fix: remediate CVEs for quay-unstructured-api

Bump starlette (1.0.0 -> 1.1.0), lxml (6.1.0 -> 6.1.1), and
python-multipart (0.0.27 -> 0.0.29) to resolve 5 SLA-breached CVEs:

- CVE-2025-62727 (starlette, HIGH)
- CVE-2025-54121 (starlette, MEDIUM)
- CVE-2026-41066 (lxml, HIGH)
- CVE-2026-40347 (python-multipart, MEDIUM)
- CVE-2025-12781 (python-3.12 apk, MEDIUM — resolved by rebuild)

Adds constraint-dependencies for starlette and lxml (transitive deps)
to prevent version regression. Bumps python-multipart minimum in
direct dependencies.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: lawrence-u10d

CHANGELOG.md

@@ -1,3 +1,12 @@
+## 0.1.7
+
+### Security
+
+- **Bump starlette** to >=1.1.0 to remediate CVE-2025-62727 (HIGH) and CVE-2025-54121 (MEDIUM).
+- **Bump lxml** to >=6.1.1 to remediate CVE-2026-41066 (HIGH).
+- **Bump python-multipart** to >=0.0.29 to remediate CVE-2026-40347 (MEDIUM).
+- **Rebuild** to pick up latest python-3.12 apk, resolving CVE-2025-12781 (MEDIUM).
+
 ## 0.1.6
 
 ### Security

prepline_general/api/__version__.py

@@ -1 +1 @@
-__version__ = "0.1.6"  # pragma: no cover
+__version__ = "0.1.7"  # pragma: no cover

pyproject.toml

@@ -6,7 +6,7 @@ requires-python = ">=3.12"
 dependencies = [
     "unstructured[all-docs] >=0.18.31, <1.0.0",
     "fastapi >=0.128.4, <1.0.0",
-    "python-multipart >=0.0.18",
+    "python-multipart >=0.0.29",
     "uvicorn >=0.40.0, <1.0.0",
     "backoff >=2.2.1, <3.0.0",
     "pandas >=3.0.0, <4.0.0",
@@ -43,6 +43,10 @@ path = "prepline_general/api/__version__.py"
 constraint-dependencies = [
     # pdfminer.six 20260107 includes performance fix
     "pdfminer-six==20260107",
+    # starlette >=1.1.0 fixes CVE-2025-62727 (HIGH) and CVE-2025-54121 (MEDIUM)
+    "starlette>=1.1.0",
+    # lxml >=6.1.1 fixes CVE-2026-41066 (HIGH)
+    "lxml>=6.1.1",
 ]
 
 [[tool.uv.index]]