
Commit e98b17a

fix: remediate starlette, lxml, and python-multipart CVEs for unstructured-api (#573)
## Summary

- **Bump starlette** 1.0.0 → 1.1.0 (transitive via fastapi) — fixes CVE-2025-62727 (HIGH, SLA breach +36d) and CVE-2025-54121 (MEDIUM, SLA breach +20d)
- **Bump lxml** 6.1.0 → 6.1.1 (transitive via unstructured) — fixes CVE-2026-41066 (HIGH, SLA breach +20d)
- **Bump python-multipart** 0.0.27 → 0.0.29 (direct dep) — fixes CVE-2026-40347 (MEDIUM, SLA breach +4d)
- **Rebuild** picks up latest python-3.12 apk — resolves CVE-2025-12781 (MEDIUM)

All 5 CVEs are in SLA breach.

### Changes

- `pyproject.toml`: bumped `python-multipart` minimum from `>=0.0.18` to `>=0.0.29`; added `starlette>=1.1.0` and `lxml>=6.1.1` to `[tool.uv] constraint-dependencies` to pin transitive dep floors
- `uv.lock`: regenerated with upgraded packages
- `prepline_general/api/__version__.py`: patch bump 0.1.6 → 0.1.7
- `CHANGELOG.md`: added 0.1.7 security entry

## Test plan

- [x] `make install-test` succeeds with `--locked`
- [x] `make test` — 133 passed, 0 failures
- [ ] CI passes on this PR
- [ ] Image build + scan confirms CVEs resolved

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---

## Summary by cubic

Remediates five SLA-breached CVEs by updating `starlette`, `lxml`, and `python-multipart`, rebuilding for the latest Python 3.12 APK, and tightening transitive floors. Also fixes CI by regenerating `uv.lock` with the real `uv` binary.

- **Dependencies**
  - `starlette` 1.0.0 → 1.1.0 — fixes CVE-2025-62727, CVE-2025-54121.
  - `lxml` 6.1.0 → 6.1.1 — fixes CVE-2026-41066.
  - `python-multipart` 0.0.27 → 0.0.29 — fixes CVE-2026-40347.
  - Rebuild image to include latest Python 3.12 APK — fixes CVE-2025-12781.
  - Add `[tool.uv]` constraints (`starlette>=1.1.0`, `lxml>=6.1.1`); regenerate `uv.lock` with real `uv` to fix `uv sync --locked` in CI.
  - Bump version to 0.1.7 and update `CHANGELOG.md`.

Written for commit 73f74ba. Summary will update on new commits. [Review in cubic](https://cubic.dev/pr/Unstructured-IO/unstructured-api/pull/573?utm_source=github)

--------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1 parent 58d9c34 commit e98b17a

4 files changed

Lines changed: 183 additions & 165 deletions


CHANGELOG.md

Lines changed: 9 additions & 0 deletions
@@ -1,3 +1,12 @@
1+
## 0.1.7
2+
3+
### Security
4+
5+
- **Bump starlette** to >=1.1.0 to remediate CVE-2025-62727 (HIGH) and CVE-2025-54121 (MEDIUM).
6+
- **Bump lxml** to >=6.1.1 to remediate CVE-2026-41066 (HIGH).
7+
- **Bump python-multipart** to >=0.0.29 to remediate CVE-2026-40347 (MEDIUM).
8+
- **Rebuild** to pick up latest python-3.12 apk, resolving CVE-2025-12781 (MEDIUM).
9+
110
## 0.1.6
211

312
### Security
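Review bot: the 0.1.7 entry states the apk rebuild as "resolving CVE-2025-12781" and the other bumps as remediating their CVEs in the past tense, while the commit's own test plan still has "Image build + scan confirms CVEs resolved" unchecked; either hold the changelog wording (or the release) until that scan item is ticked, or phrase the apk line as "expected to resolve", since whether the rebuild picks up a fixed python-3.12 package depends on the base image available at build time rather than on anything changed in this repository. The starlette and lxml lines also read as direct bumps; a short note that they are enforced via `[tool.uv] constraint-dependencies` would tell readers where to look when the floor needs raising again.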
prepline_general/api/__version__.py

Lines changed: 1 addition & 1 deletion
@@ -1 +1 @@
1-
__version__ = "0.1.6" # pragma: no cover
1+
__version__ = "0.1.7" # pragma: no cover

pyproject.toml

Lines changed: 5 additions & 1 deletion
@@ -6,7 +6,7 @@ requires-python = ">=3.12"
66
dependencies = [
77
"unstructured[all-docs] >=0.18.31, <1.0.0",
88
"fastapi >=0.128.4, <1.0.0",
9-
"python-multipart >=0.0.18",
9+
"python-multipart >=0.0.29",
1010
"uvicorn >=0.40.0, <1.0.0",
1111
"backoff >=2.2.1, <3.0.0",
1212
"pandas >=3.0.0, <4.0.0",
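Review bot: `"python-multipart >=0.0.29",` carries no comment naming the CVE it addresses, while the two new `constraint-dependencies` entries further down this same file each do; add a line such as `# python-multipart >=0.0.29 fixes CVE-2026-40347 (MEDIUM)` above it so the floor is not lowered later by someone who sees only a version number. The entry also keeps no upper bound, unlike the `<1.0.0` caps on `fastapi`, `uvicorn`, `backoff` and `pandas`; that matches the previous `>=0.0.18` line, so it is acceptable, but worth making a deliberate choice rather than an inherited one.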
@@ -43,6 +43,10 @@ path = "prepline_general/api/__version__.py"
4343
constraint-dependencies = [
4444
# pdfminer.six 20260107 includes performance fix
4545
"pdfminer-six==20260107",
46+
# starlette >=1.1.0 fixes CVE-2025-62727 (HIGH) and CVE-2025-54121 (MEDIUM)
47+
"starlette>=1.1.0",
48+
# lxml >=6.1.1 fixes CVE-2026-41066 (HIGH)
49+
"lxml>=6.1.1",
4650
]
4751

4852
[[tool.uv.index]]
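Review bot: `constraint-dependencies` under `[tool.uv]` only shapes uv's own resolution, so the `starlette>=1.1.0` and `lxml>=6.1.1` floors are honoured by `uv lock` and `uv sync --locked` (the path CI and the image build use, per the commit message) but not by anyone installing this package from `pyproject.toml` with pip, who still gets whatever `fastapi` and `unstructured` resolve to. If that install path matters, either state the limitation in the comments here or add the two packages to `dependencies` with the same floors. Separately, the exact `pdfminer-six==20260107` pin now sits beside two open `>=` floors; it will hold pdfminer back from any future security release until someone edits it, so a comment on why it is `==` rather than `>=` would help the next person doing a CVE sweep.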

0 commit comments
