.1 in /src/ContentProcessor#614
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/uv/src/ContentProcessor/starlette-1.0.1

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 4, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Bumps starlette from 1.0.0 to 1.3.1.

Release notes

Sourced from starlette's releases.

Version 1.3.1

What's Changed

Full Changelog: Kludex/starlette@1.3.0...1.3.1

Version 1.3.0

What's Changed

New Contributors

Full Changelog: Kludex/starlette@1.2.1...1.3.0

Version 1.2.1

What's Changed

New Contributors

Full Changelog: Kludex/starlette@1.2.0...1.2.1

Version 1.2.0

What's Changed

Full Changelog: Kludex/starlette@1.1.0...1.2.0

Version 1.1.0

... (truncated)

Changelog

Sourced from starlette's changelog.

1.3.1 (June 12, 2026)

Fixed

  • Enforce max_fields and max_part_size in FormParser #3329.
  • Enforce FormParser limits in parser callbacks #3331.

1.3.0 (June 11, 2026)

Added

  • Add httpx2 to the full extra #3323.
  • Annotate the URLPath protocol parameter with Literal #3285.

Fixed

  • Build request.url from structured components #3326.
  • Clamp oversized suffix ranges in FileResponse #3307.
  • Catch OSError alongside MultiPartException when closing temp files #3191.
  • Avoid collapsing exception groups raised from user code #2830.
  • Use removeprefix to strip the weak ETag indicator in is_not_modified #3193.
  • Fix IndexError in URL.replace() on a URL with no authority #3317.
  • Adjust testclient typing and warnings #3322.

1.2.1 (May 31, 2026)

Fixed

  • Use httpx2 for type checking in the testclient module #3304.
  • Add assert error for requires() when the request parameter is not a Request type #3298.

1.2.0 (May 28, 2026)

Added

  • Support httpx2 in the test client #3291.

1.1.0 (May 23, 2026)

Added

  • Use "application/octet-stream" as the FileResponse media type fallback #3283.

Fixed

  • Only dispatch standard HTTP verbs in HTTPEndpoint #3286.
  • Reject absolute paths in StaticFiles.lookup_path #3287.

1.0.1 (May 21, 2026)

... (truncated)

Commits
  • 8ebffd0 Version 1.3.1 (#3330)
  • 25b8e17 Enforce FormParser limits in parser callbacks (#3331)
  • dba1c4b Enforce max_fields and max_part_size in FormParser (#3329)
  • 45e51dc Use StarletteDeprecationWarning instead of DeprecationWarning (#3119)
  • 5f8610c Version 1.3.0 (#3327)
  • 167b585 Build request.url from structured components (#3326)
  • 3730925 Use removeprefix to strip weak ETag indicator in is_not_modified (#3193)
  • e6f7ad1 avoid collapsing exception groups from user code (#2830)
  • 115228f Annotate URLPath protocol parameter with Literal (#3285)
  • 113f193 docs: replace inline ASGI server list with link to canonical implemen… (#3204)
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels Jun 4, 2026
Copilot AI review requested due to automatic review settings June 4, 2026 17:51
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jun 4, 2026
@dependabot dependabot Bot requested review from dgp10801 and nchandhi as code owners June 4, 2026 17:51
@dependabot dependabot Bot added the python:uv Pull requests that update python:uv code label Jun 4, 2026
Copilot AI reviewed Jun 4, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

@dependabot
build(deps): bump starlette from 1.0.0 to 1.3.1 in /src/ContentProcessor
8447449 
Bumps [starlette](https://github.com/Kludex/starlette) from 1.0.0 to 1.3.1.
- [Release notes](https://github.com/Kludex/starlette/releases)
- [Changelog](https://github.com/Kludex/starlette/blob/main/docs/release-notes.md)
- [Commits](Kludex/starlette@1.0.0...1.3.1)

---
updated-dependencies:
- dependency-name: starlette
  dependency-version: 1.0.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title chore(deps): bump starlette from 1.0.0 to 1.0.1 in /src/ContentProcessor build(deps): bump starlette from 1.0.0 to 1.3.1 in /src/ContentProcessor Jun 16, 2026
@dependabot dependabot Bot force-pushed the dependabot/uv/src/ContentProcessor/starlette-1.0.1 branch from a911723 to 8447449 Compare June 16, 2026 12:46
@Ayaz-Microsoft Ayaz-Microsoft mentioned this pull request Jun 17, 2026
Open
Ayaz-Microsoft added a commit that referenced this pull request Jun 17, 2026
@Ayaz-Microsoft
chore: upgrade vulnerable packages (Python + NPM)
c8f710b 
Upgrades security-critical packages across ContentProcessor, ContentProcessorWorkflow, and ContentProcessorWeb modules.

