
chore: bump dependency floors for starlette form() DoS fix #6665

Merged
masenf merged 3 commits into reflex-dev:main from FarhanAliRaza:bump-version on Jun 17, 2026

Conversation

@FarhanAliRaza
Contributor

Raise starlette to >=1.3.1 to pull in the CVE-2026-54283 form() DoS fix, and exempt it from the workspace exclude so the floor resolves before it ages out of the exclude-newer window. Also bump granian to >=2.7.4, python-multipart to >=0.0.30, and vite to 8.0.16.

All Submissions:

  • Have you followed the guidelines stated in CONTRIBUTING.md file?
  • Have you checked to ensure there aren't any other open Pull Requests for the desired change?

Type of change

Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue)

New Feature Submission:

  • Does your submission pass the tests?
  • Have you linted your code locally prior to submission?

Changes To Core Features:

  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests for your core changes, as applicable?
  • Have you successfully run tests with your changes locally?

@FarhanAliRaza FarhanAliRaza requested review from a team and Alek99 as code owners June 17, 2026 16:00
@codspeed-hq
codspeed-hq Bot commented Jun 17, 2026

Merging this PR will degrade performance by 4.63%

⚠️ Different runtime environments detected

Some benchmarks with significant performance changes were compared across different runtime environments,
which may affect the accuracy of the results.

Open the report in CodSpeed to investigate

❌ 1 regressed benchmark
✅ 25 untouched benchmarks
⏩ 8 skipped benchmarks [1]

Warning

Please fix the performance issues or acknowledge them on CodSpeed.

Performance Changes

test_var_access[non_mutable_scalar]: BASE 57.3 ms, HEAD 60.1 ms, Efficiency -4.63%

Tip

Investigate this regression by commenting @codspeedbot fix this regression on this PR, or directly use the CodSpeed MCP with your agent.


Comparing FarhanAliRaza:bump-version (ea7fd8c) with main (932f20f)

Open in CodSpeed

Footnotes

  1. 8 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports.

@greptile-apps
greptile-apps Bot commented Jun 17, 2026
Contributor

Greptile Summary

This PR raises minimum dependency floors to pull in several security fixes: starlette jumps from >=0.47.0 to >=1.3.1 (Host-header poisoning, form() DoS CVE-2026-54283, UNC-path SSRF), python-multipart from >=0.0.20 to >=0.0.32 (quadratic querystring DoS, header-size bounding, negative Content-Length buffering), granian from >=2.5.5 to >=2.7.4 (WSGI/WebSocket header-panic DoS), and vite from 8.0.14 to 8.0.16 (server.fs.deny bypass CVE-2026-53571). The uv.lock resolves every dependency exactly to the new floor, and the PR description's reference to python-multipart>=0.0.30 is an outdated draft note — the actual floor in code and changelog is correctly >=0.0.32.

  • pyproject.toml: three Python dependency floors raised for security; starlette exempted from the uv workspace exclude-newer window so the 1.3.1 floor resolves immediately.
  • installer.py / package.json / bun.lock: vite pinned version bumped consistently across the generated-app template and the docs lockfile.
  • Changelog entries in both news/ directories accurately document each CVE and the affected dependency.

Confidence Score: 5/5

Straightforward dependency floor bumps with no logic changes; all packages resolve exactly to the new minimum versions in the lock file.

Every changed file is either a version string, a lock file, or a changelog entry. The lock file confirms all three Python packages land on the intended floor versions, and the vite pin is updated consistently in all three relevant files. No application logic is touched.

No files require special attention.

Important Files Changed

  • pyproject.toml: Security bump: starlette >=0.47.0→>=1.3.1, python-multipart >=0.0.20→>=0.0.32, granian >=2.5.5→>=2.7.4; starlette exempted from exclude-newer
  • packages/reflex-base/src/reflex_base/constants/installer.py: Vite dev dependency bumped 8.0.14→8.0.16 to fix server.fs.deny bypass (CVE-2026-53571)
  • docs/app/reflex.lock/package.json: Vite pinned version updated 8.0.14→8.0.16 consistent with installer.py change
  • docs/app/reflex.lock/bun.lock: Auto-generated lock file regenerated after vite bump; @masenf/hello-react hash entry trimmed
  • uv.lock: Lock resolves starlette→1.3.1, python-multipart→0.0.32, granian→2.7.4, all exactly at the new floor versions
  • news/6665.bugfix.md: Changelog entry accurately documents the three Python dependency security bumps and their CVEs
  • packages/reflex-base/news/6665.bugfix.md: Changelog entry for the vite 8.0.16 bump and CVE-2026-53571 fix


Comment thread pyproject.toml Outdated
Document the floor bumps for starlette/python-multipart/granian
(reflex-dev#6665) and the bundled vite dev dependency bump for CVE-2026-53571.
Pulls in fixes for unbounded header field size and negative
Content-Length buffering in parse_form, alongside the existing
quadratic-time querystring DoS fix.
@FarhanAliRaza
Contributor Author

@greptile rereview

@masenf masenf merged commit 9378594 into reflex-dev:main Jun 17, 2026
106 of 107 checks passed

2 participants