fix(deps): bump starlette and fastapi to address CVE-2026-48710
Starlette prior to 1.0.1 did not validate the HTTP Host header before reconstructing request.url, allowing a malformed header to bypass security restrictions based on request.url.path.

Bump starlette to >=1.0.1 and fastapi to >=0.133.0 (the minimum version compatible with starlette >=1.0.1).

Fixes #5893
Merge https://github.com/google/adk-python/pull/5894
Change-Id: If7743e53d95740452c9e562e9bba98d132ae049e
Luis Tomas Bolivar committed
81add3987ada11c862c24143218d434a6504a57a
Parent: ae95a97
Committed by Bo Yang <ybo@google.com>
on 5/29/2026, 9:41:38 PM