
@ColeMurray

Summary

Updates the locked version of Starlette from 0.47.3 to 0.49.1 to address security vulnerabilities in earlier versions.

This PR updates only the uv.lock file without modifying the dependency constraints in pyproject.toml, avoiding any potential breaking changes for downstream consumers while still providing a secure default version for direct users of this repository.

Changes

  • Updated uv.lock to pin Starlette to version 0.49.1
  • No changes to pyproject.toml files (maintains >=0.27 constraint)

Rationale

This approach follows the principle of not pinning specific versions in library code to avoid breaking downstream consumers, while still ensuring that users who clone and install this repository directly will get the secure version by default.

Test Plan

  • Formatting checks pass (ruff format)
  • Linting checks pass (ruff check)
  • Type checking passes (pyright)
  • CI tests will run automatically

Related

Updates the locked version of Starlette from 0.47.3 to 0.49.1 to address
security vulnerabilities in earlier versions. This update maintains
compatibility with the existing dependency constraint of >=0.27 without
requiring downstream consumers to update their pinned versions.
ColeMurray force-pushed the update-starlette-lock-only branch from f28b0f7 to 81aa2c4 (October 31, 2025 02:25)
@Kludex
Member

Kludex commented Oct 31, 2025

Same as #1552.

@Kludex Kludex closed this Oct 31, 2025
@ColeMurray
Author

@Kludex the vulnerable starlette version is pinned in the uv.lock and is causing downstream consumers to pull it in as a transitive dependency.

Surely we aren't suggesting that everyone downstream of MCP should explicitly add the updated starlette version to resolve this since we're not willing to update the lock file, right?

@Kludex Kludex reopened this Nov 1, 2025