chore(deps): bump python-multipart from 0.0.22 to 0.0.26

[dependabot]

Bumps python-multipart from 0.0.22 to 0.0.26.

Release notes

Sourced from python-multipart's releases.

Version 0.0.26

What's Changed

• Skip preamble before first multipart boundary by @​Kludex in Kludex/python-multipart#262
• Silently discard epilogue data after the closing boundary by @​Kludex in Kludex/python-multipart#259

Full Changelog: Kludex/python-multipart@0.0.25...0.0.26

Version 0.0.25

What's Changed

• Apply Apache-2.0 properly by @​Kludex in Kludex/python-multipart#247
• Handle multipart headers case-insensitively by @​Kludex in Kludex/python-multipart#252
• Emit field_end for trailing bare field names on finalize by @​bysiber in Kludex/python-multipart#230
• Add UPLOAD_DELETE_TMP to FormParser config by @​Kludex in Kludex/python-multipart#254
• Remove custom FormParser classes by @​Kludex in Kludex/python-multipart#257
• Handle CTE values case-insensitively by @​Kludex in Kludex/python-multipart#258
• Add MIME content type info to File by @​jhnstrk in Kludex/python-multipart#143

Full Changelog: Kludex/python-multipart@0.0.24...0.0.25

Version 0.0.24

What's Changed

• Validate chunk_size in parse_form() by @​Kludex in Kludex/python-multipart#244

Full Changelog: Kludex/python-multipart@0.0.23...0.0.24

Version 0.0.23

What's Changed

• Remove unused trust_x_headers parameter and X-File-Name fallback by @​jhnstrk in Kludex/python-multipart#196
• Return processed length from QuerystringParser._internal_write by @​bysiber in Kludex/python-multipart#229
• Cleanup metadata dunders from __init__.py by @​Chesars in Kludex/python-multipart#227

New Contributors

• @​Chesars made their first contribution in Kludex/python-multipart#227
• @​bysiber made their first contribution in Kludex/python-multipart#229

Full Changelog: Kludex/python-multipart@0.0.22...0.0.23

Changelog

Sourced from python-multipart's changelog.

0.0.26 (2026-04-10)

• Skip preamble before the first multipart boundary more efficiently #262.
• Silently discard epilogue data after the closing multipart boundary #259.

0.0.25 (2026-04-10)

• Add MIME content type info to File #143.
• Handle CTE values case-insensitively #258.
• Remove custom FormParser classes #257.
• Add UPLOAD_DELETE_TMP to FormParser config #254.
• Emit field_end for trailing bare field names on finalize #230.
• Handle multipart headers case-insensitively #252.
• Apply Apache-2.0 properly #247.

0.0.24 (2026-04-05)

• Validate chunk_size in parse_form() #244.

0.0.23 (2026-04-05)

• Remove unused trust_x_headers parameter and X-File-Name fallback #196.
• Return processed length from QuerystringParser._internal_write #229.
• Cleanup metadata dunders from __init__.py #227.

Commits

• 28f4785 Version 0.0.26 (#263)
• d4452a7 Silently discard epilogue data after the closing boundary (#259)
• 6a7b76d Skip preamble before first multipart boundary (#262)
• 4addb60 Version 0.0.25 (#261)
• d3a4698 Add MIME content type info to File (#143)
• 9a1ecbd Handle CTE values case-insensitively (#258)
• ef2a0b9 Remove custom FormParser classes (#257)
• 3a757d7 Ignore local Claude state (#255)
• 55e7396 fuzz: Add cifuzz (#186)
• d6d1d11 Bump the github-actions group with 2 updates (#249)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

---

Note

Low Risk
Lockfile-only dependency updates; behavior changes are limited to the updated third-party multipart parsing library.

Overview
Updates the uv.lock pin for python-multipart from 0.0.22 to 0.0.26, refreshing the locked sdist/wheel URLs and hashes accordingly.

Also expands the tree-sitter-c-sharp lock entry with additional prebuilt wheel artifacts (new cp310-abi3 wheels across macOS/Linux/Windows).

^{Reviewed by Cursor Bugbot for commit 2b62adb. Bugbot is set up for automated code reviews on this repo. Configure here.}

[cursor]

Security review result: no high-confidence vulnerabilities found in this PR.

Prioritized findings:

1. No confirmed vulnerabilities introduced

• The change is limited to uv.lock, bumping python-multipart from 0.0.22 to 0.0.26.
• Artifacts remain hash-pinned (sha256) for both sdist/wheel, which preserves lockfile integrity guarantees.

Uncertain concern (validation recommended):

1. Unrelated lockfile churn increases supply-chain review surface

• The diff also adds multiple new tree_sitter_c_sharp==0.23.1 wheel artifacts (same version, new platform builds).
• This is not a confirmed vulnerability, but it should be validated as expected resolver behavior and acceptable under dependency-update policy.

Suggested remediation:

• Keep this update scoped by confirming CI/install paths only consume expected artifacts for target platforms.
• If your policy prefers minimal churn, regenerate lockfiles in a controlled environment or constrain resolver behavior so unrelated platform wheel additions are minimized.

  

_{Sent by Cursor Automation: Find vulnerabilities}