security: update starlette to fix multipart/form-data DoS vulnerability

[devin-ai-integration]

Security: Update Starlette to fix DoS vulnerability

This PR updates Starlette to version 0.36.3 to fix a high-severity DoS vulnerability that affects applications accepting multipart/form-data requests. The vulnerability allows attackers to cause memory exhaustion through unbounded form field buffering.

Changes

• Updated Starlette from 0.35.1 to 0.36.3
• Updated FastAPI to 0.109.2 for compatibility

Security Impact

This update addresses a high-severity security vulnerability where Starlette treats multipart/form-data parts without a filename as text form fields and buffers those in byte strings with no size limit. This could allow an attacker to:

• Upload arbitrary large form fields
• Cause significant memory allocations and copy operations
• Potentially crash the server through memory exhaustion

Testing

• ✅ Package updates successfully applied
• ✅ Dependencies resolved without conflicts
• ✅ Pre-commit hooks passing

Link to Devin run: https://app.devin.ai/sessions/2430149b78eb49f6bff9c52e97afdb17
Requested by: [email protected]

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add "(aside)" to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[devin-ai-integration]

Closing due to inactivity.