Skip to content

Build(deps): Bump python-multipart from 0.0.26 to 0.0.32 in /python#6406

Merged
eavanvalkenburg merged 3 commits into
mainfrom
dependabot/uv/python/python-multipart-0.0.27
Jun 19, 2026
Merged

Build(deps): Bump python-multipart from 0.0.26 to 0.0.32 in /python#6406
eavanvalkenburg merged 3 commits into
mainfrom
dependabot/uv/python/python-multipart-0.0.27

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 8, 2026

Copy link
Copy Markdown
Contributor

Motivation and Context

Bumps python-multipart from 0.0.26 to 0.0.32 to address multiple security advisories. The previous bump to 0.0.27 only covered the older <0.0.27 alert; version 0.0.32 (satisfying >=0.0.31) covers the newer python-multipart vulnerability alerts as well.

Description

  • Adds python-multipart>=0.0.31 to override-dependencies in python/pyproject.toml. constraint-dependencies was insufficient because litellm[proxy] pins python-multipart exactly at ==0.0.27; an override is required to bypass that exact pin.
  • Regenerated python/uv.lock — the resolver selected 0.0.32 (latest version satisfying >=0.0.31).

Contribution Checklist

  • The code builds clean without any errors or warnings
  • The PR follows the Contribution Guidelines
  • All unit tests pass, and I have added new tests where possible
  • Is this a breaking change? If yes, add "[BREAKING]" prefix to the title of the PR.

@dependabot dependabot Bot added dependencies python Usage: [Issues, PRs], Target: Python labels Jun 8, 2026
Copilot AI review requested due to automatic review settings June 8, 2026 22:53

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

@github-actions github-actions Bot changed the title Build(deps): Bump python-multipart from 0.0.26 to 0.0.27 in /python Python: Build(deps): Bump python-multipart from 0.0.26 to 0.0.27 in /python Jun 8, 2026
Bumps [python-multipart](https://github.com/Kludex/python-multipart) from 0.0.26 to 0.0.27.
- [Release notes](https://github.com/Kludex/python-multipart/releases)
- [Changelog](https://github.com/Kludex/python-multipart/blob/main/CHANGELOG.md)
- [Commits](Kludex/python-multipart@0.0.26...0.0.27)

---
updated-dependencies:
- dependency-name: python-multipart
  dependency-version: 0.0.27
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title Python: Build(deps): Bump python-multipart from 0.0.26 to 0.0.27 in /python Build(deps): Bump python-multipart from 0.0.26 to 0.0.27 in /python Jun 9, 2026
@dependabot dependabot Bot force-pushed the dependabot/uv/python/python-multipart-0.0.27 branch from e8f5966 to 6b2ff3e Compare June 9, 2026 06:01
@moonbox3

Copy link
Copy Markdown
Contributor

@copilot: update this PR to bump python-multipart to 0.0.31 instead of 0.0.27 and regenerate python/uv.lock. If the resolver will not choose 0.0.31 from existing constraints, add a security floor in python/pyproject.toml under [tool.uv] constraint-dependencies for python-multipart>=0.0.31, then regenerate python/uv.lock. The current bump only fixes the old <0.0.27 alert; 0.0.31 should cover the newer python-multipart alerts too.

Copilot AI commented Jun 17, 2026

Copy link
Copy Markdown
Contributor

@copilot: update this PR to bump python-multipart to 0.0.31 instead of 0.0.27 and regenerate python/uv.lock. If the resolver will not choose 0.0.31 from existing constraints, add a security floor in p...

Done. constraint-dependencies couldn't work here because litellm[proxy] pins python-multipart exactly at ==0.0.27, so the constraint floor was silently ignored. I added python-multipart>=0.0.31 to override-dependencies instead (alongside the existing mcp[ws], uvicorn, and opentelemetry-semantic-conventions overrides), then regenerated python/uv.lock. The resolver picked 0.0.32 (the latest satisfying >=0.0.31) — see commit Build(deps): Bump python-multipart to 0.0.32 via override-dependencies floor >=0.0.31.

Copilot AI changed the title Build(deps): Bump python-multipart from 0.0.26 to 0.0.27 in /python Build(deps): Bump python-multipart from 0.0.26 to 0.0.32 in /python Jun 17, 2026
Copilot AI requested a review from moonbox3 June 17, 2026 02:19
@eavanvalkenburg

Copy link
Copy Markdown
Member

@dependabot rebase

@dependabot @github

dependabot Bot commented on behalf of github Jun 18, 2026

Copy link
Copy Markdown
Contributor Author

Looks like this PR has been edited by someone other than Dependabot. That means Dependabot can't rebase it - sorry!

If you're happy for Dependabot to recreate it from scratch, overwriting any edits, you can request @dependabot recreate.

@eavanvalkenburg

Copy link
Copy Markdown
Member

@dependabot recreate

@dependabot @github

dependabot Bot commented on behalf of github Jun 18, 2026

Copy link
Copy Markdown
Contributor Author

Dependabot can't resolve your Python dependency files. Because of this, Dependabot cannot update this pull request.

@eavanvalkenburg

Copy link
Copy Markdown
Member

@copilot fix the merge conflict

Copilot AI commented Jun 18, 2026

Copy link
Copy Markdown
Contributor

@copilot fix the merge conflict

Resolved — merged main into the branch and regenerated python/uv.lock cleanly. python-multipart remains at 0.0.32.

@eavanvalkenburg eavanvalkenburg added this pull request to the merge queue Jun 19, 2026
Merged via the queue into main with commit 7f7c88b Jun 19, 2026
36 of 38 checks passed
@dependabot dependabot Bot deleted the dependabot/uv/python/python-multipart-0.0.27 branch June 19, 2026 01:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

python Usage: [Issues, PRs], Target: Python

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants