Skip to content

Commit c650171

Browse files
fix(deps): bump starlette to >=1.0.1 on Python 3.10+ to fix PYSEC-2026-161 (#423)
Starlette <=1.0.0 is vulnerable to a missing Host header validation that poisons request.url.path and bypasses path-based security checks (GHSA-86qp-5c8j-p5mr / PYSEC-2026-161). The fix only landed in 1.0.1, which requires Python >=3.10. Constraint is split by interpreter version so Python 3.8/3.9 users keep the existing 0.x line (no upstream fix available) while Python 3.10+ pulls the patched 1.x line. Co-authored-by: Daniel Lee <danielylee@google.com>
1 parent 715ba9a commit c650171

2 files changed

Lines changed: 6 additions & 2 deletions

File tree

pyproject.toml

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -29,7 +29,8 @@ dependencies = [
2929
"gunicorn>=22.0.0; platform_system!='Windows'",
3030
"cloudevents>=1.11.0,<=1.12.0", # Must support python 3.8
3131
"Werkzeug>=0.14,<4.0.0",
32-
"starlette>=0.37.0,<1.0.0; python_version>='3.8'",
32+
"starlette>=0.37.0,<1.0.0; python_version>='3.8' and python_version<'3.10'",
33+
"starlette>=1.0.1,<2.0.0; python_version>='3.10'",
3334
"uvicorn>=0.18.0,<1.0.0; python_version>='3.8'",
3435
"uvicorn-worker>=0.2.0,<1.0.0; python_version>='3.8'",
3536
]

setup.py

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -58,7 +58,10 @@
5858
"Werkzeug>=0.14,<4.0.0",
5959
],
6060
extras_require={
61-
"async": ["starlette>=0.37.0,<1.0.0"],
61+
"async": [
62+
"starlette>=0.37.0,<1.0.0; python_version<'3.10'",
63+
"starlette>=1.0.1,<2.0.0; python_version>='3.10'",
64+
],
6265
},
6366
entry_points={
6467
"console_scripts": [

0 commit comments

Comments
 (0)