Dependency constraint prevents patched Starlette release for CVE-2026-48710

[josemariacampo]

The current dependency specification in pyproject.toml restricts Starlette to versions below 1.0.0:

"starlette>=0.37.0,<1.0.0; python_version>='3.8'",

A security issue tracked as CVE-2026-48710 has been fixed in Starlette 1.0.1, but the current upper bound prevents downstream users from upgrading to a patched version through normal dependency resolution.

References

• https://www.cve.org/CVERecord?id=CVE-2026-48710
• https://app.opencve.io/cve/CVE-2026-48710