deps: bump python-multipart from 0.0.28 to 0.0.31#21
Bumps [python-multipart](https://github.com/Kludex/python-multipart) from 0.0.28 to 0.0.31.
- [Release notes](https://github.com/Kludex/python-multipart/releases)
- [Changelog](https://github.com/Kludex/python-multipart/blob/main/CHANGELOG.md)
- [Commits](Kludex/python-multipart@0.0.28...0.0.31)

---
updated-dependencies:
- dependency-name: python-multipart
  dependency-version: 0.0.31
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
helebest
left a comment
Automated Dependabot Review — APPROVED ✅
Step 1: Code Review
Changes: Only uv.lock was modified (1 file, +3/-17). The lock resolves python-multipart from 0.0.28 → 0.0.31 with updated sdist/wheel hashes; platform wheels for cffi/cryptography are pruned consistently with this workspace's platform set.
Consistency: The description correctly lists the three releases (0.0.29, 0.0.30, 0.0.31) between the old and new versions. Lock hashes match the published python-multipart 0.0.31 wheel on PyPI. ✓
Correctness:
- 0.0.29: Handle malformed RFC 2231 continuations — purely defensive/correctness fix.
- 0.0.30: Parse `application/x-www-form-urlencoded` per the WHATWG URL standard (only `&` as separator, not `;`). This is a behavioral tightening but aligns with the spec; any reliance on `;` as a separator was non-conformant. Ignoring RFC 2231 extended `name*`/`filename*` parameters keeps the plain parameter authoritative per RFC 7578 §4.2.
- 0.0.31: Security hardening — bounds header field name size before validation (prevents resource exhaustion), validates `Content-Length` is non-negative in `parse_form`. These are defensive improvements with no user-visible regression risk.
python-multipart is a transitive dependency pulled in through dikw-core; the plugin layer does not call it directly, so the behavioural change in 0.0.30 does not affect plugin code. ✓
Security: This is a Dependabot security advisory PR. The 0.0.31 hardening (bounded header field name size, non-negative Content-Length check) closes potential DoS/resource exhaustion vectors in multipart parsing. Merging is recommended from a security standpoint. ✓
Test coverage: No functional code changes in this repository; the update is entirely in the lock file. ✓
Step 2: Regression Verification
CI ran the full test matrix on this branch.
Step 3: CI Results — PASSED ✅
| Check | Result |
|---|---|
| test (3.12) | ✅ success |
| test (3.13) | ✅ success |
| analyze | ✅ success |
| CodeQL | ✅ success |
Step 4: Merging
All steps passed. Squash-merging now.
Generated by Claude Code
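The three behaviour changes the review above attributes to 0.0.30 and 0.0.31 (`&`-only field splitting, ignoring RFC 2231 `name*`/`filename*`, and rejecting over-long header names and negative `Content-Length` before parsing) are shown below as an added, self-contained Python example. This is not python-multipart's own code and does not call its API; it re-implements each idea in miniature so a maintainer can check which request shapes change meaning across the upgrade. Assumptions: the sample body and disposition header are constructed, the 256-byte header-name bound is a hypothetical value (the page does not state the library's actual limit), and the simplified options-header splitter does not handle a quoted `;` inside a parameter value.

```python
"""Added illustration of the 0.0.30 / 0.0.31 behaviour changes described in the
review. Not python-multipart's code: each idea is re-implemented in miniature
so it can be exercised against sample input offline."""
from __future__ import annotations

import re
from urllib.parse import unquote_plus

# Assumption: the real library's header-name bound is not stated on this page;
# 256 bytes is a hypothetical limit chosen only for this demonstration.
MAX_HEADER_NAME_LEN = 256

# Constructed sample inputs (not captured traffic).
SAMPLE_BODY = "user=alice;role=admin&note=a%3Bb"
SAMPLE_DISPOSITION = 'form-data; name="upload"; filename="x.txt"; filename*=UTF-8\'\'y.txt'


def parse_urlencoded(body: str, separators: str = "&") -> dict[str, list[str]]:
    """Parse application/x-www-form-urlencoded into name -> [values].

    The WHATWG URL standard (and python-multipart >= 0.0.30) splits fields on
    '&' only. Pass separators="&;" to reproduce the older, permissive
    behaviour and see which clients the tightening affects.
    """
    fields: dict[str, list[str]] = {}
    for pair in re.split("[" + re.escape(separators) + "]", body):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        # Percent-decoding happens after splitting, so an encoded %3B never
        # acts as a separator under either policy.
        fields.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return fields


def parse_options_header(value: str) -> tuple[str, dict[str, str]]:
    """Split a Content-Disposition/Content-Type value into (main, params).

    RFC 2231 extended parameters (name*, filename*) are ignored so the plain
    parameter stays authoritative, as RFC 7578 section 4.2 expects and as
    python-multipart does from 0.0.30. Simplification: a quoted ';' inside a
    parameter value is not handled here.
    """
    main, *params = value.split(";")
    options: dict[str, str] = {}
    for param in params:
        key, sep, raw = param.strip().partition("=")
        if not sep:
            continue
        key = key.strip().lower()
        if key.endswith("*"):
            continue  # RFC 2231 extended form: dropped on purpose
        options[key] = raw.strip().strip('"')
    return main.strip().lower(), options


def check_request_headers(headers: dict[str, str]) -> list[str]:
    """Cheap pre-parse rejections in the spirit of the 0.0.31 hardening.

    Over-long header field names are refused before any other validation, and
    Content-Length must be a non-negative integer before any parse_form-style
    body handling starts. Returns a list of problems (empty means accepted).
    """
    problems: list[str] = []
    content_length = None
    for name, val in headers.items():
        if len(name) > MAX_HEADER_NAME_LEN:
            problems.append(f"header field name too long ({len(name)} bytes)")
            continue
        if name.lower() == "content-length":
            content_length = val
    if content_length is not None:
        try:
            n = int(content_length)
        except ValueError:
            problems.append(f"Content-Length is not an integer: {content_length!r}")
        else:
            if n < 0:
                problems.append(f"Content-Length is negative: {n}")
    return problems


if __name__ == "__main__":
    print(parse_urlencoded(SAMPLE_BODY))        # WHATWG: 'role' never becomes a field
    print(parse_urlencoded(SAMPLE_BODY, "&;"))  # legacy: 'role=admin' is split out
    print(parse_options_header(SAMPLE_DISPOSITION))
    print(check_request_headers({"Content-Length": "-1"}))
```

Running the two `parse_urlencoded` calls side by side is the quickest way to audit whether any client of a service that consumes python-multipart relied on `;`: under the WHATWG rule `role=admin` stays glued to the `user` value instead of becoming its own field, while an encoded `%3B` decodes to a literal `;` under both policies. The header check is deliberately ordered so the length bound runs before anything else is done with the name, which is the point of bounding before validating.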
Bumps python-multipart from 0.0.28 to 0.0.31.
Release notes
Sourced from python-multipart's releases.
Changelog
Sourced from python-multipart's changelog.
Commits
- 4cffc68 Version 0.0.31 (#298)
- c814948 Reject negative `Content-Length` in `parse_form` (#297)
- 6b837d4 Bound header field name size before validating (#296)
- e0c4f9d Bump the github-actions group with 3 updates (#294)
- b8a01bb Bump the python-packages group with 3 updates (#293)
- 6732164 Speed up multipart header parsing and callback dispatch (#295)
- 9d3ead5 Version 0.0.30 (#292)
- 3506c15 Ignore RFC 2231 extended parameters in `parse_options_header` (#291)
- d69df35 Treat only `&` as the urlencoded field separator (#290)
- 1e6ff97 Bump idna from 3.11 to 3.15 (#289)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.