Python: Bump starlette from 0.47.1 to 1.3.1 in /python/samples/demos/mcp_with_oauth#14094
Conversation
Bumps [starlette](https://github.com/Kludex/starlette) from 0.47.1 to 1.3.1.
- [Release notes](https://github.com/Kludex/starlette/releases)
- [Changelog](https://github.com/Kludex/starlette/blob/main/docs/release-notes.md)
- [Commits](Kludex/starlette@0.47.1...1.3.1)

---
updated-dependencies:
- dependency-name: starlette
  dependency-version: 1.3.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Automated Code Review
Reviewers: 5 | Confidence: 77%
✓ Correctness
This is a straightforward lock file update bumping starlette from 0.47.1 to 1.3.1. The starlette dependency is transitive (pulled in by sse-starlette/mcp). The APIs used in this demo (Starlette, Route, Request, Response subclasses, HTTPException) are all stable core APIs that remain unchanged across the 0.x→1.x transition. The lock file format is correct with valid hashes and URLs. No correctness issues found.
✓ Security Reliability
This is a straightforward lock file update bumping starlette from 0.47.1 to 1.3.1, which includes security fixes for FormParser limit enforcement (DoS mitigation). The lock file change itself is correct with proper integrity hashes and a trusted PyPI source. However, the server/uv.lock (where starlette is directly used for HTTP request handling) was not updated and still pins starlette 0.47.1, meaning the security fixes don't reach the component that would benefit most from them.
✓ Test Coverage
This PR bumps starlette from 0.47.1 to 1.3.1 in a lock file for a demo/sample project (mcp_with_oauth). Starlette is a transitive dependency (not directly listed in pyproject.toml) and the demo has no tests. Since this is purely a lock file update for a sample project with no behavioral code changes in this repository, there are no test coverage concerns to flag.
✓ Failure Modes
This is a straightforward lock file update bumping starlette from 0.47.1 to 1.3.1 in a demo sample. The starlette APIs used in this project (Starlette, HTTPException, Request, Response, JSONResponse, HTMLResponse, RedirectResponse, Route) are all stable core APIs that remain available and unchanged in starlette 1.x. The lock file is auto-generated by uv and the hashes/URLs are consistent. No silent failure modes, swallowed exceptions, or operational issues are introduced by this change.
✗ Design Approach
This bump appears to target the wrong environment. The demo instructions run the authorization and resource servers from python/samples/demos/mcp_with_oauth/server (README.md:16-20, README.md:34-40), and those server entry points are the code that actually imports Starlette (server/mcp_simple_auth/auth_server.py:22-26, server/mcp_simple_auth/legacy_as_server.py:22-24). But the checked-in lockfile for that server environment still pins starlette to 0.47.1 (server/uv.lock:621-626), so updating only the top-level sample lockfile does not change the dependency used by the server code path this PR is trying to affect.
Flagged Issues
- The PR updates python/samples/demos/mcp_with_oauth/uv.lock, but the Starlette-using server is installed and run from python/samples/demos/mcp_with_oauth/server per README.md:16-20 and README.md:34-40, and that separate environment still pins starlette to 0.47.1 in server/uv.lock:621-626.
Automated review by dependabot[bot]'s agents
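The review's point that the bump never reached server/uv.lock is the kind of thing worth checking mechanically before merging a Dependabot PR in a tree with several environments. The script below is an added example, not code from the PR or the repository: it parses the `[[package]]` entries that uv writes into a uv.lock and reports every lockfile that still pins a package below the target version. The two lockfile bodies are constructed stand-ins keyed by the paths the review cites (they are not the repository's real files); the `[[package]]` name/version layout is uv's, while the function names, the version-comparison helper and the regex fallback are this example's own.

```python
from __future__ import annotations

import re
from pathlib import Path

try:
    import tomllib  # stdlib TOML parser, Python 3.11+
except ImportError:  # older interpreters fall back to the regex scan below
    tomllib = None

# Constructed lockfile bodies modelled on uv.lock's [[package]] layout.
# Keys are the two paths the review cites; the contents are invented for
# this example and are not the repository's real lockfiles.
SAMPLE_LOCKS: dict[str, str] = {
    "python/samples/demos/mcp_with_oauth/uv.lock": '''
version = 1
requires-python = ">=3.10"

[[package]]
name = "anyio"
version = "4.0.0"
source = { registry = "https://pypi.org/simple" }

[[package]]
name = "starlette"
version = "1.3.1"
source = { registry = "https://pypi.org/simple" }
dependencies = [
    { name = "anyio" },
]
''',
    "python/samples/demos/mcp_with_oauth/server/uv.lock": '''
version = 1
requires-python = ">=3.10"

[[package]]
name = "starlette"
version = "0.47.1"
source = { registry = "https://pypi.org/simple" }
dependencies = [
    { name = "anyio" },
]
''',
}


def parse_version(v: str) -> tuple[int, ...]:
    """Numeric prefix of each dotted component: "1.3.1" -> (1, 3, 1), "2.0rc1" -> (2, 0).
    Good enough for ordering release pins; it is not a full PEP 440 comparator."""
    parts: list[int] = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def pinned_version(lock_text: str, package: str) -> str | None:
    """Version pinned for `package` in one uv.lock body, or None if it is absent."""
    if tomllib is not None:
        for pkg in tomllib.loads(lock_text).get("package", []):
            if pkg.get("name") == package:
                return pkg.get("version")
        return None
    # Fallback: split on [[package]] headers and read the top-level name/version keys.
    for block in re.split(r"^\[\[package\]\]\s*$", lock_text, flags=re.M)[1:]:
        name = re.search(r'^name\s*=\s*"([^"]+)"', block, re.M)
        ver = re.search(r'^version\s*=\s*"([^"]+)"', block, re.M)
        if name and name.group(1) == package:
            return ver.group(1) if ver else None
    return None


def stale_lockfiles(locks: dict[str, str], package: str, minimum: str) -> list[tuple[str, str]]:
    """(path, pinned) for every lockfile that pins `package` below `minimum`.
    Lockfiles that do not contain the package at all are skipped: that environment
    does not install it, so there is nothing to bump."""
    floor = parse_version(minimum)
    stale: list[tuple[str, str]] = []
    for path, text in locks.items():
        pinned = pinned_version(text, package)
        if pinned is not None and parse_version(pinned) < floor:
            stale.append((path, pinned))
    return stale


def scan_tree(root: Path, package: str, minimum: str) -> list[tuple[str, str]]:
    """Walk a checkout for every uv.lock and report the stale pins."""
    locks = {str(p): p.read_text(encoding="utf-8") for p in root.rglob("uv.lock")}
    return stale_lockfiles(locks, package, minimum)


if __name__ == "__main__":
    import sys

    if len(sys.argv) == 4:  # usage: script.py <checkout-root> <package> <minimum-version>
        stale = scan_tree(Path(sys.argv[1]), sys.argv[2], sys.argv[3])
    else:  # no arguments: run against the constructed samples above
        stale = stale_lockfiles(SAMPLE_LOCKS, "starlette", "1.3.1")
    for path, pinned in stale:
        print(f"{path}: still pinned at {pinned}")
    sys.exit(1 if stale else 0)
```

Run against the constructed samples it reports only the server lockfile; pointed at a real checkout (`python3 check_locks.py . starlette 1.3.1`) it exits non-zero whenever any uv.lock under the tree lags the version the PR claims to deliver, which is the condition the review flagged.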
Bumps starlette from 0.47.1 to 1.3.1.
Release notes
Sourced from starlette's releases.
... (truncated)
Changelog
Sourced from starlette's changelog.
... (truncated)
Commits
- 8ebffd0 Version 1.3.1 (#3330)
- 25b8e17 Enforce FormParser limits in parser callbacks (#3331)
- dba1c4b Enforce max_fields and max_part_size in FormParser (#3329)
- 45e51dc Use StarletteDeprecationWarning instead of DeprecationWarning (#3119)
- 5f8610c Version 1.3.0 (#3327)
- 167b585 Build request.url from structured components (#3326)
- 3730925 Use removeprefix to strip weak ETag indicator in is_not_modified (#3193)
- e6f7ad1 avoid collapsing exception groups from user code (#2830)
- 115228f Annotate URLPath protocol parameter with Literal (#3285)
- 113f193 docs: replace inline ASGI server list with link to canonical implemen… (#3204)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.