build(deps): bump starlette from 0.50.0 to 1.3.1

[dependabot]

Bumps starlette from 0.50.0 to 1.3.1.

Release notes

Sourced from starlette's releases.

Version 1.3.1

What's Changed

• Use StarletteDeprecationWarning instead of DeprecationWarning by @​Kludex in Kludex/starlette#3119
• Enforce max_fields and max_part_size in FormParser by @​Kludex in Kludex/starlette#3329
• Enforce FormParser limits in parser callbacks by @​Kludex in Kludex/starlette#3331

Full Changelog: Kludex/starlette@1.3.0...1.3.1

Version 1.3.0

What's Changed

• Clamp oversized suffix ranges in FileResponse by @​jiyujie2006 in Kludex/starlette#3307
• Catch OSError alongside MultiPartException when closing temp files by @​N3XT3R1337 in Kludex/starlette#3191
• Add httpx2 to the full extra by @​Kludex in Kludex/starlette#3323
• Adjust testclient typing and warnings by @​waketzheng in Kludex/starlette#3322
• Fix IndexError in URL.replace() on a URL with no authority by @​LeSingh1 in Kludex/starlette#3317
• Annotate URLPath protocol parameter with Literal by @​Chang-LeHung in Kludex/starlette#3285
• avoid collapsing exception groups from user code by @​graingert in Kludex/starlette#2830
• Use removeprefix to strip weak ETag indicator in is_not_modified by @​gnosyslambda in Kludex/starlette#3193
• Build request.url from structured components by @​Kludex in Kludex/starlette#3326

New Contributors

• @​jiyujie2006 made their first contribution in Kludex/starlette#3307
• @​N3XT3R1337 made their first contribution in Kludex/starlette#3191
• @​leestana01 made their first contribution in Kludex/starlette#3319
• @​LeSingh1 made their first contribution in Kludex/starlette#3317
• @​EmmanuelNiyonshuti made their first contribution in Kludex/starlette#3204
• @​Chang-LeHung made their first contribution in Kludex/starlette#3285
• @​gnosyslambda made their first contribution in Kludex/starlette#3193

Full Changelog: Kludex/starlette@1.2.1...1.3.0

Version 1.2.1

What's Changed

• Use httpx2 for type checking in the testclient module by @​leifwar in Kludex/starlette#3304
• Add assert error for requires() when request param is not Request type by @​KeeganOP in Kludex/starlette#3298

New Contributors

• @​leifwar made their first contribution in Kludex/starlette#3304
• @​diskeu made their first contribution in Kludex/starlette#3243
• @​KeeganOP made their first contribution in Kludex/starlette#3298

Full Changelog: Kludex/starlette@1.2.0...1.2.1

Version 1.2.0

What's Changed

• Support httpx2 in the test client by @​Kludex in Kludex/starlette#3291

Full Changelog: Kludex/starlette@1.1.0...1.2.0

Version 1.1.0

... (truncated)

Changelog

Sourced from starlette's changelog.

1.3.1 (June 12, 2026)

Fixed

• Enforce max_fields and max_part_size in FormParser #3329.
• Enforce FormParser limits in parser callbacks #3331.

1.3.0 (June 11, 2026)

Added

• Add httpx2 to the full extra #3323.
• Annotate the URLPath protocol parameter with Literal #3285.

Fixed

• Build request.url from structured components #3326.
• Clamp oversized suffix ranges in FileResponse #3307.
• Catch OSError alongside MultiPartException when closing temp files #3191.
• Avoid collapsing exception groups raised from user code #2830.
• Use removeprefix to strip the weak ETag indicator in is_not_modified #3193.
• Fix IndexError in URL.replace() on a URL with no authority #3317.
• Adjust testclient typing and warnings #3322.

1.2.1 (May 31, 2026)

Fixed

• Use httpx2 for type checking in the testclient module #3304.
• Add assert error for requires() when the request parameter is not a Request type #3298.

1.2.0 (May 28, 2026)

Added

• Support httpx2 in the test client #3291.

1.1.0 (May 23, 2026)

Added

• Use "application/octet-stream" as the FileResponse media type fallback #3283.

Fixed

• Only dispatch standard HTTP verbs in HTTPEndpoint #3286.
• Reject absolute paths in StaticFiles.lookup_path #3287.

1.0.1 (May 21, 2026)

... (truncated)

Commits

• 8ebffd0 Version 1.3.1 (#3330)
• 25b8e17 Enforce FormParser limits in parser callbacks (#3331)
• dba1c4b Enforce max_fields and max_part_size in FormParser (#3329)
• 45e51dc Use StarletteDeprecationWarning instead of DeprecationWarning (#3119)
• 5f8610c Version 1.3.0 (#3327)
• 167b585 Build request.url from structured components (#3326)
• 3730925 Use removeprefix to strip weak ETag indicator in is_not_modified (#3193)
• e6f7ad1 avoid collapsing exception groups from user code (#2830)
• 115228f Annotate URLPath protocol parameter with Literal (#3285)
• 113f193 docs: replace inline ASGI server list with link to canonical implemen… (#3204)
• Additional commits viewable in compare view

---

Note

Medium Risk
Major Starlette bump on the shared HTTP stack (FastAPI + custom Starlette MCP apps) can change request, form, and routing behavior without code changes in this PR.

Overview
Updates uv.lock only: Starlette 0.50.0 → 1.3.1 and FastAPI 0.123.9 → 0.138.2 (FastAPI also picks up typing-inspection). No application source changes.

Starlette 1.x brings HTTP-layer fixes and behavior changes that can affect this repo’s FastAPI API surface and direct Starlette usage in MCP (sse_app / streamable_http_app, run_in_threadpool). Notable upstream changes include stricter FormParser limits, request.url built from structured components, StaticFiles rejecting absolute paths, and assorted FileResponse / URL handling fixes.

^{Reviewed by Cursor Bugbot for commit 296a040. Bugbot is set up for automated code reviews on this repo. Configure here.}

[jit-ci]

🛡️ Jit Security Scan Results

✅ No security findings were detected in this PR

---

^{Security scan by Jit}

[abrookins]

@dependabot rebase

[abrookins]

Reviewed the rebased FastAPI/Starlette lockfile update. Diff is uv.lock-only; the rebase updates starlette to 1.3.1 and FastAPI to 0.138.2. GitHub checks are green after rerunning the transient redis:latest working-memory index assertion. Local uv sync --locked and pytest tests/test_dependencies.py tests/test_api.py tests/test_mcp.py tests/test_auth.py tests/test_token_auth.py tests/test_client_api.py passed: 133 passed, 32 skipped.