fix: remediate CVEs for unstructured-api#571
Conversation
…urity] - starlette 0.41.2 -> 1.0.0: fixes CVE-2025-54121 (MEDIUM), CVE-2025-62727 (HIGH) - python-multipart 0.0.22 -> 0.0.27: fixes CVE-2026-40347 (MEDIUM) - Remove starlette==0.41.2 constraint pin (only CORS middleware used, no breakage) - Bump service version 0.1.5 -> 0.1.6 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit ddaeefc. Configure here.
| # Constraints for transitive dependencies that need pinning for functional reasons | ||
| constraint-dependencies = [ | ||
| # later versions of Starlette break middleware | ||
| "starlette==0.41.2", |
There was a problem hiding this comment.
Monkey-patched _get_form missing max_part_size parameter from starlette 1.0.0
High Severity
Removing the starlette==0.41.2 constraint allows upgrade to starlette 1.0.0, but prepline_general/api/app.py monkey-patches Request._get_form with a signature that only accepts max_files and max_fields. Starlette 0.44.0 (PR #2815, Dec 2024) added max_part_size to _get_form's signature, and form() forwards it. At runtime, starlette 1.0.0's form() will call _get_form(max_files=..., max_fields=..., max_part_size=...), causing a TypeError on the patched version. This breaks all multipart form uploads — the API's core functionality.
Reviewed by Cursor Bugbot for commit ddaeefc. Configure here.
There was a problem hiding this comment.
resolved below
The lockfile was resolving all packages from the Azure DevOps private feed, which requires authentication. CI lacks Azure credentials, causing lint failures (401 Unauthorized on mypy-extensions download). Add explicit PyPI index as default in pyproject.toml and regenerate the lockfile so all public packages resolve from PyPI. The Azure feed remains available via the uv-wrapper for local development when private packages are needed. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Starlette 1.0.0 added max_part_size to _get_form's signature and form() forwards it. Without this parameter, the monkey-patch raises TypeError on all multipart form uploads. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2 participants
Summary
starlette==0.41.2constraint pin from[tool.uv]— the only middleware in this repo is FastAPI's built-in CORS middleware, which is compatible with starlette 1.0.0.Test plan
uv sync --lockedsucceeds (lockfile is consistent)make check-srcpasses (ruff format, ruff check, mypy)🤖 Generated with Claude Code
Note
Medium Risk
Primarily dependency/version changes, but removing the
starlette==0.41.2constraint can introduce runtime incompatibilities due to a major Starlette upgrade affecting FastAPI/middleware behavior.Overview
Updates the service to
0.1.6and documents a new security release inCHANGELOG.md.Removes the
starlette==0.41.2constraint frompyproject.toml(allowing Starlette to upgrade to remediate CVE-2025-54121 and CVE-2025-62727) and bumpspython-multipartto a non-vulnerable release to address CVE-2026-40347.Reviewed by Cursor Bugbot for commit ddaeefc. Bugbot is set up for automated code reviews on this repo. Configure here.