chore: bump gunicorn to 22.0.0 #28490
Codecov Report
All modified and coverable lines are covered by tests ✅

Additional details and impacted files
@@ Coverage Diff @@
## master #28490 +/- ##
===========================================
+ Coverage 60.48% 83.41% +22.92%
===========================================
Files 1931 521 -1410
Lines 76236 37467 -38769
Branches 8568 0 -8568
===========================================
- Hits 46114 31252 -14862
+ Misses 28017 6215 -21802
+ Partials 2105 0 -2105

Flags with carried forward coverage won't be shown. ☔ View full report in Codecov by Sentry.
LGTM after reviewing breaking changes https://docs.gunicorn.org/en/latest/news.html
Looks ok to me but thought I'd paste here for @dpgaspar to have another look pre-merge:
**Breaking changes**
minimum version is Python 3.7
the limitations on valid characters in the HTTP method have been bounded to Internet Standards
requests specifying unsupported transfer coding (order) are refused by default (rare)
HTTP methods are no longer casefolded by default (IANA method registry contains none affected)
HTTP methods containing the number sign (#) are no longer accepted by default (rare)
HTTP versions < 1.0 or >= 2.0 are no longer accepted by default (rare, only HTTP/1.1 is supported)
HTTP versions consisting of multiple digits or containing a prefix/suffix are no longer accepted
HTTP header field names Gunicorn cannot safely map to variables are silently dropped, as in other software
HTTP headers with empty field name are refused by default (no legitimate use cases, used in exploits)
requests with both Transfer-Encoding and Content-Length are refused by default (such a message might indicate an attempt to perform request smuggling)
empty transfer codings are no longer permitted (reportedly seen with really old & broken proxies)
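The hardening rules in that changelog excerpt, as an added Python example (not gunicorn's own parser and not code from this PR): a small request-head validator that applies the method, HTTP-version, empty-field-name and Transfer-Encoding/Content-Length checks to constructed sample requests and returns the reasons a strict parser would refuse each one. It assumes, as a simplification, that only the `chunked` transfer coding is supported.

```python
import re

# RFC 9110 "token" characters; gunicorn 22 bounds the method to these
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# Only HTTP/1.0 and HTTP/1.1: refuses 0.9, 2.0, "HTTP/1.10" and prefixed/suffixed forms
VERSION_RE = re.compile(r"^HTTP/1\.[01]$")


def check_request_head(raw: bytes) -> list[str]:
    """Return the reasons a gunicorn-22-style parser would refuse this
    request head; an empty list means the head is accepted.
    Simplification (assumption): only the 'chunked' coding is supported."""
    reasons = []
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return ["malformed request line"]
    method, _target, version = parts
    # No casefolding: a lowercase method is checked as-is, never rewritten
    if not TOKEN_RE.match(method):
        reasons.append("method contains characters outside the RFC token set")
    elif "#" in method:  # '#' is a token char, but gunicorn 22 refuses it anyway
        reasons.append("method contains '#'")
    if not VERSION_RE.match(version):
        reasons.append("unsupported HTTP version")
    names = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or name.strip() == "":
            reasons.append("empty or missing header field name")
            continue
        name = name.strip().lower()
        names.append(name)
        if name == "transfer-encoding":
            codings = [c.strip() for c in value.split(",")]
            if "" in codings:
                reasons.append("empty transfer coding")
            elif codings != ["chunked"]:
                reasons.append("unsupported transfer coding (order)")
    if "transfer-encoding" in names and "content-length" in names:
        reasons.append("both Transfer-Encoding and Content-Length present")
    return reasons


if __name__ == "__main__":
    # Constructed sample: the ambiguous framing gunicorn 22 now rejects
    sample = b"POST / HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n"
    print(check_request_head(sample))
```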
@@ -55,7 +55,7 @@ dependencies = [ | |||
"flask-wtf>=1.1.0, <2.0", | |||
"func_timeout", | |||
"geopy", | |||
"gunicorn>=21.2.0, <22.0; sys_platform != 'win32'", | |||
"gunicorn>=22.0.0; sys_platform != 'win32'", |
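Review bot: the replacement line drops the `<22.0` ceiling instead of moving it, so a future gunicorn 23.x would be picked up by a fresh install without anyone reviewing its changelog; if the project still pins major versions here, use `"gunicorn>=22.0.0, <23.0; sys_platform != 'win32'"`, and if the ceiling is being removed deliberately, say so in the PR summary. The `sys_platform != 'win32'` marker is carried over unchanged with no explanation in the hunk; a short comment next to the line, or a note in the summary, would spare the next reader the same question.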
@dpgaspar should we include an upper limit on <23.0?
Additionally, do you know why we need the sys_platform != 'win32' check, especially given that we don't support Windows?
We may be moving away from always pinning the upper limit: #28144 (comment)
I took a look, seems unlikely to break anyone's deployments
CVE-2024-1135 is reported as
Will this version bump be applied to the 3.1-x branch too to avoid that CVE affecting current stable versions?
Any update on this? Seems to not be available on release 4.0.2. Thanks
Should be in 4.1.0, which has an open release candidate
SUMMARY
Bump gunicorn to address a potential vulnerability
https://docs.gunicorn.org/en/latest/news.html#id1