Commit e98b17a
fix: remediate starlette, lxml, and python-multipart CVEs for unstructured-api (#573)
## Summary
- **Bump starlette** 1.0.0 → 1.1.0 (transitive via fastapi) — fixes CVE-2025-62727 (HIGH, SLA breach +36d) and CVE-2025-54121 (MEDIUM, SLA breach +20d)
- **Bump lxml** 6.1.0 → 6.1.1 (transitive via unstructured) — fixes CVE-2026-41066 (HIGH, SLA breach +20d)
- **Bump python-multipart** 0.0.27 → 0.0.29 (direct dep) — fixes CVE-2026-40347 (MEDIUM, SLA breach +4d)
- **Rebuild** picks up latest python-3.12 apk — resolves CVE-2025-12781 (MEDIUM)

All 5 CVEs are in SLA breach.
### Changes
- `pyproject.toml`: bumped `python-multipart` minimum from `>=0.0.18` to `>=0.0.29`; added `starlette>=1.1.0` and `lxml>=6.1.1` to `[tool.uv] constraint-dependencies` to pin transitive dep floors
- `uv.lock`: regenerated with upgraded packages
- `prepline_general/api/__version__.py`: patch bump 0.1.6 → 0.1.7
- `CHANGELOG.md`: added 0.1.7 security entry
## Test plan
- [x] `make install-test` succeeds with `--locked`
- [x] `make test` — 133 passed, 0 failures
- [ ] CI passes on this PR
- [ ] Image build + scan confirms CVEs resolved
🤖 Generated with [Claude Code](https://claude.com/claude-code)
---
## Summary by cubic
Remediates five SLA-breached CVEs by updating `starlette`, `lxml`, and `python-multipart`, rebuilding for the latest Python 3.12 APK, and tightening transitive floors. Also fixes CI by regenerating `uv.lock` with the real `uv` binary.

- **Dependencies**
  - `starlette` 1.0.0 → 1.1.0 — fixes CVE-2025-62727, CVE-2025-54121.
  - `lxml` 6.1.0 → 6.1.1 — fixes CVE-2026-41066.
  - `python-multipart` 0.0.27 → 0.0.29 — fixes CVE-2026-40347.
  - Rebuild image to include latest Python 3.12 APK — fixes CVE-2025-12781.
  - Add `[tool.uv]` constraints (`starlette>=1.1.0`, `lxml>=6.1.1`); regenerate `uv.lock` with real `uv` to fix `uv sync --locked` in CI.
  - Bump version to 0.1.7 and update `CHANGELOG.md`.
Written for commit 73f74ba.
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

1 parent 58d9c34, commit e98b17a
4 files changed
Lines changed: 183 additions & 165 deletions
[Diff rendering: only line numbers survived extraction; the changed lines themselves are blank in this copy. Recoverable shape of the three rendered files: file 1, 9 lines added before original line 1; file 2, original line 1 replaced by one new line; file 3, original line 9 replaced by one new line and 4 lines added after original line 45. The fourth changed file is not rendered.]
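Review bot: none of the rendered hunks shows its content, so the constraint floors, the version bump and the changelog entry cannot be checked against the diff from this page. The three rendered files account for only about 15 additions and 2 deletions of the 183/165 reported; the remainder must be the regenerated `uv.lock`, which is the hunk that actually demonstrates the remediation and should be reviewed for the three locked versions (`starlette` 1.1.0, `lxml` 6.1.1, `python-multipart` 0.0.29) before the still-unchecked "Image build + scan confirms CVEs resolved" item is ticked.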