fix(deps): pin starlette>=1.0.1 to fix BadHost (CVE-2026-48710)

[oleksandr-nc]

Summary

Remediates BadHost (CVE-2026-48710), a Host-header path-confusion vulnerability in Starlette ≤ 1.0.0 that can bypass path-based authorization. The fix lives in Starlette 1.0.1.

FastAPI does not cap Starlette (even latest 0.136.3 only requires starlette>=0.46.0), so bumping FastAPI alone does not guarantee a fixed Starlette, and an explicit floor is required. nc_py_api also imports starlette directly (_session.py, ex_app/integration_fastapi.py), so declaring it is correct regardless.

Changes

• pyproject.toml
  • add starlette>=1.0.1 (the BadHost fix)
  • raise fastapi>=0.133 (the first FastAPI release compatible with Starlette 1.0+)
• CHANGELOG.md: 0.30.2 section:
  • Security: the BadHost pin
  • Changed: download_directory_as_zip archive entry order is no longer guaranteed (server-side, per perf: remove unneeded sort in getFolderContentsById nextcloud/server#60225)

The version bump (_version.py to 0.30.2) is intentionally omitted here; it lands in the [publish] commit on main after merge.

Compatibility

• Keeps Python >=3.10 (FastAPI 0.133+ and Starlette 1.x both require >=3.10).
• Verified: under these constraints pip upgrades the vulnerable Starlette from 1.0.0 to 1.2.1; import nc_py_api succeeds.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds release notes for v0.30.2 and updates dependency constraints: pins starlette>=1.0.1 and raises fastapi>=0.133; CHANGELOG notes that download_directory_as_zip no longer guarantees archive entry ordering.

Changes

Release 0.30.2

Layer / File(s)	Summary
Release 0.30.2 changelog and dependency pins CHANGELOG.md, pyproject.toml	CHANGELOG.md adds the 0.30.2 release entry (Changed: non-guaranteed archive ordering; Security: starlette/fastapi pins). pyproject.toml updates dependencies: starlette>=1.0.1, fastapi>=0.133, python-dotenv>=1.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the primary change: pinning starlette>=1.0.1 to address CVE-2026-48710, which is the main security remediation in this PR.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/starlette-badhost-cve-2026-48710

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@CHANGELOG.md`:
- Line 13: Update the CHANGELOG entry that pins "starlette>=1.0.1" and claims
"fastapi >=0.133" by removing or correcting the unsupported FastAPI floor:
locate the sentence containing the FastAPI floor reference (`>=0.133`) and
either replace it with the exact FastAPI release that actually adopted Starlette
1.0+ (verify via PR `#14987` / FastAPI release notes) or change the wording to
state "a FastAPI release that includes Starlette 1.0+ support" / "ensure FastAPI
is a release compatible with Starlette 1.0+" so the rationale only claims the
verified mapping rather than the unsupported `>=0.133` number.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 9c40c4cc-11fa-4f42-bbef-2e3af1cc6afb

📥 Commits

Reviewing files that changed from the base of the PR and between 0847660 and 7b7a0cb.

📒 Files selected for processing (2)

• CHANGELOG.md
• pyproject.toml