[security] Bump starlette to 1.2.1 in aspire-with-python sample #1680

Open
IEvangelist wants to merge 1 commit into main from dapine/security/bump-starlette-aspire-with-python

Conversation

@IEvangelist
Member

Resolves the open Dependabot alert on samples/aspire-with-python/app/uv.lock:

| Alert | Severity | Advisory | Package | Summary |
|---|---|---|---|---|
| #484 | medium | GHSA-86qp-5c8j-p5mr | starlette | Missing Host header validation poisons request.url.path, bypassing path-based security checks |

starlette is a transitive dependency in this sample (pulled in via fastapi[standard]), so only the lockfile changes.

Change

  • starlette 0.49.3 -> 1.2.1 (patched in 1.0.1; bumped to latest)

Generated with:

uv lock --upgrade-package starlette

The resolver only updated starlette; no other package versions changed.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Resolves Dependabot alert on samples/aspire-with-python/app/uv.lock:

- GHSA-86qp-5c8j-p5mr (medium) - Starlette has missing Host header
  validation that poisons request.url.path, bypassing path-based
  security checks

Fixed in starlette 1.0.1+. Bumped to latest 1.2.1.

starlette is a transitive dependency in this sample (pulled in via
fastapi[standard]), so only the lockfile changes. Generated with:

    uv lock --upgrade-package starlette

The resolver upgraded only starlette (0.49.3 -> 1.2.1); no other
package versions changed.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings June 5, 2026 11:13
Contributor

Copilot AI left a comment


Copilot wasn't able to review any files in this pull request.


@IEvangelist
Member Author

Reviewed the security fix and the failing CI:

Change scope: single-file edit to samples/aspire-with-python/app/uv.lock bumping the transitive starlette dep from 0.49.3 -> 1.2.1 (patched in 1.0.1, per GHSA-86qp-5c8j-p5mr). The resolver only touched starlette; no collateral version drift.

CI: windows-latest is green. ubuntu-latest fails on SamplesIntegrationTests.AppHostTests.{AppHostRunsCleanly,TestEndpointsReturnOk} for AspireJavaScript.AppHost because the angular resource fails to start. This failure is unrelated to the Python sample touched here and reproduces on main (e.g. run 26966407089 on main shows the same two tests failing for the same reason). Skipping a CI re-run since it would just hit the same pre-existing flake.

LGTM for the security fix. The angular flake on Linux should be tracked separately.
