Build(deps): Bump python-multipart from 0.0.26 to 0.0.32 in /python #6406

Open: dependabot[bot] wants to merge 2 commits into main from dependabot/uv/python/python-multipart-0.0.27

@dependabot dependabot Bot commented on behalf of github Jun 8, 2026

Motivation and Context

Bumps python-multipart from 0.0.26 to 0.0.32 to address multiple security advisories. The previous bump to 0.0.27 only covered the older <0.0.27 alert; version 0.0.32 (satisfying >=0.0.31) covers the newer python-multipart vulnerability alerts as well.

Description

  • Adds python-multipart>=0.0.31 to override-dependencies in python/pyproject.toml. constraint-dependencies was insufficient because litellm[proxy] pins python-multipart exactly at ==0.0.27; an override is required to bypass that exact pin.
  • Regenerated python/uv.lock — the resolver selected 0.0.32 (latest version satisfying >=0.0.31).

Contribution Checklist

  • The code builds clean without any errors or warnings
  • The PR follows the Contribution Guidelines
  • All unit tests pass, and I have added new tests where possible
  • Is this a breaking change? If yes, add "[BREAKING]" prefix to the title of the PR.

@dependabot dependabot Bot added dependencies python Issues related to the Python codebase labels Jun 8, 2026
Copilot AI review requested due to automatic review settings June 8, 2026 22:53

Copilot AI left a comment

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

@github-actions github-actions Bot changed the title Build(deps): Bump python-multipart from 0.0.26 to 0.0.27 in /python Python: Build(deps): Bump python-multipart from 0.0.26 to 0.0.27 in /python Jun 8, 2026
Bumps [python-multipart](https://github.com/Kludex/python-multipart) from 0.0.26 to 0.0.27.
- [Release notes](https://github.com/Kludex/python-multipart/releases)
- [Changelog](https://github.com/Kludex/python-multipart/blob/main/CHANGELOG.md)
- [Commits](Kludex/python-multipart@0.0.26...0.0.27)

---
updated-dependencies:
- dependency-name: python-multipart
  dependency-version: 0.0.27
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title Python: Build(deps): Bump python-multipart from 0.0.26 to 0.0.27 in /python Build(deps): Bump python-multipart from 0.0.26 to 0.0.27 in /python Jun 9, 2026
@dependabot dependabot Bot force-pushed the dependabot/uv/python/python-multipart-0.0.27 branch from e8f5966 to 6b2ff3e Compare June 9, 2026 06:01
@moonbox3

@copilot: update this PR to bump python-multipart to 0.0.31 instead of 0.0.27 and regenerate python/uv.lock. If the resolver will not choose 0.0.31 from existing constraints, add a security floor in python/pyproject.toml under [tool.uv] constraint-dependencies for python-multipart>=0.0.31, then regenerate python/uv.lock. The current bump only fixes the old <0.0.27 alert; 0.0.31 should cover the newer python-multipart alerts too.

Copilot AI commented Jun 17, 2026

@copilot: update this PR to bump python-multipart to 0.0.31 instead of 0.0.27 and regenerate python/uv.lock. If the resolver will not choose 0.0.31 from existing constraints, add a security floor in p...

Done. constraint-dependencies couldn't work here because litellm[proxy] pins python-multipart exactly at ==0.0.27, so the constraint floor was silently ignored. I added python-multipart>=0.0.31 to override-dependencies instead (alongside the existing mcp[ws], uvicorn, and opentelemetry-semantic-conventions overrides), then regenerated python/uv.lock. The resolver picked 0.0.32 (the latest satisfying >=0.0.31) — see commit Build(deps): Bump python-multipart to 0.0.32 via override-dependencies floor >=0.0.31.

Copilot AI changed the title Build(deps): Bump python-multipart from 0.0.26 to 0.0.27 in /python Build(deps): Bump python-multipart from 0.0.26 to 0.0.32 in /python Jun 17, 2026
Copilot AI requested a review from moonbox3 June 17, 2026 02:19