Skip to content

Bump gunicorn from 20.0.4 to 22.0.0#269

Merged
eric-eclecticiq merged 4 commits into
masterfrom
dependabot/pip/gunicorn-22.0.0
Dec 9, 2025
Merged

Bump gunicorn from 20.0.4 to 22.0.0#269
eric-eclecticiq merged 4 commits into
masterfrom
dependabot/pip/gunicorn-22.0.0

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Apr 17, 2024
edited
Loading

Bumps gunicorn from 20.0.4 to 22.0.0.

Release notes

Sourced from gunicorn's releases.

Gunicorn 22.0 has been released

Gunicorn 22.0.0 has been released. This version fix the numerous security vulnerabilities. You're invited to upgrade asap your own installation.

Changes:

22.0.0 - 2024-04-17
===================

    

  • use utime to notify workers liveness
    • 

  • migrate setup to pyproject.toml
    • 

  • fix numerous security vulnerabilities in HTTP parser (closing some request smuggling vectors)
    • 

  • parsing additional requests is no longer attempted past unsupported request framing
    • 

  • on HTTP versions < 1.1 support for chunked transfer is refused (only used in exploits)
    • 

  • requests conflicting configured or passed SCRIPT_NAME now produce a verbose error
    • 

  • Trailer fields are no longer inspected for headers indicating secure scheme
    • 

  • support Python 3.12
    • 



** Breaking changes **


    

  • minimum version is Python 3.7
    • 

  • the limitations on valid characters in the HTTP method have been bounded to Internet Standards
    • 

  • requests specifying unsupported transfer coding (order) are refused by default (rare)
    • 

  • HTTP methods are no longer casefolded by default (IANA method registry contains none affected)
    • 

  • HTTP methods containing the number sign (#) are no longer accepted by default (rare)
    • 

  • HTTP versions < 1.0 or >= 2.0 are no longer accepted by default (rare, only HTTP/1.1 is supported)
    • 

  • HTTP versions consisting of multiple digits or containing a prefix/suffix are no longer accepted
    • 

  • HTTP header field names Gunicorn cannot safely map to variables are silently dropped, as in other software
    • 

  • HTTP headers with empty field name are refused by default (no legitimate use cases, used in exploits)
    • 

  • requests with both Transfer-Encoding and Content-Length are refused by default (such a message might indicate an attempt to perform request smuggling)
    • 

  • empty transfer codings are no longer permitted (reportedly seen with really old & broken proxies)
    • 



** SECURITY **


    

  • fix CVE-2024-1135
  1. Documentation is available there: https://docs.gunicorn.org/en/stable/news.html
  2. Packages: https://pypi.org/project/gunicorn/

Gunicorn 21.2.0 has been released

Gunicorn 21.2.0 has been released. This version fix the issue introduced in the threaded worker.

Changes:

21.2.0 - 2023-07-19
===================
fix thread worker: revert change considering connection as idle .
</tr></table>

... (truncated)

Commits
  • f63d59e bump to 22.0
  • 4ac81e0 Merge pull request #3175 from e-kwsm/typo
  • 401cecf Merge pull request #3179 from dhdaines/exclude-eventlet-0360
  • 0243ec3 fix(deps): exclude eventlet 0.36.0
  • 628a0bc chore: fix typos
  • 88fc4a4 Merge pull request #3131 from pajod/patch-py12-rebased
  • deae2fc CI: back off the agressive timeout
  • f470382 docs: promise 3.12 compat
  • 5e30bfa add changelog to project.urls (updated for PEP621)
  • 481c3f9 remove setup.cfg - overridden by pyproject.toml
  • Additional commits viewable in compare view

Dependabot compatibility score

You can trigger a rebase of this PR by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

@dependabot
Bump gunicorn from 20.0.4 to 22.0.0
75014ac 
Bumps [gunicorn](https://github.com/benoitc/gunicorn) from 20.0.4 to 22.0.0.
- [Release notes](https://github.com/benoitc/gunicorn/releases)
- [Commits](benoitc/gunicorn@20.0.4...22.0.0)

---
updated-dependencies:
- dependency-name: gunicorn
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Apr 17, 2024
@Morikko
Merge remote-tracking branch 'origin' into dependabot/pip/gunicorn-22…
864e955 
….0.0

* origin: (62 commits)
  Fix merging
  Align isort check
  ignore blame to sort import
  Sort import on the codebase
  Add isort
  Ignore blame for black format applied to codebase
  Update python version for publishing
  Drop python 3.8 and 3.9
  Remove sqlalchemy 1.3
  Make it flake8 compatible
  Apply black format to the codebase
  Add black to the project and CI
  Install base dep for pypy
  Clean requirements
  Better tox config to install deps
  Force sqlalchemy 1.4 at least
  Fix pypy installation
  Add some docstrings
  Do not install mypy for Pypy env
  Remove sqlalchemy 1.3
  ...
@Morikko
Merge remote-tracking branch 'origin' into dependabot/pip/gunicorn-22…
4320100 
….0.0

* origin:
  Use constant containers
  Fix tests
  Fix test 2
  Fix test
  Add test forgotten
  Test Account model permission setter
  Fix test
  Pin SQLalchemy to less than 2.0
  Type OpenTAXIIAuthAPI and subclass
  Consider --admin flag in CLI
  Add TAXII2 in the default config
  Put back TAXII2 independant read write permission
  Move TAXII1 collection perssion check
  Fix types
  Fix can_read & can_write
  Fix legagy ENV in docker build
  Title case
@Morikko
Fix type
dbe7e1f
@eric-eclecticiq eric-eclecticiq merged commit 1030318 into master Dec 9, 2025
7 checks passed
@dependabot dependabot Bot deleted the dependabot/pip/gunicorn-22.0.0 branch December 9, 2025 10:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@eric-eclecticiq @Morikko