From 92bd99d77b446fb1121c8e5ecad0ec5283234517 Mon Sep 17 00:00:00 2001
From: pranayom
Date: Wed, 4 Mar 2026 14:06:34 -0500
Subject: [PATCH 1/2] security: bump minimum versions for python-multipart and starlette
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Raise dependency floor to exclude versions with known vulnerabilities:
- python-multipart: >=0.0.9 → >=0.0.22
  - GHSA-wp53-j4wj-2cfg (arbitrary file write via non-default config)
  - GHSA-59g5-xgcq-4qw3 (DoS via malformed multipart boundary)
- starlette (python_version < '3.14'): >=0.27 → >=0.47.2
  - GHSA-2c2j-9gv5-cj73 (DoS parsing large multipart files)
  - GHSA-f96h-pmfr-66vw (DoS via multipart/form-data)

The previous minimum versions allowed pip to resolve to vulnerable releases. Users who pinned or cached older versions within the allowed range were exposed. Bumping the floor ensures all new installations pull patched versions.
---
 pyproject.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pyproject.toml b/pyproject.toml
index 737839a23..c3e352d19 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -30,8 +30,8 @@ dependencies = [
     "httpx-sse>=0.4",
     "pydantic>=2.12.0",
     "starlette>=0.48.0; python_version >= '3.14'",
-    "starlette>=0.27; python_version < '3.14'",
-    "python-multipart>=0.0.9",
+    "starlette>=0.47.2; python_version < '3.14'",
+    "python-multipart>=0.0.22",
     "sse-starlette>=3.0.0",
     "pydantic-settings>=2.5.2",
     "uvicorn>=0.31.1; sys_platform != 'emscripten'",

From a307aae0a13c658bd72e099f85e32b8fafeff65e Mon Sep 17 00:00:00 2001
From: pranayom
Date: Wed, 4 Mar 2026 14:21:33 -0500
Subject: [PATCH 2/2] chore: update uv.lock after dependency version bumps

---
 uv.lock | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/uv.lock b/uv.lock
index d01d510f1..0efa9541b 100644
--- a/uv.lock
+++ b/uv.lock
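Review bot: The two raised floors carry no inline rationale, so the next person touching these constraints has only git history to tell them that `>=0.0.22` and `>=0.47.2` are security floors rather than feature requirements, and nothing stops them from being lowered again in a future "relax pins" change. A trailing TOML comment on each bumped line keeps the advisory IDs where the constraint lives, e.g. `"starlette>=0.47.2; python_version < '3.14'",  # security floor: GHSA-2c2j-9gv5-cj73, GHSA-f96h-pmfr-66vw` and `"python-multipart>=0.0.22",  # security floor: GHSA-wp53-j4wj-2cfg, GHSA-59g5-xgcq-4qw3`. Note that a higher floor only affects fresh resolutions: an environment that already holds an older version inside the previous range stays vulnerable until it is re-resolved, so the message's wording about previously pinned users should be read as covering new installs only; the uv.lock change in the second patch touches only `requires-dist`, which suggests (not confirmed from here) that the locked versions were already at or above the new floors. The `dependencies` array continues outside the hunk.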
@@ -845,11 +845,11 @@ requires-dist = [
     { name = "pydantic-settings", specifier = ">=2.5.2" },
     { name = "pyjwt", extras = ["crypto"], specifier = ">=2.10.1" },
     { name = "python-dotenv", marker = "extra == 'cli'", specifier = ">=1.0.0" },
-    { name = "python-multipart", specifier = ">=0.0.9" },
+    { name = "python-multipart", specifier = ">=0.0.22" },
     { name = "pywin32", marker = "sys_platform == 'win32'", specifier = ">=311" },
     { name = "rich", marker = "extra == 'rich'", specifier = ">=13.9.4" },
     { name = "sse-starlette", specifier = ">=3.0.0" },
-    { name = "starlette", marker = "python_full_version < '3.14'", specifier = ">=0.27" },
+    { name = "starlette", marker = "python_full_version < '3.14'", specifier = ">=0.47.2" },
     { name = "starlette", marker = "python_full_version >= '3.14'", specifier = ">=0.48.0" },
     { name = "typer", marker = "extra == 'cli'", specifier = ">=0.16.0" },
     { name = "typing-extensions", specifier = ">=4.13.0" },