Skip to content

build(deps): bump starlette to 1.3.1 (+ fastapi to 0.138.0)#217

Merged
Tetramputechture merged 1 commit into
mainfrom
deps/starlette-1.3.1
Jun 22, 2026
Merged

build(deps): bump starlette to 1.3.1 (+ fastapi to 0.138.0)#217
Tetramputechture merged 1 commit into
mainfrom
deps/starlette-1.3.1

Conversation

@Tetramputechture

Copy link
Copy Markdown

Bumps starlette 0.50.0 → 1.3.1 in the root project, resolving 5 Dependabot alerts:

Alert Severity Advisory
OpenHands#614 / #627 HIGH GHSA-82w8-qh3p-5jfq request.form() limits ignored → DoS
OpenHands#609 / OpenHands#625 HIGH GHSA-wqp7-x3pw-xc5r SSRF + NTLM theft via UNC paths in StaticFiles (Windows)
OpenHands#608 / OpenHands#624 MODERATE GHSA-x746-7m8f-x49c arbitrary HTTP method dispatched to HTTPEndpoint via getattr
OpenHands#525 / OpenHands#532 MODERATE GHSA-86qp-5c8j-p5mr missing Host header validation poisons request.url.path
OpenHands#613 / OpenHands#626 LOW GHSA-jp82-jpqv-5vv3 unvalidated path poisons request.url.hostname

Coordinated change — please review / let CI run

  • starlette 0.50.0 → 1.3.1
  • fastapi 0.124.2 → 0.138.0 — required, because fastapi 0.124.2 pins starlette <0.51. fastapi ≥0.136 drops that upper bound (starlette>=0.46.0).
  • typing-inspection 0.4.1 → 0.4.2 — transitive cascade.

⚠️ fastapi jumps 0.124 → 0.138 (14 minor versions). FastAPI is pre-1.0, so although it's generally backward-compatible, this is more than a patch bump — CI / the test suite should validate before merge. (openhands-cli already runs starlette 1.3.1 as of #203.) Lock regenerated with Poetry 2.4.1 to match the repo.

🤖 Generated with Claude Code

Resolves 5 Dependabot alerts against starlette (root project):
- OpenHands#614/#627 (HIGH)  GHSA-82w8-qh3p-5jfq  form() limit DoS
- OpenHands#609/OpenHands#625 (HIGH)  GHSA-wqp7-x3pw-xc5r  SSRF/NTLM via UNC StaticFiles
- OpenHands#608/OpenHands#624 (MOD)   GHSA-x746-7m8f-x49c  arbitrary HTTP method dispatch
- OpenHands#525/OpenHands#532 (MOD)   GHSA-86qp-5c8j-p5mr  Host header path poisoning
- OpenHands#613/OpenHands#626 (LOW)   GHSA-jp82-jpqv-5vv3  authority host poisoning

starlette 0.50.0 -> 1.3.1. fastapi 0.124.2 capped starlette at <0.51, so it
is bumped to 0.138.0 (drops the starlette upper bound; requires starlette
>=0.46.0). typing-inspection 0.4.1 -> 0.4.2 follows as a transitive cascade.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@Tetramputechture
Tetramputechture merged commit 8c82b64 into main Jun 22, 2026
3 of 10 checks passed
@Tetramputechture
Tetramputechture deleted the deps/starlette-1.3.1 branch June 22, 2026 15:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant