Update dependency gunicorn to v26 #161

Open
renovate-bot wants to merge 1 commit from renovate/gunicorn-26.x into master

This PR contains the following updates:

| Package | Change |
|---|---|
| gunicorn (changelog) | `==25.3.0` → `==26.0.0` |

Release Notes

benoitc/gunicorn (gunicorn)

v26.0.0

Compare Source

Breaking Changes

  • Eventlet worker removed: The eventlet worker class has been dropped. Migrate to gevent, gthread, or tornado.

New Features

  • ASGI Framework Compatibility Suite: New end-to-end compatibility test harness covering Starlette, FastAPI, Litestar, Quart, Sanic, and BlackSheep. Current grid passes 438/444 tests (98%).
  • ASGI Test Suite Expansion: 134 additional ASGI unit tests covering protocol semantics, lifespan, websockets, and chunked framing.

Security

  • HTTP/1.1 Request-Target Validation (RFC 9112 sections 3.2.3, 3.2.4):
    • Reject authority-form request-target outside CONNECT
    • Reject asterisk-form request-target outside OPTIONS
    • Reject relative-reference request-targets
  • Header Field Hardening (RFC 9110):
    • Reject control characters in header field-value (section 5.5)
    • Reject forbidden trailer field-names (section 6.5.1)
    • Reject Content-Length list form (RFC 9112 section 6.3)
  • Request Smuggling Hardening:
    • Tighten keepalive gate and scope finish_body byte cap
    • Keep _body_receiver alive across the keepalive smuggling gate so pipelined requests cannot re-enter a closed body
    • Address parser/protocol findings from a six-point WSGI/ASGI audit
  • PROXY Protocol (ASGI): Enforce proxy_allow_ips and tighten v1/v2 parsing in the ASGI callback parser.
  • Connection Draining: Drain the connection on close per RFC 9112 section 9.6 to prevent reset-on-close truncation.

Bug Fixes

  • Body Framing on HEAD/204/304:
    • Keep Content-Length on HEAD and 304 responses (#3621)
    • Drop body framing on HEAD/204/304 even when the framework set it
    • Warn once when an ASGI app emits a body for a no-body response
  • HTTP/2 ASGI:
    • Fix _handle_stream_ended to set _body_complete in the async HTTP/2 handler so request bodies finalize correctly on stream end
    • Add InvalidChunkExtension mapping and fast-parser support in ASGI tests (#3565)
  • HTTP/1.1 100-Continue: Stop adding Transfer-Encoding: chunked to 100-Continue interim responses.
  • WebSocket Close Handshake (RFC 6455):
    • Comply with the close handshake state machine
    • Close the transport after the close handshake completes
    • Fix binary send when the text key is None
  • Early Hints: Validate headers in the early_hints callback to match process_headers; pass only the header name to InvalidHeader (#3588).
  • ASGI Framework Fixes:
    • Fix ASGI disconnect handling for Django-style apps
    • Fix Litestar request handling (use raw ASGI receive for body/headers)
    • Fix Litestar HTTP endpoints for compatibility tests
    • Fix Quart headers endpoint to normalize keys to lowercase
    • Fix Quart WebSocket close test app (missing accept())
    • Fix duplicate Transfer-Encoding header for BlackSheep streaming

Refactoring

  • Split BodyReceiver._closed into separate transport and body-wait flags for clearer keepalive/EOF semantics.

Changes

  • Fast HTTP Parser: Require gunicorn_h1c >= 0.6.5. Drop the last python_only test markers; the C extension is now used wherever available (CPython only; PyPy continues to use the Python parser).
  • Test Dependencies: Add h2 and uvloop to the testing extra; remove eventlet.
  • Docker Build: Bump GitHub Actions docker/setup-qemu-action, docker/setup-buildx-action, docker/login-action, docker/build-push-action, and docker/metadata-action to current major versions.

Full changelog: https://github.com/benoitc/gunicorn/compare/25.3.0...26.0.0


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.
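
The request-target and header-field rejections listed under Security in the release notes can be run against captured request heads to see which upstream traffic would start failing after this upgrade. The Python sketch below is an added example, not gunicorn's parser and not part of this PR; the function names and sample requests are constructed, and it covers only the three request-target rules, control characters in field values, and the `Content-Length` list form.

```python
import re
from typing import List, Optional

# Added illustration of the rejections listed in the release notes.
# Not gunicorn's parser; names and sample requests are constructed.
AUTHORITY = re.compile(r"[^/?#@\s]+:\d+")             # host:port
ABSOLUTE = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*://")  # scheme://...
CTL = re.compile(rb"[\x00-\x08\x0a-\x1f\x7f]")        # controls except HTAB
DIGITS = re.compile(rb"[0-9]+")


def check_request_target(method: str, target: str) -> Optional[str]:
    """Return a rejection reason, or None when the form fits the method."""
    if target == "*":
        return None if method == "OPTIONS" else "asterisk-form outside OPTIONS"
    if AUTHORITY.fullmatch(target):
        return None if method == "CONNECT" else "authority-form outside CONNECT"
    if target.startswith("/") or ABSOLUTE.match(target):
        return None  # origin-form or absolute-form
    return "relative-reference request-target"


def audit_request(raw: bytes) -> List[str]:
    """Check one request head (the bytes before the blank line)."""
    lines = raw.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    method, target, _version = lines[0].decode("latin-1").split(" ", 2)
    findings = []
    reason = check_request_target(method, target)
    if reason:
        findings.append(reason)
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        value = value.strip(b" \t")
        if CTL.search(value):
            findings.append("control character in %s value" % name.decode("latin-1"))
        if name.lower() == b"content-length" and not DIGITS.fullmatch(value):
            findings.append("Content-Length is not a single decimal value")
    return findings


SAMPLES = [  # constructed request heads
    b"GET /health HTTP/1.1\r\nHost: app\r\n\r\n",
    b"GET example.com:443 HTTP/1.1\r\nHost: app\r\n\r\n",
    b"GET * HTTP/1.1\r\nHost: app\r\n\r\n",
    b"GET index.html HTTP/1.1\r\nHost: app\r\n\r\n",
    b"POST /u HTTP/1.1\r\nHost: app\r\nContent-Length: 5, 5\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: app\r\nX-Note: a\x00b\r\n\r\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(raw.split(b"\r\n", 1)[0], audit_request(raw))
```

A non-empty result for traffic from a health checker or proxy in front of the service indicates a client that needs fixing before 26.0.0 is deployed.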

Update dependency gunicorn to v26
All checks were successful
Python formatting PEP8 / Python-PEP8 (push) Successful in 12s
Renovate / forgejo (push) Successful in 22s
Test / test (push) Successful in 16s
Test / test (pull_request) Successful in 15s
2246344bcd
Reference
finn/reminder!161