chore(deps): bump python-multipart from 0.0.22 to 0.0.31 in /envs/qed_math_env #916
dependabot[bot] wants to merge 1 commit into
Conversation
Bumps [python-multipart](https://github.com/Kludex/python-multipart) from 0.0.22 to 0.0.31.
- [Release notes](https://github.com/Kludex/python-multipart/releases)
- [Changelog](https://github.com/Kludex/python-multipart/blob/main/CHANGELOG.md)
- [Commits](Kludex/python-multipart@0.0.22...0.0.31)

---
updated-dependencies:
- dependency-name: python-multipart
  dependency-version: 0.0.31
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Alignment Review Report
Two-tier review of this Dependabot bump of python-multipart 0.0.22 → 0.0.31 in envs/qed_math_env (lockfile-only, 3 lines changed).
Automated Checks
- Lint rules (`ruff check` E/F/W on `src/` + `tests/`): PASS — "All checks passed!"
- Format / imports: `ruff format --check` flags 23 pre-existing files and `usort check` flags 2 (`tests/envs/test_julia_env.py`, `tests/envs/test_grid_world.py`, documented in `AGENTS.md`) — all pre-existing repo debt, none in `qed_math_env`. This PR changes zero `.py` files, so it introduces no lint regressions (lockfiles aren't linted).
- Debug code: CLEAN for this PR — the hook only scans `src/` (all matches pre-existing); the PR touches only `envs/qed_math_env/uv.lock`.
Open RFCs Context
RFCs 000–005 are In Review, 010 is Draft — all architectural (project phases, abstractions, env-spec, MCP, rubrics, agentic harnesses, token world-model). None govern dependency management or HTTP form parsing, so no RFC surface is touched.
Tier 1: Fixes Required
None. Verified clean:
- `python-multipart` is a transitive dependency (the env `pyproject.toml` declares only `openenv-core`, `datasets`, `math-verify`, `trackio`) → a lock-only change is correct; no `pyproject.toml` floor edit is expected.
- Lockfile hashes match PyPI exactly: sdist `fc631183…` (46689 B), wheel `8408153d…` (29996 B); 0.0.31 is `yanked: false`, `vulnerabilities: []`, `requires_python >=3.10` (satisfies the env's `>=3.10`). `uv lock --check --project envs/qed_math_env` → passes (143 packages, consistent with `pyproject.toml`).
- Minimal, clean diff: no index-source flip (149 `pypi.org/simple`, 0 HF-mirror at both base and head) and no lockfile-revision bump (already `revision = 3`) — unlike many recent env-lock PRs.
Tier 2: Alignment Discussion
Principle Conflicts
None identified. No principle or invariant governs dependency versions.
RFC Conflicts
None identified.
Additional Notes (non-blocking)
Positive — this is a security upgrade. 0.0.22 → 0.0.31 clears 5 CVEs, three of them reachable through OpenEnv's FastAPI/Starlette server stack:
- CVE-2026-40347 (fixed 0.0.26) — DoS via large multipart preamble/epilogue
- CVE-2026-42561 (fixed 0.0.27) — DoS via unbounded part-header count/size (FastAPI/Starlette-reachable)
- CVE-2026-53538 (fixed 0.0.30) — form-field smuggling / parameter pollution via `;`-separator differential (FastAPI `request.form()`)
- CVE-2026-53539 (fixed 0.0.30) — quadratic `;`-body parsing DoS (FastAPI `request.form()`)
- CVE-2026-53540 (fixed 0.0.31) — negative `Content-Length` buffers whole body in memory
Process — Dependabot exclude-paths isn't taking effect (cc @burtenshaw). .github/dependabot.yml scopes the uv updater to directory: "/" with exclude-paths: ["envs/**"], yet this native dependabot/uv/envs/qed_math_env/… PR modifies envs/qed_math_env/. The guard isn't holding for the uv ecosystem (the root has no [tool.uv.workspace]). Not a blocker for this PR — flagging so the intended env-update path stays as the aggregate roll-ups.
Fleet context (cc @burtenshaw). Many sibling envs still pin vulnerable python-multipart: 4 on 0.0.22 (echo_env, sumo_rl_env, finrl_env, dipg_safety_env — all 5 CVEs), and ~29 on 0.0.26–0.0.28 (still missing the 0.0.30/0.0.31 fixes). The same bump would benefit them.
Summary
- 0 mechanical issues to fix (Tier 1)
- 0 alignment points for human review (Tier 2)
- 0 RFC conflicts
- Verdict: clean, low-risk, security-positive transitive lock bump — no blockers from an alignment perspective. 2 non-blocking process/fleet notes for @burtenshaw.
Sent by Cursor Automation: Pre-review
| [[package]] | ||
| name = "python-multipart" | ||
| version = "0.0.22" | ||
| version = "0.0.31" |
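Review bot: This rendered view shows only the `version` line of the `[[package]]` entry flipping from "0.0.22" to "0.0.31"; the sdist and wheel hash lines that must change with it are not visible here, even though the PR is described as a 3-line lockfile change. Approve on the basis of `uv lock --check --project envs/qed_math_env` passing (as the review comment reports) rather than on this excerpt alone.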
Verified against PyPI: 0.0.31 sdist fc631183… (46689 B) and wheel 8408153d… (29996 B) match this lock exactly; yanked: false, vulnerabilities: [], requires_python >=3.10.
This bump from 0.0.22 clears 5 CVEs (CVE-2026-40347/42561/53538/53539/53540) — three reachable via FastAPI/Starlette form parsing. Transitive dependency, so lock-only (no pyproject.toml change) is correct.
Bumps python-multipart from 0.0.22 to 0.0.31.
Release notes
Sourced from python-multipart's releases.
... (truncated)
Changelog
Sourced from python-multipart's changelog.
Commits
- 4cffc68 Version 0.0.31 (#298)
- c814948 Reject negative `Content-Length` in `parse_form` (#297)
- 6b837d4 Bound header field name size before validating (#296)
- e0c4f9d Bump the github-actions group with 3 updates (#294)
- b8a01bb Bump the python-packages group with 3 updates (#293)
- 6732164 Speed up multipart header parsing and callback dispatch (#295)
- 9d3ead5 Version 0.0.30 (#292)
- 3506c15 Ignore RFC 2231 extended parameters in `parse_options_header` (#291)
- d69df35 Treat only `&` as the urlencoded field separator (#290)
- 1e6ff97 Bump idna from 3.11 to 3.15 (#289)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.
Note
Medium Risk
Multipart and urlencoded parsing behavior changed across several minor releases; worth a quick smoke test of any file upload or form endpoints in qed_math_env, though changes are mostly hardening and standards alignment.
Overview
Updates `python-multipart` in `envs/qed_math_env/uv.lock` from 0.0.22 to 0.0.31 (sdist/wheel hashes only; no application source changes).

The newer releases add multipart/form parsing hardening (header size limits, boundary caps, non-negative `Content-Length` checks) and behavior tweaks for urlencoded bodies and `Content-Disposition` option parsing. In this env the package is pulled in transitively (e.g. Gradio / MCP), so the practical impact is on HTTP form and file upload handling in those stacks rather than direct project code.

Reviewed by Cursor Bugbot for commit 89d15c6.