Merge upstream/main to unblock pyOpenSSL 26.x bump #4
Merged
…in the openssl group (mitmproxy#8180) * Update pyopenssl requirement in the openssl group Updates the requirements on [pyopenssl](https://github.com/pyca/pyopenssl) to permit the latest version. Updates `pyopenssl` to 26.0.0 - [Changelog](https://github.com/pyca/pyopenssl/blob/main/CHANGELOG.rst) - [Commits](pyca/pyopenssl@24.3.0...26.0.0) --- updated-dependencies: - dependency-name: pyopenssl dependency-version: 26.0.0 dependency-type: direct:production dependency-group: openssl ... Signed-off-by: dependabot[bot] <support@github.com> * [autofix.ci] apply automated fixes --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
mitmproxy#8181) * Update asgiref requirement from <=3.11.0,>=3.2.10 to >=3.2.10,<=3.11.1 Updates the requirements on [asgiref](https://github.com/django/asgiref) to permit the latest version. - [Changelog](https://github.com/django/asgiref/blob/main/CHANGELOG.txt) - [Commits](django/asgiref@3.2.10...3.11.1) --- updated-dependencies: - dependency-name: asgiref dependency-version: 3.11.1 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> * [autofix.ci] apply automated fixes --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
…#8183) * Use sys.executable instead of python3 in docs build script * [autofix.ci] apply automated fixes --------- Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
* fix: avoid IndexError in is_mostly_bin for short tails

`is_mostly_bin` looks up to 4 bytes past the 100-byte cutoff to find a clean UTF-8 character boundary. when the input is just over 100 bytes and starts with a continuation byte at index 100, the lookahead reads past the end of the buffer.

cap the loop end at `len(s)`. existing fallback to `s[:100]` still covers the case where every byte in the lookahead window is a continuation byte.

fixes mitmproxy#8188

* [autofix.ci] apply automated fixes

---------

Co-authored-by: Julio César Suástegui <juliosuas@users.noreply.github.com>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
* Bump upper bounds for cryptography and pyOpenSSL * [autofix.ci] apply automated fixes --------- Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Bumps the github-actions group with 8 updates: | Package | From | To | | --- | --- | --- | | [actions/setup-node](https://github.com/actions/setup-node) | `6` | `6.3.0` | | [apple-actions/import-codesign-certs](https://github.com/apple-actions/import-codesign-certs) | `6.0.0` | `6.1.0` | | [actions/cache](https://github.com/actions/cache) | `5` | `5.0.4` | | [docker/setup-qemu-action](https://github.com/docker/setup-qemu-action) | `3.7.0` | `4.0.0` | | [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) | `3.12.0` | `4.0.0` | | [docker/login-action](https://github.com/docker/login-action) | `3.7.0` | `4.0.0` | | [docker/metadata-action](https://github.com/docker/metadata-action) | `5.10.0` | `6.0.0` | | [docker/build-push-action](https://github.com/docker/build-push-action) | `6.19.2` | `7.0.0` | Updates `actions/setup-node` from 6 to 6.3.0 - [Release notes](https://github.com/actions/setup-node/releases) - [Commits](actions/setup-node@v6...v6.3.0) Updates `apple-actions/import-codesign-certs` from 6.0.0 to 6.1.0 - [Release notes](https://github.com/apple-actions/import-codesign-certs/releases) - [Commits](Apple-Actions/import-codesign-certs@b610f78...fe74d46) Updates `actions/cache` from 5 to 5.0.4 - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@v5...v5.0.4) Updates `docker/setup-qemu-action` from 3.7.0 to 4.0.0 - [Release notes](https://github.com/docker/setup-qemu-action/releases) - [Commits](docker/setup-qemu-action@c7c5346...ce36039) Updates `docker/setup-buildx-action` from 3.12.0 to 4.0.0 - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](docker/setup-buildx-action@8d2750c...4d04d5d) Updates `docker/login-action` from 3.7.0 to 4.0.0 - [Release notes](https://github.com/docker/login-action/releases) - [Commits](docker/login-action@c94ce9f...b45d80f) Updates `docker/metadata-action` from 5.10.0 
to 6.0.0 - [Release notes](https://github.com/docker/metadata-action/releases) - [Commits](docker/metadata-action@c299e40...030e881) Updates `docker/build-push-action` from 6.19.2 to 7.0.0 - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](docker/build-push-action@10e90e3...d08e5c3) --- updated-dependencies: - dependency-name: actions/setup-node dependency-version: 6.3.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: apple-actions/import-codesign-certs dependency-version: 6.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: actions/cache dependency-version: 5.0.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: docker/setup-qemu-action dependency-version: 4.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: docker/setup-buildx-action dependency-version: 4.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: docker/login-action dependency-version: 4.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: docker/metadata-action dependency-version: 6.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: docker/build-push-action dependency-version: 7.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Bump awscli from 1.44.53 to 1.44.63 in the deploy group Bumps the deploy group with 1 update: [awscli](https://github.com/aws/aws-cli). Updates `awscli` from 1.44.53 to 1.44.63 - [Release notes](https://github.com/aws/aws-cli/releases) - [Commits](aws/aws-cli@1.44.53...1.44.63) --- updated-dependencies: - dependency-name: awscli dependency-version: 1.44.63 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: deploy ... Signed-off-by: dependabot[bot] <support@github.com> * [autofix.ci] apply automated fixes --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
* Bump the tox group with 2 updates Bumps the tox group with 2 updates: [tox](https://github.com/tox-dev/tox) and [tox-uv](https://github.com/tox-dev/tox-uv). Updates `tox` from 4.49.0 to 4.50.3 - [Release notes](https://github.com/tox-dev/tox/releases) - [Changelog](https://github.com/tox-dev/tox/blob/main/docs/changelog.rst) - [Commits](tox-dev/tox@4.49.0...4.50.3) Updates `tox-uv` from 1.33.1 to 1.33.4 - [Release notes](https://github.com/tox-dev/tox-uv/releases) - [Commits](tox-dev/tox-uv@1.33.1...1.33.4) --- updated-dependencies: - dependency-name: tox dependency-version: 4.50.3 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: tox - dependency-name: tox-uv dependency-version: 1.33.4 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: tox ... Signed-off-by: dependabot[bot] <support@github.com> * [autofix.ci] apply automated fixes --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
…er group (mitmproxy#8205) * Bump pyinstaller-hooks-contrib in the pyinstaller group Bumps the pyinstaller group with 1 update: [pyinstaller-hooks-contrib](https://github.com/pyinstaller/pyinstaller-hooks-contrib). Updates `pyinstaller-hooks-contrib` from 2026.2 to 2026.3 - [Release notes](https://github.com/pyinstaller/pyinstaller-hooks-contrib/releases) - [Changelog](https://github.com/pyinstaller/pyinstaller-hooks-contrib/blob/master/CHANGELOG.rst) - [Commits](pyinstaller/pyinstaller-hooks-contrib@v2026.2...v2026.3) --- updated-dependencies: - dependency-name: pyinstaller-hooks-contrib dependency-version: '2026.3' dependency-type: direct:development update-type: version-update:semver-minor dependency-group: pyinstaller ... Signed-off-by: dependabot[bot] <support@github.com> * [autofix.ci] apply automated fixes --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
…RFC 5280 §4.2.1.2) (mitmproxy#8214)

* Copy issuer's SubjectKeyIdentifier into leaf AuthorityKeyIdentifier

mitmproxy.certs.dummy_cert previously built the leaf's AuthorityKeyIdentifier with `from_issuer_public_key()`, which always derives the keyIdentifier as the SHA-1 of the issuer's BIT STRING public key. This violates RFC 5280 §4.2.1.2:

    The value of the subject key identifier MUST be the value placed in the key identifier field of the authority key identifier extension of certificates issued by the subject of this certificate.

Whenever the issuer's stored SKI was generated by any other method (RFC 7093 truncated SHA-256/384/512, hardware-rooted CAs, or any custom value), the recomputed AKI mismatches the issuer's SKI and strict TLS chain builders (`X509_V_FLAG_X509_STRICT`, Python `ssl`, Go `crypto/x509`) reject the chain with "authority and subject key identifier mismatch".

The most common modern trigger: cert-manager >=1.18 and Go >=1.25 default to truncated SHA-256 SKIs for FIPS 140-3 compliance, so any mitmproxy deployment fed a CA from those toolchains breaks.

Fix: prefer the issuer's stored SKI extension verbatim (AuthorityKeyIdentifier.from_issuer_subject_key_identifier), and only fall back to the previous behavior when the issuer cert has no SKI extension at all.

Adds two regression tests:
- test_aki_copies_issuer_ski_non_sha1 verifies that a CA with a truncated SHA-256 SKI (as produced by cert-manager / Go 1.25+) yields a leaf whose AKI is byte-equal to the issuer's stored SKI.
- test_aki_falls_back_when_issuer_has_no_ski verifies the SKI-absent fallback still produces the previous AKI value.

* [autofix.ci] apply automated fixes

* shorten changelog

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: Maximilian Hils <git@maximilianhils.com>
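Added example, not part of the commit or of mitmproxy's code: the AKI/SKI mismatch described in the commit message above, reproduced with the `cryptography` package (assumed to be installed). It builds a constructed test CA whose SKI is a truncated SHA-256 and issues leaves with the recomputed and the copied AKI; every helper name here is hypothetical.

```python
import datetime
import hashlib

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed names; nothing here comes from a real deployment.
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "constructed test CA")])


def rfc7093_ski(public_key):
    """RFC 7093 method 1: leftmost 160 bits of SHA-256 over the key's BIT STRING."""
    point = public_key.public_bytes(
        serialization.Encoding.X962, serialization.PublicFormat.UncompressedPoint
    )
    return hashlib.sha256(point).digest()[:20]


def _builder(subject, issuer, public_key):
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=30))
    )


def make_ca(ski_bytes_fn=None):
    """Self-signed constructed CA; ski_bytes_fn=None leaves the SKI extension out."""
    key = ec.generate_private_key(ec.SECP256R1())
    b = _builder(CA_NAME, CA_NAME, key.public_key()).add_extension(
        x509.BasicConstraints(ca=True, path_length=None), critical=True
    )
    if ski_bytes_fn is not None:
        ski = x509.SubjectKeyIdentifier(ski_bytes_fn(key.public_key()))
        b = b.add_extension(ski, critical=False)
    return key, b.sign(key, hashes.SHA256())


def aki_recomputed(ca_cert):
    """Old behaviour per the commit message: always SHA-1 of the issuer key."""
    return x509.AuthorityKeyIdentifier.from_issuer_public_key(ca_cert.public_key())


def aki_copied(ca_cert):
    """Fixed behaviour: copy the issuer's stored SKI, fall back only if absent."""
    try:
        ski = ca_cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier)
    except x509.ExtensionNotFound:
        return aki_recomputed(ca_cert)
    return x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(ski.value)


def issue_leaf(ca_key, ca_cert, aki):
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "leaf.example")])
    b = _builder(subject, ca_cert.subject, key.public_key())
    return b.add_extension(aki, critical=False).sign(ca_key, hashes.SHA256())


def aki_matches_issuer_ski(leaf, ca_cert):
    """Byte comparison behind the 'key identifier mismatch' rejection."""
    aki = leaf.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value
    ski = ca_cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
    return aki.key_identifier == ski.digest


if __name__ == "__main__":
    ca_key, ca = make_ca(rfc7093_ski)
    for label, make_aki in (("recomputed", aki_recomputed), ("copied", aki_copied)):
        leaf = issue_leaf(ca_key, ca, make_aki(ca))
        print(label, "AKI matches issuer SKI:", aki_matches_issuer_ski(leaf, ca))
```

The same comparison can be run against a deployed CA and a generated leaf to confirm whether a chain will survive a strict verifier before rolling out a new CA toolchain.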
* Reduce generated certificate validity * [autofix.ci] apply automated fixes * make cert backdating more clear --------- Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> Co-authored-by: Maximilian Hils <github@maximilianhils.com> Co-authored-by: Maximilian Hils <git@maximilianhils.com>
* docs: document addon live-reload + testing pattern

Issue mitmproxy#6377 asked for addon development docs covering hot reload and testing. mitmproxy already watches scripts loaded with -s for changes and re-imports them on save (mitmproxy/addons/script.py: Script.watcher and the unconditional Script(s, True) at line 218), but that behavior was undocumented, and there was no canonical example of how to unit-test a custom addon with mitmproxy.test.taddons / mitmproxy.test.tflow.

Add a "Developing Addons" section to docs/src/content/addons/overview.md with two subsections:
- Live Reloading: explains the file-watcher behavior, including which errors leave the previous version unloaded and which don't.
- Testing Addons: a small example that unit-tests the Counter addon from anatomy.py using taddons.context() and tflow.tflow(), plus a pointer to tctx.cycle() and the existing test/mitmproxy/addons/ tests for patterns that need the full event sequence.

No code changes.

* reduce testing section

Testing helpers are currently a bit ugly and not part of the public API, so let's not put them front center in the docs.

---------

Co-authored-by: Chris (ChrisJr404) <11917633+ChrisJr404@users.noreply.github.com>
Co-authored-by: Maximilian Hils <git@maximilianhils.com>
…efox sessions (mitmproxy#8224) Co-authored-by: Maximilian Hils <git@maximilianhils.com>
* Bump requests from 2.32.5 to 2.33.1 Bumps [requests](https://github.com/psf/requests) from 2.32.5 to 2.33.1. - [Release notes](https://github.com/psf/requests/releases) - [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md) - [Commits](psf/requests@v2.32.5...v2.33.1) --- updated-dependencies: - dependency-name: requests dependency-version: 2.33.1 dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * [autofix.ci] apply automated fixes --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
* Bump awscli from 1.44.63 to 1.44.69 in the deploy group Bumps the deploy group with 1 update: [awscli](https://github.com/aws/aws-cli). Updates `awscli` from 1.44.63 to 1.44.69 - [Release notes](https://github.com/aws/aws-cli/releases) - [Commits](aws/aws-cli@1.44.63...1.44.69) --- updated-dependencies: - dependency-name: awscli dependency-version: 1.44.69 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: deploy ... Signed-off-by: dependabot[bot] <support@github.com> * [autofix.ci] apply automated fixes --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
…py group (mitmproxy#8225) * Bump types-requests in the mypy group Bumps the mypy group with 1 update: [types-requests](https://github.com/python/typeshed). Updates `types-requests` from 2.32.4.20260107 to 2.33.0.20260327 - [Commits](https://github.com/python/typeshed/commits) --- updated-dependencies: - dependency-name: types-requests dependency-version: 2.33.0.20260327 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: mypy ... Signed-off-by: dependabot[bot] <support@github.com> * [autofix.ci] apply automated fixes --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
…mproxy#8147) * migrate bootstrap decoupling with dual classes and local less tokens * migrate form and utility bootstrap classes to m-/u- styles * remove remaining Bootstrap class aliases and migrate to internal m-* / u-* classes * fix tab link colors to match previous blue styling * update snapshots * adjust table styling and alignment * adjust divider style * adjust flowdetails panel style * adjust options modal style * fix icons position and color in capture tab page * adjust style search,highlight, intercept popovers * update snapshots * extract global styles into global.less * keep behavior aligned with pre-migration Bootstrap (same class names) * update snapshots * [autofix.ci] apply automated fixes --------- Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
…itmproxy#8229) * Update urwid requirement from <=3.0.5,>=2.6.14 to >=2.6.14,<=4.0.0 Updates the requirements on [urwid](https://github.com/urwid/urwid) to permit the latest version. - [Release notes](https://github.com/urwid/urwid/releases) - [Changelog](https://github.com/urwid/urwid/blob/master/docs/changelog.rst) - [Commits](urwid/urwid@2.6.14...4.0.0) --- updated-dependencies: - dependency-name: urwid dependency-version: 4.0.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> * [autofix.ci] apply automated fixes --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
* Bump the tox group across 1 directory with 2 updates Bumps the tox group with 2 updates in the / directory: [tox](https://github.com/tox-dev/tox) and [tox-uv](https://github.com/tox-dev/tox-uv). Updates `tox` from 4.50.3 to 4.52.0 - [Release notes](https://github.com/tox-dev/tox/releases) - [Changelog](https://github.com/tox-dev/tox/blob/main/docs/changelog.rst) - [Commits](tox-dev/tox@4.50.3...4.52.0) Updates `tox-uv` from 1.33.4 to 1.34.0 - [Release notes](https://github.com/tox-dev/tox-uv/releases) - [Commits](tox-dev/tox-uv@1.33.4...1.34.0) --- updated-dependencies: - dependency-name: tox dependency-version: 4.52.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: tox - dependency-name: tox-uv dependency-version: 1.34.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: tox ... Signed-off-by: dependabot[bot] <support@github.com> * [autofix.ci] apply automated fixes --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
…ab (mitmproxy#8232)

* fix(web): render AVIF images and IANA icon favicons in the response tab

The `ViewImage` regex in `HttpMessage.tsx` rejected two valid image content types, so the response tab did not render them inline:

1. `image/avif` was missing from the alternation. AVIF is widely served by image CDNs and decoded natively in `<img>` by Chrome 85+, Firefox 93+, and Safari 16.1+.
2. `image/vnd.microsoft.icon` (the IANA-canonical `.ico` MIME) never matched because the alternation had `vnc.microsoft.icon` — a `vnc`/`vnd` typo. The de-facto legacy `image/x-icon` continued to work, which made the bug easy to miss. The dots are also unescaped, so the regex coincidentally matches `image/vncXmicrosoftXicon` for any single character `X`.

Added `avif`, corrected `vnc` → `vnd`, and escaped the dots. Added a `ViewImage.matches` unit test covering both the additions and the existing image MIME types.

* [autofix.ci] apply automated fixes

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
…oxy#8233)

* fix(web): avoid infinite componentDidUpdate loop in FlowTable

`FlowTable.componentDidUpdate` calls `this.onViewportUpdate()` on every update, even when the inputs to `calcVScroll` (the flow list and the row height) did not change. `onViewportUpdate` reads the current `viewport.scrollTop`, recomputes `vScroll`, and `setState`s when `state.viewportTop !== scrollTop` or `vScroll` shape changed. The new `state.viewportTop` is `Math.min(scrollTop, vScroll.end * rowHeight)`, so when `vScroll.end * rowHeight < scrollTop` the new state stays strictly below `scrollTop`, the inequality holds on the next iteration, and the cycle spins until the browser kills the JS thread.

Gated the call on `prevProps.flowView !== this.props.flowView || prevProps.rowHeight !== this.props.rowHeight`. The other `onViewportUpdate` call sites — `componentDidMount`, the window resize listener, the viewport `onScroll` handler, and the post-scroll-into-view call — are unchanged, so user scrolling and resizing still drive the virtual-scroll window normally.

Added a `FlowTableSpec.tsx` regression test that spies on `PureFlowTable.prototype.onViewportUpdate` and asserts it is NOT called after a `select` dispatch (which changes connect-mapped props but leaves `flowView` and `rowHeight` alone). The test fails without the fix.

* [autofix.ci] apply automated fixes

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: Maximilian Hils <git@maximilianhils.com>
…itmproxy#8234)

* fix(web): preserve in-progress filter input across parent re-renders

`FilterInput`'s `onChange` only propagates valid filters to the parent, so while the user is mid-typing an incomplete or invalid filter (e.g. `~foo bar`) the local `state.value` intentionally diverges from `props.value` — the parent still holds the last valid filter. Any unrelated parent re-render then fires `UNSAFE_componentWillReceiveProps`, which unconditionally called `this.setState({ value: nextProps.value })` and clobbered the user's in-progress text back to the last valid filter.

Gated the sync on `nextProps.value !== this.props.value` so the component only adopts an externally-changed value. When the parent re-renders without changing the value prop, the local state is preserved.

Added a `FilterInputSpec.tsx` regression test alongside the existing `should handle componentWillReceiveProps` test (which covers the positive path — external value change still wins). The new test types `~foo bar` (asserted invalid by the existing `should handle isValid` test), rerenders with the same value prop, and asserts the in-progress text survives. The test fails without the fix.

* [autofix.ci] apply automated fixes

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: Maximilian Hils <git@maximilianhils.com>
* Treat carriage return as whitespace in strutils.is_xml

is_xml() skipped only tab, LF and space before checking for the opening "<", so a response body that started with a leading CR or CRLF (which is what HTTP frames look like, and what some Windows-side XML producers emit) was not detected as XML. The XML/HTML content view's auto-detection score then dropped to 0 instead of the usual 0.4 for those bodies.

XML 1.0 §2.3 defines whitespace as (#x20 | #x9 | #xD | #xA), so \r (0x0D) belongs in the skip set alongside the other three.

Adds the missing byte plus three assertions in the existing test_is_xml: \r<foo and \r\n<foo are now recognised, and a sanity check that \r\nfoo is still rejected.

* [autofix.ci] apply automated fixes

* simplify wording

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: Maximilian Hils <git@maximilianhils.com>
Picks up the pyOpenSSL cap bump (mitmproxy#8180, mitmproxy#8219) so downstream consumers (citusdata/citus -> citusdata/the-process) can move to pyOpenSSL 26.x for CVE-2026-27448 / CVE-2026-27459 / CVE-2026-40475.

Also includes upstream changes through 12a292c (post v12.2.3):
- 30 upstream commits since our last sync
- pyOpenSSL upper bound now <=27.0.0 (was <=25.3.0)
- cryptography upper bound now <=48.1 (was <=46.1)
- dependabot bumps for awscli, requests, urwid, tox, types-requests, pyinstaller-hooks-contrib, github-actions
- mitmweb UI rewrites (Bootstrap removal, FlowTable fixes, etc.) - not consumed by citus/mitmdump
- TLS leaf cert SubjectKeyIdentifier fix (mitmproxy#8214, RFC 5280)
- v12.2.3 release commit + post-release housekeeping

Our TCP-kill patches (mitmproxy/proxy/layers/tcp.py + test/mitmproxy/proxy/layers/test_tcp.py) are preserved - upstream did not touch these files in this window so no conflicts.
This was referenced May 28, 2026
Summary
Merges upstream `mitmproxy/mitmproxy@main` into our fork's `main` to pick up the pyOpenSSL upper-bound bump (mitmproxy#8180 + mitmproxy#8219), unblocking downstream consumers (citusdata/citus → citusdata/the-process) from moving to pyOpenSSL 26.x.

Without this, the-process `circleci/images/*/requirements.txt` cannot pull pyOpenSSL >= 26.0.0 (which contains CVE fixes CVE-2026-27448 / CVE-2026-27459 / CVE-2026-40475).

What's in the merge
Cap changes (the reason we're merging):
- `pyOpenSSL>=24.3,<=25.3.0` → `pyOpenSSL>=24.3,<=27.0.0`
- `cryptography>=42.0,<=46.1` → `cryptography>=42.0,<=48.1`

30 upstream commits (range `origin/main..upstream/main`), all low-risk:
- `strutils.is_xml` CR handling, `is_mostly_bin` IndexError)
- `mitmproxy 12.2.3` release tag + post-release housekeeping

What's preserved
Our citusdata-specific TCP-kill patches are unchanged:
- `mitmproxy/proxy/layers/tcp.py` — `self.flow.live` guard around `SendData`
- `test/mitmproxy/proxy/layers/test_tcp.py` — regression test `test_kill_closes_connection_when_flow_not_live`

Upstream touched neither of these files in the 30 merged commits, so the merge required no conflict resolution.
Verification
Follow-up (downstream)
Once this lands, the new merge commit SHA needs to be referenced in:
- `citusdata/citus@main:src/test/regress/Pipfile` — bump the `mitmproxy = {git=..., ref=...}` ref + re-lock
- `citusdata/the-process:circleci/images/{pgupgradetester,failtester,citusupgradetester}/files/etc/requirements.txt` — regenerate via `pipenv requirements`