chore: bump vulnerable dependencies

[johnnygreco]

📋 Summary

Bumps vulnerable dependency versions reported by the attached scanner CSV. This keeps the published package metadata and lockfile aligned so future resolves cannot select the affected urllib3 or python-multipart versions.

🔗 Related Issue

N/A

🔄 Changes

• Adds an explicit urllib3>=2.7.0,<3 floor in data-designer-config for the CVE-2026-44431 and CVE-2026-44432 fixes pulled in through requests.
• Raises the direct python-multipart floor in data-designer-engine to >=0.0.29,<1 for the multipart advisories pulled in through mcp.
• Updates uv.lock to resolve urllib3 to 2.7.0 and python-multipart to 0.0.29.

🔍 Attention Areas

⚠️ Reviewers: Please pay special attention to the dependency security floors.

• packages/data-designer-config/pyproject.toml — adds an explicit transitive floor for urllib3 so resolves stay on the fixed release line.
• packages/data-designer-engine/pyproject.toml — raises the direct python-multipart floor used alongside mcp.

🧪 Testing

• make test passes
• Unit tests added/updated (N/A — dependency metadata and lockfile update only)
• E2E tests added/updated (N/A — no E2E behavior changes)

✅ Checklist

• Follows commit message conventions
• Commits are signed off (DCO)
• Architecture docs updated (N/A — no architecture changes)

[github-actions]

Review: PR #706 — chore: bump vulnerable dependencies

Summary

Pins transitive security-fix floors for two dependencies pulled in via requests and mcp:

• Adds explicit urllib3>=2.7.0,<3 to data-designer-config for CVE-2026-44431 / CVE-2026-44432.
• Bumps the existing python-multipart floor in data-designer-engine from >=0.0.27,<1 to >=0.0.29,<1.
• Lockfile updated accordingly: urllib3 2.6.3 → 2.7.0, python-multipart 0.0.28 → 0.0.29.

Net diff: +11 / −8 across pyproject.toml × 2 and uv.lock.

Findings

Correctness — pass

• Lockfile resolutions match the new floors (urllib3==2.7.0, python-multipart==0.0.29) and the new urllib3 entry is properly added under both the dependencies and requires-dist blocks of data-designer-config in uv.lock.
• Upper bounds (<3, <1) are preserved on both packages, so the major-version compatibility envelope is unchanged.
• Inline comments cite the specific CVEs / advisories — good provenance for future readers.

Conventions — pass

• urllib3 is added to data-designer-config, which is the layer that already declares requests. This respects the import-direction rule (interface → engine → config): putting the floor as low as possible means engine and interface inherit it without redeclaring.
• Comment style matches the existing pillow security-floor comment one line above (# 12.2.0 fixes CVE-2026-40192 …), so the new line fits the established pattern in this file.
• Alphabetical ordering inside dependencies is preserved (urllib3 after rich).

Minor observations (non-blocking)

• Neither urllib3 nor python-multipart is imported directly anywhere under packages/ (verified by grep). Both are pure transitive pins for security. This is fine — declaring them in dependencies propagates the floor to downstream consumers of the published wheels, which [tool.uv] overrides would not. Worth a one-line comment in the future if a third such pin appears, but not needed for this PR.
• The python-multipart comment was reworded from "fixes security advisory" to "addresses multipart security advisories" without naming the specific CVE(s). If the upstream advisory has an identifier, including it would match the precedent set by the urllib3 and pillow lines.

Risk — low

• Patch-level bump on python-multipart (0.0.28 → 0.0.29); minor on urllib3 (2.6 → 2.7). Both are within their existing upper bounds and within ranges already permitted by other packages (requests>=2.33,<3 and mcp>=1.26.0,<2).
• No code changes, no API surface changes, no behavior-affecting changes. CI's make test is the appropriate gate and the PR body confirms it passes.

Verdict

LGTM. Small, well-scoped security-floor bump with correct package placement, consistent style, and a matching lockfile. The only optional polish is naming the specific CVE for python-multipart to match the surrounding precedent — not a blocker.

[greptile-apps]

Greptile Summary

Bumps two vulnerable transitive dependencies — urllib3 and python-multipart — to their respective patched versions by raising floor constraints in the relevant package manifests and regenerating uv.lock.

• packages/data-designer-config/pyproject.toml: adds urllib3>=2.7.0,<3 as an explicit direct dependency so that the CVE-2026-44431/44432 fix is enforced for both data-designer-config and data-designer-engine (which depends on config).
• packages/data-designer-engine/pyproject.toml: raises python-multipart floor from >=0.0.27 to >=0.0.29 to address multipart security advisories introduced transitively through mcp.
• uv.lock: resolves urllib3 to 2.7.0 and python-multipart to 0.0.29 with updated PyPI hashes, keeping the lockfile consistent with the new specifiers.

Confidence Score: 5/5

Safe to merge — this is a targeted dependency floor bump with no logic changes; the lockfile hashes are consistent with the new specifiers.

The change adds two version floor constraints and regenerates the lockfile. Both resolved versions (urllib3 2.7.0, python-multipart 0.0.29) match their respective specifiers, the PyPI hashes in the lockfile are present and well-formed, and data-designer-engine inherits the urllib3 floor transitively through its existing data-designer-config workspace dependency — so no packages are left unconstrained.

No files require special attention.

Important Files Changed

Filename	Overview
packages/data-designer-config/pyproject.toml	Adds explicit urllib3>=2.7.0,<3 floor to pin the CVE-2026-44431/44432 fix; engine inherits this constraint transitively through its data-designer-config dependency.
packages/data-designer-engine/pyproject.toml	Raises python-multipart floor from >=0.0.27 to >=0.0.29 to address multipart security advisories pulled in by mcp.
uv.lock	Resolves urllib3 to 2.7.0 and python-multipart to 0.0.29; hashes and metadata are consistent with the bumped specifiers in both pyproject.toml files.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[data-designer-engine] -->|depends on| B[data-designer-config]
    B -->|direct dep| C[requests>=2.33,<3]
    B -->|explicit floor added| D[urllib3>=2.7.0,<3\nfixes CVE-2026-44431/44432]
    C -->|pulls in| D
    A -->|direct dep| E[mcp>=1.26.0,<2]
    E -->|pulls in| F[python-multipart>=0.0.29,<1\nfixes multipart advisories]
    A -->|direct dep| F

    style D fill:#c8f0c8,stroke:#4a9e4a
    style F fill:#c8f0c8,stroke:#4a9e4a

Loading

_{Reviews (2): Last reviewed commit: "Merge branch 'main' into johnny/chore/fi..." | Re-trigger Greptile}