
Conversation

@tgasser-nv (Collaborator) commented Nov 5, 2025

Description

Need to resolve Dependabot High vulnerability: https://github.com/NVIDIA-NeMo/Guardrails/security/dependabot/132 .

Ran the following steps:

  1. Edit pyproject.toml and change starlette to use the safe version (>= 0.49.1)
  2. Run poetry lock --no-update to resolve dependencies for this version without upgrading anything else.
  3. Check pre-commit:
$ poetry run pre-commit run --all-files
check yaml...............................................................Passed
fix end of files.........................................................Passed
trim trailing whitespace.................................................Passed
isort (python)...........................................................Passed
black....................................................................Passed
Insert license in comments...............................................Passed
pyright..................................................................Passed
  4. Run unit-tests
$ poetry run pytest -q
...................................................................................... [  4%]
...................................................................................... [  8%]
....................s................................................................. [ 12%]
....................................................sssssss.ss....ss.................. [ 16%]
...................................................................................... [ 20%]
.............................................................................sss...... [ 24%]
.s............s....................................................................... [ 28%]
..ss........ss...ss................................ss................s................ [ 32%]
...................................s............s..................................... [ 36%]
...................................................................................... [ 40%]
...................................................................................... [ 44%]
..............................sssss......sssssssssssssssss.........ssss............... [ 48%]
..................................................................s...........ss...... [ 52%]
............ssssssss.ssssssssss.....................................................s. [ 56%]
...s.....................................ssssssss..............sss...ss...ss.......... [ 60%]
...................sssssssssssss............................................/Users/tgasser/Library/Caches/pypoetry/virtualenvs/nemoguardrails-P0S6tdmr-py3.13/lib/python3.13/site-packages/_pytest/stash.py:108: RuntimeWarning: coroutine 'AsyncMockMixin._execute_mock_call' was never awaited
  del self._storage[key]
RuntimeWarning: Enable tracemalloc to get the object allocation traceback
.......... [ 64%]
......s............................................................................... [ 68%]
...............................sssssssss.........ss................................... [ 72%]
........................................................................sssssss....... [ 76%]
...................................................................................... [ 80%]
...s.................................................................................. [ 84%]
......................ss.............................................................. [ 88%]
...................................................................................... [ 92%]
...................................................................................... [ 96%]
.......................................................s.....................          [100%]
2013 passed, 129 skipped in 138.65s (0:02:18)

Related Issue(s)

Checklist

  • I've read the CONTRIBUTING guidelines.
  • I've updated the documentation if applicable.
  • I've added tests if applicable.
  • @mentions of the person or team responsible for reviewing proposed changes.
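As an added example that is not part of this PR or of the Guardrails code base: a small stdlib-only check of the kind one might run in CI after a bump like the one described above, which reads poetry.lock and confirms that a package resolved at or above the minimum version named in the advisory. The lock excerpts below are constructed; the three name/version pairs mirror what the lock diff reported, and the regex relies only on Poetry writing `name` then `version` at the top of each `[[package]]` table. Package names are normalised the way PyPI does (case-insensitive, `-`/`_`/`.` treated alike) so a constraint spelled `Starlette` still matches.

```python
"""Verify that a Poetry lock file resolves a package at or above a minimum
version (for example the fixed version named in a dependency advisory).

Added example; not part of NeMo Guardrails. Only the standard library is
used so it can run as a CI gate without installing anything.
"""
import re
import sys
from typing import Dict, Tuple

# Constructed excerpt of a poetry.lock in the shape Poetry emits. The three
# name/version pairs mirror the ones reported for this PR's lock diff; the
# description fields are illustrative.
SAMPLE_LOCK = '''
[[package]]
name = "annotated-doc"
version = "0.0.3"
description = "illustrative"

[[package]]
name = "fastapi"
version = "0.121.0"
description = "illustrative"

[[package]]
name = "starlette"
version = "0.49.3"
description = "illustrative"
'''

# Constructed excerpt of how the same lock looked before the bump.
OLD_LOCK = '''
[[package]]
name = "starlette"
version = "0.27.0"
description = "illustrative"
'''

# Poetry writes `name` then `version` as the first keys of every
# [[package]] table, which is all this parser depends on.
_PACKAGE_RE = re.compile(
    r'^\[\[package\]\]\s*\nname\s*=\s*"([^"]+)"\s*\nversion\s*=\s*"([^"]+)"',
    re.MULTILINE,
)


def normalize_name(name: str) -> str:
    """PEP 503 style name normalisation: lower-case, runs of -_. become -."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted release version into a comparable tuple of ints.

    Pre/post-release suffixes ("0.49.1rc1") are truncated to the numeric
    prefix, so a release candidate compares equal to the final release.
    That is a deliberate simplification; use packaging.version for more.
    """
    parts = []
    for segment in text.split("."):
        match = re.match(r"\d+", segment)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def version_at_least(found: str, minimum: str) -> bool:
    """True when found >= minimum, padding so 0.49 == 0.49.0."""
    a, b = parse_version(found), parse_version(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def locked_versions(lock_text: str) -> Dict[str, str]:
    """Map normalised package name -> pinned version for every [[package]]."""
    return {normalize_name(n): v for n, v in _PACKAGE_RE.findall(lock_text)}


def check_lock(lock_text: str, package: str, minimum: str) -> Tuple[bool, str]:
    """Return (ok, message); ok is False if the package is missing or too old."""
    found = locked_versions(lock_text).get(normalize_name(package))
    if found is None:
        return False, f"{package} is not pinned in the lock file"
    if not version_at_least(found, minimum):
        return False, f"{package} {found} is below the required minimum {minimum}"
    return True, f"{package} {found} satisfies >= {minimum}"


if __name__ == "__main__":
    # Usage: python check_lock.py [path/to/poetry.lock] ; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    ok, message = check_lock(text, "starlette", "0.49.1")
    print(message)
    sys.exit(0 if ok else 1)
```

Run it against the real poetry.lock after `poetry lock` and wire the non-zero exit into CI so a later `poetry lock` that backslides below the fixed version fails the build rather than silently reintroducing the advisory.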

@tgasser-nv tgasser-nv requested review from Pouyanpi and erickgalinkin and removed request for Pouyanpi November 5, 2025 20:57
@tgasser-nv tgasser-nv changed the title chore: Update starlette package chore(deps): Update starlette package to fix high-level vulnerability Nov 5, 2025
Contributor

@greptile-apps greptile-apps bot left a comment


Greptile Overview

Greptile Summary

Updated starlette package minimum version from 0.27.0 to 0.49.1 to address a security vulnerability, as indicated by the commit message.

Key Changes:

  • Starlette constraint updated to >=0.49.1 in pyproject.toml
  • Lock file updated with starlette 0.49.3 (actual resolved version)
  • FastAPI upgraded from 0.116.1 to 0.121.0 (compatible with new starlette version)
  • New transitive dependency annotated-doc 0.0.3 added (required by newer FastAPI)
  • Minor formatting correction in the exclude list (spacing/indentation)

Compatibility Assessment:
The codebase uses starlette's StreamingResponse and StaticFiles in nemoguardrails/server/api.py:30-31. These are stable APIs that have remained consistent across starlette versions, so no breaking changes are expected. The version jump from 0.27.0 to 0.49.1 is significant (22 minor versions), but starlette maintains good backward compatibility for its core APIs.

Confidence Score: 5/5

  • This PR is safe to merge - it's a straightforward security patch updating dependency constraints
  • This is a clean security-focused dependency update with minimal risk. The change updates starlette to patch a vulnerability, and the APIs used by the codebase (StreamingResponse, StaticFiles) are stable across versions. FastAPI's automatic upgrade is compatible and expected. The lock file properly reflects the resolved dependencies with no conflicts.
  • No files require special attention - this is a routine dependency security update

Important Files Changed

File Analysis

Filename Score Overview
pyproject.toml 5/5 Updated starlette minimum version from 0.27.0 to 0.49.1 to address security vulnerability, minor formatting fix in exclude list
poetry.lock 5/5 Lock file updated with starlette 0.49.3, fastapi 0.121.0, and new dependency annotated-doc 0.0.3

Sequence Diagram

sequenceDiagram
    participant Dev as Developer
    participant Poetry as Poetry
    participant PyPI as PyPI Registry
    participant App as NeMo Guardrails App
    
    Dev->>Poetry: Update starlette constraint to >=0.49.1
    Dev->>Poetry: Run poetry lock
    Poetry->>PyPI: Resolve starlette >=0.49.1
    PyPI-->>Poetry: Return starlette 0.49.3
    Poetry->>PyPI: Resolve fastapi dependencies
    PyPI-->>Poetry: Return fastapi 0.121.0
    Poetry->>PyPI: Resolve annotated-doc (new dependency)
    PyPI-->>Poetry: Return annotated-doc 0.0.3
    Poetry->>Poetry: Update poetry.lock
    Dev->>App: Deploy updated dependencies
    App->>App: Uses StreamingResponse & StaticFiles from starlette 0.49.3
    Note over App: Security vulnerability patched

1 file reviewed, no comments


@codecov codecov bot commented Nov 5, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.


@tgasser-nv tgasser-nv merged commit 1a27839 into develop Nov 6, 2025
35 checks passed
@tgasser-nv tgasser-nv deleted the chore/starlette-vuln-upgrade branch November 6, 2025 16:36