build(deps): add constraint for Starlette #547

Merged
bepri merged 1 commit into main from work/deps/starlette
Jun 4, 2026
@steinbro steinbro commented Jun 4, 2026

Pin the indirect dependency to a version not affected by BadHost CVE.


  • I've followed the contribution guidelines.
  • I've signed the CLA.
  • I've successfully run make lint && make test.
  • I've added or updated any relevant documentation.
  • In documents I changed, I added a meta description if one was missing.
  • I've updated the relevant release notes.

Copilot AI review requested due to automatic review settings June 4, 2026 16:19
Copilot AI left a comment
Pull request overview

Adds a minimum-version constraint for the indirect dependency Starlette to ensure dependency resolution avoids versions impacted by the referenced BadHost CVE.

Changes:

  • Add starlette>=1.0.1 to tool.uv.constraint-dependencies so --resolution=lowest won’t select older Starlette versions.
  • Update uv.lock constraints and resolve Starlette to 1.2.1.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

File | Description
pyproject.toml | Adds starlette>=1.0.1 to uv’s constraint list to enforce a safe minimum version during resolution.
uv.lock | Records the new constraint and updates the locked Starlette package version accordingly.
Comment thread pyproject.toml
@steinbro steinbro requested a review from lengau June 4, 2026 16:32
@lengau lengau requested a review from bepri June 4, 2026 17:50
@bepri bepri merged commit ca8caba into main Jun 4, 2026
11 of 12 checks passed
@bepri bepri deleted the work/deps/starlette branch June 4, 2026 18:50