Skip to content

fix(deps): update dependency starlette to v0.40.0 [security] #6

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

fix(deps): update dependency starlette to v0.40.0 [security] #6

wants to merge 1 commit into from

Conversation

@renovate
Copy link

@renovate renovate bot commented May 15, 2025

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
starlette (changelog) ==0.13.8 -> ==0.40.0 age adoption passing confidence
starlette (changelog) ==0.14.2 -> ==0.40.0 age adoption passing confidence
starlette (changelog) ==0.36.3 -> ==0.40.0 age adoption passing confidence
starlette (changelog) >= 0.13, <0.15 -> >=0.40.0, <0.41 age adoption passing confidence

MultipartParser denial of service with too many fields or files

CVE-2023-30798 / GHSA-74m5-2c7w-9w3x / PYSEC-2023-48

More information

Details

Impact

The MultipartParser using the package python-multipart accepts an unlimited number of multipart parts (form fields or files).

Processing too many parts results in high CPU usage and high memory usage, eventually leading to an OOM process kill.

This can be triggered by sending too many small form fields with no content, or too many empty files.

For this to take effect application code has to:

  • Have python-multipart installed and
  • call request.form()
    • or via another framework like FastAPI, using form field parameters or UploadFile parameters, which in turn calls request.form().
Patches

The vulnerability is solved in Starlette 0.25.0 by making the maximum fields and files customizable and with a sensible default (1000).

Applications will be secure by just upgrading their Starlette version to 0.25.0 (or FastAPI to 0.92.0).

If application code needs to customize the new max field and file number, there are new request.form() parameters (with the default values):

  • max_files=1000
  • max_fields=1000
Workarounds

Applications that don't install python-multipart or that don't use form fields are safe.

In older versions, it's also possible to instead of calling request.form() call request.stream() and parse the form data in internal code.

In most cases, the best solution is to upgrade the Starlette version.

References

This was reported in private by @​das7pad via internal email. He also coordinated the fix across multiple frameworks and parsers.

The details about how multipart/form-data is structured and parsed are in the RFC 7578.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

CVE-2023-30798 / GHSA-74m5-2c7w-9w3x / PYSEC-2023-48

More information

Details

There MultipartParser usage in Encode's Starlette python framework before versions 0.25.0 allows an unauthenticated and remote attacker to specify any number of form fields or files which can cause excessive memory usage resulting in denial of service of the HTTP service.

Severity

Unknown

References

This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).

Starlette has Path Traversal vulnerability in StaticFiles

CVE-2023-29159 / GHSA-v5gw-mw7f-84px / PYSEC-2023-83

More information

Details

Summary

When using StaticFiles, if there's a file or directory that starts with the same name as the StaticFiles directory, that file or directory is also exposed via StaticFiles which is a path traversal vulnerability.

Details

The root cause of this issue is the usage of os.path.commonprefix():
https://github.com/encode/starlette/blob/4bab981d9e870f6cee1bd4cd59b87ddaf355b2dc/starlette/staticfiles.py#L172-L174

As stated in the Python documentation (https://docs.python.org/3/library/os.path.html#os.path.commonprefix) this function returns the longest prefix common to paths.

When passing a path like /static/../static1.txt, os.path.commonprefix([full_path, directory]) returns ./static which is the common part of ./static1.txt and ./static, It refers to /static/../static1.txt because it is considered in the staticfiles directory. As a result, it becomes possible to view files that should not be open to the public.

The solution is to use os.path.commonpath as the Python documentation explains that os.path.commonprefix works a character at a time, it does not treat the arguments as paths.

PoC

In order to reproduce the issue, you need to create the following structure:

├── static
│   ├── index.html
├── static_disallow
│   ├── index.html
└── static1.txt

And run the Starlette app with:

import uvicorn
from starlette.applications import Starlette
from starlette.routing import Mount
from starlette.staticfiles import StaticFiles

routes = [
    Mount("/static", app=StaticFiles(directory="static", html=True), name="static"),
]

app = Starlette(routes=routes)

if __name__ == "__main__":
    uvicorn.run(app, host="0.0.0.0", port=8000)

And running the commands:

curl --path-as-is 'localhost:8000/static/../static_disallow/'
curl --path-as-is 'localhost:8000/static/../static1.txt'

The static1.txt and the directory static_disallow are exposed.

Impact

Confidentiality is breached: An attacker may obtain files that should not be open to the public.

Credits

Security researcher Masashi Yamane of LAC Co., Ltd reported this vulnerability to JPCERT/CC Vulnerability Coordination Group and they contacted us to coordinate a patch for the security issue.

