Skip to content

Bump starlette from 0.49.1 to 1.3.1#109

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/uv/starlette-1.3.1
Open

Bump starlette from 0.49.1 to 1.3.1#109
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/uv/starlette-1.3.1

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 17, 2026
edited by cubic-dev-ai Bot
Loading

Copy link
Copy Markdown
Contributor

Bumps starlette from 0.49.1 to 1.3.1.

Release notes

Sourced from starlette's releases.

Version 1.3.1

What's Changed

Full Changelog: Kludex/starlette@1.3.0...1.3.1

Version 1.3.0

What's Changed

New Contributors

Full Changelog: Kludex/starlette@1.2.1...1.3.0

Version 1.2.1

What's Changed

New Contributors

Full Changelog: Kludex/starlette@1.2.0...1.2.1

Version 1.2.0

What's Changed

Full Changelog: Kludex/starlette@1.1.0...1.2.0

Version 1.1.0

... (truncated)

Changelog

Sourced from starlette's changelog.

1.3.1 (June 12, 2026)

Fixed

  • Enforce max_fields and max_part_size in FormParser #3329.
  • Enforce FormParser limits in parser callbacks #3331.

1.3.0 (June 11, 2026)

Added

  • Add httpx2 to the full extra #3323.
  • Annotate the URLPath protocol parameter with Literal #3285.

Fixed

  • Build request.url from structured components #3326.
  • Clamp oversized suffix ranges in FileResponse #3307.
  • Catch OSError alongside MultiPartException when closing temp files #3191.
  • Avoid collapsing exception groups raised from user code #2830.
  • Use removeprefix to strip the weak ETag indicator in is_not_modified #3193.
  • Fix IndexError in URL.replace() on a URL with no authority #3317.
  • Adjust testclient typing and warnings #3322.

1.2.1 (May 31, 2026)

Fixed

  • Use httpx2 for type checking in the testclient module #3304.
  • Add assert error for requires() when the request parameter is not a Request type #3298.

1.2.0 (May 28, 2026)

Added

  • Support httpx2 in the test client #3291.

1.1.0 (May 23, 2026)

Added

  • Use "application/octet-stream" as the FileResponse media type fallback #3283.

Fixed

  • Only dispatch standard HTTP verbs in HTTPEndpoint #3286.
  • Reject absolute paths in StaticFiles.lookup_path #3287.

1.0.1 (May 21, 2026)

... (truncated)

Commits
  • 8ebffd0 Version 1.3.1 (#3330)
  • 25b8e17 Enforce FormParser limits in parser callbacks (#3331)
  • dba1c4b Enforce max_fields and max_part_size in FormParser (#3329)
  • 45e51dc Use StarletteDeprecationWarning instead of DeprecationWarning (#3119)
  • 5f8610c Version 1.3.0 (#3327)
  • 167b585 Build request.url from structured components (#3326)
  • 3730925 Use removeprefix to strip weak ETag indicator in is_not_modified (#3193)
  • e6f7ad1 avoid collapsing exception groups from user code (#2830)
  • 115228f Annotate URLPath protocol parameter with Literal (#3285)
  • 113f193 docs: replace inline ASGI server list with link to canonical implemen… (#3204)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Note

Medium Risk
Major-version bump on the HTTP/ASGI layer under FastAPI may change request parsing, URLs, and static/file behavior; compatibility should be validated with tests.

Overview
Updates the locked starlette dependency from 0.49.1 to 1.3.1 in uv.lock only (transitive via FastAPI; the project does not import Starlette directly).

This is a 0.x → 1.x jump, so runtime behavior of the ASGI stack can change even though application code is untouched. Notable upstream changes in this range include stricter form/multipart handling (FormParser max_fields / max_part_size), request.url built from structured components, StaticFiles rejecting absolute paths, and assorted fixes around FileResponse, exception groups, and the test client.

Reviewers should confirm FastAPI 0.136.1 remains compatible and run the existing test suite against endpoints that use forms, file uploads, or unusual URLs if those paths matter for this service.

Reviewed by Cursor Bugbot for commit d0c1bef. Bugbot is set up for automated code reviews on this repo. Configure here.

Summary by cubic

Upgrade starlette from 0.49.1 to 1.3.1 to harden multipart form parsing, fix URL and file response edge cases, and keep compatibility current. This improves request safety and reliability with minimal risk.

  • Dependencies

    • Bump starlette to 1.3.1.
    • Hardened form parsing (enforces max_fields and max_part_size).
    • Fixes for FileResponse ranges, temp file cleanup, and URL handling.
    • Test client and typing updates, including httpx2 support.

  • Migration

    • Run the test suite, focusing on multipart form uploads and static/file responses.
    • Verify URL manipulation and ETag behavior if used in custom logic.

Written for commit d0c1bef. Summary will update on new commits.

Review in cubic

@dependabot
Bump starlette from 0.49.1 to 1.3.1
d0c1bef 
Bumps [starlette](https://github.com/Kludex/starlette) from 0.49.1 to 1.3.1.
- [Release notes](https://github.com/Kludex/starlette/releases)
- [Changelog](https://github.com/Kludex/starlette/blob/main/docs/release-notes.md)
- [Commits](Kludex/starlette@0.49.1...1.3.1)

---
updated-dependencies:
- dependency-name: starlette
  dependency-version: 1.3.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels Jun 17, 2026
@dependabot dependabot Bot mentioned this pull request Jun 17, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants