fix: remediate CVEs for unstructured-api (#571)

lawrence-u10d · claude · web-flow · commit 58d9c34ce699 · 2026-05-11T18:04:01.000-05:00
## Summary - **starlette** 0.41.2 → 1.0.0: remediates CVE-2025-54121 (MEDIUM) and CVE-2025-62727 (HIGH). Removes the `starlette==0.41.2` constraint pin from `[tool.uv]` — the only middleware in this repo is FastAPI's built-in CORS middleware, which is compatible with starlette 1.0.0. - **python-multipart** 0.0.22 → 0.0.27: remediates CVE-2026-40347 (MEDIUM). - Bumps service version from 0.1.5 → 0.1.6. - Does **not** touch lxml (handled by PR #525). ## Test plan - [x] `uv sync --locked` succeeds (lockfile is consistent) - [x] `make check-src` passes (ruff format, ruff check, mypy) - [ ] CI lint + unit tests pass - [ ] Docker smoke tests pass 🤖 Generated with [Claude Code](https://claude.com/claude-code)  --- > [!NOTE] > **Medium Risk** > Primarily dependency/version changes, but removing the `starlette==0.41.2` constraint can introduce runtime incompatibilities due to a major Starlette upgrade affecting FastAPI/middleware behavior. > > **Overview** > Updates the service to `0.1.6` and documents a new security release in `CHANGELOG.md`. > > Removes the `starlette==0.41.2` constraint from `pyproject.toml` (allowing Starlette to upgrade to remediate CVE-2025-54121 and CVE-2025-62727) and bumps `python-multipart` to a non-vulnerable release to address CVE-2026-40347. > > <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit ddaeefc. Bugbot is set up for automated code reviews on this repo. Configure [here](https://www.cursor.com/dashboard/bugbot).</sup>  --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,10 @@
+## 0.1.6
+
+### Security
+
+- **Bump starlette** to latest to remediate CVE-2025-54121 (MEDIUM) and CVE-2025-62727 (HIGH). Removes the `starlette==0.41.2` constraint pin.
+- **Bump python-multipart** to latest to remediate CVE-2026-40347 (MEDIUM).
+
 ## 0.1.5
 
 ### Security
diff --git a/prepline_general/api/__version__.py b/prepline_general/api/__version__.py
@@ -1 +1 @@
-__version__ = "0.1.5"  # pragma: no cover
+__version__ = "0.1.6"  # pragma: no cover
diff --git a/prepline_general/api/app.py b/prepline_general/api/app.py
@@ -86,6 +86,7 @@ async def patched_get_form(
     *,
     max_files: int | float = 1000,
     max_fields: int | float = 1000,
+    max_part_size: int = 1024 * 1024,
 ) -> FormData:
     """
     Call the original get_form, and iterate the results
diff --git a/pyproject.toml b/pyproject.toml
@@ -41,12 +41,15 @@ path = "prepline_general/api/__version__.py"
 [tool.uv]
 # Constraints for transitive dependencies that need pinning for functional reasons
 constraint-dependencies = [
-    # later versions of Starlette break middleware
-    "starlette==0.41.2",
     # pdfminer.six 20260107 includes performance fix
     "pdfminer-six==20260107",
 ]
 
+[[tool.uv.index]]
+name = "pypi"
+url = "https://pypi.org/simple"
+default = true
+
 [tool.pyright]
 pythonPlatform = "Linux"
 pythonVersion = "3.12"
diff --git a/uv.lock b/uv.lock

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-__version__ = "0.1.5" # pragma: no cover`
	`1`	`+__version__ = "0.1.6" # pragma: no cover`