
Conversation

@MarlzRana
Contributor

@MarlzRana MarlzRana commented Dec 2, 2025

Link to Issue or Description of Change

Versions of starlette >= 0.39.0 and < 0.49.1 contain CVE-2025-62727. Let's bump to patch this vulnerability.

Testing Plan

Unit Tests:

  • All unit tests pass locally.

Checklist

  • I have read the CONTRIBUTING.md document.
  • I have performed a self-review of my own code.
  • I have commented my code, particularly in hard-to-understand areas.
  • I have added tests that prove my fix is effective or that my feature works.
  • New and existing unit tests pass locally with my changes.
  • I have manually tested my changes end-to-end.
  • Any dependent changes have been merged and published in downstream modules.

Additional context

We also have to bump fastapi to make the project's requirements satisfiable; otherwise one gets this:

× No solution found when resolving dependencies for split (markers: python_full_version >= '3.14'):
  ╰─▶ Because only the following versions of fastapi are available:
          fastapi<=0.115.0
          fastapi==0.115.1
          fastapi==0.115.2
          fastapi==0.115.3
          fastapi==0.115.4
          fastapi==0.115.5
          fastapi==0.115.6
          fastapi==0.115.7
          fastapi==0.115.8
          fastapi==0.115.9
          fastapi==0.115.10
          fastapi==0.115.11
          fastapi==0.115.12
          fastapi==0.115.13
          fastapi==0.115.14
          fastapi==0.116.0
          fastapi==0.116.1
          fastapi==0.116.2
          fastapi==0.117.0
          fastapi==0.117.1
          fastapi==0.118.0
          fastapi==0.118.1
          fastapi==0.118.2
          fastapi==0.118.3
          fastapi>0.119.0
      and fastapi>=0.115.0,<=0.115.1 depends on starlette>=0.37.2,<0.39.0, we can conclude that fastapi>=0.115.0,<0.115.2 depends on starlette>=0.37.2,<0.39.0.
      And because fastapi==0.115.2 depends on starlette>=0.37.2,<0.41.0, we can conclude that fastapi>=0.115.0,<0.115.3 depends on starlette>=0.37.2,<0.41.0.
      And because fastapi>=0.115.3,<=0.115.6 depends on starlette>=0.40.0,<0.42.0 and starlette>=0.40.0,<0.46.0, we can conclude that fastapi>=0.115.0,<0.115.10 depends on
      starlette>=0.37.2,<0.46.0.
      And because fastapi>=0.115.10,<=0.116.0 depends on starlette>=0.40.0,<0.47.0 and starlette>=0.40.0,<0.48.0, we can conclude that fastapi>=0.115.0,<0.116.2 depends on
      starlette>=0.37.2,<0.48.0.
      And because fastapi>=0.116.2,<=0.118.3 depends on starlette>=0.40.0,<0.49.0 and your project depends on fastapi>=0.115.0,<0.119.0, we can conclude that your project depends
      on starlette>=0.37.2,<0.49.0.
      And because your project depends on starlette>=0.49.1,<1.0.0 and your project requires google-adk[a2a], we can conclude that your project's requirements are unsatisfiable.

Hence, we need to min-version fastapi at 0.120.1 to get this commit, which enables us to bump starlette in our pyproject.toml.
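An added check, not code from this PR or the ADK project: given a pyproject pin and the affected range stated in the description, it reports whether any version inside the CVE-2025-62727 range could still be resolved. It works by intersecting the two version intervals, so it also covers the transitive ranges the resolver prints above (e.g. `starlette>=0.40.0,<0.49.0`); the function and helper names are my own.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, ...]
Bound = Tuple[Optional[Version], bool]  # (version, inclusive); None = unbounded

# Affected range as stated in the PR description (not independently verified here).
AFFECTED = "starlette>=0.39.0, <0.49.1"

def parse_version(text: str) -> Version:
    """Turn '0.49.1' into a zero-padded tuple so that 0.49 == 0.49.0."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))

def tighter(current: Bound, new: Bound, want_max: bool) -> Bound:
    """Keep the more restrictive of two bounds on the same side of an interval."""
    if current[0] is None:
        return new
    if new[0] is None:
        return current
    if new[0] == current[0]:
        return (new[0], current[1] and new[1])  # exclusive wins on a tie
    return new if (new[0] > current[0]) == want_max else current

def parse_requirement(req: str) -> Tuple[str, Bound, Bound]:
    """Parse 'name>=a, <b' (pyproject style) into (name, lower, upper)."""
    name, spec = re.match(r"^\s*([A-Za-z0-9_.\-\[\]]+)\s*(.*)$", req).groups()
    lower: Bound = (None, True)
    upper: Bound = (None, True)
    for clause in filter(None, (c.strip() for c in spec.split(","))):
        op, ver = re.match(r"(>=|<=|==|>|<)\s*(.+)", clause).groups()
        v = parse_version(ver)
        if op in (">=", ">", "=="):
            lower = tighter(lower, (v, op != ">"), want_max=True)
        if op in ("<=", "<", "=="):
            upper = tighter(upper, (v, op != "<"), want_max=False)
    return name, lower, upper

def ranges_overlap(pin: str, affected: str = AFFECTED) -> bool:
    """True if at least one version satisfies both the pin and the affected range."""
    name_a, lo_a, hi_a = parse_requirement(pin)
    name_b, lo_b, hi_b = parse_requirement(affected)
    if name_a.split("[")[0].lower() != name_b.split("[")[0].lower():
        raise ValueError(f"different packages: {name_a} vs {name_b}")
    lo = tighter(lo_a, lo_b, want_max=True)   # intersection = max of lowers
    hi = tighter(hi_a, hi_b, want_max=False)  # and min of uppers
    if lo[0] is None or hi[0] is None:
        return True
    return lo[0] < hi[0] or (lo[0] == hi[0] and lo[1] and hi[1])
```

The pin this PR lands on, `starlette>=0.49.1, <1.0.0`, yields no overlap, while the old transitive range `starlette>=0.37.2, <0.49.0` does.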

@gemini-code-assist
Contributor

Summary of Changes

Hello @MarlzRana, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the project's security posture by updating core dependencies. It specifically addresses a known vulnerability in Starlette by upgrading its minimum version, which in turn required a corresponding update to the FastAPI dependency to maintain a compatible and satisfiable dependency tree. This ensures the application remains secure and functional with updated libraries.

Highlights

  • Security Vulnerability Patch: Addresses CVE-2025-62727 in Starlette by bumping the minimum required version to 0.49.1 to patch the vulnerability.
  • Dependency Version Update (FastAPI): Updates the minimum required FastAPI version to 0.120.1 to ensure compatibility with the new Starlette version and resolve dependency conflicts, as detailed in the additional context.

@adk-bot adk-bot added the tools [Component] This issue is related to tools label Dec 2, 2025

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request addresses a vulnerability in starlette by upgrading it to version 0.49.1. As a necessary follow-up, fastapi is also upgraded to 0.120.1 to maintain compatibility. The changes are well-justified and correctly implemented in pyproject.toml. I have one suggestion to improve the consistency of the version pinning for fastapi.

"authlib>=1.5.1, <2.0.0", # For RestAPI Tool
"click>=8.1.8, <9.0.0", # For CLI tools
"fastapi>=0.115.0, <0.119.0", # FastAPI framework
"fastapi>=0.120.1, <0.123.5", # FastAPI framework
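Review bot: the trailing comment on the new `"fastapi>=0.120.1, <0.123.5"` line still reads only `# FastAPI framework`, so nothing in pyproject.toml records that the 0.120.1 floor exists because earlier fastapi releases cap starlette below 0.49.1, the version that fixes CVE-2025-62727. Suggest extending the comment, e.g. `# FastAPI framework; >=0.120.1 required for starlette>=0.49.1 (CVE-2025-62727)`, so a later contributor does not lower the bound and silently reintroduce the vulnerable starlette range.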

medium

While the lower bound bump for fastapi is well-justified, the upper bound <0.123.5 seems a bit arbitrary. For consistency and better readability, consider using a rounder upper bound like <0.124.0. If there's a specific reason to avoid versions >=0.123.5, it would be helpful to add a comment explaining it.

Suggested change
"fastapi>=0.120.1, <0.123.5", # FastAPI framework
"fastapi>=0.120.1, <0.124.0", # FastAPI framework


@ryanaiagent ryanaiagent self-assigned this Dec 4, 2025
@ryanaiagent
Collaborator

Hi @MarlzRana, thank you for your contribution through this pull request! This PR has merge conflicts that require changes from your end. Could you please rebase your branch onto the latest main branch to address these? Once this is complete, please let us know so we can proceed with the review.
