Skip to content

Bump h11 #2621

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
May 11, 2025
Merged

Bump h11 #2621

merged 1 commit into from
May 11, 2025

Conversation

LifeLex
Copy link
Contributor

@LifeLex LifeLex commented Apr 24, 2025
edited
Loading

Summary

h11 has now released version 0.16.0 which amongst other things fixes a vulnerability, I've updated the requirements in uvicorn to use this release instead of targeting the main branch so we can use the latest tagged release and avoid this vulnerability

                            Vulnerable Dependencies                             
┏━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━┓
┃ Package     ┃ Version        ┃ Vulnerability ID            ┃ Fix Versions    ┃
┡━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━┩
│ h11         │ 0.14.0         │ GHSA-vqfr-h8mv-ghfj         │ 0.16.0          │
└─────────────┴────────────────┴─────────────────────────────┴─────────────────┘

Checklist

  • I understand that this PR may be closed in case there was no previous discussion. (This doesn't apply to typos!)
  • I've added a test for each change that was introduced, and I tried as much as possible to make a single atomic change.
  • I've updated the documentation accordingly.

@LifeLex LifeLex changed the title Update h11 dependency to latest version Update h11 dependency to fix security vulnerability Apr 24, 2025
@Kludex
Copy link
Member

Kludex commented Apr 25, 2025
edited
Loading

A note that when a dependency has a vulnerability issue, we are not forced to update the constraints. Users can already bump their h11 version.

The vulnerability is on the dependency, not on uvicorn.

That said, I'll merge this soon.

@Kludex Kludex changed the title Update h11 dependency to fix security vulnerability Bump h11 Apr 25, 2025
@MadhavVij
Copy link

Any update on when will this be merged and released?

@Kludex
Copy link
Member

Kludex commented May 1, 2025

I think there's a TODO on h11_impl.py about changing something when this is released. I'll check later.

@MadhavVij
Copy link

Thanks for the update!

@Kludex
Copy link
Member

Kludex commented May 11, 2025

Well... I'm not sure if you intended to create this PR... This PR doesn't make you require h11 >= 0.16 when installing uvicorn - it just bumps when developing in this repository.

@Kludex
Copy link
Member

Kludex commented May 11, 2025

I'll merge this because it removes the git installation.

@Kludex Kludex merged commit bc79505 into encode:master May 11, 2025
16 checks passed
@seth-addepar
Copy link

To Kludex's point, should we update https://github.com/encode/uvicorn/blob/master/pyproject.toml#L34 to ensure that consumers of uvicorn are not pulling in a vulnerable version of h11?

@Kludex
Copy link
Member

Kludex commented May 14, 2025

No.

There's no need for it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Kludex Kludex Kludex approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@LifeLex @Kludex @MadhavVij @seth-addepar @alejandro-perez-faculty