Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update dependency httpx to v0.23.0 [security] #1401

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

chore(deps): update dependency httpx to v0.23.0 [security] #1401

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Aug 6, 2024
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
httpx (changelog) ==0.19.0 -> ==0.23.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2021-41945

Encode OSS httpx <=1.0.0.beta0 is affected by improper input validation in httpx.URL, httpx.Client and some functions using httpx.URL.copy_with.

Release Notes

encode/httpx (httpx)

v0.23.0

Compare Source

Changed
  • Drop support for Python 3.6. (#​2097)
  • Use utf-8 as the default character set, instead of falling back to charset-normalizer for auto-detection. To enable automatic character set detection, see the documentation. (#​2165)
Fixed
  • Fix URL.copy_with for some oddly formed URL cases. (#​2185)
  • Digest authentication should use case-insensitive comparison for determining which algorithm is being used. (#​2204)
  • Fix console markup escaping in command line client. (#​1866)
  • When files are used in multipart upload, ensure we always seek to the start of the file. (#​2065)
  • Ensure that iter_bytes never yields zero-length chunks. (#​2068)
  • Preserve Authorization header for redirects that are to the same origin, but are an http-to-https upgrade. (#​2074)
  • When responses have binary output, don't print the output to the console in the command line client. Use output like <16086 bytes of binary data> instead. (#​2076)
  • Fix display of --proxies argument in the command line client help. (#​2125)
  • Close responses when task cancellations occur during stream reading. (#​2156)
  • Fix type error on accessing .request on HTTPError exceptions. (#​2158)

v0.22.0

Compare Source

Added
Fixed
  • Don't perform unreliable close/warning on __del__ with unclosed clients. (#​2026)
  • Fix Headers.update(...) to correctly handle repeated headers (#​2038)

v0.21.3

Compare Source

Fixed
  • Fix streaming uploads using SyncByteStream or AsyncByteStream. Regression in 0.21.2. (#​2016)

v0.21.2

Compare Source

Fixed
  • HTTP/2 support for tunnelled proxy cases. (#​2009)
  • Improved the speed of large file uploads. (#​1948)

v0.21.1

Compare Source

Fixed
  • The response.url property is now correctly annotated as URL, instead of Optional[URL]. (#​1940)

v0.21.0

Compare Source

The 0.21.0 release integrates against a newly redesigned httpcore backend.

Both packages ought to automatically update to the required versions, but if you are
seeing any issues, you should ensure that you have httpx==0.21.* and httpcore==0.14.* installed.

Added
  • The command-line client will now display connection information when -v/--verbose is used.
  • The command-line client will now display server certificate information when -v/--verbose is used.
  • The command-line client is now able to properly detect if the outgoing request
    should be formatted as HTTP/1.1 or HTTP/2, based on the result of the HTTP/2 negotiation.
Removed
  • Curio support is no longer currently included. Please get in touch if you require this, so that we can assess priorities.

v0.20.0

Compare Source

The 0.20.0 release adds an integrated command-line client, and also includes some
design changes. The most notable of these is that redirect responses are no longer
automatically followed, unless specifically requested.

This design decision prioritises a more explicit approach to redirects, in order
to avoid code that unintentionally issues multiple requests as a result of
misconfigured URLs.

For example, previously a client configured to send requests to http://api.github.com/
would end up sending every API request twice, as each request would be redirected to https://api.github.com/.

If you do want auto-redirect behaviour, you can enable this either by configuring
the client instance with Client(follow_redirects=True), or on a per-request
basis, with .get(..., follow_redirects=True).

This change is a classic trade-off between convenience and precision, with no "right"
answer. See discussion #​1785 for more
context.

The other major design change is an update to the Transport API, which is the low-level
interface against which requests are sent. Previously this interface used only primitive
datastructures, like so...

(status_code, headers, stream, extensions) = transport.handle_request(method, url, headers, stream, extensions)
try
    ...
finally:
    stream.close()

Now the interface is much simpler...

response = transport.handle_request(request)
try
    ...
finally:
    response.close()
Changed
  • The allow_redirects flag is now follow_redirects and defaults to False.
  • The raise_for_status() method will now raise an exception for any responses
    except those with 2xx status codes. Previously only 4xx and 5xx status codes
    would result in an exception.
  • The low-level transport API changes to the much simpler response = transport.handle_request(request).
  • The client.send() method no longer accepts a timeout=... argument, but the
    client.build_request() does. This required by the signature change of the
    Transport API. The request timeout configuration is now stored on the request
    instance, as request.extensions['timeout'].
Added
  • Added the httpx command-line client.
  • Response instances now include .is_informational, .is_success, .is_redirect, .is_client_error, and .is_server_error
    properties for checking 1xx, 2xx, 3xx, 4xx, and 5xx response types. Note that the behaviour of .is_redirect is slightly different in that it now returns True for all 3xx responses, in order to allow for a consistent set of properties onto the different HTTP status code types. The response.has_redirect_location location may be used to determine responses with properly formed URL redirects.
Fixed
  • response.iter_bytes() no longer raises a ValueError when called on a response with no content. (Pull #​1827)
  • The 'wsgi.error' configuration now defaults to sys.stderr, and is corrected to be a TextIO interface, not a BytesIO interface. Additionally, the WSGITransport now accepts a wsgi_error configuration. (Pull #​1828)
  • Follow the WSGI spec by properly closing the iterable returned by the application. (Pull #​1830)

Configuration

📅 Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants