fix(deps): bump python-multipart to 0.0.32 (security)#616

Open
galshubeli wants to merge 1 commit into staging from fix/python-multipart-cve
Conversation

@galshubeli galshubeli commented Jun 25, 2026

Collaborator

Summary

Bumps python-multipart 0.0.29 → 0.0.32 to clear the dependency-review failure blocking the staging → main promotion (PR #613).

dependency-review flagged 4 advisories on python-multipart@0.0.29:

| Advisory | Severity | Issue | First patched |
| --- | --- | --- | --- |
| GHSA-5rvq-cxj2-64vf | High | Quadratic-time querystring parsing → CPU DoS | 0.0.30 |
| GHSA-vffw-93wf-4j4q | Low | Content-Disposition parameter smuggling (RFC 2231/5987) | 0.0.30 |
| GHSA-6jv3-5f52-599m | Low | Semicolon parameter smuggling | 0.0.30 |
| GHSA-v9pg-7xvm-68hf | Low | Negative Content-Length buffers whole body | 0.0.31 |

0.0.32 (latest) covers all four.

Changes

  • pyproject.toml: python-multipart ~=0.0.29 → ~=0.0.32
  • uv.lock: regenerated (Updated python-multipart v0.0.29 -> v0.0.32)

Test plan

  • uv sync --all-extras resolves cleanly; import multipart → 0.0.32
  • Unit suite: 138 passed, 1 skipped

Once merged into staging, PR #613's dependency-review will pass.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated a bundled server-related package to a newer compatible version, helping keep the app’s backend support up to date.

Resolves 4 advisories flagged by dependency-review on PR #613, including a
high-severity ReDoS:
- GHSA-5rvq-cxj2-64vf (high) quadratic querystring parsing DoS (patched 0.0.30)
- GHSA-vffw-93wf-4j4q / GHSA-6jv3-5f52-599m (low) parameter smuggling (0.0.30)
- GHSA-v9pg-7xvm-68hf (low) negative Content-Length buffering (patched 0.0.31)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
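As an added example (not code from the PR or the QueryWeaver project), the gate that dependency-review applies here can be reproduced locally: read the python-multipart pin from a uv.lock fragment and report which of the four advisories above are still unpatched at that version. The advisory IDs and first-patched versions are taken from the table; the lock-file snippet is constructed for the example.

```python
import re

# Advisories from the PR description, keyed to the first patched version.
ADVISORIES = {
    "GHSA-5rvq-cxj2-64vf": "0.0.30",  # quadratic querystring parsing, CPU DoS
    "GHSA-vffw-93wf-4j4q": "0.0.30",  # Content-Disposition parameter smuggling
    "GHSA-6jv3-5f52-599m": "0.0.30",  # semicolon parameter smuggling
    "GHSA-v9pg-7xvm-68hf": "0.0.31",  # negative Content-Length buffers whole body
}

# Constructed uv.lock fragment (not the repository's real lock file),
# pinned at the pre-bump version so the gate has something to flag.
SAMPLE_UV_LOCK = """\
[[package]]
name = "python-multipart"
version = "0.0.29"
source = { registry = "https://pypi.org/simple" }
"""


def parse_version(v):
    """Turn a dotted release string like '0.0.30' into a comparable int tuple."""
    return tuple(int(part) for part in v.split("."))


def locked_version(lock_text, package):
    """Return the version pinned for `package` in uv.lock text, or None."""
    for block in lock_text.split("[[package]]"):
        name = re.search(r'^name = "([^"]+)"', block, re.M)
        ver = re.search(r'^version = "([^"]+)"', block, re.M)
        if name and ver and name.group(1) == package:
            return ver.group(1)
    return None


def unpatched_advisories(version, advisories=ADVISORIES):
    """Advisory IDs whose first-patched version is newer than `version`."""
    have = parse_version(version)
    return sorted(gid for gid, fixed in advisories.items()
                  if have < parse_version(fixed))


def check_lock(lock_text, package="python-multipart"):
    """Gate used before promotion: (pinned version, advisories still open)."""
    ver = locked_version(lock_text, package)
    if ver is None:
        raise ValueError(f"{package} not found in lock file")
    return ver, unpatched_advisories(ver)


if __name__ == "__main__":
    pinned, still_open = check_lock(SAMPLE_UV_LOCK)
    print(pinned, still_open)  # 0.0.29 with all four advisories open
```

Running the same check against a lock regenerated at 0.0.32 returns an empty list, which is the condition PR #613's dependency-review needs to pass.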
overcut-ai Bot commented Jun 25, 2026


Completed Working on "Code Review"

✅ Code review complete. No issues found - all changes look good! ✅

✅ Workflow completed successfully.


github-actions Bot commented

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 1 package(s) with unknown licenses.
See the Details below.

License Issues

uv.lock

| Package | Version | License | Issue Type |
| --- | --- | --- | --- |
| python-multipart | 0.0.32 | Null | Unknown License |

OpenSSF Scorecard

| Package | Version | Score | Details |
| --- | --- | --- | --- |
| pip/python-multipart | 0.0.32 | Unknown | Unknown |

Scanned Files

  • uv.lock

coderabbitai Bot commented Jun 25, 2026

Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b9306e9a-8f2e-43fa-ab9a-63f6589f8fb3

📥 Commits

Reviewing files that changed from the base of the PR and between 37c2013 and 0726fff.

⛔ Files ignored due to path filters (1)
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (1)
  • pyproject.toml

📝 Walkthrough

pyproject.toml updates the server extra’s python-multipart dependency pin from ~0.0.29 to ~0.0.32.

Changes

Server optional dependency update

| Layer / File(s) | Summary |
| --- | --- |
| Dependency pin update (pyproject.toml) | The server optional dependency pin for python-multipart changes to ~0.0.32. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

I hop through the config, soft and neat,
A fresh little pin makes the server sweet.
✨🐇 A nibble of version, tidy and small,
One line has changed, yet it springs for all.
My whiskers twitch — hop, hop, hooray!

🚥 Pre-merge checks | ✅ 5 passed

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped: CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and accurately summarizes the security-focused dependency bump of python-multipart to 0.0.32. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

railway-app Bot commented Jun 25, 2026


🚅 Deployed to the QueryWeaver-pr-616 environment in queryweaver

| Service | Status | Web | Updated (UTC) |
| --- | --- | --- | --- |
| QueryWeaver | ✅ Success (View Logs) | Web | Jun 25, 2026 at 9:24 am |