Bump starlette from 1.0.0 to 1.3.1#686
Conversation
Bumps [starlette](https://github.com/Kludex/starlette) from 1.0.0 to 1.3.1. - [Release notes](https://github.com/Kludex/starlette/releases) - [Changelog](https://github.com/Kludex/starlette/blob/main/docs/release-notes.md) - [Commits](Kludex/starlette@1.0.0...1.3.1) --- updated-dependencies: - dependency-name: starlette dependency-version: 1.3.1 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
🔵 Review postedLast updated: 2026-07-09 18:44 UTC |
rtibblesbot
left a comment
There was a problem hiding this comment.
PR #686 is labeled a starlette 1.0.0 → 1.3.1 bump (minor, dev-only transitive dep pulled in via sphinx-autobuild in the docs group; no direct import in ricecooker/). But the regenerated uv.lock does not perform that bump — recommend @dependabot recreate, and close if a clean recreate still can't land 1.3.1.
What the lockfile actually does (blocking):
- Removes
starletteentirely (along withuvicorn,watchfiles,websockets,click) rather than bumping it to 1.3.1, and addslivereload. - Downgrades
sphinx-autobuild2025.8.25 → 2024.2.4 (~18 months). Commit7924422onmaindeliberately introduced 2025.8.25 — whose dependency chain is what brought in starlette. Dependabot's resolver backtracked to the ancientsphinx-autobuild(which uses thelivereloadchain, not starlette), "resolving" the requested bump by deleting the package and reverting the just-merged docs-deps migration. - ~321 lines of unrelated marker churn (
platform_python_implementation == 'CPython'additions,ipythonpins,nbsphinx/recommonmarkmarker shuffling) — the signature of a re-resolution under a different uv version, not a targeted single-dep bump.
Net effect of merging: docs autobuild tooling regresses ~18 months and the recently-merged migration is undone. This is a regression, not an upgrade.
CI status: passing — but not a safety net here. .github/workflows/pythontest.yml installs only the test group; the docs group (where sphinx-autobuild → starlette lives) is never installed or built. Green CI says nothing about whether docs tooling still works.
Changelog (nominal, for reference): starlette 1.0.0→1.3.1 is low-risk and touches nothing this project uses (FormParser max_fields/max_part_size enforcement, FileResponse suffix-range clamping, URL.replace() IndexError fix, testclient typing). No breaking changes, no security fixes relevant here. The problem is entirely that the diff doesn't represent this bump.
Recommendation: REQUEST_CHANGES. Comment @dependabot recreate to regenerate against current main with the project's uv toolchain. If a clean recreate still can't reach starlette 1.3.1 without downgrading sphinx-autobuild, close this PR — starlette is a transitive docs-only dep and should follow whatever sphinx-autobuild pins.
@rtibblesbot's comments are generated by an LLM, and should be evaluated accordingly
How was this generated?
Ran a dependency-update review pipeline over the version bump:
- Classified the bump by semver (patch / minor / major) and dependency type (production vs. development)
- Extracted the changelog and release notes across the version range
- Assessed compatibility with this project's usage and whether any code changes are required
- Treated CI as the primary safety net
- Scaled the review depth to the update's risk
- Chose the verdict from semver risk, changelog findings, and CI status
Bumps starlette from 1.0.0 to 1.3.1.
Release notes
Sourced from starlette's releases.
... (truncated)
Changelog
Sourced from starlette's changelog.
... (truncated)
Commits
8ebffd0Version 1.3.1 (#3330)25b8e17EnforceFormParserlimits in parser callbacks (#3331)dba1c4bEnforcemax_fieldsandmax_part_sizeinFormParser(#3329)45e51dcUseStarletteDeprecationWarninginstead ofDeprecationWarning(#3119)5f8610cVersion 1.3.0 (#3327)167b585Buildrequest.urlfrom structured components (#3326)3730925Useremoveprefixto strip weak ETag indicator inis_not_modified(#3193)e6f7ad1avoid collapsing exception groups from user code (#2830)115228fAnnotate URLPath protocol parameter with Literal (#3285)113f193docs: replace inline ASGI server list with link to canonical implemen… (#3204)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.