Skip to content

deps: bump starlette from 1.2.1 to 1.3.1#23

Merged
helebest merged 1 commit into
mainfrom
dependabot/uv/starlette-1.3.1
Jun 17, 2026
Merged

deps: bump starlette from 1.2.1 to 1.3.1#23
helebest merged 1 commit into
mainfrom
dependabot/uv/starlette-1.3.1

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 17, 2026

Copy link
Copy Markdown
Contributor

Bumps starlette from 1.2.1 to 1.3.1.

Release notes

Sourced from starlette's releases.

Version 1.3.1

What's Changed

Full Changelog: Kludex/starlette@1.3.0...1.3.1

Version 1.3.0

What's Changed

New Contributors

Full Changelog: Kludex/starlette@1.2.1...1.3.0

Changelog

Sourced from starlette's changelog.

1.3.1 (June 12, 2026)

Fixed

  • Enforce max_fields and max_part_size in FormParser #3329.
  • Enforce FormParser limits in parser callbacks #3331.

1.3.0 (June 11, 2026)

Added

  • Add httpx2 to the full extra #3323.
  • Annotate the URLPath protocol parameter with Literal #3285.

Fixed

  • Build request.url from structured components #3326.
  • Clamp oversized suffix ranges in FileResponse #3307.
  • Catch OSError alongside MultiPartException when closing temp files #3191.
  • Avoid collapsing exception groups raised from user code #2830.
  • Use removeprefix to strip the weak ETag indicator in is_not_modified #3193.
  • Fix IndexError in URL.replace() on a URL with no authority #3317.
  • Adjust testclient typing and warnings #3322.
Commits
  • 8ebffd0 Version 1.3.1 (#3330)
  • 25b8e17 Enforce FormParser limits in parser callbacks (#3331)
  • dba1c4b Enforce max_fields and max_part_size in FormParser (#3329)
  • 45e51dc Use StarletteDeprecationWarning instead of DeprecationWarning (#3119)
  • 5f8610c Version 1.3.0 (#3327)
  • 167b585 Build request.url from structured components (#3326)
  • 3730925 Use removeprefix to strip weak ETag indicator in is_not_modified (#3193)
  • e6f7ad1 avoid collapsing exception groups from user code (#2830)
  • 115228f Annotate URLPath protocol parameter with Literal (#3285)
  • 113f193 docs: replace inline ASGI server list with link to canonical implemen… (#3204)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
deps: bump starlette from 1.2.1 to 1.3.1
23df146 
Bumps [starlette](https://github.com/Kludex/starlette) from 1.2.1 to 1.3.1.
- [Release notes](https://github.com/Kludex/starlette/releases)
- [Changelog](https://github.com/Kludex/starlette/blob/main/docs/release-notes.md)
- [Commits](Kludex/starlette@1.2.1...1.3.1)

---
updated-dependencies:
- dependency-name: starlette
  dependency-version: 1.3.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github

dependabot Bot commented on behalf of github Jun 17, 2026

Copy link
Copy Markdown
Contributor Author

Labels

The following labels could not be found: deps. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

helebest
helebest approved these changes Jun 17, 2026
View reviewed changes

@helebest helebest left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated Dependabot Review — PR #23

Package: starlette 1.2.1 → 1.3.1

Code Review

  • Consistency: The PR description accurately matches the change: a minor bump of starlette in uv.lock. Only uv.lock is modified (15 additions, 15 deletions — sdist/wheel URL + hash).
  • Correctness: The bump spans two releases (1.3.0 and 1.3.1). All changes are internal to Starlette and do not affect the converter plugin contract (plugins are dikw client-side, not HTTP servers).
  • Security: 1.3.1 enforces max_fields and max_part_size limits in FormParser (security-hardening for form-parsing DoS vectors). Converters do not expose HTTP forms, so there is no compatibility risk, but picking up this fix is the right behaviour.
  • Conventions: Change is limited to uv.lock. Correct.
  • Test coverage: No functional code changed; no new tests required.

Regression Verification

Local test suite (134 tests) ran against this branch: all passed.

CI

All checks green:

  • test (3.12)
  • test (3.13)
  • analyze
  • CodeQL

Decision: Approving and merging via squash.

Generated by Claude Code

@helebest Claude

helebest commented Jun 17, 2026

Copy link
Copy Markdown
Contributor

Automated Dependabot Review

Step 1: Code Review ✅

Summary: Bumps starlette from 1.2.1 to 1.3.1 in uv.lock. The diff is lockfile-only (1 file changed, 3 additions, 3 deletions — version, sdist, and wheel entries).

  • Consistency: The PR description matches the diff exactly.
  • Correctness: Straightforward lockfile pin update; no logic changes.
  • Security: Two notable security-relevant fixes in this range:
    • 1.3.1: Enforces max_fields and max_part_size limits in FormParser (fixes potential DoS via malformed multipart form submissions — Enforce max_fields and max_part_size in FormParser Kludex/starlette#3329, #3331). This is a security patch.
    • 1.3.0: Clamps oversized suffix ranges in FileResponse; fixes IndexError in URL.replace(); avoids collapsing exception groups from user code.
  • Breaking changes: No API removals. StarletteDerpecationWarning replaces the generic DeprecationWarning, which may surface new warnings in application logs — benign.
  • Test coverage: No functional code was changed; no new tests are required.

Step 2: Regression Verification ✅

All CI checks passed on this PR:

  • test (3.12) → ✅
  • test (3.13) → ✅
  • analyze (CodeQL) → ✅

Step 3: CI — All green ✅

Step 4: Merging (squash) ✅

Generated by Claude Code

@helebest helebest merged commit 9acbe80 into main Jun 17, 2026
4 checks passed
@helebest helebest deleted the dependabot/uv/starlette-1.3.1 branch June 17, 2026 05:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@helebest helebest helebest approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@helebest