Skip to content

fix(deps): floor starlette >=1.3.1 (GHSA-82w8-qh3p-5jfq)#38

Merged
saagpatel merged 1 commit into
mainfrom
fix/sec-deps-cve-2026-06-28
Jun 28, 2026
Merged

fix(deps): floor starlette >=1.3.1 (GHSA-82w8-qh3p-5jfq)#38
saagpatel merged 1 commit into
mainfrom
fix/sec-deps-cve-2026-06-28

Conversation

@saagpatel

Copy link
Copy Markdown
Owner

Security fix: GHSA-82w8-qh3p-5jfq

Package: starlette
Before: 1.0.0 (via transitive fastapi dep)
After: >=1.3.1 (1.3.1 resolved)

What changed

Added starlette>=1.3.1 as an explicit direct dependency in pyproject.toml to floor the version above the CVE-affected range.

Note on lockfile: uv.lock is in .git/info/exclude and is not committed in this repo. A lockfile-only diff would have no durable effect, so the version floor is enforced via pyproject.toml instead. The upgraded lock was verified locally (starlette 1.0.0 -> 1.3.1).

Test result

197 tests passed (uv run pytest -q, 3.27s)

Audit reference

SecondBrain/wiki/audits/code-health-2026-06-27.md

starlette was resolving to 1.0.0 via fastapi; CVE GHSA-82w8-qh3p-5jfq
requires >=1.3.1. Added as an explicit direct dependency to enforce the
floor durably in pyproject.toml (uv.lock is not committed in this repo).

Verified: starlette 1.0.0 -> 1.3.1 in uv.lock; 197 tests passed.
@saagpatel saagpatel merged commit f75cbd1 into main Jun 28, 2026
4 checks passed
@saagpatel saagpatel deleted the fix/sec-deps-cve-2026-06-28 branch June 28, 2026 08:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant