diff --git a/pyproject.toml b/pyproject.toml
index aa7573f..65b4df2 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -15,7 +15,7 @@ dependencies = [
     # Security floors — make CVE-driven minimums explicit so future resolves
     # can't silently downgrade. See PR description for advisory IDs.
     "gitpython>=3.1.49",
-    "python-multipart>=0.0.27",
+    "python-multipart>=0.0.29",
     # Upper bound is forced by our transitive ecosystem: both mlflow-skinny 3.11.x
     # AND opentelemetry-api 1.41.x cap importlib-metadata<8.8. Dependabot tried
     # to bump it to 9.0.0 (PR #3) and broke every deploy — explicit ceiling so
diff --git a/requirements.txt b/requirements.txt
index a009bcc..bd2c270 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -149,7 +149,7 @@ python-dotenv==1.2.2
     #   pydantic-settings
 python-engineio==4.13.1
     # via python-socketio
-python-multipart==0.0.27
+python-multipart==0.0.29
     # via
     #   coda (pyproject.toml)
     #   mcp