chore: bundle Dependabot bumps + starlette CVE fix, cut v0.19.3

CHANGELOG.md

@@ -6,6 +6,20 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/).
 
 ## [Unreleased]
 
+## [0.19.3] - 2026-05-28
+
+### Security
+
+- **`starlette` bumped to 1.1.0** to clear **PYSEC-2026-161** (fixed in 1.0.1). `starlette` is pulled in transitively via `fastapi`; the CI `security` gate audits `requirements.lock`, so the fix is a `starlette==1.1.0` pin there. `fastapi` 0.136.3 declares `starlette>=0.46.0` with no upper bound, so the 1.x bump is in-range. Dependabot does not open PRs for undeclared transitive dependencies, so this was pinned directly as part of the lockfile regeneration.
+
+### Changed
+
+- **Dependency bumps** via Dependabot (bundled, superseding #89, #90, #91, #92):
+  - `fastapi` 0.136.1 → 0.136.3 (#89) — stricter underscore-header validation when `convert_underscores=True`
+  - `uvicorn` >=0.47.0 → >=0.48.0 (#91) — `ssl_ciphers` defaults to OpenSSL, `ProxyHeadersMiddleware` ignores duplicate forwarding headers
+  - `idna` >=3.15 → >=3.16 (#90) — floor raised to match the lockfile pin already in place from #87
+  - `pytest-asyncio` 1.3.0 → 1.4.0 (#92, dev) — deprecates overriding the `event_loop_policy` fixture in favour of the new `pytest_asyncio_loop_factories` hook; current test suite does not override it
+
 ## [0.19.2] - 2026-05-22
 
 ### Security

app/__init__.py

@@ -1 +1 @@
-__version__ = "0.19.2"
+__version__ = "0.19.3"

requirements-dev.txt

@@ -3,4 +3,4 @@ ruff>=0.15.14,<1
 bandit>=1.9.4,<2
 pip-audit>=2.10.0,<3
 pytest>=9.0.3,<10
-pytest-asyncio>=1.3.0,<2
+pytest-asyncio>=1.4.0,<2

requirements.lock

@@ -1,28 +1,32 @@
-# Pinned dependencies for reproducible production builds.
-# Generated from requirements.txt — update by running:
-#   pip install -r requirements.txt && pip freeze > requirements.lock
-annotated-types==0.7.0
-anyio==4.12.1
-certifi==2026.1.4
-click==8.1.6
-Deprecated==1.3.1
-fastapi==0.129.0
-h11==0.16.0
-httpcore==1.0.9
-httptools==0.7.1
-httpx==0.28.1
-idna==3.16
-limits==5.8.0
-pydantic==2.12.5
-pydantic-settings==2.13.0
-python-dotenv==1.2.2
-PyYAML==6.0.1
-redis==7.4.0
-slowapi==0.1.9
-starlette==0.52.1
-typing_extensions==4.15.0
-uvicorn==0.40.0
-uvloop==0.22.1
-watchfiles==1.1.1
-websockets==16.0
-wrapt==2.1.1
+# Pinned dependencies for reproducible production builds.
+# Generated from requirements.txt — update by running:
+#   pip install -r requirements.txt && pip freeze > requirements.lock
+annotated-doc==0.0.4
+annotated-types==0.7.0
+anyio==4.13.0
+certifi==2026.5.20
+click==8.4.1
+Deprecated==1.3.1
+fastapi==0.136.3
+h11==0.16.0
+httpcore==1.0.9
+httptools==0.8.0
+httpx==0.28.1
+idna==3.16
+limits==5.8.0
+packaging==26.2
+pydantic==2.13.4
+pydantic-settings==2.14.1
+pydantic_core==2.46.4
+python-dotenv==1.2.2
+PyYAML==6.0.3
+redis==7.4.0
+slowapi==0.1.9
+starlette==1.1.0
+typing-inspection==0.4.2
+typing_extensions==4.15.0
+uvicorn==0.48.0
+uvloop==0.22.1
+watchfiles==1.2.0
+websockets==16.0
+wrapt==2.2.1

requirements.txt

@@ -1,10 +1,10 @@
-fastapi>=0.136.1,<1
-uvicorn[standard]>=0.47.0,<1
+fastapi>=0.136.3,<1
+uvicorn[standard]>=0.48.0,<1
 httpx>=0.28.1,<1
 pydantic>=2.13.4,<3
 pydantic-settings>=2.14.1,<3
 slowapi>=0.1.9,<1
 limits[redis]>=5.8.0
 python-dotenv>=1.2.2,<2
 # Transitive (via httpx); pinned to clear CVE-2026-45409
-idna>=3.15,<4
+idna>=3.16,<4