Severity

  • CVSS Score: 3.7 / 10 (Low)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

CVE-2023-29159 / GHSA-v5gw-mw7f-84px / PYSEC-2023-83

More information

Details

Directory traversal vulnerability in Starlette versions 0.13.5 and later and prior to 0.27.0 allows a remote unauthenticated attacker to view files in a web service which was built using Starlette.

Severity

Unknown

References

This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).

Starlette Denial of service (DoS) via multipart/form-data

CVE-2024-47874 / GHSA-f96h-pmfr-66vw

More information

Details

Summary

Starlette treats multipart/form-data parts without a filename as text form fields and buffers those in byte strings with no size limit. This allows an attacker to upload arbitrary large form fields and cause Starlette to both slow down significantly due to excessive memory allocations and copy operations, and also consume more and more memory until the server starts swapping and grinds to a halt, or the OS terminates the server process with an OOM error. Uploading multiple such requests in parallel may be enough to render a service practically unusable, even if reasonable request size limits are enforced by a reverse proxy in front of Starlette.

PoC
from starlette.applications import Starlette
from starlette.routing import Route

async def poc(request):
    async with request.form():
        pass

app = Starlette(routes=[
    Route('/', poc, methods=["POST"]),
])
curl http://localhost:8000 -F 'big=</dev/urandom'
Impact

This Denial of service (DoS) vulnerability affects all applications built with Starlette (or FastAPI) accepting form requests.

Severity

  • CVSS Score: 0.0 / 10 (None)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

encode/starlette (starlette)

v0.40.0: Version 0.40.0

Compare Source

This release fixes a Denial of service (DoS) via multipart/form-data requests.

You can view the full security advisory:
GHSA-f96h-pmfr-66vw

Fixed

  • Add max_part_size to MultiPartParser to limit the size of parts in multipart/form-data
    requests fd038f3.

v0.39.2: Version 0.39.2

Compare Source

Fixed

  • Allow use of request.url_for when only "app" scope is available #​2672.
  • Fix internal type hints to support python-multipart==0.0.12 #​2708.

Full Changelog: Kludex/starlette@0.39.1...0.39.2

v0.39.1: Version 0.39.1

Compare Source

Fixed

  • Avoid regex re-compilation in responses.py and schemas.py #​2700.
  • Improve performance of get_route_path by removing regular expression usage #​2701.
  • Consider FileResponse.chunk_size when handling multiple ranges #​2703.
  • Use token_hex for generating multipart boundary strings #​2702.

Full Changelog: Kludex/starlette@0.39.0...0.39.1

v0.39.0: Version 0.39.0

Compare Source

Added

  • Add support for HTTP Range to FileResponse #​2697

Full Changelog: Kludex/starlette@0.38.6...0.39.0

v0.38.6: Version 0.38.6

Compare Source

Fixed

  • Close unclosed MemoryObjectReceiveStream in TestClient #​2693.

Full Changelog: Kludex/starlette@0.38.5...0.38.6

v0.38.5: Version 0.38.5

Compare Source

Fixed

  • Schedule BackgroundTasks from within BaseHTTPMiddleware #​2688.
    This behavior was removed in 0.38.3, and is now restored.

Full Changelog: Kludex/starlette@0.38.4...0.38.5

v0.38.4: Version 0.38.4

Compare Source

Fixed

  • Ensure accurate root_path removal in get_route_path function #​2600

Full Changelog: Kludex/starlette@0.38.3...0.38.4

v0.38.3: Version 0.38.3

Compare Source

Added
Fixed
  • Don't poll for disconnects in BaseHTTPMiddleware via StreamingResponse #​2620.

Full Changelog: Kludex/starlette@0.38.2...0.38.3

v0.38.2: Version 0.38.2

Compare Source

Fixed

  • Fix routing.get_name() not to assume all routines have __name__ #​2648

Full Changelog: Kludex/starlette@0.38.1...0.38.2

v0.38.1: Version 0.38.1

Compare Source

Removed

  • Revert "Add support for ASGI pathsend extension" #​2649.

Full Changelog: Kludex/starlette@0.38.0...0.38.1

v0.38.0: Version 0.38.0

Compare Source

Added

  • Allow use of memoryview in StreamingResponse and Response #​2576
    and #​2577.
  • Send 404 instead of 500 when filename requested is too long on StaticFiles #​2583.

Changed

  • Fail fast on invalid Jinja2Template instantiation parameters #​2568.
  • Check endpoint handler is async only once #​2536.

Fixed

  • Add proper synchronization to WebSocketTestSession #​2597.

Full Changelog: Kludex/starlette@0.37.2...0.38.0

v0.37.2: Version 0.37.2

Compare Source

Added
  • Add bytes to _RequestData type #​2510.
Fixed
  • Revert "Turn scope["client"] to None on TestClient (#​2377)" #​2525.
  • Remove deprecated app argument passed to httpx.Client on the TestClient #​2526.

Full Changelog: Kludex/starlette@0.37.1...0.37.2

v0.37.1: Version 0.37.1

Compare Source

Fixed

  • Warn instead of raise for missing env file on Config #​2485.

Full Changelog: Kludex/starlette@0.37.0...0.37.1

v0.37.0: Version 0.37.0

Compare Source

Added

  • Support the WebSocket Denial Response ASGI extension #​2041.

Full Changelog: Kludex/starlette@0.36.3...0.37.0

v0.36.3: Version 0.36.3

Compare Source

Fixed
  • Create anyio.Event on async context #​2459.

Full Changelog: Kludex/starlette@0.36.2...0.36.3

v0.36.2: Version 0.36.2

Compare Source

Fixed
  • Upgrade python-multipart to 0.0.7 13e5c26.
  • Avoid duplicate charset on Content-Type #​2443.

Full Changelog: Kludex/starlette@0.36.1...0.36.2

v0.36.1: Version 0.36.1

Compare Source

Fixed
  • Check if "extensions" in scope before checking the extension #​2438.

Full Changelog: Kludex/starlette@0.36.0...0.36.1

v0.36.0: Version 0.36.0

Compare Source

Added
  • Add support for ASGI pathsend extension #​2435.
  • Cancel WebSocketTestSession on close #​2427.
  • Raise WebSocketDisconnect when WebSocket.send() excepts IOError #​2425.
  • Raise FileNotFoundError when the env_file parameter on Config is not valid #​2422.

Full Changelog: Kludex/starlette@0.35.1...0.36.0

v0.35.1: Version 0.35.1

Compare Source

Fixed
  • Stop using the deprecated "method" parameter in FileResponse inside of StaticFiles #​2406.
  • Make typing-extensions optional again #​2409.

Full Changelog: Kludex/starlette@0.35.0...0.35.1

v0.35.0: Version 0.35.0

Compare Source

Added
  • Add *args to Middleware and improve its type hints #​2381.
Fixed
  • Use Iterable instead Iterator on iterate_in_threadpool #​2362.
Changes
  • Handle root_path to keep compatibility with mounted ASGI applications and WSGI #​2400.
  • Turn scope["client"] to None on TestClient #​2377.

Full Changelog: Kludex/starlette@0.34.0...0.35.0

v0.34.0: Version 0.34.0

Compare Source

Added
  • Use ParamSpec for run_in_threadpool #​2375.
  • Add UploadFile.__repr__ #​2360.
Fixed
  • Merge URLs properly on TestClient #​2376.
  • Take weak ETags in consideration on StaticFiles #​2334.
Deprecated
  • Deprecate FileResponse(method=...) parameter #​2366.

Full Changelog: Kludex/starlette@0.33.0...0.34.0

v0.33.0: Version 0.33.0

Compare Source

Added
  • Add middleware per Route/WebSocketRoute #​2349.
  • Add middleware per Router #​2351.
Fixed
  • Do not overwrite "path" and "root_path" scope keys #​2352.
  • Set ensure_ascii=False on json.dumps() for WebSocket.send_json() #​2341.

v0.32.0.post1: Version 0.32.0.post1

Compare Source

Fixed
  • Revert mkdocs-material from 9.1.17 to 9.4.7 #​2326.

v0.32.0: Version 0.32.0

Compare Source

Added
  • Send reason on WebSocketDisconnect #​2309.
  • Add domain parameter to SessionMiddleware #​2280.
Changed
  • Inherit from HTMLResponse instead of Response on _TemplateResponse #​2274.
  • Restore the Response.render type annotation to its pre-0.31.0 state #​2264.

Full Changelog: Kludex/starlette@0.31.1...0.32.0

v0.31.1: Version 0.31.1

Compare Source

Fixed
  • Fix import error when exceptiongroup isn't available #​2231.
  • Set url_for global for custom Jinja environments #​2230.

Full Changelog: Kludex/starlette@0.31.0...0.31.1

v0.31.0: Version 0.31.0

Compare Source

Added
  • Officially support Python 3.12 #​2214.
  • Support AnyIO 4.0 #​2211.
  • Strictly type annotate Starlette (strict mode on mypy) #​2180.
Fixed
  • Don't group duplicated headers on a single string when using the TestClient #​2219.

Full Changelog: Kludex/starlette@0.30.0...0.31.0

v0.30.0: Version 0.30.0

Compare Source

Removed

v0.29.0: Version 0.29.0

Compare Source

Added
  • Add follow_redirects parameter to TestClient #​2207.
  • Add __str__ to HTTPException and WebSocketException #​2181.
  • Warn users when using lifespan together with on_startup/on_shutdown #​2193.
  • Collect routes from Host to generate the OpenAPI schema #​2183.
  • Add request argument to TemplateResponse #​2191.
Fixed
  • Stop body_stream in case more_body=False on BaseHTTPMiddleware #​2194.

Full Changelog: Kludex/starlette@0.28.0...0.29.0

v0.28.0: Version 0.28.0

Compare Source

Changed
  • Reuse Request's body buffer for call_next in BaseHTTPMiddleware #​1692.
  • Move exception handling logic to Route #​2026.
Added
  • Add env parameter to Jinja2Templates, and deprecate **env_options #​2159.
  • Add clear error message when httpx is not installed #​2177.
Fixed
  • Allow "name" argument on templates url_for() #​2127.

Full Changelog: Kludex/starlette@0.27.0...0.28.0

v0.27.0: Version 0.27.0

Compare Source

This release fixes a path traversal vulnerability in StaticFiles. You can view the full security advisory:
GHSA-v5gw-mw7f-84px

Added
Fixed
  • Replace commonprefix by commonpath on StaticFiles 1797de4.
  • Convert ImportErrors into ModuleNotFoundError #​2135.
  • Correct the RuntimeError message content in websockets #​2141.

Full Changelog: Kludex/starlette@0.26.1...0.27.0

v0.26.1: Version 0.26.1

Compare Source

Fixed
  • Fix typing of Lifespan to allow subclasses of Starlette #​2077.

v0.26.0.post1: Version 0.26.0.post1

Compare Source

Fixed
  • Replace reference from Events to Lifespan on the mkdocs.yml #​2072.

v0.26.0: Version 0.26.0

Compare Source

Added
Changed
  • Change url_for signature to return a URL instance #​1385.
Fixed
  • Allow "name" argument on url_for() and url_path_for() #​2050.
Deprecated
  • Deprecate on_startup and on_shutdown events #​2070.

Full Changelog: Kludex/starlette@0.25.0...0.26.0

v0.25.0: Version 0.25.0

Compare Source

Fixed
  • Limit the number of fields and files when parsing multipart/form-data on the MultipartParser 8c74c2c and #​2036.

v0.24.0: Version 0.24.0

Compare Source

Added
  • Allow StaticFiles to follow symlinks #​1683.
  • Allow Request.form() as a context manager #​1903.
  • Add size attribute to UploadFile #​1405.
  • Add env_prefix argument to Config #​1990.
  • Add template context processors #​1904.
  • Support str and datetime on expires parameter on the Response.set_cookie method #​1908.
Changed
  • Lazily build the middleware stack #​2017.
  • Make the file argument required on UploadFile #​1413.
  • Use debug extension instead of custom response template extension #​1991.
Fixed
  • Fix url parsing of ipv6 urls on URL.replace #​1965.

v0.23.1: Version 0.23.1

Compare Source

Fixed
  • Only stop receiving stream on body_stream if body is empty on the BaseHTTPMiddleware #​1940.

v0.23.0: Version 0.23.0

Compare Source

Added
  • Add headers parameter to the TestClient #​1966.
Deprecated
  • Deprecate Starlette and Router decorators #​1897.
Fixed
  • Fix bug on FloatConvertor regex #​1973.

v0.22.0: Version 0.22.0

Compare Source

Changed
  • Bypass GZipMiddleware when response includes Content-Encoding #​1901.
Fixed
  • Remove unneeded unquote() from query parameters on the TestClient #​1953.
  • Make sure MutableHeaders._list is actually a list #​1917.
  • Import compatibility with the next version of AnyIO #​1936.

v0.21.0: Version 0.21.0

Compare Source

This release replaces the underlying HTTP client used on the TestClient (requests ➡️ httpx), and as those clients differ a bit on their API, your test suite will likely break. To make the migration smoother, you can use the bump-testclient tool.

Changed
  • Replace requests with httpx in TestClient #​1376.
Added
  • Add WebSocketException and support for WebSocket exception handlers #​1263.
  • Add middleware parameter to Mount class #​1649.
  • Officially support Python 3.11 #​1863.
  • Implement __repr__ for route classes #​1864.
Fixed
  • Fix bug on which BackgroundTasks were cancelled when using BaseHTTPMiddleware and client disconnected #​1715.

v0.20.4: Version 0.20.4

Compare Source

Fixed
  • Remove converter from path when generating OpenAPI schema #​1648.

v0.20.3: Version 0.20.3

Compare Source

Fixed
  • Revert "Allow StaticFiles to follow symlinks" #​1681.

v0.20.2: Version 0.20.2

Compare Source

Fixed
  • Fix regression on route paths with colons #​1675.
  • Allow StaticFiles to follow symlinks #​1337.

v0.20.1: Version 0.20.1

Compare Source

Fixed
  • Improve detection of async callables #​1444.
  • Send 400 (Bad Request) when boundary is missing #​1617.
  • Send 400 (Bad Request) when missing "name" field on Content-Disposition header #​1643.
  • Do not send empty data to StreamingResponse on BaseHTTPMiddleware #​1609.
  • Add __bool__ dunder for Secret #​1625.

v0.20.0: Version 0.20.0

Compare Source

Removed

v0.19.1: Version 0.19.1

Compare Source

Fixed
  • Fix inference of Route.name when created from methods #​1553.
  • Avoid TypeError on websocket.disconnect when code is None #​1574.
Deprecated
  • Deprecate WS_1004_NO_STATUS_RCVD and WS_1005_ABNORMAL_CLOSURE in favor of WS_1005_NO_STATUS_RCVD and WS_1006_ABNORMAL_CLOSURE, as the previous constants didn't match the WebSockets specs #​1580.

v0.19.0: Version 0.19.0

Compare Source

Added
  • Error handler will always run, even if the error happens on a background task #​761.
  • Add headers parameter to HTTPException #​1435.
  • Internal responses with 405 status code insert an Allow header, as described by RFC 7231 #​1436.
  • The content argument in JSONResponse is now required #​1431.
  • Add custom URL convertor register #​1437.
  • Add content disposition type parameter to FileResponse #​1266.
  • Add next query param with original request URL in requires decorator #​920.
  • Add raw_path to TestClient scope #​1445.
  • Add union operators to MutableHeaders #​1240.
  • Display missing route details on debug page #​1363.
  • Change anyio required version range to >=3.4.0,<5.0 #​1421 and #​1460.
  • Add typing-extensions>=3.10 requirement - used only on lower versions than Python 3.10 #​1475.
Fixed
  • Prevent BaseHTTPMiddleware from hiding errors of StreamingResponse and mounted applications #​1459.
  • SessionMiddleware uses an explicit path=..., instead of defaulting to the ASGI 'root_path' #​1512.
  • Request.client is now compliant with the ASGI specifications #​1462.
  • Raise KeyError at early stage for missing boundary #​1349.
Deprecated
  • Deprecate WSGIMiddleware in favor of a2wsgi #​1504.
  • Deprecate run_until_first_complete #​1443.

v0.18.0: Version 0.18.0

Compare Source

Added
  • Change default chunk size from 4Kb to 64Kb on FileResponse #​1345.
  • Add support for functools.partial in WebSocketRoute #​1356.
  • Add StaticFiles packages with directory #​1350.
  • Allow environment options in Jinja2Templates #​1401.
  • Allow HEAD method on HttpEndpoint #​1346.
  • Accept additional headers on websocket.accept message #​1361 and #​1422.
  • Add reason to WebSocket close ASGI event #​1417.
  • Add headers attribute to UploadFile #​1382.
  • Don't omit Content-Length header for Content-Length: 0 cases #​1395.
  • Don't set headers for responses with 1xx, 204 and 304 status code #​1397.
  • SessionMiddleware.max_age now accepts None, so cookie can last as long as the browser session #​1387.
Fixed
  • Tweak hashlib.md5() function on FileResponses ETag generation. The parameter usedforsecurity flag is set to False, if the flag is available on the system. This fixes an error raised on systems with FIPS enabled #​1366 and #​1410.
  • Fix path_params type on url_path_for() method i.e. turn str into Any #​1341.
  • Host now ignores port on routing #​1322.

v0.17.1: Version 0.17.1

Compare Source

Fixed
  • Fix IndexError in authentication requires when wrapped function arguments are distributed between *args and **kwargs #​1335.

v0.17.0: Version 0.17.0

Compare Source

Added
  • Response.delete_cookie now accepts the same parameters as Response.set_cookie #​1228.
  • Update the Jinja2Templates constructor to allow PathLike #​1292.
Fixed
  • Fix BadSignature exception handling in SessionMiddleware #​1264.
  • Change HTTPConnection.__getitem__ return type from str to typing.Any #​1118.
  • Change ImmutableMultiDict.getlist return type from typing.List[str] to typing.List[typing.Any] #​1235.
  • Handle OSError exceptions on StaticFiles #​1220.
  • Fix StaticFiles 404.html in HTML mode #​1314.
  • Prevent anyio.ExceptionGroup in error views under a BaseHTTPMiddleware #​1262.
Removed

v0.16.0: Version 0.16.0

Compare Source

Added
Fixed
  • starlette.websockets.WebSocket instances are now hashable and compare by identity
    #​1039
  • A number of fixes related to running task groups in lifespan
    #​1213,
    #​1227
Deprecated/removed
  • The method starlette.templates.Jinja2Templates.get_env was removed
    #​1218
  • The ClassVar starlette.testclient.TestClient.async_backend was removed,
    the backend is now configured using constructor kwargs
    #​1211
  • Passing an Async Generator Function or a Generator Function to starlette.router.Router(lifespan_context=) is deprecated. You should wrap your lifespan in @contextlib.asynccontextmanager.
    #​1227
    #​1110

v0.15.0: Version 0.15.0

Compare Source

0.15.0

This release includes major changes to the low-level asynchronous parts of Starlette. As a result, Starlette now depends on AnyIO and some minor API changes have occurred. Another significant change with this release is the deprecation of built-in GraphQL support.

Added
  • Starlette now supports Trio as an async runtime via AnyIO - #​1157.
  • TestClient.websocket_connect() now must be used as a context manager.
  • Initial support for Python 3.10 - #​1201.
  • The compression level used in GZipMiddleware is now adjustable - #​1128.
Fixed
  • Several fixes to CORSMiddleware. See #​1111, #​1112, #​1113, #​1199.
  • Improved exception messages in the case of duplicated path parameter names - #​1177.
  • RedirectResponse now uses quote instead of quote_plus encoding for the Location header to better match the behaviour in other frameworks such as Django - #​1164.
  • Exception causes are now preserved in more cases - #​1158.
  • Session cookies now use the ASGI root path in the case of mounted applications - #​1147.
  • Fixed a cache invalidation bug when static files were deleted in certain circumstances - #​1023.
  • Improved memory usage of BaseHTTPMiddleware when handling large responses - #​1012 fixed via #​1157
Deprecated/removed
  • Built-in GraphQL support via the GraphQLApp class has been deprecated and will be removed in a future release. Please see #​619. GraphQL is not supported on Python 3.10.
  • The executor parameter to GraphQLApp was removed. Use executor_class instead.
  • The workers parameter to WSGIMiddleware was removed. This hasn't had any effect since Starlette v0.6.3.

v0.14.2: Version 0.14.2

Compare Source

Fixed
  • Fixed ServerErrorMiddleware compatibility with Python 3.9.1/3.8.7 when debug mode is enabled - #​1132.
  • Fixed unclosed socket ResourceWarnings when using the TestClient with WebSocket endpoints - #​1132.
  • Improved detection of async endpoints wrapped in functools.partial on Python 3.8+ - #​1106.

v0.14.1: Version 0.14.1

Compare Source

Removed
  • UJSONResponse was removed (this change was intended to be included in 0.14.0). Please see the documentation for how to implement responses using custom JSON serialization - #​1074.

v0.14.0: Version 0.14.0

Compare Source

Added
  • Starlette now officially supports Python3.9.
  • In StreamingResponse, allow custom async iterator such as objects from classes implementing __aiter__.
  • Allow usage of functools.partial async handlers in Python versions 3.6 and 3.7.
  • Add 418 I'm A Teapot status code.
Changed
  • Create tasks from handler coroutines before sending them to asyncio.wait.
  • Use format_exception instead of format_tb in ServerErrorMiddleware's debug responses.
  • Be more lenient with handler arguments when using the requires decorator.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@emdneto emdneto closed this May 15, 2025
@renovate
Copy link
Author

renovate bot commented May 15, 2025

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (==0.40.0). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

@renovate renovate bot deleted the renovate/pypi-starlette-vulnerability branch May 15, 2025 12:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@emdneto