potiuk opened a new pull request, #67326:
URL: https://github.com/apache/airflow/pull/67326
## Summary
- Bumps the `starlette` floor in `airflow-core/pyproject.toml` from
`>=0.45.0` to `>=1.0.1` to pick up the Host-header parsing fix in
[Kludex/starlette#3279](https://github.com/Kludex/starlette/pull/3279).
- Adds a matching `[tool.uv.exclude-newer-package]` override
(`starlette = "6 hours"`) so the bump can resolve before 1.0.1
ages past the project's global 4-day cooldown.
- Teaches `scripts/ci/prek/upgrade_important_versions.py` to honour
manual cooldown overrides when checking PyPI and to retire those
overrides automatically once the global window catches up, so each
workaround line — and its `# REMOVE BY …` marker — cleans itself
out without anyone watching the calendar.
## Why this matters for Airflow
The upstream PR closes a case where `request.url.path` could diverge
from the ASGI `scope["path"]` when the `Host` header contains
characters that are invalid per RFC 9110 §7.2 (`/`, `?`, `#`, `@`,
`\`, space). Airflow has authorisation paths that compare against
`request.url.path` while the downstream app serves the file at
`scope["path"]`:
- `airflow-core/src/airflow/utils/serve_logs/log_server.py`
(`JWTAuthStaticFiles`)
- `providers/edge3/src/airflow/providers/edge3/worker_api/auth.py`
(`jwt_token_authorization_rest`)
Bumping the floor closes the underlying divergence. Defence-in-depth
follow-ups (comparing `scope["path"]` directly instead of
`request.url.path`) can come in a separate PR.
## Test plan
- [X] `uv run --project scripts pytest
scripts/tests/ci/prek/test_upgrade_important_versions.py` — 19 passed (5
existing + 14 new covering `_parse_duration_hours`, `_parse_manual_overrides`,
`_remove_override_entry`, and the per-package cooldown branch).
- [X] `prek run --files …` on every touched file — all hooks pass (ruff,
ruff-format, mypy-scripts, license headers, codespell, uv.lock sync, …).
- [X] `uv lock` resolves `starlette==1.0.1` once the per-package override is
in place; verified by diffing `uv.lock`.
---
##### Was generative AI tooling used to co-author this PR?
- [X] Yes — Claude Code (Opus 4.7)
Generated-by: Claude Code (Opus 4.7) following [the
guidelines](https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions)
---
Drafted-by: Claude Code (Opus 4.7); reviewed by @potiuk before posting
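The defence-in-depth follow-up mentioned under "Why this matters for Airflow", sketched as an added example (not code from this PR, Airflow or Starlette): a plain ASGI wrapper that rejects a `Host` header containing the characters listed above and makes its authorisation decision on `scope["path"]`. `ScopePathGuard`, `host_has_invalid_chars`, `run_request`, the `/logs/dag_a/` policy and the sample hosts are all constructed for illustration.

```python
import asyncio

# Characters the PR description lists as invalid in Host (RFC 9110 §7.2).
INVALID_HOST_CHARS = frozenset("/?#@\\ ")


def host_has_invalid_chars(scope):
    """True if any Host header in the ASGI scope contains a listed character."""
    for name, value in scope.get("headers", []):
        if name.lower() == b"host" and INVALID_HOST_CHARS & set(value.decode("latin-1")):
            return True
    return False


async def _respond(send, status):
    await send({"type": "http.response.start", "status": status, "headers": []})
    await send({"type": "http.response.body", "body": b""})


class ScopePathGuard:
    """Hypothetical ASGI wrapper: reject bad Host, authorise on scope["path"]."""

    def __init__(self, app, is_allowed):
        self.app = app
        self.is_allowed = is_allowed  # assumed policy: callable(path) -> bool

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http":
            if host_has_invalid_chars(scope):
                return await _respond(send, 400)
            # Decide on the same path the downstream app will serve.
            if not self.is_allowed(scope["path"]):
                return await _respond(send, 403)
        await self.app(scope, receive, send)


async def _file_app(scope, receive, send):
    await _respond(send, 200)  # stand-in for the static-file app


def run_request(host, path):
    """Drive the guard with a constructed scope and return the status code."""
    sent = []

    async def send(message):
        sent.append(message)

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    guard = ScopePathGuard(_file_app, lambda p: p.startswith("/logs/dag_a/"))
    scope = {"type": "http", "path": path, "headers": [(b"host", host)]}
    asyncio.run(guard(scope, receive, send))
    return sent[0]["status"]
```

Because the guard never builds a URL from the `Host` header, its decision cannot drift from the path the wrapped app serves, whichever Starlette version is installed.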