Skip to content

Bump gunicorn from 25.2.0 to 25.3.0 in the infra group across 1 directory#1285

Merged
malcolmbaig merged 1 commit intomainfrom
dependabot/uv/infra-24a0d73f5d
Apr 8, 2026
Merged

Bump gunicorn from 25.2.0 to 25.3.0 in the infra group across 1 directory#1285
malcolmbaig merged 1 commit intomainfrom
dependabot/uv/infra-24a0d73f5d

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot bot commented on behalf of github Apr 3, 2026
edited
Loading

Bumps the infra group with 1 update in the / directory: gunicorn.

Updates gunicorn from 25.2.0 to 25.3.0

Release notes

Sourced from gunicorn's releases.

Gunicorn 25.3.0

Bug Fixes

  • HTTP/2 ASGI Body Duplication: Fix request body being received twice in HTTP/2 ASGI requests, causing JSON parsing errors with "Extra data" messages (#3558)

  • ASGI Chunked EOF Handling: Add finish() method to callback parser to handle chunked encoding edge case where connection closes before final CRLF after zero-chunk

  • HTTP/2 Documentation: Fix http_protocols examples to use comma-separated string instead of list syntax (#3561)

  • Chunked Encoding: Reject chunk extensions containing bare CR bytes per RFC 9112 (#3556)

  • Request Line Limit: Fix --limit-request-line 0 to mean unlimited as documented, instead of using default maximum. Works with both Python and fast C parser. (#3563)

Security

  • ASGI Parser Header Validation: Add security checks per RFC 9110/9112:
    • Reject duplicate Content-Length headers
    • Reject requests with both Content-Length and Transfer-Encoding
    • Reject chunked transfer encoding in HTTP/1.0
    • Reject stacked chunked encoding
    • Validate Transfer-Encoding values
    • Strict chunk size validation

Changes

  • Fast HTTP Parser: Update to gunicorn_h1c >= 0.6.3 for asgi_headers property and InvalidChunkExtension validation for bare CR rejection

  • ASGI PROXY Protocol: Add PROXY protocol v1/v2 support to callback parser

  • Docker Images: Update to Python 3.14

Commits
  • 9bce72c Update changelog with missing 25.3.0 changes
  • 2a15fdb Fix pylint isinstance-second-argument-not-valid-type warning
  • 8d08aaa Fix --limit-request-line 0 to mean unlimited
  • d40a374 Fix pytest-asyncio configuration and treq_asgi hex escapes
  • da8bd48 Remove unused AsyncRequest class
  • b00f125 Integrate gunicorn_h1c 0.6.3 with InvalidChunkExtension support
  • bdb2ebd Reject chunk extensions with bare CR bytes (RFC 9112)
  • 7057fc9 Fix http_protocols documentation to use string syntax
  • d43acb8 Update to gunicorn_h1c >= 0.6.2 for asgi_headers support
  • cbd27e8 Merge pull request #3559 from benleembruggen/fix/http2-asgi-body-duplication
  • Additional commits viewable in compare view

@dependabot dependabot bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels Apr 3, 2026
@dependabot
Bump gunicorn from 25.2.0 to 25.3.0 in the infra group
50d4037 
Bumps the infra group with 1 update: [gunicorn](https://github.com/benoitc/gunicorn).


Updates `gunicorn` from 25.2.0 to 25.3.0
- [Release notes](https://github.com/benoitc/gunicorn/releases)
- [Commits](benoitc/gunicorn@25.2.0...25.3.0)

---
updated-dependencies:
- dependency-name: gunicorn
  dependency-version: 25.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: infra
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot changed the title Bump gunicorn from 25.2.0 to 25.3.0 in the infra group Bump gunicorn from 25.2.0 to 25.3.0 in the infra group across 1 directory Apr 8, 2026
@dependabot dependabot bot force-pushed the dependabot/uv/infra-24a0d73f5d branch from e3ffe4f to 50d4037 Compare April 8, 2026 08:46
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud bot commented Apr 8, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@malcolmbaig malcolmbaig merged commit 4af401c into main Apr 8, 2026
12 checks passed
@malcolmbaig malcolmbaig deleted the dependabot/uv/infra-24a0d73f5d branch April 8, 2026 13:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@malcolmbaig malcolmbaig malcolmbaig approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@malcolmbaig