ContentProcessorWorkflow (Python):
- aiohttp: 3.13.5 → 3.14.1 (MEDIUM severity, transitive → direct)
- python-multipart: 0.0.27 → 0.0.31 (HIGH severity)
- cryptography: 46.0.7 → 48.0.1 (HIGH severity)
- pyjwt: 2.12.1 → 2.13.0 (MEDIUM/HIGH severity)
- starlette: 1.0.1 → 1.3.1 (HIGH severity, transitive → direct)

ContentProcessor (Python):
- aiohttp: 3.13.5 → 3.14.1 (MEDIUM severity, transitive → direct)
- pyjwt: 2.12.1 → 2.13.0 (MEDIUM/HIGH severity)
- python-multipart: added 0.0.31 (HIGH severity, new direct dependency)
- cryptography: added 48.0.1 (HIGH severity, new direct dependency)
- starlette: 1.0.0 → 1.3.1 (HIGH severity, transitive → direct)

ContentProcessorWeb (NPM):
Direct dependencies:
- axios: 1.15.2 → 1.16.0 (HIGH severity)
- react-router-dom: 7.13.2 → 7.15.1 (HIGH/LOW severity)
- qs: 6.14.2 → 6.15.2 (MEDIUM severity)
- uuid: 11.1.0 → 11.1.1 (MEDIUM severity)
- webpack-dev-server: 5.2.1 → 5.2.4 (MEDIUM severity)

Transitive dependencies (via lock file):
- shell-quote → 1.8.4 (CRITICAL severity)
- form-data → 4.0.6 (HIGH severity)
- ws → 8.21.0 (HIGH severity)
- js-yaml → 4.2.0 (MEDIUM severity)
- launch-editor → 2.14.1 (MEDIUM severity)
- @babel/core → 7.29.6 (LOW severity)

Testing:
- All uv sync operations: PASSED
- ContentProcessorWeb build: PASSED
- No breaking changes

Resolves ~114 security alerts (71% reduction from 161 → ~47).

Note: ContentProcessorAPI excluded per team guidance.

Closes #624
Closes #611
Closes #614
Ayaz-Microsoft added a commit that referenced this pull request Jun 17, 2026
@Ayaz-Microsoft
chore: upgrade vulnerable packages (Python + NPM)
a8fae6f 
Upgrades security-critical packages across ContentProcessorWorkflow and ContentProcessorWeb modules.

ContentProcessorWorkflow (Python):
- aiohttp: 3.13.5 → 3.14.1 (MEDIUM severity, transitive → direct)
- python-multipart: 0.0.27 → 0.0.31 (HIGH severity)
- cryptography: 46.0.7 → 48.0.1 (HIGH severity)
- pyjwt: 2.12.1 → 2.13.0 (MEDIUM/HIGH severity)
- starlette: 1.0.1 → 1.3.1 (HIGH severity, transitive → direct)

ContentProcessor (Python):
- NO DIRECT CHANGES (relied on transitive dependencies)
- All vulnerable packages upgraded via parent dependencies:
  • aiohttp 3.14.1 (via azure-functions-durable)
  • pyjwt 2.13.0 (via azure-identity, msal)
  • cryptography 48.0.1 (via azure-identity, msal, pyjwt)
  • python-multipart 0.0.31 (via fastapi)
  • starlette 1.3.1 (via fastapi, sse-starlette)

ContentProcessorWeb (NPM):
Direct dependencies:
- axios: 1.15.2 → 1.16.0 (HIGH severity)
- react-router-dom: 7.13.2 → 7.15.1 (HIGH/LOW severity)
- qs: 6.14.2 → 6.15.2 (MEDIUM severity)
- uuid: 11.1.0 → 11.1.1 (MEDIUM severity)
- webpack-dev-server: 5.2.1 → 5.2.4 (MEDIUM severity)

Transitive dependencies (via lock file):
- shell-quote → 1.8.4 (CRITICAL severity)
- form-data → 4.0.6 (HIGH severity)
- ws → 8.21.0 (HIGH severity)
- js-yaml → 4.2.0 (MEDIUM severity)
- launch-editor → 2.14.1 (MEDIUM severity)
- @babel/core → 7.29.6 (LOW severity)

Testing:
- All uv sync operations: PASSED
- ContentProcessorWeb build: PASSED
- No breaking changes
- Verified all secure versions present in lock files

Resolves ~114 security alerts (71% reduction from 161 → ~47).

Note: ContentProcessorAPI excluded per team guidance.

Closes #624
Closes #611
Closes #614
Ayaz-Microsoft added a commit that referenced this pull request Jun 17, 2026
@Ayaz-Microsoft
chore: upgrade vulnerable packages (Python + NPM)
74b73b0 
Upgrades security-critical packages across ContentProcessor, ContentProcessorWorkflow, and ContentProcessorWeb modules.

