rusackas opened a new pull request, #40534: URL: https://github.com/apache/superset/pull/40534
### SUMMARY Bumps `python-multipart` from 0.0.20 to 0.0.29 in `requirements/development.txt`. **Vulnerability context:** CVE path traversal (fixed in 0.0.22) — when `UPLOAD_KEEP_FILENAME=True` and `UPLOAD_DIR` is set, an attacker could supply an absolute filename to escape the upload directory via `os.path.join(UPLOAD_DIR, filename)`. **Superset is not directly exposed:** - `python-multipart` is a development dependency pulled in transitively via `mcp`, not a runtime dependency - Superset uses Werkzeug's own multipart parser at runtime (not python-multipart) - Superset does not configure `UPLOAD_KEEP_FILENAME=True` This bump is a precautionary alignment with the patched release. ### TESTING INSTRUCTIONS - [ ] CI passes (no runtime behavior changes) ### ADDITIONAL INFORMATION - [ ] Has associated issue: n/a - [ ] Required feature flags: n/a - [ ] Changes UI: No - [ ] Includes DB Migration: No - [ ] Introduces new feature or API: No - [ ] Removes existing feature or API: No 🤖 Generated with [Claude Code](https://claude.com/claude-code) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
