Closes three known advisories in python-multipart, all reachable
from the FastAPI multipart form-parser used across the API
(transcribe_audio, knowledge_base uploads, presigned upload flows):
- GHSA-wp53-j4wj-2cfg (HIGH, CWE-22) — arbitrary file write via
non-default configuration. Fixed in 0.0.22.
- GHSA-pp6c-gr5w-3c5g (HIGH, CWE-400) — DoS via unbounded multipart
part headers. Fixed in 0.0.27.
- GHSA-mj87-hwqh-73pj (MOD, CWE-400) — DoS via large multipart
preamble or epilogue. Fixed in 0.0.26.
0.0.27 is a patch-level bump within the same 0.0.x line, no API
changes; fastapi==0.135.3 only requires python-multipart>=0.0.7 so
the upper bound is unaffected.
Detected by Aeon + osv-scanner.
Co-authored-by: aeonframework <aeon@aaronjmars.com>
* Add tuner integration
* bump pipecat version
* chore: update pipecat submodule to match upstream and use tuner-pipecat-sdk 0.2.0
Update pipecat submodule from 0.0.109.dev23 to 13e98d0d9 (the exact commit
upstream dograh-hq/dograh uses after v1.30.1). This installs pipecat-ai as
1.1.0.post277 via setuptools_scm, satisfying tuner-pipecat-sdk 0.2.0's
pipecat-ai>=1.0.0 requirement.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* wire tuner
* feat: refactor integrations into self contained packages
* chore: simplify ensure_public_access_token
* fix: remove NodeSpec and make DTOs the source of truth
* feat: send relevant signal to mcp using to_mcp_dict
* fix: fix tests
* cleanup: remove nango integrations
* feat: add agents.md for integrations
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Abhishek Kumar <abhishek@a6k.me>
