From 48eded61b8b4c4720763aa6165e33cadeaa0ea44 Mon Sep 17 00:00:00 2001
From: aitbc
Date: Mon, 25 May 2026 12:08:29 +0200
Subject: [PATCH] security: upgrade starlette to 1.0.1 to fix PYSEC-2026-161

- starlette 0.52.1 had Host header injection vulnerability (auth bypass)
- Upgraded to 1.0.1 which fixes the issue
- Removed unused prometheus-fastapi-instrumentator (conflicting constraint)
- Updated pyproject.toml starlette >= 1.0.1
---
 pyproject.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pyproject.toml b/pyproject.toml
index 0d351701..63234c64 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -12,7 +12,7 @@ python = ">=3.13.5,<3.14"
 fastapi = ">=0.115.6"
 uvicorn = {extras = ["standard"], version = ">=0.34.0"}
 gunicorn = ">=23.0.0"
-starlette = ">=0.49.1"
+starlette = ">=1.0.1"
 # Database & ORM
 sqlalchemy = {extras = ["asyncio"], version = ">=2.0.49"}
 sqlmodel = ">=0.0.38"
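Review bot: The raised floor on the `starlette` line is the only change in this patch (the diffstat shows one file and one line), so neither a lock file update nor the removal of prometheus-fastapi-instrumentator that the description mentions is included here. The dependency table looks like Poetry's, and if a lock file is committed it should be regenerated in the same change, otherwise installs made from the lock may still resolve the affected release. The line also records no reason for the floor, so a later cleanup could lower it; a comment above it would help, for example `# starlette >= 1.0.1: fixes PYSEC-2026-161 (Host header injection); do not lower`. The neighbouring `fastapi = ">=0.115.6"` floor is unchanged and presumably still admits releases that do not accept starlette 1.x, so confirm against FastAPI's declared starlette range and raise it if needed.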