nlip-server pins fastapi<0.116 — blocks starlette CVE fix (DoS)

## Problem

`nlip-server` (required by `ag2[nlip]`) pins `fastapi[standard]>=0.115.12,<0.116.0`.

This prevents downstream consumers from upgrading to `fastapi>=0.136` which drops the `starlette<0.47.0` upper bound, blocking the fix for two starlette CVEs:

- **Dependabot #73**: [Starlette DoS via multipart parsing](https://github.com/encode/starlette/security/advisories/GHSA-6ghw-3v4p-8269) — patched in starlette ≥0.47.2
- **Dependabot #12**: [Starlette O(n²) DoS via Range header](https://github.com/encode/starlette/security/advisories/GHSA-jj98-33cq-37hp) — patched in starlette ≥0.49.1

## Reproduction

```toml
# pyproject.toml
[project.optional-dependencies]
nlip = ["ag2[nlip,openai]>=0.13.0"]
studio = ["fastapi>=0.136", "starlette>=0.49.1"]
```

```
$ uv lock
error: lionagi[nlip] and lionagi[studio] are incompatible
  nlip-server<1,>=0.1.0 → fastapi<0.116.0
  lionagi[studio] → fastapi>=0.136
```

## Suggestion

Widen `nlip-server`'s fastapi constraint to `fastapi>=0.115.0,<1` (matching ag2's own constraint for its other extras like `dev`, `test`, `twilio`, `types`).

## Versions

- ag2: 0.13.0
- nlip-server: 0.1.2
- fastapi latest: 0.136.1
- starlette latest: 0.46.2 (locked), 0.49.1+ needed for CVE fix

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

nlip-server pins fastapi<0.116 — blocks starlette CVE fix (DoS) #2894

Problem

Reproduction

Suggestion

Versions

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

nlip-server pins fastapi<0.116 — blocks starlette CVE fix (DoS) #2894

Description

Problem

Reproduction

Suggestion

Versions

Metadata

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Issue actions