fix: upgrade starlette to 1.1.0 (CVE-2026-48818)#1391
Conversation
Automated dependency upgrade by OrbisAI Security
starlette underpins the HTTP MCP transport (serve_http); graphify/serve.py imports it directly (Starlette/Middleware/Route) but it was only present transitively via mcp, with no version floor — so end users installing graphifyy[mcp] could resolve a vulnerable starlette even after a lockfile bump. Declare it in the mcp (and all) extras and floor at >=1.3.1, which carries the fixes for both CVEs (1.3.1 >= the 1.1.0 fix for CVE-2026-48818 and is the fix for CVE-2026-54283). Lock regenerated 1.0.0 -> 1.3.1. Supersedes the lock-only bumps in #1391 and #1396 (both targeted 1.3.1 from a stale base) with a pyproject floor that also protects end users. stdio MCP and CLI are unaffected. serve/MCP/HTTP tests pass on 1.3.1; full suite 2393 passed. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
Landed on |
|
Thanks for the detailed explanation and for taking the time to land a proper fix rather than just merging the lock bump! The pyproject floor is clearly the right call. I hadn't considered that end users installing Good catch on 1.3.1 covering CVE-2026-54283 as well. I'll make sure future PRs from our scanner target the latest patched release rather than the minimum that fixes the flagged CVE. |
get_community shows the community name (#1448); starlette floored >=1.3.1 for CVE-2026-48818 / CVE-2026-54283 (#1391, #1396); begin per-language extractor split into graphify/extractors/ (#1212); parallel community labeling via --max-concurrency / --batch-size (#1390); reflect dedups dead-ends/corrections; and the work-memory loop no longer depends on the git hook (reflect --if-stale). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Summary
Upgrade starlette from 1.0.0 to 1.1.0 to fix CVE-2026-48818.
Vulnerability
CVE-2026-48818uv.lockDescription: Starlette: SSRF and NTLM credential theft via UNC paths in StaticFiles on Windows
Evidence
Scanner confirmation: trivy rule
CVE-2026-48818flagged this pattern.Production code: This file is in the production codebase, not test-only code.
Threat Model Context
This is a Python library - vulnerabilities affect applications that import this code.
Changes
uv.lockVerification
This change addresses a pattern flagged by static analysis. The code path handles user-influenced input and the fix reduces the attack surface against both manual and automated exploitation.
Automated security fix by OrbisAI Security