[security] Bump starlette to 1.2.1 in aspire-with-python sample

[IEvangelist]

Resolves the open Dependabot alert on samples/aspire-with-python/app/uv.lock:

Alert	Severity	Advisory	Package	Summary
#484	medium	GHSA-86qp-5c8j-p5mr	starlette	Missing Host header validation poisons request.url.path, bypassing path-based security checks

starlette is a transitive dependency in this sample (pulled in via fastapi[standard]), so only the lockfile changes.

Change

• starlette 0.49.3 -> 1.2.1 (patched in 1.0.1; bumped to latest)

Generated with:

uv lock --upgrade-package starlette

The resolver only updated starlette; no other package versions changed.

Co-authored-by: Copilot 223556219+Copilot@users.noreply.github.com

[Copilot]

Copilot wasn't able to review any files in this pull request.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[IEvangelist]

Reviewed the security fix and the failing CI:

Change scope — single-file edit to samples/aspire-with-python/app/uv.lock bumping the transitive starlette dep from 0.49.3 → 1.2.1 (patched in 1.0.1, per GHSA-86qp-5c8j-p5mr). The resolver only touched starlette; no collateral version drift.

CI — windows-latest is green. ubuntu-latest fails on SamplesIntegrationTests.AppHostTests.{AppHostRunsCleanly,TestEndpointsReturnOk} for AspireJavaScript.AppHost because the angular resource fails to start. This failure is unrelated to the Python sample touched here and reproduces on main (e.g. run 26966407089 on main shows the same two tests failing for the same reason). Skipping a CI re-run since it would just hit the same pre-existing flake.

LGTM for the security fix. The angular flake on Linux should be tracked separately.

[IEvangelist]

Validation summary

Change scope (minimal and correct):

• Single file modified: samples/aspire-with-python/app/uv.lock (+3 / -3)
• starlette 0.49.3 → 1.2.1
• starlette is a transitive dependency in this sample (via fastapi[standard] in pyproject.toml), so the lockfile-only bump is the right fix
• 1.2.1 is well past the advisory''s first patched version 1.0.1 (GHSA-86qp-5c8j-p5mr)
• Resolver only touched starlette; no incidental upgrades

Resolves Dependabot alert #484 (medium severity — Host header validation poisoning request.url.path).

CI status:

• ✅ Build & Test Samples (windows-latest) — passes on both the initial run and the rerun
• ✅ license/cla — passes
• ❌ Build & Test Samples (ubuntu-latest) — fails on AspireJavaScript.AppHost (angular resource fails to start). Re-triggered the failed jobs; failure reproduced identically.

The ubuntu failure is a pre-existing flake unrelated to this PR:

• Same 2 failures (AspireJavaScript.AppHost, angular) on both attempts
• Same failure pattern is hitting recent main runs (e.g., commits 4cd89396, 4854509f, ef1effc7, 8b7a4cd7, 3584bff0, e7eb328e all show ubuntu Test failing while windows passes)
• The failure is in a JavaScript sample; this PR only modifies a Python sample''s lockfile, so causation is impossible

Recommend merging when the JS-sample flake is addressed (or via admin merge given the isolated nature of the change).