chore(deps): bump python-multipart from 0.0.26 to 0.0.27 in the uv group across 1 directory#21
Closed
dependabot[bot] wants to merge 1 commit into
Closed
chore(deps): bump python-multipart from 0.0.26 to 0.0.27 in the uv group across 1 directory#21dependabot[bot] wants to merge 1 commit into
dependabot[bot] wants to merge 1 commit into
Conversation
dependabot
Bot
added
dependencies
Bumps the uv group with 1 update in the / directory: [python-multipart](https://github.com/Kludex/python-multipart). Updates `python-multipart` from 0.0.26 to 0.0.27 - [Release notes](https://github.com/Kludex/python-multipart/releases) - [Changelog](https://github.com/Kludex/python-multipart/blob/main/CHANGELOG.md) - [Commits](Kludex/python-multipart@0.0.26...0.0.27) --- updated-dependencies: - dependency-name: python-multipart dependency-version: 0.0.27 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
force-pushed
the
dependabot/uv/uv-14c377a4fb
branch
from
d4b3c1b to
34c27ed
Compare
Owner
|
Closing for now — branch predates the tree-sitter-language-pack <1.7 pin landing in v3.15.2. Dependabot will re-open this same patch bump next week against the post-v3.15.2 main. |
Contributor
Author
|
This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests. To ignore these dependencies, configure ignore rules in dependabot.yml |
Owner
|
Reopening — this bump fixes a real CVE (python-multipart DoS via unbounded multipart headers, GHSA-disclosed). My earlier 'close, dependabot will reopen next week' was wrong; CVE-fixing bumps shouldn't wait. Will rebase + merge as part of v3.15.3 hotfix together with the v3.15.2 release fix. |
cdeust
added a commit
that referenced
this pull request
May 9, 2026
…5.2 tag (#23) Two issues bundled into one hotfix release. 1. python-multipart 0.0.26 → 0.0.27: patches a DoS vulnerability in MultipartParser header parsing (unbounded part headers cause CPU exhaustion). Affects every ASGI app in the FastMCP dep chain. The dependabot PR (#21) flagged this; closing it was wrong on my part. 2. v3.15.2 was tagged at 308ed41 (pre-PR-#22 merge) instead of 6b19ec4 because a stale uv.lock blocked the local fast-forward during release scripting. The broken v3.15.2 tag stays as a graveyard. v3.15.3 is the canonical version with both the MCP startup robustness work (PR #22 contents) AND this security bump.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps the uv group with 1 update in the / directory: python-multipart.
Updates
python-multipartfrom 0.0.26 to 0.0.27Release notes
Sourced from python-multipart's releases.
Changelog
Sourced from python-multipart's changelog.
Commits
6d1d689Version 0.0.27 (#272)0b10220Run CI on main branch pull requests (#271)3e64f5fAdd multipart header limits (#267)eb109ccPass parse offsets via constructors (#268)78e29abBump pytest from 9.0.2 to 9.0.3 (#266)b2ddd09fuzz: Enhance fuzzing capabilities with new chunked and boundary tests (#264)