The web and lsp extras exact-pin fastapi==0.120.1, which transitively pulls in starlette 0.49.3 (via FastAPI 0.120.1's starlette<0.50,>=0.40.0). starlette 0.49.3 is affected by PYSEC-2026-161 / GHSA-86qp-5c8j-p5mr — missing Host header validation poisons request.url.path, bypassing path-based security checks. Fixed in starlette 1.0.1.
Because the FastAPI pin is ==, a downstream uv lock --upgrade cannot pull the patched starlette: the resolver is held at FastAPI 0.120.1, whose starlette<0.50 cap excludes 1.0.1. FastAPI 0.136.3 (latest) only requires starlette>=0.46.0 with no upper cap, so bumping the pin lets the resolver select starlette 1.0.1 and unblocks the fix.
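As an added example (not part of this issue or the project's code), the check below reproduces the resolver's reasoning: it evaluates the starlette constraint that each FastAPI version carries against the vulnerable and patched starlette releases and reports whether the fix is reachable under a given pin. It handles plain release versions and the operators ==, !=, <, <=, >, >= only (pre-release suffixes are out of scope, an assumption made here); the constraint strings per FastAPI version are the ones quoted above.

```python
"""Added example: is a patched transitive dependency reachable under an exact pin?

Assumption: only plain release versions like "0.49.3" and the operators
==, !=, <, <=, >, >= are supported (no pre-/post-release suffixes).
The FastAPI -> starlette constraints below are taken from the issue text.
"""
import re
from typing import Dict, Tuple

# Constraint each FastAPI release places on starlette (from the issue text).
FASTAPI_STARLETTE_REQUIREMENT: Dict[str, str] = {
    "0.120.1": "starlette<0.50,>=0.40.0",  # caps starlette below 0.50
    "0.136.3": "starlette>=0.46.0",        # no upper cap
}
STARLETTE_VULNERABLE = "0.49.3"  # affected by PYSEC-2026-161 / GHSA-86qp-5c8j-p5mr
STARLETTE_FIXED = "1.0.1"        # first fixed release per the advisory

_CLAUSE = re.compile(r"^(==|!=|<=|>=|<|>)\s*([0-9][0-9.]*)$")
_REQUIREMENT = re.compile(r"^([A-Za-z0-9_.-]+)\s*(.*)$")


def parse_version(v: str) -> Tuple[int, ...]:
    """'0.49.3' -> (0, 49, 3). Trailing zeros are insignificant (0.50 == 0.50.0)."""
    return tuple(int(part) for part in v.strip().split("."))


def _cmp(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    # Pad the shorter tuple with zeros so 0.50 and 0.50.0 compare equal.
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def satisfies(version: str, specifier: str) -> bool:
    """True if `version` meets every comma-separated clause of `specifier`."""
    v = parse_version(version)
    for raw in specifier.split(","):
        raw = raw.strip()
        if not raw:
            continue
        m = _CLAUSE.match(raw)
        if not m:
            raise ValueError(f"unsupported specifier clause: {raw!r}")
        op, bound = m.group(1), parse_version(m.group(2))
        c = _cmp(v, bound)
        ok = {
            "==": c == 0, "!=": c != 0,
            "<": c < 0, "<=": c <= 0,
            ">": c > 0, ">=": c >= 0,
        }[op]
        if not ok:
            return False
    return True


def split_requirement(req: str) -> Tuple[str, str]:
    """'starlette<0.50,>=0.40.0' -> ('starlette', '<0.50,>=0.40.0')."""
    m = _REQUIREMENT.match(req.strip())
    if not m:
        raise ValueError(f"cannot parse requirement: {req!r}")
    return m.group(1), m.group(2).strip()


def starlette_constraint_for_pin(fastapi_pin: str) -> str:
    """Resolve 'fastapi==X' to the starlette specifier FastAPI X imposes."""
    name, spec = split_requirement(fastapi_pin)
    if name != "fastapi" or not spec.startswith("=="):
        raise ValueError("expected an exact fastapi pin, e.g. 'fastapi==0.120.1'")
    fastapi_version = spec[2:].strip()
    _, starlette_spec = split_requirement(FASTAPI_STARLETTE_REQUIREMENT[fastapi_version])
    return starlette_spec


def fix_reachable(fastapi_pin: str, fixed_version: str = STARLETTE_FIXED) -> bool:
    """Can a resolver held at this exact pin select the patched starlette?"""
    return satisfies(fixed_version, starlette_constraint_for_pin(fastapi_pin))


if __name__ == "__main__":
    for pin in ("fastapi==0.120.1", "fastapi==0.136.3"):
        spec = starlette_constraint_for_pin(pin)
        print(f"{pin}: starlette{spec} -> vulnerable {STARLETTE_VULNERABLE} allowed="
              f"{satisfies(STARLETTE_VULNERABLE, spec)}, "
              f"fixed {STARLETTE_FIXED} reachable={fix_reachable(pin)}")
```

Running it shows the two outcomes side by side: under fastapi==0.120.1 the vulnerable 0.49.3 is admitted and 1.0.1 is rejected by the <0.50 cap, while under fastapi==0.136.3 the uncapped >=0.46.0 admits 1.0.1. The same satisfies() check is what a lock resolver applies to every candidate version, which is why a --upgrade alone cannot escape the pin.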
References: