[pull] master from aio-libs:master#559
Merged
Merged
Conversation
Bumps [gunicorn](https://github.com/benoitc/gunicorn) from 25.3.0 to 26.0.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/benoitc/gunicorn/releases">gunicorn's releases</a>.</em></p> <blockquote> <h2>26.0.0</h2> <h2>Breaking Changes</h2> <ul> <li><strong>Eventlet worker removed</strong>: The <code>eventlet</code> worker class has been dropped. Migrate to <code>gevent</code>, <code>gthread</code>, or <code>tornado</code>.</li> </ul> <h2>New Features</h2> <ul> <li><strong>ASGI Framework Compatibility Suite</strong>: New end-to-end compatibility test harness covering Starlette, FastAPI, Litestar, Quart, Sanic, and BlackSheep. Current grid passes 438/444 tests (98%).</li> <li><strong>ASGI Test Suite Expansion</strong>: 134 additional ASGI unit tests covering protocol semantics, lifespan, websockets, and chunked framing.</li> </ul> <h2>Security</h2> <ul> <li><strong>HTTP/1.1 Request-Target Validation</strong> (RFC 9112 sections 3.2.3, 3.2.4): <ul> <li>Reject <code>authority-form</code> request-target outside <code>CONNECT</code></li> <li>Reject <code>asterisk-form</code> request-target outside <code>OPTIONS</code></li> <li>Reject <code>relative-reference</code> request-targets</li> </ul> </li> <li><strong>Header Field Hardening</strong> (RFC 9110): <ul> <li>Reject control characters in header field-value (section 5.5)</li> <li>Reject forbidden trailer field-names (section 6.5.1)</li> <li>Reject <code>Content-Length</code> list form (RFC 9112 section 6.3)</li> </ul> </li> <li><strong>Request Smuggling Hardening</strong>: <ul> <li>Tighten keepalive gate and scope <code>finish_body</code> byte cap</li> <li>Keep <code>_body_receiver</code> alive across the keepalive smuggling gate so pipelined requests cannot re-enter a closed body</li> <li>Address parser/protocol findings from a six-point WSGI/ASGI audit</li> </ul> </li> <li><strong>PROXY Protocol (ASGI)</strong>: Enforce <code>proxy_allow_ips</code> and tighten v1/v2 parsing in the ASGI callback parser.</li> <li><strong>Connection Draining</strong>: Drain the connection on close per RFC 9112 section 9.6 to prevent reset-on-close truncation.</li> </ul> <h2>Bug Fixes</h2> <ul> <li><strong>Body Framing on HEAD/204/304</strong>: <ul> <li>Keep <code>Content-Length</code> on HEAD and 304 responses (<a href="https://redirect.github.com/benoitc/gunicorn/issues/3621">#3621</a>)</li> <li>Drop body framing on HEAD/204/304 even when the framework set it</li> <li>Warn once when an ASGI app emits a body for a no-body response</li> </ul> </li> <li><strong>HTTP/2 ASGI</strong>: <ul> <li>Fix <code>_handle_stream_ended</code> to set <code>_body_complete</code> in the async HTTP/2 handler so request bodies finalize correctly on stream end</li> <li>Add <code>InvalidChunkExtension</code> mapping and fast-parser support in ASGI tests (<a href="https://redirect.github.com/benoitc/gunicorn/issues/3565">#3565</a>)</li> </ul> </li> <li><strong>HTTP/1.1 100-Continue</strong>: Stop adding <code>Transfer-Encoding: chunked</code> to 100-Continue interim responses.</li> <li><strong>WebSocket Close Handshake</strong> (RFC 6455): <ul> <li>Comply with the close handshake state machine</li> <li>Close the transport after the close handshake completes</li> <li>Fix binary send when the <code>text</code> key is <code>None</code></li> </ul> </li> <li><strong>Early Hints</strong>: Validate headers in the <code>early_hints</code> callback to match <code>process_headers</code>; pass only the header name to <code>InvalidHeader</code> (<a href="https://redirect.github.com/benoitc/gunicorn/issues/3588">#3588</a>).