fix: pin starlette minimum version (#4065)

slister1001 · web-flow · commit 02f0656983bd · 2025-11-24T12:18:23.000-08:00
# Description Ensure Starlette dependency is at least version 0.49.1 in the `promptflow-core` package to address compatibility or security needs. This is done by explicitly adding `starlette = ">=0.49.1,<0.50.0"` under `[tool.poetry.dependencies]` in `src/promptflow-core/pyproject.toml`. Previously, the version of FastAPI in use (`0.120.1`) allowed a range of Starlette versions including older ones (e.g., 0.48.0). This resulted in environments with an outdated Starlette version, as shown by `deptree starlette -r`. This PR adds an explicit version constraint so that future `pip`/Poetry installs or updates will always have `starlette >= 0.49.1`. Relevant issue: [Starlette vulnerable to O(n^2) DoS via Range header merging in ``starlette.responses.FileResponse``](GHSA-7f5h-v6xp-fcq8) # All Promptflow Contribution checklist: - [x] **The pull request does not introduce [breaking changes].** - [x] **CHANGELOG is updated for new features, bug fixes or other significant changes.** - [x] **I have read the [contribution guidelines](https://github.com/microsoft/promptflow/blob/main/CONTRIBUTING.md).** - [x] **I confirm that all new dependencies are compatible with the MIT license.** - [x] **Create an issue and link to the pull request to get dedicated review from promptflow team. Learn more: [suggested workflow](../CONTRIBUTING.md#suggested-workflow).** ## General Guidelines and Best Practices - [x] Title of the pull request is clear and informative. - [x] There are a small number of commits, each of which have an informative message. This means that previously merged commits do not appear in the history of the PR. For more information on cleaning up the commits in your PR, [see this page](https://github.com/Azure/azure-powershell/blob/master/documentation/development-docs/cleaning-up-commits.md). ### Testing Guidelines - [x] Pull request includes test coverage for the included changes. ## Additional Details - Updated `pyproject.toml` in `src/promptflow-core` by adding ``` starlette = ">=0.49.1,<0.50.0" ``` - Verified with `deptree starlette -r` that the correct version is selected after the change.
diff --git a/src/promptflow-core/pyproject.toml b/src/promptflow-core/pyproject.toml
@@ -50,6 +50,7 @@ flask = ">=2.2.3,<4.0.0"  # Serving endpoint requirements
 python-dateutil = ">=2.1.0,<3.0.0"  # Contracts RunInfo
 # ========fastapi server dependencies========
 fastapi = ">=0.109.0,<1.0.0" # used to build fastapi server
+starlette = ">=0.49.1,<0.50.0"
 # ========azureml-serving dependencies========
 # AzureML connection dependencies
 azure-identity = { version = ">=1.12.0,<2.0.0", optional = true }
