Skip to content

Bump h11 #2621

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Kludex merged 1 commit into from
May 11, 2025
Merged

Bump h11 #2621

Kludex merged 1 commit into from
May 11, 2025

Conversation

@LifeLex
Copy link
Contributor

@LifeLex LifeLex commented Apr 24, 2025
edited
Loading

Summary

h11 has now released version 0.16.0 which amongst other things fixes a vulnerability, I've updated the requirements in uvicorn to use this release instead of targeting the main branch so we can use the latest tagged release and avoid this vulnerability

                            Vulnerable Dependencies                             
┏━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━┓
┃ Package     ┃ Version        ┃ Vulnerability ID            ┃ Fix Versions    ┃
┡━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━┩
│ h11         │ 0.14.0         │ GHSA-vqfr-h8mv-ghfj         │ 0.16.0          │
└─────────────┴────────────────┴─────────────────────────────┴─────────────────┘

Checklist

  • I understand that this PR may be closed in case there was no previous discussion. (This doesn't apply to typos!)
  • I've added a test for each change that was introduced, and I tried as much as possible to make a single atomic change.
  • I've updated the documentation accordingly.

@LifeLex LifeLex changed the title Update h11 dependency to latest version Update h11 dependency to fix security vulnerability Apr 24, 2025
@Kludex
Copy link
Owner

Kludex commented Apr 25, 2025
edited
Loading

A note that when a dependency has a vulnerability issue, we are not forced to update the constraints. Users can already bump their h11 version.

The vulnerability is on the dependency, not on uvicorn.

That said, I'll merge this soon.

@Kludex Kludex changed the title Update h11 dependency to fix security vulnerability Bump h11 Apr 25, 2025
@MadhavVij
Copy link

MadhavVij commented Apr 29, 2025

Any update on when will this be merged and released?

@Kludex
Copy link
Owner

Kludex commented May 1, 2025

I think there's a TODO on h11_impl.py about changing something when this is released. I'll check later.

@MadhavVij
Copy link

MadhavVij commented May 2, 2025

Thanks for the update!

@Kludex
Copy link
Owner

Kludex commented May 11, 2025

Well... I'm not sure if you intended to create this PR... This PR doesn't make you require h11 >= 0.16 when installing uvicorn - it just bumps when developing in this repository.

@Kludex
Copy link
Owner

Kludex commented May 11, 2025

I'll merge this because it removes the git installation.

@Kludex Kludex merged commit bc79505 into Kludex:master May 11, 2025
16 checks passed
@seth-addepar
Copy link

seth-addepar commented May 14, 2025

To Kludex's point, should we update https://github.com/encode/uvicorn/blob/master/pyproject.toml#L34 to ensure that consumers of uvicorn are not pulling in a vulnerable version of h11?

@Kludex
Copy link
Owner

Kludex commented May 14, 2025

No.

There's no need for it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Kludex Kludex Kludex approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@LifeLex @Kludex @MadhavVij @seth-addepar @alejandro-perez-faculty