ContentProcessorWorkflow (Python):
- aiohttp: 3.13.5 → 3.14.1 (MEDIUM severity, transitive → direct)
- python-multipart: 0.0.27 → 0.0.31 (HIGH severity)
- cryptography: 46.0.7 → 48.0.1 (HIGH severity)
- pyjwt: 2.12.1 → 2.13.0 (MEDIUM/HIGH severity)
- starlette: 1.0.1 → 1.3.1 (HIGH severity, transitive → direct)

ContentProcessor (Python):
- pyjwt: 2.12.1 → 2.13.0 (MEDIUM/HIGH severity)
- Other vulnerable packages upgraded via transitive dependencies:
  • aiohttp 3.14.1 (via azure-functions-durable)
  • cryptography 48.0.1 (via azure-identity, msal, pyjwt)
  • python-multipart 0.0.31 (via fastapi)
  • starlette 1.3.1 (via fastapi, sse-starlette)

ContentProcessorWeb (NPM):
Direct dependencies:
- axios: 1.15.2 → 1.16.0 (HIGH severity)
- react-router-dom: 7.13.2 → 7.15.1 (HIGH/LOW severity)
- qs: 6.14.2 → 6.15.2 (MEDIUM severity)
- uuid: 11.1.0 → 11.1.1 (MEDIUM severity)
- webpack-dev-server: 5.2.1 → 5.2.4 (MEDIUM severity)

Transitive dependencies (via lock file):
- shell-quote → 1.8.4 (CRITICAL severity)
- form-data → 4.0.6 (HIGH severity)
- ws → 8.21.0 (HIGH severity)
- js-yaml → 4.2.0 (MEDIUM severity)
- launch-editor → 2.14.1 (MEDIUM severity)
- @babel/core → 7.29.6 (LOW severity)

Testing:
- All uv sync operations: PASSED
- ContentProcessorWeb build: PASSED
- No breaking changes
- Verified all secure versions present in lock files

Resolves ~114 security alerts (71% reduction from 161 → ~47).

Note: ContentProcessorAPI excluded per team guidance.

Closes #624
Closes #611
Closes #614
Ayaz-Microsoft added a commit that referenced this pull request Jun 17, 2026
@Ayaz-Microsoft
chore: upgrade vulnerable packages (Python + NPM)
6c6ad96 
Upgrades security-critical packages across ContentProcessor, ContentProcessorWorkflow, and ContentProcessorWeb modules.

ContentProcessorWorkflow (Python):
- aiohttp: 3.13.5 → 3.14.1 (MEDIUM severity, transitive → direct)
- python-multipart: 0.0.27 → 0.0.31 (HIGH severity)
- cryptography: 46.0.7 → 48.0.1 (HIGH severity)
- pyjwt: 2.12.1 → 2.13.0 (MEDIUM/HIGH severity)
- starlette: 1.0.1 → 1.3.1 (HIGH severity, transitive → direct)

ContentProcessor (Python):
- pyjwt: 2.12.1 → 2.13.0 (MEDIUM/HIGH severity)
- Other vulnerable packages upgraded via transitive dependencies:
  • aiohttp 3.14.1 (via azure-functions-durable)
  • cryptography 48.0.1 (via azure-identity, msal, pyjwt)
  • python-multipart 0.0.31 (via fastapi)
  • starlette 1.3.1 (via fastapi, sse-starlette)

ContentProcessorWeb (NPM):
Direct dependencies:
- axios: 1.15.2 → 1.16.0 (HIGH severity)
- react-router-dom: 7.13.2 → 7.15.1 (HIGH/LOW severity)
- qs: 6.14.2 → 6.15.2 (MEDIUM severity)
- uuid: 11.1.0 → 11.1.1 (MEDIUM severity)
- webpack-dev-server: 5.2.1 → 5.2.4 (MEDIUM severity)

Transitive dependencies (via lock file):
- shell-quote → 1.8.4 (CRITICAL severity)
- form-data → 4.0.6 (HIGH severity)
- ws → 8.21.0 (HIGH severity)
- js-yaml → 4.2.0 (MEDIUM severity)
- launch-editor → 2.14.1 (MEDIUM severity)
- @babel/core → 7.29.6 (LOW severity)

Testing:
- All uv sync operations: PASSED
- ContentProcessorWeb build: PASSED
- No breaking changes
- Verified all secure versions present in lock files

Resolves ~114 security alerts (71% reduction from 161 → ~47).

Note: ContentProcessorAPI excluded per team guidance.

Closes #624
Closes #611
Closes #614
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@Avijit-Microsoft Avijit-Microsoft Awaiting requested review from Avijit-Microsoft Avijit-Microsoft is a code owner

@Roopan-Microsoft Roopan-Microsoft Awaiting requested review from Roopan-Microsoft Roopan-Microsoft is a code owner

@aniaroramsft aniaroramsft Awaiting requested review from aniaroramsft aniaroramsft is a code owner

@toherman-msft toherman-msft Awaiting requested review from toherman-msft toherman-msft is a code owner

@nchandhi nchandhi Awaiting requested review from nchandhi nchandhi is a code owner

@dgp10801 dgp10801 Awaiting requested review from dgp10801 dgp10801 is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant