
Bump starlette version #1114

Open
ME-researchgroup opened this issue Feb 8, 2024 · 3 comments

Comments

@ME-researchgroup

Hi!

Could you please bump starlette? It is currently locked at starlette = ">=0.17.1,<0.35.0"
There is a ReDoS vulnerability in versions of starlette lower than 36.2.

Thanks in advance!

@fralik

fralik commented Feb 12, 2024

@wch
Collaborator

wch commented Feb 13, 2024

A quick summary of where things are at the moment:

  • With the latest release of Posit Connect (2024.01.0), we can use any version of Starlette, including versions >=0.36.2
  • Older releases of Posit Connect require Starlette <0.35.0. We introduced that version requirement in Pin starlette version below 0.35 #1009.

If we were to require >=0.36.2, then those who are using older versions of Connect will be unable to run Shiny for Python apps. The upgrade cycle time for Connect in organizations is often longer, on the scale of 6-12 months.

We will update this issue as we decide how to move ahead.

@wch
Collaborator

wch commented Feb 13, 2024

It looks like the underlying issue is in python-multipart (GHSA-2jv5-9r88-3w3p), and there was a fix here, which was released in version 0.0.7.

However, even though that change to python-multipart fixes the DoS issue, the Starlette advisory still exists and apparently can't be deleted (Kludex/python-multipart#75 (comment)). That means that if we add a python-multipart>=0.0.7 requirement to py-shiny, that will fix the security issue, but users might still think a security issue is present.

So we can do the following:

  • Add a python-multipart>=0.0.7 requirement
  • Un-pin starlette
  • In the rsconnect-python package, emit a message if Connect is <2024.01.0, and the user is deploying a py-shiny app with starlette>=0.35.0, saying that the app won't work, and they either need to upgrade Connect or downgrade starlette.
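As an added illustration (not code from the py-shiny or rsconnect-python projects), here is the deploy-time gate the last bullet describes, together with the python-multipart floor from the first bullet. It assumes the Connect version and the installed package versions are available as plain dotted strings and uses a minimal stdlib-only version parser instead of `packaging`.

```python
"""Version gate mirroring the proposal in the thread (added example).

Assumption: version strings such as '2024.01.0' or '0.36.2' are passed in
directly; a small dotted-integer parser replaces `packaging.version` so
the snippet runs on the standard library alone.
"""
import re
from typing import List, Optional, Tuple

# Thresholds quoted in the issue thread.
CONNECT_MIN_FOR_NEW_STARLETTE = "2024.01.0"  # first Connect that accepts any Starlette
STARLETTE_BREAKING = "0.35.0"                # Starlette >= this needs the newer Connect
MULTIPART_FIXED = "0.0.7"                    # python-multipart release with the DoS fix


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '2024.01.0' or '0.36.2rc1' into a 3-tuple of ints.

    Leading digits of each component are kept and the rest ignored, so a
    pre-release compares like its base version; missing components become 0.
    This is a warning heuristic, not a full PEP 440 implementation.
    """
    parts: List[int] = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple((parts + [0, 0, 0])[:3])  # type: ignore[return-value]


def app_will_run_on_connect(connect_version: str, starlette_version: str) -> bool:
    """False exactly in the case the thread flags: old Connect plus new Starlette."""
    old_connect = parse_version(connect_version) < parse_version(CONNECT_MIN_FOR_NEW_STARLETTE)
    new_starlette = parse_version(starlette_version) >= parse_version(STARLETTE_BREAKING)
    return not (old_connect and new_starlette)


def multipart_dos_fixed(multipart_version: str) -> bool:
    """True when python-multipart already carries the GHSA-2jv5-9r88-3w3p fix."""
    return parse_version(multipart_version) >= parse_version(MULTIPART_FIXED)


def deploy_message(connect_version: str, starlette_version: str, multipart_version: str) -> Optional[str]:
    """Build the warning text the thread proposes; None means nothing to report."""
    notes = []
    if not app_will_run_on_connect(connect_version, starlette_version):
        notes.append(f"Connect {connect_version} cannot run apps with starlette {starlette_version}; "
                     f"upgrade Connect to >={CONNECT_MIN_FOR_NEW_STARLETTE} or downgrade starlette to <{STARLETTE_BREAKING}.")
    if not multipart_dos_fixed(multipart_version):
        notes.append(f"python-multipart {multipart_version} predates the DoS fix; upgrade to >={MULTIPART_FIXED}.")
    return "\n".join(notes) or None
```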
