build(deps): bump python-multipart from 0.0.22 to 0.0.26 in /backend#5
build(deps): bump python-multipart from 0.0.22 to 0.0.26 in /backend#5dependabot[bot] wants to merge 1 commit into
Conversation
Bumps [python-multipart](https://github.com/Kludex/python-multipart) from 0.0.22 to 0.0.26. - [Release notes](https://github.com/Kludex/python-multipart/releases) - [Changelog](https://github.com/Kludex/python-multipart/blob/master/CHANGELOG.md) - [Commits](Kludex/python-multipart@0.0.22...0.0.26) --- updated-dependencies: - dependency-name: python-multipart dependency-version: 0.0.26 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
added
dependencies
|
Hi @dependabot[bot], thanks for taking the time to open this PR. OpenSentry is source-available under AGPL-3.0 but does not currently accept external code contributions. This PR is being closed automatically — it is not a reflection of the quality of your work. If you found a bug or have an idea, we would still love to hear about it:
See CONTRIBUTING.md for the full policy. Thanks for your interest in OpenSentry. |
|
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting If you change your mind, just re-open this PR and I'll resolve any conflicts on it. |
dependabot
Bot
deleted the
dependabot/uv/backend/python-multipart-0.0.26
branch
Dependabot moderate advisory #5. The 0.0.22 pin was vulnerable to a DoS in the multipart parser: crafted requests with large leading CR/LF bytes before the first boundary, or large trailing bytes after the closing boundary, caused O(n²) parsing work. An attacker could send oversized malformed bodies to consume CPU and degrade availability for legitimate requests. Bumped the floor in pyproject.toml and relocked; uv.lock shows exactly one updated line (0.0.22 → 0.0.26) with no transitive drift. pip-audit now reports clean on the production dep graph; all 199 backend tests still pass. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Bumps python-multipart from 0.0.22 to 0.0.26.
Release notes
Sourced from python-multipart's releases.
Changelog
Sourced from python-multipart's changelog.
Commits
28f4785Version 0.0.26 (#263)d4452a7Silently discard epilogue data after the closing boundary (#259)6a7b76dSkip preamble before first multipart boundary (#262)4addb60Version 0.0.25 (#261)d3a4698Add MIME content type info to File (#143)9a1ecbdHandle CTE values case-insensitively (#258)ef2a0b9Remove custom FormParser classes (#257)3a757d7Ignore local Claude state (#255)55e7396fuzz: Add cifuzz (#186)d6d1d11Bump the github-actions group with 2 updates (#249)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.