From d26d937fb1507fa9a2dbaa8d0d332e8a583ab300 Mon Sep 17 00:00:00 2001
From: aitbc
Date: Sat, 9 May 2026 20:55:36 +0200
Subject: [PATCH] security: update python-multipart and starlette to fix high-severity vulnerabilities

- Updated python-multipart from >=0.0.24 to >=0.0.27 (fixes 3 DoS alerts)
- Updated starlette from >=0.27.0 to >=0.49.1 (fixes 1 O(n^2) DoS alert)
- Updated in requirements.txt, pyproject.toml, coordinator-api requirements, aitbc-core
This addresses 4 of the 11 high-severity security vulnerabilities reported by GitHub Dependabot.

---
 .../src/app/services/multi_language/requirements.txt | 2 +-
 packages/py/aitbc-core/pyproject.toml | 2 +-
 pyproject.toml | 4 ++--
 requirements.txt | 4 ++--
 4 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/apps/coordinator-api/src/app/services/multi_language/requirements.txt b/apps/coordinator-api/src/app/services/multi_language/requirements.txt
index d71fd4a1..9ee4de6d 100644
--- a/apps/coordinator-api/src/app/services/multi_language/requirements.txt
+++ b/apps/coordinator-api/src/app/services/multi_language/requirements.txt
@@ -7,7 +7,7 @@ Dependencies and requirements for multi-language support
 fastapi>=0.104.0
 uvicorn[standard]>=0.24.0
 pydantic>=2.5.0
-python-multipart>=0.0.25
+python-multipart>=0.0.27
 
 # Translation providers
 openai>=1.3.0
diff --git a/packages/py/aitbc-core/pyproject.toml b/packages/py/aitbc-core/pyproject.toml
index fa822e9d..bba4f1f8 100644
--- a/packages/py/aitbc-core/pyproject.toml
+++ b/packages/py/aitbc-core/pyproject.toml
@@ -15,7 +15,7 @@ dependencies = [
     "redis>=5.0.0",
     "pydantic>=2.5.0",
     "structlog>=23.0.0",
-    "starlette>=0.27.0",
+    "starlette>=0.49.1",
 ]
 
 [build-system]
diff --git a/pyproject.toml b/pyproject.toml
index 0cc68141..1fb326aa 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -12,7 +12,7 @@ python = ">=3.13,<3.14"
 fastapi = ">=0.115.6"
 uvicorn = {extras = ["standard"], version = ">=0.34.0"}
 gunicorn = ">=23.0.0"
-starlette = ">=0.41.0"
+starlette = ">=0.49.1"
 # Database & ORM
 sqlalchemy = {extras = ["asyncio"], version = ">=2.0.49"}
 sqlmodel = ">=0.0.38"
@@ -57,7 +57,7 @@ keyring = ">=25.7.0"
 # JSON & Serialization
 orjson = ">=3.11.0"
 msgpack = ">=1.1.2"
-python-multipart = ">=0.0.24"
+python-multipart = ">=0.0.27"
 # Logging & Monitoring
 structlog = ">=25.1.0"
 sentry-sdk = ">=2.20.0"
diff --git a/requirements.txt b/requirements.txt
index 69c63033..6003f3db 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -19,7 +19,7 @@
 fastapi>=0.115.6
 uvicorn[standard]>=0.34.0
 gunicorn>=23.0.0
-starlette>=0.27.0
+starlette>=0.49.1
 
 # Database & ORM
 sqlalchemy>=2.0.49
@@ -88,7 +88,7 @@ keyring>=25.7.0
 # JSON & Serialization
 orjson>=3.11.0
 msgpack>=1.1.2
-python-multipart>=0.0.24
+python-multipart>=0.0.27
 
 # Logging & Monitoring
 structlog>=25.1.0
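Review bot: Raising the `>=` floors in the two pyproject.toml hunks (@@ -12 and @@ -57) and in packages/py/aitbc-core/pyproject.toml does not by itself change what gets installed: a resolver that honours a lock file keeps the previously resolved starlette and python-multipart until the lock is regenerated, and the diffstat lists no lock file in this commit, so the Dependabot alerts the message cites will likely stay open. The root pyproject.toml uses Poetry-style `{extras = [...], version = ...}` specs, so the lock should be regenerated in the same commit (and requirements.txt re-pinned if it is produced from it) for the fix to be verifiable. The commit message says starlette moved from `>=0.27.0`, but the root pyproject.toml hunk shows its old floor was `>=0.41.0`; only requirements.txt and aitbc-core were at 0.27.0. Because fastapi pins an upper bound on starlette, the resolver must also be able to pick a fastapi release that accepts starlette >=0.49.1, so confirming the resolved fastapi/starlette pair in CI would catch a conflict with `fastapi = ">=0.115.6"`. A trailing comment such as `starlette = ">=0.49.1"  # floor from Dependabot alert <ALERT-ID>; regenerate the lock when changing` records why the floor is there.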