Require starlette>=1.0.1 for Host header parsing fix

[potiuk]

Summary

• Bumps the starlette floor in airflow-core/pyproject.toml from
  >=0.45.0 to >=1.0.1 to pick up the Host-header parsing fix in
  Kludex/starlette#3279.
• Adds a matching [tool.uv.exclude-newer-package] override
  (starlette = "6 hours") so the bump can resolve before 1.0.1
  ages past the project's global 4-day cooldown.
• Teaches scripts/ci/prek/upgrade_important_versions.py to honour
  manual cooldown overrides when checking PyPI and to retire those
  overrides automatically once the global window catches up, so each
  workaround line — and its # REMOVE BY … marker — clean themselves
  out without anyone watching the calendar.

Why this matters for Airflow

The upstream PR closes a case where request.url.path could diverge
from the ASGI scope["path"] when the Host header contains
characters that are invalid per RFC 9110 §7.2 (/, ?, #, @,
\, space). Airflow has authorisation paths that compare against
request.url.path while the downstream app serves the file at
scope["path"]:

• airflow-core/src/airflow/utils/serve_logs/log_server.py
  (JWTAuthStaticFiles)
• providers/edge3/src/airflow/providers/edge3/worker_api/auth.py
  (jwt_token_authorization_rest)

Bumping the floor closes the underlying divergence. Defence-in-depth
follow-ups (comparing scope["path"] directly instead of
request.url.path) can come in a separate PR.

Test plan

• uv run --project scripts pytest scripts/tests/ci/prek/test_upgrade_important_versions.py — 19 passed (5 existing + 14 new covering _parse_duration_hours, _parse_manual_overrides, _remove_override_entry, and the per-package cooldown branch).
• prek run --files … on every touched file — all hooks pass (ruff, ruff-format, mypy-scripts, license headers, codespell, uv.lock sync, …).
• uv lock resolves starlette==1.0.1 once the per-package override is in place; verified by diffing uv.lock.

---

Was generative AI tooling used to co-author this PR?

• Yes — Claude Code (Opus 4.7)

Generated-by: Claude Code (Opus 4.7) following the guidelines

---

Drafted-by: Claude Code (Opus 4.7); reviewed by @potiuk before posting

[github-actions]

uv.lock on main just moved via #67383 ("Cleanup older/outddated uv cooldown exception"), commit 62845dd and this PR currently conflicts.

Quickest fix:

git fetch upstream main && git rebase upstream/main
rm uv.lock && uv lock
git add uv.lock && git rebase --continue
git push --force-with-lease

Automated nudge — ignore if you're not ready to rebase. This comment is updated in place on future uv.lock bumps.

[vatsrahul1001]

@potiuk @jscheffl I had to rebase as there was conflict in pyproject.toml after #67383 , Also noticed CI was breaking

CI fix — bumped httpx floor:
The LowestDeps jobs were all failing on test_access_api_contract with TypeError: unhashable type: 'dict' inside starlette's _mapping[key] via httpx TestClient. Starlette 1.0.1's PyPI metadata requires
httpx<0.29.0,>=0.27.0 for TestClient, but airflow-core/pyproject.toml was at httpx>=0.25.0. Bumped to >=0.27.0 to match.

[potiuk]

Nice! thanks ! - I was just looking :)

[vatsrahul1001]

Pervious understating of bumping httpx was not right. CI was still failling, Below seems correct

Actual CI fix: cadwyn>=6.1.1
The test_access_api_contract LowestDeps failure was caused by cadwyn 6.0.4 (airflow-core's floor) being incompatible with starlette 1.0.x. cadwyn 6.1.1's release notes literally say "Fix compatibility with
starlette==1.0.0" — LowestDeps resolves to the floor and hits the bug. The unhashable-dict TypeError surfaces in cadwyn's swagger dashboard via starlette's templating → jinja2 cache lookup.

Bumped cadwyn>=6.0.4 → cadwyn>=6.1.1 to make airflow-core's floor honest with the new starlette requirement.

cc: @potiuk

[github-actions]

Backport failed to create: v3-2-test. View the failure log Run details

Note: As of Merging PRs targeted for Airflow 3.X
the committer who merges the PR is responsible for backporting the PRs that are bug fixes (generally speaking) to the maintenance branches.

In matter of doubt please ask in #release-management Slack channel.

Status	Branch	Result
❌	v3-2-test

You can attempt to backport this manually by running:

cherry_picker 518eadf v3-2-test

This should apply the commit to the v3-2-test branch and leave the commit in conflict state marking
the files that need manual conflict resolution.

After you have resolved the conflicts, you can continue the backport process by running:

cherry_picker --continue

If you don't have cherry-picker installed, see the installation guide.