RHOAIENG-64887: CVE-2026-48710 rhoai/odh-workbench-jupyter-pytorch-rocm-py312-rhel9: Starlette: Security restriction bypass via malformed HTTP Host header [rhoai-2.25] #3747

Status: Closed
jira-autofix[bot] wants to merge 1 commit into main from autofix/rhoaieng-64887

Conversation

jira-autofix Bot (Contributor) commented May 27, 2026

Add starlette>=1.0.1 floor constraint to cve-constraints.txt.
All images already resolve starlette 1.1.0, which satisfies the fix;
this constraint prevents future downgrades below the patched version.

Summary by CodeRabbit

Release Notes

  • Chores
    • Updated Starlette dependency constraint to version 1.0.1 or higher to address security considerations.
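A floor constraint like the one described above only helps if something checks resolved versions against it. The following is an added example, not code from this PR or the repository: it parses constraint lines in the style of dependencies/cve-constraints.txt and reports any image whose resolved version falls below a pin. The constraints text and the per-image resolved versions are constructed samples; the exact line in the repository is not reproduced.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the style of dependencies/cve-constraints.txt.
CVE_CONSTRAINTS = """
# CVE-2026-48710 / RHOAIENG-64887: Starlette Host header restriction bypass
starlette>=1.0.1
"""

# Constructed: what each image's lock resolves for the package.
RESOLVED: Dict[str, Dict[str, str]] = {
    "image-a": {"starlette": "1.1.0"},  # satisfies the floor
    "image-b": {"starlette": "1.0.0"},  # hypothetical downgrade below the fix
}

_OPS = {
    ">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b, "<": lambda a, b: a < b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}
_LINE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(>=|<=|==|!=|>|<)\s*([0-9.]+)")


def version_key(v: str) -> Tuple[int, ...]:
    """Compare plain dotted versions numerically, so 1.10.0 > 1.9.0."""
    return tuple(int(p) for p in v.split("."))


def parse_constraints(text: str) -> List[Tuple[str, str, str]]:
    """Return (package, operator, version) for each non-comment line."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # strip trailing comments
        m = _LINE.match(line)
        if m:
            out.append((m.group(1).lower(), m.group(2), m.group(3)))
    return out


def violations(constraints: List[Tuple[str, str, str]],
               resolved: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """List (image, package, resolved_version, constraint) for unsatisfied pins."""
    bad = []
    for image, pkgs in resolved.items():
        for name, op, want in constraints:
            have = pkgs.get(name)
            if have is not None and not _OPS[op](version_key(have), version_key(want)):
                bad.append((image, name, have, f"{op}{want}"))
    return bad
```

Running `violations(parse_constraints(CVE_CONSTRAINTS), RESOLVED)` flags only image-b, the constructed downgrade the floor is meant to prevent.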

@openshift-ci openshift-ci Bot requested review from dibryant and ysok May 27, 2026 23:42
openshift-ci Bot (Contributor) commented May 27, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign atheo89 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@github-actions github-actions Bot added the review-requested GitHub Bot creates notification on #pr-review-ai-ide-team slack channel label May 27, 2026
@openshift-ci openshift-ci Bot added the size/xs label May 27, 2026
openshift-ci Bot (Contributor) commented May 27, 2026

Hi @jira-autofix[bot]. Thanks for your PR.

I'm waiting for an opendatahub-io member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

coderabbitai Bot (Contributor) commented May 27, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited), Repository UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 1fb2f162-93c8-4428-a673-18e5bffe4729

📥 Commits

Reviewing files that changed from the base of the PR and between bf6af4d and 59b8a59.

📒 Files selected for processing (1)
  • dependencies/cve-constraints.txt
🚧 Files skipped from review as they are similar to previous changes (1)
  • dependencies/cve-constraints.txt

📝 Walkthrough

This PR updates dependencies/cve-constraints.txt to modify the CVE-2026-48710 Starlette security constraint. The change expands the comment to include an additional issue reference (RHOAIENG-64887) and introduces a minimum version requirement enforcing starlette>=1.0.1.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Description check (Warning): PR description is minimal but directly addresses the change purpose; however, it entirely omits the required template sections including testing details and self-checklist items. Resolution: Add sections for 'How Has This Been Tested?' and the self-checklist from the template, documenting testing environment and verification steps.

✅ Passed checks (4 passed)

  • Title check (Passed): Title uses imperative mood implicitly (describing a CVE fix) and includes the required JIRA ticket reference RHOAIENG-64887, though the format is non-standard.
  • Linked Issues check (Passed): Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check (Passed): Check skipped because no linked issues were found for this pull request.
  • Branch Prefix Policy (Passed): PR authored by jira-autofix[bot]; bot-authored PRs are exempt from branch prefix policy validation per check instructions.


@openshift-ci openshift-ci Bot added size/xs and removed size/xs labels May 27, 2026
codecov-commenter commented May 27, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 27.46%. Comparing base (064a546) to head (59b8a59).
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #3747   +/-   ##
=======================================
  Coverage   27.46%   27.46%           
=======================================
  Files          38       38           
  Lines        4064     4064           
  Branches      670      670           
=======================================
  Hits         1116     1116           
  Misses       2859     2859           
  Partials       89       89           
Flag: python, coverage 27.46% <ø> (ø)

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data

…via malformed HTTP Host header

@jira-autofix jira-autofix Bot force-pushed the autofix/rhoaieng-64887 branch from bf6af4d to 59b8a59 Compare May 31, 2026 06:14
@openshift-ci openshift-ci Bot added size/xs and removed size/xl labels May 31, 2026
@openshift-ci openshift-ci Bot added size/xs and removed size/xs labels May 31, 2026
ide-developer (Collaborator) commented:

Closing — per-image RHOAIENG CVE trackers are now triaged as not_fixable via AGENTS.md instructions (PR #3780). The centralized fix for CVE-2026-48710 is already in dependencies/cve-constraints.txt on main. Release branch fixes are tracked via RHAIENG parent trackers.

@ide-developer ide-developer deleted the autofix/rhoaieng-64887 branch May 31, 2026 06:50

Labels: needs-ok-to-test, review-requested (GitHub Bot creates notification on #pr-review-ai-ide-team slack channel), size/xs

2 participants