We're ready! 🚀

The first release candidate for Starlette 1.0 is here! After years on ZeroVer, we're finally making the jump.

This release removes all deprecated features marked for 1.0.0, along with some last-minute bug fixes.

A special thank you to @lovelydinosaur, the creator of Starlette, Uvicorn, HTTPX and MkDocs, whose work helped to lay the foundation for the modern async Python ecosystem. 🙏

Thank you to @adriangb, @graingert, @agronholm, @florimondmanca, @aminalaee, @tiangolo, @alex-oleshkevich, and @abersheeran for helping make Starlette what it is today. And to all my sponsors - especially @tiangolo, @huggingface, and @elevenlabs - thank you for your support!

Thank you to all 290+ contributors who have shaped Starlette over the years!

Check out the full release notes at https://www.starlette.io/release-notes/#100rc1-february-23-2026

Full Changelog: 0.52.1...1.0.0rc1

What's Changed

• Only use typing_extensions in older Python versions by @Kludex in #3109

Full Changelog: 0.52.0...0.52.1

In this release, State can be accessed using dictionary-style syntax for improved type safety (#3036).

from collections.abc import AsyncIterator
from contextlib import asynccontextmanager
from typing import TypedDict

import httpx

from starlette.applications import Starlette
from starlette.requests import Request


class State(TypedDict):
    http_client: httpx.AsyncClient


@asynccontextmanager
async def lifespan(app: Starlette) -> AsyncIterator[State]:
    async with httpx.AsyncClient() as client:
        yield {"http_client": client}


async def homepage(request: Request[State]):
    client = request.state["http_client"]
    # If you run the below line with mypy or pyright, it will reveal the correct type.
    reveal_type(client)  # Revealed type is 'httpx.AsyncClient'

See Accessing State for more details.

Full Changelog: 0.51.0...0.52.0

Added

• Add allow_private_network in CORSMiddleware #3065.

Changed

• Increase warning stacklevel on DeprecationWarning for wsgi module #3082.

New Contributors

• @santibreo made their first contribution in #3082
• @iddqd888 made their first contribution in #3083

Full Changelog: 0.50.0...0.51.0

Removed

• Drop Python 3.9 support #3061.

Full Changelog: 0.49.3...0.50.0

Fixed

• Relax strictness on Middleware type #3059.

Full Changelog: 0.49.2...0.49.3

Fixed

• Ignore if-modified-since header if if-none-match is present in StaticFiles #3044.

Full Changelog: 0.49.1...0.49.2

This release fixes a security vulnerability in the parsing logic of the Range header in FileResponse.

You can view the full security advisory: GHSA-7f5h-v6xp-fcq8

Fixed

• Optimize the HTTP ranges parsing logic 4ea6e22b489ec388d6004cfbca52dd5b147127c5

Full Changelog: 0.49.0...0.49.1

Added

• Add encoding parameter to Config class #2996.
• Support multiple cookie headers in Request.cookies #3029.
• Use Literal type for WebSocketEndpoint encoding values #3027.

Changed

• Do not pollute exception context in Middleware when using BaseHTTPMiddleware #2976.

New Contributors

• @TheWesDias made their first contribution in #3017
• @gmos2104 made their first contribution in #3027
• @secrett2633 made their first contribution in #2996
• @adam-sikora made their first contribution in #2976

Full Changelog: 0.48.0...0.49.0

Added

• Add official Python 3.14 support #3013.

Changed

• Implement RFC9110 http status names #2939.

New Contributors

• @yakimka made their first contribution in #2943
• @mbeijen made their first contribution in #2939

Full Changelog: 0.47.3...0.48.0