security: Bump urllib3 to 2.7.0 and python-multipart to 0.0.28 (3 high-sev Dependabot alerts)#221
Merged
GHSA-qccp-gfcp-xxvc: urllib3 prior to 2.7.0 forwards sensitive headers (Authorization, Cookie, Proxy-Authorization) across origins when following redirects via the low-level ProxyManager.connection_from_url().urlopen() API. Pin urllib3>=2.7.0 directly in pyproject.toml so the constraint survives future resolutions even though it only enters via transitive deps (docker, requests). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Previous commit regenerated the lock with --exclude-newer, which embedded [options] exclude-newer in the lockfile. CI runs uv sync --all-extras --locked without that flag, and uv rejected the lock as modified (same failure mode previously hit in mcp_kafka #43). Regenerated with UV_EXCLUDE_NEWER unset. Package versions unchanged (urllib3 2.7.0). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…3c5g) GHSA-pp6c-gr5w-3c5g (high): unbounded part-header parsing in python-multipart allows a DoS via crafted multipart bodies. Fixed in 0.0.27. Also update the urllib3 pin comment to call out GHSA-mf9v-mfxr-j63j (decompression-bomb safeguard bypass), which is also fixed by the 2.7.0 bump this PR already makes. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
🧪 Test Results for
| Test Suite | Status | Passed | Failed | Skipped | Duration |
|---|---|---|---|---|---|
| Unit Tests - Python 3.13 | ✅ | 966 | 0 | 0 | 15s |
| Unit Tests - Python 3.12 | ✅ | 966 | 0 | 0 | 15s |
| Unit Tests - Python 3.11 | ✅ | 966 | 0 | 0 | 14s |
| Unit Tests - Python 3.14 | ✅ | 966 | 0 | 0 | 15s |
| E2E | ✅ | 29 | 0 | 0 | 41s |
| Integration | ✅ | 5 | 0 | 0 | 0s |
| Total | ✅ | 3898 | 0 | 0 | - |
📊 Coverage
Coverage reports are available in the workflow artifacts.
Codecov Report: ✅ All modified and coverable lines are covered by tests.
Resolves all 3 open high-severity Dependabot alerts on main.

Summary

- urllib3 2.6.3 → 2.7.0 — fixes two advisories at once: GHSA-mf9v-mfxr-j63j (decompression-bomb safeguard bypass) and GHSA-qccp-gfcp-xxvc (sensitive headers (Authorization, Cookie, Proxy-Authorization) forwarded across origins in proxied low-level redirects via ProxyManager.connection_from_url().urlopen()).
- python-multipart 0.0.26 → 0.0.28 — fixes GHSA-pp6c-gr5w-3c5g: unbounded multipart part-header parsing → DoS. (0.0.27 is the patched line; 0.0.28 is the latest stable.)
- Both floors are pinned directly in pyproject.toml alongside the existing CVE-driven pins, to prevent future re-resolution from regressing the versions.
- Lockfile regenerated without --exclude-newer to keep CI's uv sync --locked happy (same fix pattern as security: Bump authlib and python-multipart for Dependabot alerts, mcp_kafka#43).

Test plan

- uv sync --all-extras --locked succeeds across Python 3.11 – 3.14