Skip to content

chore(deps): bump python-multipart 0.0.30 → 0.0.31 (CVE-2026-53540)#472

Merged
haksungjang merged 1 commit into
mainfrom
chore/bump-python-multipart
Jul 6, 2026
Merged

chore(deps): bump python-multipart 0.0.30 → 0.0.31 (CVE-2026-53540)#472
haksungjang merged 1 commit into
mainfrom
chore/bump-python-multipart

Conversation

@haksungjang

Copy link
Copy Markdown
Contributor

Backend runtime dependency bump for the Dependabot alert on python-multipart: a negative Content-Length in parse_form buffered the entire request body in memory (LOW severity, DoS). Fixed in 0.0.31.

python-multipart is FastAPI's form/multipart parser — a real shipped runtime dependency, so this is one of the few Dependabot alerts that touch the product runtime (the majority are docs-site build deps, frontend build/transitive deps not in the browser bundle, or the intentionally-vulnerable tests/e2e/golden/fixtures/ scan-test data, which were dismissed as not_used).

Fixes the Dependabot alert on the backend runtime dependency: a negative
Content-Length in parse_form buffered the entire request body in memory (LOW,
DoS). python-multipart is a real FastAPI form-parsing dependency, so this is one
of the few Dependabot alerts on the shipped runtime (most of the rest are docs
build / frontend transitive / intentionally-vulnerable e2e scan fixtures).
@haksungjang haksungjang merged commit 132e460 into main Jul 6, 2026
20 checks passed
@haksungjang haksungjang deleted the chore/bump-python-multipart branch July 6, 2026 00:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant