Bump python-multipart lower bound above known-CVE versions

[a-maccormack]

Description

mcp's requires-dist currently declares python-multipart>=0.0.9, which still allows resolution into versions affected by published advisories:

• GHSA-59g5-xgcq-4qw3 — DoS via deformed multipart/form-data boundary (fixed in 0.0.18)
• GHSA-2jv5-9r88-3w3p — Content-Type header ReDoS (fixed in 0.0.20)
• GHSA-wp53-j4wj-2cfg — Arbitrary file write via non-default config
• GHSA-mj87-hwqh-73pj — DoS via large preamble/epilogue

Downstream projects that depend on mcp (checked against mcp==1.26.0) have to carry a defensive python-multipart pin in their own pyproject.toml to enforce a safe floor, since mcp's own transitive floor sits below the patched versions.

Proposal: bump requires-dist to python-multipart>=0.0.20 (or the latest, currently 0.0.26) so downstreams don't need to duplicate the pin.

References

• GHSA-59g5-xgcq-4qw3
• GHSA-2jv5-9r88-3w3p
• GHSA-wp53-j4wj-2cfg
• GHSA-mj87-hwqh-73pj
• python-multipart floor declared in mcp 1.26.0 requires-dist

[a-maccormack]

I'd be happy to send a one-line PR bumping this to >=0.0.20, targeting v1.x since it's a security floor bump rather than a behavioral change. For what it's worth, we've been running mcp with python-multipart==0.0.22 in production on our own MCP server (with the defensive pin in our pyproject.toml) without any compatibility issues. Let me know if that'd be welcome, or if there's context I'm missing.