build(deps): unpin and upgrade python-multipart (#10110)

Commit febbed6db1 ("Pin multipart version to fix issues with yanking
(#9834)") pinned this because of issues with `micropip` yanking
versions. However, doing so blocks users of `gradio` from being able to
resolve important security vulnerabilities (see [[1]] as an example).

This updates `python-multipart` to the patched version, as well as unpins
it to prevent the need for `gradio` to cut new releases every time a
`python-multipart` vulnerability is found.

[1]: https://github.com/advisories/GHSA-59g5-xgcq-4qw3

Signed-off-by: Luke Hsiao <luke.hsiao@numbersstation.ai>
This commit is contained in:
Luke Hsiao 2024-12-03 17:11:24 -07:00 committed by GitHub
parent e450674ce4
commit f1718c4713
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 3 additions and 3 deletions

View File

@ -632,7 +632,7 @@ class GradioMultiPartParser:
raise MultiPartException("Missing boundary in multipart.") from e raise MultiPartException("Missing boundary in multipart.") from e
# Callbacks dictionary. # Callbacks dictionary.
callbacks: multipart.multipart.MultipartCallbacks = { callbacks = {
"on_part_begin": self.on_part_begin, "on_part_begin": self.on_part_begin,
"on_part_data": self.on_part_data, "on_part_data": self.on_part_data,
"on_part_end": self.on_part_end, "on_part_end": self.on_part_end,
@ -644,7 +644,7 @@ class GradioMultiPartParser:
} }
# Create the parser. # Create the parser.
parser = multipart.MultipartParser(boundary, callbacks) parser = multipart.MultipartParser(boundary, callbacks) # type: ignore
try: try:
# Feed the parser with data from the request. # Feed the parser with data from the request.
async for chunk in self.stream: async for chunk in self.stream:

View File

@ -14,7 +14,7 @@ packaging
pandas>=1.0,<3.0 pandas>=1.0,<3.0
pillow>=8.0,<12.0 pillow>=8.0,<12.0
pydantic>=2.0 pydantic>=2.0
python-multipart==0.0.12 # required for fastapi forms. pinning to avoid yanking issues with micropip. python-multipart>=0.0.18 # required for fastapi forms.
pydub pydub
pyyaml>=5.0,<7.0 pyyaml>=5.0,<7.0
ruff>=0.2.2; sys.platform != 'emscripten' ruff>=0.2.2; sys.platform != 'emscripten'