Bump python-multipart from 0.0.26 to 0.0.27 #57

Merged: Iridium123 merged 1 commit into main from dependabot/uv/python-multipart-0.0.27 on May 23, 2026

Conversation

@dependabot (bot, Contributor) commented on behalf of github on May 8, 2026

Bumps python-multipart from 0.0.26 to 0.0.27.

Release notes

Sourced from python-multipart's releases.

0.0.27

What's Changed

Full Changelog: Kludex/python-multipart@0.0.26...0.0.27

Changelog

Sourced from python-multipart's changelog.

0.0.27 (2026-04-27)

  • Add multipart header limits #267.
  • Pass parse offsets via constructors #268.
Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Bumps [python-multipart](https://github.com/Kludex/python-multipart) from 0.0.26 to 0.0.27.
- [Release notes](https://github.com/Kludex/python-multipart/releases)
- [Changelog](https://github.com/Kludex/python-multipart/blob/main/CHANGELOG.md)
- [Commits](Kludex/python-multipart@0.0.26...0.0.27)

---
updated-dependencies:
- dependency-name: python-multipart
  dependency-version: 0.0.27
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot (bot) added the dependencies and python:uv labels on May 8, 2026

@claude (bot) commented on May 8, 2026

Claude encountered an error.


I'll analyze this and get back to you.

@claude (bot) commented on May 23, 2026

Claude finished @dependabot[bot]'s task in 55s.


PR Review: Bump python-multipart 0.0.26 → 0.0.27

  • Gather context on the dependency change
  • Review changed files
  • Analyze security/compatibility implications
  • Post final review

Summary: This is a safe, beneficial dependency bump. Here's the breakdown:

What changed in 0.0.27

| Change | Impact |
| --- | --- |
| Add multipart header limits (#267) | Security hardening — limits the size of multipart headers, reducing DoS surface |
| Pass parse offsets via constructors (#268) | Internal API refactor, no user-facing impact |

Usage in this repo

python-multipart is used indirectly via FastAPI's Form(...) parameter type, which appears in:

  • web/routes/feeds.py — feed edit/add form submissions (token: str = Form(""), config YAML fields)
  • web/routes/defaults.py — global defaults form submissions

There are no direct imports of python-multipart in the codebase; it's pulled in automatically by FastAPI when form data handling is needed.

File changes

  • pyproject.toml: Lower bound bumped from >=0.0.26 to >=0.0.27 — appropriate for a patch that includes security fixes
  • uv.lock: Hashes and URLs updated correctly; sdist and wheel both verified

Assessment

This is a patch-level bump with a net security benefit. The multipart header limits added in 0.0.27 protect the web UI's form endpoints against malformed or oversized multipart requests. No breaking changes are expected — the FastAPI Form API is unaffected by either change in this release.

The test suite in tests/test_web.py exercises form POST submissions (feed add, preview, confirm, defaults editing), so CI passing would validate compatibility. The Dependabot compatibility score is also green.

Recommendation: merge.

@Iridium123 Iridium123 merged commit ad7b205 into main May 23, 2026
6 of 7 checks passed
@Iridium123 Iridium123 deleted the dependabot/uv/python-multipart-0.0.27 branch May 23, 2026 03:45
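
What a per-part header limit guards against, as an added illustration that is not part of this PR and is not python-multipart's code: a minimal part-header parser that caps both the number of headers and the length of each header line. The function name, the exception class and the limit values are hypothetical.

```python
# Added illustration; not python-multipart's implementation.
# MAX_HEADER_COUNT and MAX_HEADER_SIZE are hypothetical values.
MAX_HEADER_COUNT = 8
MAX_HEADER_SIZE = 4096  # bytes per header line, excluding CRLF


class HeaderLimitExceeded(ValueError):
    """Raised when a part's header block exceeds a configured limit."""


def parse_part_headers(data, max_count=MAX_HEADER_COUNT, max_size=MAX_HEADER_SIZE):
    """Parse one part's header block; return (headers, body_offset).

    headers is a list of (name, value) pairs, so repeated names still
    count toward max_count.
    """
    headers = []
    pos = 0
    while True:
        # Search only inside the allowed window, so an unterminated line
        # costs at most max_size + 2 bytes of scanning.
        end = data.find(b"\r\n", pos, pos + max_size + 2)
        if end == -1:
            if len(data) - pos >= max_size + 2:
                raise HeaderLimitExceeded(f"header line longer than {max_size} bytes")
            raise ValueError("incomplete header block")
        if end == pos:  # blank line: end of the header block
            return headers, end + 2
        if len(headers) >= max_count:
            raise HeaderLimitExceeded(f"more than {max_count} headers in one part")
        name, sep, value = data[pos:end].partition(b":")
        if not sep or not name.strip():
            raise ValueError("malformed header line")
        headers.append((name.strip().lower().decode("latin-1"),
                        value.strip().decode("latin-1")))
        pos = end + 2


# Constructed sample inputs (not captured traffic).
NORMAL_PART = (b'Content-Disposition: form-data; name="token"\r\n'
               b"Content-Type: text/plain\r\n\r\nsecret")
MANY_HEADERS = b"X-Pad: a\r\n" * 1000 + b"\r\n"
HUGE_HEADER = b"X-Pad: " + b"a" * 1_000_000 + b"\r\n\r\n"
```

Without the two caps, the parser would buffer and store every header in `MANY_HEADERS` and scan the full megabyte of `HUGE_HEADER` before rejecting anything; with them, both inputs fail after a bounded amount of work.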