
chore(deps): bump python-multipart from 0.0.22 to 0.0.31 in /envs/qed_math_env #916

Open

dependabot[bot] wants to merge 1 commit into main from dependabot/uv/envs/qed_math_env/python-multipart-0.0.31

Conversation

dependabot[bot] (Contributor) commented on behalf of github, Jul 3, 2026

Bumps python-multipart from 0.0.22 to 0.0.31.

Release notes

Sourced from python-multipart's releases.

Version 0.0.31

What's Changed

Full Changelog: Kludex/python-multipart@0.0.30...0.0.31

Version 0.0.30

What's Changed

Full Changelog: Kludex/python-multipart@0.0.29...0.0.30

Version 0.0.29

What's Changed

Full Changelog: Kludex/python-multipart@0.0.28...0.0.29

Version 0.0.28

What's Changed

Full Changelog: Kludex/python-multipart@0.0.27...0.0.28

Version 0.0.27

What's Changed

Full Changelog: Kludex/python-multipart@0.0.26...0.0.27

Version 0.0.26

What's Changed

Full Changelog: Kludex/python-multipart@0.0.25...0.0.26

Version 0.0.25

What's Changed

... (truncated)

Changelog

Sourced from python-multipart's changelog.

0.0.31 (2026-06-04)

  • Speed up multipart header parsing and callback dispatch #295.
  • Bound header field name size before validating #296.
  • Validate Content-Length is non-negative in parse_form #297.

0.0.30 (2026-05-31)

  • Parse application/x-www-form-urlencoded bodies per the WHATWG URL standard, treating only & as a field separator #290.
  • Ignore RFC 2231/5987 extended parameters (name*, filename*) in parse_options_header, keeping the plain parameter authoritative per RFC 7578 §4.2 #291.

0.0.29 (2026-05-17)

  • Handle malformed RFC 2231 continuations in parse_options_header #270.

0.0.28 (2026-05-10)

  • Speed up partial-boundary tail scan via bytes.find #281.
  • Cap multipart boundary length at 256 bytes #282.

0.0.27 (2026-04-27)

  • Add multipart header limits #267.
  • Pass parse offsets via constructors #268.

0.0.26 (2026-04-10)

  • Skip preamble before the first multipart boundary more efficiently #262.
  • Silently discard epilogue data after the closing multipart boundary #259.

0.0.25 (2026-04-10)

  • Add MIME content type info to File #143.
  • Handle CTE values case-insensitively #258.
  • Remove custom FormParser classes #257.
  • Add UPLOAD_DELETE_TMP to FormParser config #254.
  • Emit field_end for trailing bare field names on finalize #230.
  • Handle multipart headers case-insensitively #252.
  • Apply Apache-2.0 properly #247.

0.0.24 (2026-04-05)

  • Validate chunk_size in parse_form() #244.

0.0.23 (2026-04-05)

  • Remove unused trust_x_headers parameter and X-File-Name fallback #196.
  • Return processed length from QuerystringParser._internal_write #229.
  • Cleanup metadata dunders from __init__.py #227.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.

Note

Medium Risk
Multipart and urlencoded parsing behavior changed across several minor releases; worth a quick smoke test of any file upload or form endpoints in qed_math_env, though changes are mostly hardening and standards alignment.

Overview
Updates python-multipart in envs/qed_math_env/uv.lock from 0.0.22 to 0.0.31 (sdist/wheel hashes only; no application source changes).

The newer releases add multipart/form parsing hardening (header size limits, boundary caps, non-negative Content-Length checks) and behavior tweaks for urlencoded bodies and Content-Disposition option parsing. In this env the package is pulled in transitively (e.g. Gradio / MCP), so the practical impact is on HTTP form and file upload handling in those stacks rather than direct project code.

Reviewed by Cursor Bugbot for commit 89d15c6. Bugbot is set up for automated code reviews on this repo.

Bumps [python-multipart](https://github.com/Kludex/python-multipart) from 0.0.22 to 0.0.31.
- [Release notes](https://github.com/Kludex/python-multipart/releases)
- [Changelog](https://github.com/Kludex/python-multipart/blob/main/CHANGELOG.md)
- [Commits](Kludex/python-multipart@0.0.22...0.0.31)

---
updated-dependencies:
- dependency-name: python-multipart
  dependency-version: 0.0.31
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added Dependencies python:uv Pull requests that update python:uv code labels Jul 3, 2026
@burtenshaw burtenshaw added environment size: small Small pull request labels Jul 3, 2026 — with Cursor

cursor[bot] left a comment

Alignment Review Report

Two-tier review of this Dependabot bump of python-multipart 0.0.22 → 0.0.31 in envs/qed_math_env (lockfile-only, 3 lines changed).

Automated Checks

  • Lint rules (ruff check E/F/W on src/+tests/): PASS — "All checks passed!"
  • Format / imports: ruff format --check flags 23 pre-existing files and usort check flags 2 (tests/envs/test_julia_env.py, tests/envs/test_grid_world.py, documented in AGENTS.md) — all pre-existing repo debt, none in qed_math_env. This PR changes zero .py files, so it introduces no lint regressions (lockfiles aren't linted).
  • Debug code: CLEAN for this PR — the hook only scans src/ (all matches pre-existing); the PR touches only envs/qed_math_env/uv.lock.

Open RFCs Context

RFCs 000–005 are In Review, 010 is Draft — all architectural (project phases, abstractions, env-spec, MCP, rubrics, agentic harnesses, token world-model). None govern dependency management or HTTP form parsing, so no RFC surface is touched.

Tier 1: Fixes Required

None. Verified clean:

  • python-multipart is a transitive dependency (the env pyproject.toml declares only openenv-core, datasets, math-verify, trackio) → a lock-only change is correct; no pyproject.toml floor edit is expected.
  • Lockfile hashes match PyPI exactly: sdist fc631183… (46689 B), wheel 8408153d… (29996 B); 0.0.31 is yanked: false, vulnerabilities: [], requires_python >=3.10 (satisfies the env's >=3.10).
  • uv lock --check --project envs/qed_math_env passes (143 packages, consistent with pyproject.toml).
  • Minimal, clean diff: no index-source flip (149 pypi.org/simple, 0 HF-mirror at both base and head) and no lockfile-revision bump (already revision = 3) — unlike many recent env-lock PRs.

Tier 2: Alignment Discussion

Principle Conflicts

None identified. No principle or invariant governs dependency versions.

RFC Conflicts

None identified.

Additional Notes (non-blocking)

Positive — this is a security upgrade. 0.0.22 → 0.0.31 clears 5 CVEs, three of them reachable through OpenEnv's FastAPI/Starlette server stack:

  • CVE-2026-40347 (fixed 0.0.26) — DoS via large multipart preamble/epilogue
  • CVE-2026-42561 (fixed 0.0.27) — DoS via unbounded part-header count/size (FastAPI/Starlette-reachable)
  • CVE-2026-53538 (fixed 0.0.30) — form-field smuggling / parameter pollution via ;-separator differential (FastAPI request.form())
  • CVE-2026-53539 (fixed 0.0.30) — quadratic ;-body parsing DoS (FastAPI request.form())
  • CVE-2026-53540 (fixed 0.0.31) — negative Content-Length buffers whole body in memory

Process — Dependabot exclude-paths isn't taking effect (cc @burtenshaw). .github/dependabot.yml scopes the uv updater to directory: "/" with exclude-paths: ["envs/**"], yet this native dependabot/uv/envs/qed_math_env/… PR modifies envs/qed_math_env/. The guard isn't holding for the uv ecosystem (the root has no [tool.uv.workspace]). Not a blocker for this PR — flagging so the intended env-update path stays as the aggregate roll-ups.

Fleet context (cc @burtenshaw). Many sibling envs still pin vulnerable python-multipart: 4 on 0.0.22 (echo_env, sumo_rl_env, finrl_env, dipg_safety_env — all 5 CVEs), and ~29 on 0.0.26–0.0.28 (still missing the 0.0.30/0.0.31 fixes). The same bump would benefit them.

Summary

  • 0 mechanical issues to fix (Tier 1)
  • 0 alignment points for human review (Tier 2)
  • 0 RFC conflicts
  • Verdict: clean, low-risk, security-positive transitive lock bump — no blockers from an alignment perspective. 2 non-blocking process/fleet notes for @burtenshaw.

Sent by Cursor Automation: Pre-review
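The `;`-separator differential that changelog entry #290 and the CVE-2026-53538 note above describe, as an added stdlib-only example that is not python-multipart's code: one parser splits x-www-form-urlencoded bodies only on `&` (the WHATWG behaviour the 0.0.30 release adopts), a second also splits on `;` (the older behaviour), and a check reports the fields on which the two disagree for the same body. The request bodies in the block are constructed for the example.

```python
"""Constructed example (not python-multipart's code): why a parser that
splits x-www-form-urlencoded bodies on ';' as well as '&' disagrees with
one that follows the WHATWG URL standard and splits only on '&'."""
from __future__ import annotations

from urllib.parse import unquote_plus


def parse_urlencoded(body: bytes, separators: str = "&") -> dict[str, list[str]]:
    """Minimal application/x-www-form-urlencoded parser.

    separators="&"  : WHATWG behaviour (what python-multipart 0.0.30+ does)
    separators="&;" : legacy behaviour that also honours ';' as a separator
    Percent-decoding happens after splitting, so an encoded %3B never acts
    as a separator in either mode.
    """
    text = body.decode("latin-1")  # one byte -> one char; decode escapes later
    pairs = [text]
    for sep in separators:
        pairs = [piece for chunk in pairs for piece in chunk.split(sep)]
    fields: dict[str, list[str]] = {}
    for pair in pairs:
        if not pair:
            continue
        name, _, value = pair.partition("=")
        fields.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return fields


def separator_differential(body: bytes) -> dict[str, list[str]]:
    """Fields on which the strict ('&') and lenient ('&' and ';') parsers disagree.

    A non-empty result means a front-end component splitting only on '&' and
    a back-end also splitting on ';' see different field sets for the same
    body, which is the smuggling / parameter-pollution primitive.  Returns
    the lenient parser's view of each disputed field.
    """
    strict = parse_urlencoded(body, "&")
    lenient = parse_urlencoded(body, "&;")
    return {name: values for name, values in lenient.items()
            if strict.get(name) != values}


if __name__ == "__main__":
    # Constructed request bodies: a smuggling attempt, its encoded (harmless)
    # twin, and a plain body.
    for body in (b"user=alice;role=admin&action=view",
                 b"user=alice%3Brole=admin&action=view",
                 b"a=1&b=2"):
        print(body, "->", separator_differential(body) or "no differential")
```

Running `separator_differential` over request bodies captured from a form endpoint is a cheap smoke test for the "Medium Risk" note above: any body that produces a non-empty result would have been parsed differently by 0.0.22 and 0.0.31.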

Comment thread envs/qed_math_env/uv.lock
[[package]]
name = "python-multipart"
version = "0.0.22"
version = "0.0.31"
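Review bot: the pin moves to 0.0.31 here, but the Tier 1 check above confirms nothing in envs/qed_math_env/pyproject.toml requires python-multipart at all, so a later re-resolution of the packages that pull it in (Gradio, MCP) is free to settle on an older release and quietly undo this bump. Consider adding `python-multipart>=0.0.31` to `constraint-dependencies` under `[tool.uv]` in the env's pyproject.toml, which pins the floor for a transitive package without declaring a direct dependency, and then re-running `uv lock --check --project envs/qed_math_env`.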


Verified against PyPI: 0.0.31 sdist fc631183… (46689 B) and wheel 8408153d… (29996 B) match this lock exactly; yanked: false, vulnerabilities: [], requires_python >=3.10.

This bump from 0.0.22 clears 5 CVEs (CVE-2026-40347/42561/53538/53539/53540) — three reachable via FastAPI/Starlette form parsing. Transitive dependency, so lock-only (no pyproject.toml change) is correct.
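The fleet note in the Cursor review (four envs still on 0.0.22, about 29 on 0.0.26 to 0.0.28) is the kind of finding a lockfile scan produces mechanically. As an added example that is not project code: a stdlib-only scanner that reads every uv.lock under a tree, takes the `name` and `version` of each `[[package]]` table (the layout visible in the hunk above), and lists the locks whose python-multipart is below 0.0.31. The env names and lock contents built in `demo()` are constructed for the example, and `example-app` is a placeholder package, not a real dependency of these envs.

```python
"""Constructed example (not project code): scan uv.lock files under a tree
and report every one whose pinned python-multipart is older than 0.0.31."""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

PACKAGE = "python-multipart"
FIXED = "0.0.31"  # first release carrying all five fixes listed in this PR

# uv.lock is TOML: each dependency is a [[package]] table whose first keys
# are `name = "..."` and `version = "..."`, exactly as in the hunk above.
_KV = re.compile(r'^(name|version) = "([^"]*)"$')


def version_key(version: str) -> tuple[int, ...]:
    """Numeric comparison key so that '0.0.9' < '0.0.31' (string order gets it wrong)."""
    return tuple(int(part) for part in version.split("."))


def pinned_versions(lock_text: str) -> dict[str, str]:
    """Map package name -> version for every [[package]] table in a uv.lock."""
    versions: dict[str, str] = {}
    in_package = False
    name = version = None
    for raw in lock_text.splitlines():
        line = raw.strip()
        if line.startswith("["):  # any table header ends the current block
            if in_package and name and version:
                versions[name] = version
            in_package = line == "[[package]]"
            name = version = None
            continue
        match = _KV.match(line)
        if match and in_package:
            if match.group(1) == "name" and name is None:
                name = match.group(2)
            elif match.group(1) == "version" and version is None:
                version = match.group(2)
    if in_package and name and version:
        versions[name] = version
    return versions


def find_vulnerable_locks(root: Path, package: str = PACKAGE,
                          fixed: str = FIXED) -> dict[str, str]:
    """Return {lock path relative to root: pinned version} for locks below `fixed`."""
    hits: dict[str, str] = {}
    for lock in sorted(root.rglob("uv.lock")):
        pinned = pinned_versions(lock.read_text(encoding="utf-8")).get(package)
        if pinned is not None and version_key(pinned) < version_key(fixed):
            hits[lock.relative_to(root).as_posix()] = pinned
    return hits


# Constructed lock content in the uv.lock layout; `example-app` is a placeholder.
LOCK_TEMPLATE = """version = 1
revision = 3
requires-python = ">=3.10"

[[package]]
name = "python-multipart"
version = "{version}"
source = {{ registry = "https://pypi.org/simple" }}

[[package]]
name = "example-app"
version = "1.0.0"
source = {{ registry = "https://pypi.org/simple" }}
dependencies = [
    {{ name = "python-multipart" }},
]
"""


def demo() -> dict[str, str]:
    """Build a throwaway tree of constructed env lockfiles and scan it."""
    pins = {"echo_env": "0.0.22", "qed_math_env": "0.0.31", "sumo_rl_env": "0.0.26"}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for env, version in pins.items():
            env_dir = root / "envs" / env
            env_dir.mkdir(parents=True)
            (env_dir / "uv.lock").write_text(LOCK_TEMPLATE.format(version=version),
                                            encoding="utf-8")
        return find_vulnerable_locks(root)


if __name__ == "__main__":
    for path, version in demo().items():
        print(f"{path}: {PACKAGE} {version} < {FIXED}")
```

Point `find_vulnerable_locks(Path("envs"))` at the real repository to reproduce the fleet list; for anything beyond one package and one floor, feed the same `pinned_versions` output to a vulnerability database lookup rather than hard-coding versions.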
