From 363a8d95ba5429f361a6c604838905194684cad0 Mon Sep 17 00:00:00 2001
From: Luis Tomas Bolivar
Date: Fri, 29 May 2026 07:54:15 +0200
Subject: [PATCH] fix(deps): bump starlette and fastapi to address CVE-2026-48710

Starlette prior to 1.0.1 did not validate the HTTP Host header before reconstructing request.url, allowing a malformed header to bypass security restrictions based on request.url.path. Bump starlette to >=1.0.1 and fastapi to >=0.133.0 (the minimum version compatible with starlette >=1.0.1). Fixes #5893
---
 pyproject.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pyproject.toml b/pyproject.toml
index 657920e2c7..a8c414b6ba 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -36,7 +36,7 @@ dependencies = [
 "aiosqlite>=0.21",
 "authlib>=1.6.6,<2",
 "click>=8.1.8,<9",
- "fastapi>=0.124.1,<1",
+ "fastapi>=0.133.0,<1",
 "google-auth[pyopenssl]>=2.47",
 "google-genai>=2.4,<3",
 "graphviz>=0.20.2,<1",
@@ -51,7 +51,7 @@ dependencies = [
 # go/keep-sorted start
 "pyyaml>=6.0.2,<7",
 "requests>=2.32.4,<3",
- "starlette>=0.49.1,<1",
+ "starlette>=1.0.1,<2",
 "tenacity>=9,<10",
 "typing-extensions>=4.5,<5",
 "tzlocal>=5.3,<6",
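Review bot: The new starlette constraint `"starlette>=1.0.1,<2"` moves the floor across a major version boundary (the old range was `<1`), so this is more than a patch-level bump: any code in the package that relies on pre-1.0 starlette APIs will now resolve against a 1.x line. The description states that fastapi 0.133.0 is the minimum compatible with starlette >=1.0.1, but nothing in the diff verifies it; I would add a trailing comment on the starlette line such as `# >=1.0.1 fixes CVE-2026-48710 (Host header validation); keep in step with the fastapi floor` so the coupling between the two pins is not lost on the next edit. The diffstat touches only pyproject.toml; if the repository carries a lockfile or pinned CI requirements, those would presumably still resolve the old vulnerable versions until regenerated, which is worth confirming before merge.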