chore(deps): bump the uv group across 1 directory with 2 updates

[dependabot]

Bumps the uv group with 2 updates in the / directory: pypdf and starlette.

Updates pypdf from 6.10.2 to 6.12.0

Release notes

Sourced from pypdf's releases.

Version 6.12.0, 2026-05-21

What's new

Security (SEC)

• Disallow cross-reference streams with zero-only width values (#3791) by @​stefan6419846
• Avoid excessive whitespace in layout mode text extraction (#3790) by @​stefan6419846

New Features (ENH)

• Implement SASLprep (RFC 4013) for AES-256 password normalization (#3780) by @​adityamoolya
• CID font resource from font file to encode more characters (#3652) by @​PJBrs

Performance Improvements (PI)

• Optimize retrieval of named destinatinos in reader (#3442) by @​larsga

Bug Fixes (BUG)

• Fix TreeObject.insert_child KeyError on fresh children (#3786) by @​Abzaek

Robustness (ROB)

• AppearanceStream: Also honor user-set font name when not flattening annotations (#3781) by @​PJBrs

Documentation (DOC)

• Block encrypting writer in incremental mode (#3789) by @​stefan6419846

Full Changelog

Version 6.11.0, 2026-05-09

What's new

New Features (ENH)

• Initialise a Font from an embedded font file (#3704) by @​PJBrs

Robustness (ROB)

• Allow to fix AES padding length in non-strict mode (#3742) by @​stefan6419846

Developer Experience (DEV)

• Enable PyPy testing again (#3752) by @​stefan6419846
• Align mypy Makefile target with strict mode (#3690) by @​costajohnt

Full Changelog

Changelog

Sourced from pypdf's changelog.

Version 6.12.0, 2026-05-21

Security (SEC)

• Disallow cross-reference streams with zero-only width values (#3791)
• Avoid excessive whitespace in layout mode text extraction (#3790)

New Features (ENH)

• Implement SASLprep (RFC 4013) for AES-256 password normalization (#3780)
• CID font resource from font file to encode more characters (#3652)

Performance Improvements (PI)

• Optimize retrieval of named destinatinos in reader (#3442)

Bug Fixes (BUG)

• Fix TreeObject.insert_child KeyError on fresh children (#3786)

Robustness (ROB)

• AppearanceStream: Also honor user-set font name when not flattening annotations (#3781)

Documentation (DOC)

• Block encrypting writer in incremental mode (#3789)

Full Changelog

Version 6.11.0, 2026-05-09

New Features (ENH)

• Initialise a Font from an embedded font file (#3704)

Robustness (ROB)

• Allow to fix AES padding length in non-strict mode (#3742)

Developer Experience (DEV)

• Enable PyPy testing again (#3752)
• Align mypy Makefile target with strict mode (#3690)

Full Changelog

Commits

• 08eb143 REL: 6.12.0
• 507d7c9 SEC: Disallow cross-reference streams with zero-only width values (#3791)
• 9d27470 SEC: Avoid excessive whitespace in layout mode text extraction (#3790)
• 0a8e699 DOC: Block encrypting writer in incremental mode (#3789)
• 541ebd4 DEV: Update idna from version 3.10 to 3.15
• de405a8 DEV: Update idna from version 3.10 to 3.15
• a2b90f9 ROB: AppearanceStream: Also honor user-set font name when not flattening anno...
• 22bd60f MAINT: Tiny change of comments (#3787)
• 2995392 ENH: Implement SASLprep (RFC 4013) for AES-256 password normalization (#3780)
• e044789 TST: Disable PyPy update checks after image update
• Additional commits viewable in compare view

Updates starlette from 0.52.1 to 1.0.1

Release notes

Sourced from starlette's releases.

Version 1.0.1

What's Changed

• Ignore malformed Host header when constructing request.url by @​Kludex in Kludex/starlette#3279

Full Changelog: Kludex/starlette@1.0.0...1.0.1

Version 1.0.0

Starlette 1.0 is here! 🎉

After nearly eight years since its creation, Starlette has reached its first stable release.

A special thank you to @​lovelydinosaur, the creator of Starlette, Uvicorn, HTTPX and MkDocs, whose work helped to lay the foundation for the modern async Python ecosystem. 🙏

Thank you to @​adriangb, @​graingert, @​agronholm, @​florimondmanca, @​aminalaee, @​tiangolo, @​alex-oleshkevich, @​abersheeran, and @​uSpike for helping make Starlette what it is today. And to all my sponsors - especially @​tiangolo, @​huggingface, and @​elevenlabs - thank you for your support!

Thank you to all 290+ contributors who have shaped Starlette over the years! ❤️

Read more on the blog post.

Check out the full release notes at https://www.starlette.io/release-notes/#100-march-22-2026

---

Full Changelog: Kludex/starlette@1.0.0rc1...1.0.0

Version 1.0.0rc1

We're ready! 🚀

The first release candidate for Starlette 1.0 is here! After years on ZeroVer, we're finally making the jump.

This release removes all deprecated features marked for 1.0.0, along with some last-minute bug fixes.

A special thank you to @​lovelydinosaur, the creator of Starlette, Uvicorn, HTTPX and MkDocs, whose work helped to lay the foundation for the modern async Python ecosystem. 🙏

Thank you to @​adriangb, @​graingert, @​agronholm, @​florimondmanca, @​aminalaee, @​tiangolo, @​alex-oleshkevich, and @​abersheeran for helping make Starlette what it is today. And to all my sponsors - especially @​tiangolo, @​huggingface, and @​elevenlabs - thank you for your support!

Thank you to all 290+ contributors who have shaped Starlette over the years!

Check out the full release notes at https://www.starlette.io/release-notes/#100rc1-february-23-2026

---

Full Changelog: Kludex/starlette@0.52.1...1.0.0rc1

Changelog

Sourced from starlette's changelog.

1.0.1 (May 21, 2026)

Fixed

• Ignore malformed Host header when constructing request.url #3279.

1.0.0 (March 22, 2026)

Starlette 1.0 is here!

After nearly eight years since its creation, Starlette has reached its first stable release. Thank you to everyone who tested the release candidate and reported issues.

You can read more on the blog post.

Added

• Track session access and modification in SessionMiddleware #3166.

Fixed

• Handle websocket denial responses in StreamingResponse and FileResponse #3189.
• Use bytearray for field accumulation in FormParser #3179.
• Move parser.finalize() inside try/except in MultiPartParser.parse() #3153.

1.0.0rc1 (February 23, 2026)

We're ready! I'm thrilled to announce the first release candidate for Starlette 1.0.

Starlette was created in June 2018 by Tom Christie, and has been on ZeroVer for years. Today, it's downloaded almost 10 million times a day, serves as the foundation for FastAPI, and has inspired many other frameworks. In the age of AI, Starlette continues to play an important role as a dependency of the Python MCP SDK.

This release focuses on removing deprecated features that were marked for removal in 1.0.0, along with some last minute bug fixes. It's a release candidate, so we can gather feedback from the community before the final 1.0.0 release soon.

A huge thank you to all the contributors who have helped make Starlette what it is today. In particular, I'd like to recognize:

• Kim Christie - The original creator of Starlette, Uvicorn, and MkDocs, and the current maintainer of HTTPX. Kim's work helped lay the foundation for the modern async Python ecosystem.
• Adrian Garcia Badaracco - One of the smartest people I know, whom I have the pleasure of working with at Pydantic.
• Thomas Grainger - My async teacher, always ready to help with questions.
• Alex Grönholm - Another async mentor, always prompt to help with questions.
• Florimond Manca - Always present in the early days of both Starlette and Uvicorn, and helped a lot in the ecosystem.
• Amin Alaee - Contributed a lot with file-related PRs.
• Sebastián Ramírez - Maintains FastAPI upstream, and always in contact to help with upstream issues.
• Alex Oleshkevich - Helped a lot on templates and many discussions.

... (truncated)

Commits

• 48f8e33 Version 1.0.1 (#3281)
• f078832 Remove Hugging Face sponsor block from docs (#3280)
• 472951e chore(deps): bump the github-actions group with 2 updates (#3277)
• 764dab0 Ignore malformed Host header when constructing request.url (#3279)
• 19d0811 Harden GitHub Actions workflows and Dependabot config (#3276)
• 01f4637 chore(deps): bump idna from 3.10 to 3.15 (#3274)
• b8fa514 docs: fix typos in TestClient docs and test_requests comment (#3266)
• e935b6b fix uvicorn domain (#3269)
• 96af952 Add 7-day cooldown for dependency resolution via uv exclude-newer (#3265)
• 61e385b Add zizmor GitHub Actions security analysis workflow (#3264)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.