security(deps): bump python-multipart from 0.0.26 to 0.0.27 in /data-management/viewer/backend #611

Closed

dependabot[bot] wants to merge 1 commit into main from dependabot/uv/data-management/viewer/backend/python-multipart-0.0.27

Conversation


@dependabot dependabot Bot commented on behalf of github May 4, 2026

Bumps python-multipart from 0.0.26 to 0.0.27.

Release notes

Sourced from python-multipart's releases.

0.0.27

What's Changed

Full Changelog: Kludex/python-multipart@0.0.26...0.0.27

Changelog

Sourced from python-multipart's changelog.

0.0.27 (2026-04-27)

  • Add multipart header limits #267.
  • Pass parse offsets via constructors #268.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [python-multipart](https://github.com/Kludex/python-multipart) from 0.0.26 to 0.0.27.
- [Release notes](https://github.com/Kludex/python-multipart/releases)
- [Changelog](https://github.com/Kludex/python-multipart/blob/main/CHANGELOG.md)
- [Commits](Kludex/python-multipart@0.0.26...0.0.27)

---
updated-dependencies:
- dependency-name: python-multipart
  dependency-version: 0.0.27
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dataviewer dependencies Dependency version updates python Pull requests that update python code labels May 4, 2026
@dependabot dependabot Bot requested a review from a team as a code owner May 4, 2026 22:37

github-actions Bot commented May 4, 2026

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 1 package(s) with unknown licenses.
See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA cdb870b.
Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

License Issues

data-management/viewer/backend/uv.lock

Package           Version  License  Issue Type
python-multipart  0.0.27   Null     Unknown License

OpenSSF Scorecard

Package               Version  Score    Details
pip/python-multipart  0.0.27   Unknown  Unknown

Scanned Files

  • data-management/viewer/backend/uv.lock

codecov-commenter commented May 4, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 67.70%. Comparing base (6141db4) to head (cdb870b).

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #611      +/-   ##
==========================================
+ Coverage   65.16%   67.70%   +2.53%     
==========================================
  Files         251      263      +12     
  Lines       15597    16827    +1230     
  Branches     2152     2290     +138     
==========================================
+ Hits        10164    11392    +1228     
  Misses       5142     5142              
- Partials      291      293       +2     
Flag                  Coverage  Δ        Carryforward flag*
pester                83.13%    <ø> (ø)  Carriedforward from 6141db4
pytest-data-pipeline  100.00%   <ø> (ø)  Carriedforward from 6141db4
pytest-dataviewer     66.92%    <ø> (ø)
pytest-dm-tools       100.00%   <ø> (ø)  Carriedforward from 6141db4
pytest-evaluation     99.83%    <ø> (?)
pytest-fuzz           4.90%     <ø> (ø)  Carriedforward from 6141db4
pytest-inference      0.00%     <ø> (ø)  Carriedforward from 6141db4
pytest-training       82.14%    <ø> (ø)  Carriedforward from 6141db4
vitest                53.02%    <ø> (ø)  Carriedforward from 6141db4

*This pull request uses carry forward flags.
see 12 files with indirect coverage changes


@github-actions github-actions Bot changed the title chore(deps): bump python-multipart from 0.0.26 to 0.0.27 in /data-management/viewer/backend security(deps): bump python-multipart from 0.0.26 to 0.0.27 in /data-management/viewer/backend May 4, 2026
@github-actions github-actions Bot left a comment

Advisory Review Summary

  • Ecosystem / surface: uv (PyPI) — python-runtime (dataviewer) under data-management/viewer/backend/
  • Lockfile change: uv.lock updated alongside pyproject.toml (not a transitive-only pin)
Package           From    To      Severity              Surface
python-multipart  0.0.26  0.0.27  None (bump post-fix)  python-runtime (dataviewer)

python-multipart

Advisory context (resolved before this PR):

  • GHSA-mj87-hwqh-73pj (CVE-2026-40347) — Denial of Service via large multipart preamble or epilogue data. CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (MODERATE, CWE-400/CWE-834). Fixed in 0.0.26. Source: GitHub Advisory Database.
  • GHSA-wp53-j4wj-2cfg (CVE-2026-24486) — Arbitrary file write via non-default configuration (UPLOAD_DIR + UPLOAD_KEEP_FILENAME=True). CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L (HIGH, CWE-22). Fixed in 0.0.22. The dataviewer backend does not configure UPLOAD_DIR or UPLOAD_KEEP_FILENAME=True, so this is not exploitable in this codebase. Source: GitHub Advisory Database.

Both advisories are fixed in versions prior to the starting point (0.0.26). This PR moves to 0.0.27, which adds further hardening.

Release notes for 0.0.27 (full changelog):

  • Add multipart header limits (#267)
  • Pass parse offsets via constructors (#268)

"Add multipart header limits" is a proactive security hardening change — it bounds header count/size during multipart parsing, reducing the remaining DoS attack surface.

Repo-specific risk notes:

  • Minor bump (0.0.26 → 0.0.27); no breaking API changes.
  • No ABI-sensitive packages touched.
  • No Isaac Sim / CUDA / numpy ABI concerns.
  • Backend uses python-multipart as a FastAPI transitive dependency for form parsing; no direct use of vulnerable configuration options.

Validation Signal

Deterministic CI: PR_VALIDATION_CONCLUSION = in_progress:queued (run)

⚠️ Deterministic CI conclusion not yet available; verdict is advisory only.

Per-surface check runs already completed for python-runtime (dataviewer):

Check                                     Conclusion
Dataviewer Backend Pytest                 ✅ success
Python Lint / Ruff Lint and Format Check  ✅ success
Dataviewer Frontend Tests                 ⬛ skipped (no frontend change)

Static impact reasoning: No ABI-sensitive packages are involved; the bump is minor and the new version adds header-limit hardening. No peer-dep or lockfile-only flag applies — both pyproject.toml and uv.lock are updated in lockstep.


Advisory verdict: COMMENT — CI is still queued; per-surface checks that have completed are green, and no advisory or static risk concern is outstanding. Safe to merge once the orchestrator concludes successfully.

Generated by AW Dependabot PR Review for issue #611
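The advisory summary above describes the 0.0.27 change as bounding header count and size during multipart parsing, and the earlier advisory as a denial of service through oversized preamble or epilogue data. The following is an added example, not code from python-multipart, FastAPI or the dataviewer backend, showing what such bounds look like when enforced correctly: each client-controlled length (preamble, header line, header count, header block) is capped before the data is buffered, and the delimiter search itself is confined to the permitted window. The limit names, default values, boundary string and sample bodies are all assumptions constructed for the example, not the library's parameters.

```python
"""Bounded parsing of a multipart part's header block.

Added example, not code from python-multipart or the dataviewer backend. It
shows the kind of hardening the release note "Add multipart header limits"
refers to: every client-controlled length in the preamble and header block gets
an explicit cap, enforced before the data is buffered. Limit names and defaults
are assumptions made for this example, not the library's parameters.
"""
from dataclasses import dataclass


class MultipartLimitExceeded(ValueError):
    """A client-controlled quantity crossed a configured bound."""


@dataclass(frozen=True)
class HeaderLimits:
    # Assumed defaults for the example; a real deployment tunes these.
    max_preamble_bytes: int = 4096        # bytes allowed before the first delimiter
    max_header_line_bytes: int = 8192     # one "Name: value" line, excluding CRLF
    max_header_count: int = 32            # headers per part
    max_headers_total_bytes: int = 16384  # whole header block of one part


def parse_part_headers(body: bytes, boundary: bytes,
                       limits: HeaderLimits = HeaderLimits()) -> tuple[dict[str, str], int]:
    """Parse the preamble and the first part's headers.

    Returns (headers, offset) with offset pointing at the part's first content
    byte. Raises MultipartLimitExceeded as soon as a bound is crossed, so the
    caller never has to hold the rest of an abusive body in memory.
    """
    delimiter = b"--" + boundary
    # Preamble: search only inside the permitted window. A parser that scans the
    # whole body for the delimiter and checks the length afterwards has already
    # done the attacker's work for them.
    start = body.find(delimiter, 0, limits.max_preamble_bytes + len(delimiter))
    if start == -1:
        raise MultipartLimitExceeded(
            f"no delimiter within {limits.max_preamble_bytes} bytes of preamble")
    pos = start + len(delimiter)
    if body.startswith(b"--", pos):
        raise ValueError("closing delimiter before any part")
    if not body.startswith(b"\r\n", pos):
        raise ValueError("delimiter not followed by CRLF")
    pos += 2

    headers: dict[str, str] = {}
    total = 0
    while True:
        # Look for the end of the line only inside the per-line budget.
        end = body.find(b"\r\n", pos, pos + limits.max_header_line_bytes + 2)
        if end == -1:
            raise MultipartLimitExceeded(
                f"header line longer than {limits.max_header_line_bytes} bytes")
        line = body[pos:end]
        pos = end + 2
        if line == b"":  # blank line ends the header block
            return headers, pos
        if len(headers) >= limits.max_header_count:
            raise MultipartLimitExceeded(f"more than {limits.max_header_count} headers")
        total += len(line) + 2
        if total > limits.max_headers_total_bytes:
            raise MultipartLimitExceeded(
                f"header block larger than {limits.max_headers_total_bytes} bytes")
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise ValueError(f"malformed header line: {line[:40]!r}")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")


def is_rejected(body: bytes, boundary: bytes, limits: HeaderLimits = HeaderLimits()) -> bool:
    """True if the parser refuses `body` because of a limit (not a syntax error)."""
    try:
        parse_part_headers(body, boundary, limits)
    except MultipartLimitExceeded:
        return True
    return False


# Constructed sample bodies (not captured traffic).
BOUNDARY = b"----ExampleBoundary7MA4YWxk"


def build_body(headers: list[tuple[bytes, bytes]], content: bytes,
               preamble: bytes = b"", boundary: bytes = BOUNDARY) -> bytes:
    """Assemble a single-part multipart/form-data body."""
    lines = [preamble + b"--" + boundary]
    lines += [name + b": " + value for name, value in headers]
    lines += [b"", content, b"--" + boundary + b"--", b""]
    return b"\r\n".join(lines)


BENIGN = build_body(
    [(b"Content-Disposition", b'form-data; name="file"; filename="report.csv"'),
     (b"Content-Type", b"text/csv")],
    b"id,value\r\n1,42\r\n",
)
ABUSIVE = {
    "huge preamble": build_body([], b"", preamble=b"A" * 100_000),
    "header flood": build_body([(b"X-Pad-%d" % i, b"x") for i in range(1000)], b""),
    "oversized header line": build_body([(b"X-Long", b"v" * 100_000)], b""),
}

if __name__ == "__main__":
    hdrs, offset = parse_part_headers(BENIGN, BOUNDARY)
    print(hdrs, BENIGN[offset:offset + 8])
    for label, body in ABUSIVE.items():
        print(f"{label}: rejected={is_rejected(body, BOUNDARY)}")
```

The point worth checking in any parser that advertises limits is where the limit is enforced: the preamble cap is only useful if the delimiter search stops at the cap, and the per-line cap is only useful if the CRLF search stops at the cap, otherwise the parser still reads the whole attacker-supplied block before deciding to reject it.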

"uvicorn[standard]==0.46.0",
"pydantic==2.13.3",
"python-multipart==0.0.26",
"python-multipart==0.0.27",
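Review bot: this hunk pins python-multipart directly in pyproject.toml ("python-multipart==0.0.26" to "python-multipart==0.0.27", recorded in the commit metadata as dependency-type: direct:production), so the advisory summary's description of it as "a FastAPI transitive dependency" is inaccurate; the backend owns this pin and should track python-multipart advisories on its own rather than relying on FastAPI's dependency range. Because the pin is exact, confirm that uv.lock resolves the same 0.0.27 (the summary states both files move in lockstep), otherwise the runtime would not receive the header-limit hardening this bump is for.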
Contributor


python-multipart 0.0.26 → 0.0.27 — minor bump; no breaking changes.

Two resolved advisories predate this version and are already patched in 0.0.26:

0.0.27 adds multipart header limits (#267) as additional hardening — a net security improvement over 0.0.26.

dependabot Bot commented on behalf of github May 5, 2026

Looks like python-multipart is up-to-date now, so this is no longer needed.

@dependabot dependabot Bot closed this May 5, 2026
@dependabot dependabot Bot deleted the dependabot/uv/data-management/viewer/backend/python-multipart-0.0.27 branch May 5, 2026 03:54