From 74d061e994d4907073e22990ded0a10cb9da8494 Mon Sep 17 00:00:00 2001
From: Greyson LaLonde
Date: Thu, 16 Apr 2026 04:25:35 +0800
Subject: [PATCH] fix: bump python-multipart to 0.0.26 to patch GHSA-mj87-hwqh-73pj

Fixes GHSA-mj87-hwqh-73pj
---
 pyproject.toml | 2 ++
 uv.lock | 9 +++++----
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/pyproject.toml b/pyproject.toml
index 74f2645ca..40fc25cbe 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -172,6 +172,7 @@ exclude-newer = "1 day"
 # cryptography 46.0.6 has CVE-2026-39892; force 46.0.7+.
 # pypdf <6.10.1 has CVE-2026-40260 and GHSA-jj6c-8h6c-hppx; force 6.10.1+.
 # uv <0.11.6 has GHSA-pjjw-68hj-v9mw; force 0.11.6+.
+# python-multipart <0.0.26 has GHSA-mj87-hwqh-73pj; force 0.0.26+.
 override-dependencies = [
 "rich>=13.7.1",
 "onnxruntime<1.24; python_version < '3.11'",
@@ -182,6 +183,7 @@ override-dependencies = [
 "cryptography>=46.0.7",
 "pypdf>=6.10.1,<7",
 "uv>=0.11.6,<1",
+ "python-multipart>=0.0.26,<1",
 ]

 [tool.uv.workspace]
diff --git a/uv.lock b/uv.lock
index ee32d7aaa..4668670fd 100644
--- a/uv.lock
+++ b/uv.lock
@@ -13,7 +13,7 @@ resolution-markers = [
 ]

 [options]
-exclude-newer = "2026-04-14T20:05:08.458275Z"
+exclude-newer = "2026-04-14T20:20:18.36862Z"
 exclude-newer-span = "P1D"

 [manifest]
@@ -29,6 +29,7 @@ overrides = [
 { name = "onnxruntime", marker = "python_full_version < '3.11'", specifier = "<1.24" },
 { name = "pillow", specifier = ">=12.1.1" },
 { name = "pypdf", specifier = ">=6.10.1,<7" },
+ { name = "python-multipart", specifier = ">=0.0.26,<1" },
 { name = "rich", specifier = ">=13.7.1" },
 { name = "transformers", marker = "python_full_version >= '3.10'", specifier = ">=5.4.0" },
 { name = "urllib3", specifier = ">=2.6.3" },
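Review bot: In pyproject.toml, the new `"python-multipart>=0.0.26,<1"` entry in `override-dependencies` (second hunk; the array opens in the first hunk and its middle entries are not shown) constrains resolution only inside this uv workspace. Overrides under `[tool.uv]` are not written into the metadata of built packages, so an install of the released distributions with pip or another resolver can still select a python-multipart below 0.0.26. If a workspace member declares python-multipart, or a framework that pulls it in, in its own `dependencies` (not visible here), consider raising the floor there as well. Otherwise extend the added comment to say so, for example `# Lock-only fix: published package metadata is unaffected by overrides.`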
@@ -6988,11 +6989,11 @@ wheels = [

 [[package]]
 name = "python-multipart"
-version = "0.0.24"
+version = "0.0.26"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/8a/45/e23b5dc14ddb9918ae4a625379506b17b6f8fc56ca1d82db62462f59aea6/python_multipart-0.0.24.tar.gz", hash = "sha256:9574c97e1c026e00bc30340ef7c7d76739512ab4dfd428fec8c330fa6a5cc3c8", size = 37695, upload-time = "2026-04-05T20:49:13.829Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/88/71/b145a380824a960ebd60e1014256dbb7d2253f2316ff2d73dfd8928ec2c3/python_multipart-0.0.26.tar.gz", hash = "sha256:08fadc45918cd615e26846437f50c5d6d23304da32c341f289a617127b081f17", size = 43501, upload-time = "2026-04-10T14:09:59.473Z" }
 wheels = [
- { url = "https://files.pythonhosted.org/packages/a3/73/89930efabd4da63cea44a3f438aeb753d600123570e6d6264e763617a9ce/python_multipart-0.0.24-py3-none-any.whl", hash = "sha256:9b110a98db707df01a53c194f0af075e736a770dc5058089650d70b4a182f950", size = 24420, upload-time = "2026-04-05T20:49:12.555Z" },
+ { url = "https://files.pythonhosted.org/packages/9a/22/f1925cdda983ab66fc8ec6ec8014b959262747e58bdca26a4e3d1da29d56/python_multipart-0.0.26-py3-none-any.whl", hash = "sha256:c0b169f8c4484c13b0dcf2ef0ec3a4adb255c4b7d18d8e420477d2b1dd03f185", size = 28847, upload-time = "2026-04-10T14:09:58.131Z" },
 ]

 [[package]]