## Summary

- **starlette** 0.41.2 → 1.0.0: remediates CVE-2025-54121 (MEDIUM) and
CVE-2025-62727 (HIGH). Removes the `starlette==0.41.2` constraint pin
from `[tool.uv]` — the only middleware in this repo is FastAPI's
built-in CORS middleware, which is compatible with starlette 1.0.0.
- **python-multipart** 0.0.22 → 0.0.27: remediates CVE-2026-40347
(MEDIUM).
- Bumps service version from 0.1.5 → 0.1.6.
- Does **not** touch lxml (handled by PR #525).

## Test plan

- [x] `uv sync --locked` succeeds (lockfile is consistent)
- [x] `make check-src` passes (ruff format, ruff check, mypy)
- [ ] CI lint + unit tests pass
- [ ] Docker smoke tests pass

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Primarily dependency/version changes, but removing the
`starlette==0.41.2` constraint can introduce runtime incompatibilities
due to a major Starlette upgrade affecting FastAPI/middleware behavior.
> 
> **Overview**
> Updates the service to `0.1.6` and documents a new security release in
`CHANGELOG.md`.
> 
> Removes the `starlette==0.41.2` constraint from `pyproject.toml`
(allowing Starlette to upgrade to remediate CVE-2025-54121 and
CVE-2025-62727) and bumps `python-multipart` to a non-vulnerable release
to address CVE-2026-40347.
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
ddaeefc. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]>