From 332754a809ec14b9164c698fb3eff682b1d9d446 Mon Sep 17 00:00:00 2001 From: "@aaronjmars" <61592645+aaronjmars@users.noreply.github.com> Date: Thu, 21 May 2026 05:59:27 -0400 Subject: [PATCH] fix(security): bump python-multipart 0.0.20 -> 0.0.27 (#332) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Closes three known advisories in python-multipart, all reachable from the FastAPI multipart form-parser used across the API (transcribe_audio, knowledge_base uploads, presigned upload flows): - GHSA-wp53-j4wj-2cfg (HIGH, CWE-22) — arbitrary file write via non-default configuration. Fixed in 0.0.22. - GHSA-pp6c-gr5w-3c5g (HIGH, CWE-400) — DoS via unbounded multipart part headers. Fixed in 0.0.27. - GHSA-mj87-hwqh-73pj (MOD, CWE-400) — DoS via large multipart preamble or epilogue. Fixed in 0.0.26. 0.0.27 is a patch-level bump within the same 0.0.x line, no API changes; fastapi==0.135.3 only requires python-multipart>=0.0.7 so the upper bound is unaffected. Detected by Aeon + osv-scanner. Co-authored-by: aeonframework --- api/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/api/requirements.txt b/api/requirements.txt index d96083e..844738d 100644 --- a/api/requirements.txt +++ b/api/requirements.txt @@ -9,7 +9,7 @@ arq==0.26.3 twilio==9.8.0 minio==7.2.16 alembic-postgresql-enum==1.8.0 -python-multipart==0.0.20 +python-multipart==0.0.27 sentry-sdk[fastapi]==2.38.0 sqlalchemy[asyncio]==2.0.43 msgpack==1.1.2
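Review bot: the pin change in the `api/requirements.txt` hunk is correct and minimal, but it only moves the declared version; the installed `python-multipart` is what actually closes the three advisories, so confirm that any image build or lock step that consumes this file is regenerated and redeployed, otherwise the running services remain on 0.0.20. The message asserts "no API changes" across 0.0.20 -> 0.0.27, which is seven releases; please re-exercise the multipart paths named in the description (transcribe_audio, knowledge_base uploads, presigned upload flows) against 0.0.27 before merge, and since the fix was found by osv-scanner, consider running it in CI so a downgrade of this pin fails the build rather than relying on a later manual scan.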