</li> <li><strong>ASGI Framework Fixes</strong>: <ul> <li>Fix ASGI disconnect handling for Django-style apps</li> <li>Fix Litestar request handling (use raw ASGI receive for body/headers)</li> <li>Fix Litestar HTTP endpoints for compatibility tests</li> <li>Fix Quart headers endpoint to normalize keys to lowercase</li> <li>Fix Quart WebSocket close test app (missing <code>accept()</code>)</li> <li>Fix duplicate <code>Transfer-Encoding</code> header for BlackSheep streaming</li> </ul> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/benoitc/gunicorn/commit/5d819cf36040f6cc6175fcc804d703fb899509dd"><code>5d819cf</code></a> release: 26.0.0</li> <li><a href="https://github.com/benoitc/gunicorn/commit/b45c70df105f7d5dcbc5abfb732804d6464edc21"><code>b45c70d</code></a> Merge pull request <a href="https://redirect.github.com/benoitc/gunicorn/issues/3611">#3611</a> from zc-mattcen/docs-typo</li> <li><a href="https://github.com/benoitc/gunicorn/commit/99c8d48acf453deb5c49fe12e195dbc00d888d1e"><code>99c8d48</code></a> Merge pull request <a href="https://redirect.github.com/benoitc/gunicorn/issues/3623">#3623</a> from benoitc/chore/drop-eventlet-add-h2-uvloop-test-...</li> <li><a href="https://github.com/benoitc/gunicorn/commit/5a655af50f20e005dd9e32e6078dc82fa45f3d4b"><code>5a655af</code></a> Merge pull request <a href="https://redirect.github.com/benoitc/gunicorn/issues/3622">#3622</a> from benoitc/test/docker-port-and-ipv4-fixes</li> <li><a href="https://github.com/benoitc/gunicorn/commit/201df19a8011c0a1d6a0e75ebe22e89d48eb935e"><code>201df19</code></a> chore: remove eventlet worker; add h2 and uvloop to test deps</li> <li><a href="https://github.com/benoitc/gunicorn/commit/f4ac8e1f1bf1d365e77f41915da55bec31873f84"><code>f4ac8e1</code></a> test: pass action name to dirty client and stabilize after TTOU spam</li> <li><a href="https://github.com/benoitc/gunicorn/commit/54d38afddf1f0db0c15b5f4ff63f3c7bfad96961"><code>54d38af</code></a> test: unblock docker fixtures on macOS hosts</li> <li><a href="https://github.com/benoitc/gunicorn/commit/68843c8893dd938456f0a2da62085ab5776f8871"><code>68843c8</code></a> Merge pull request <a href="https://redirect.github.com/benoitc/gunicorn/issues/3621">#3621</a> from benoitc/fix/asgi-preserve-content-length-on-hea...</li> <li><a href="https://github.com/benoitc/gunicorn/commit/31f2618f733cc0c78690df63f4e344aaf3f56b20"><code>31f2618</code></a> Merge pull request <a href="https://redirect.github.com/benoitc/gunicorn/issues/3620">#3620</a> from benoitc/fix/asgi-proxy-protocol-trust-and-parsing</li> <li><a href="https://github.com/benoitc/gunicorn/commit/41ec7527dbd8a9e52728477700707ad40e41d9dc"><code>41ec752</code></a> fix: keep Content-Length on HEAD and 304 responses</li> <li>Additional commits viewable in <a href="https://github.com/benoitc/gunicorn/compare/25.3.0...26.0.0">compare view</a></li> </ul> </details> <br /> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
See Commits and Changes for more details.
Created by
pull[bot] (v2.0.0-alpha.4)
Can you help keep this open source service alive? 💖 Please sponsor : )