Skip to content

build(deps): bump daphne from 4.2.1 to 4.2.2#600

Merged
github-actions[bot] merged 1 commit into
mainfrom
dependabot/pip/daphne-4.2.2
Jul 11, 2026
Merged

build(deps): bump daphne from 4.2.1 to 4.2.2#600
github-actions[bot] merged 1 commit into
mainfrom
dependabot/pip/daphne-4.2.2

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 11, 2026

Copy link
Copy Markdown
Contributor

Bumps daphne from 4.2.1 to 4.2.2.

Changelog

Sourced from daphne's changelog.

4.2.2 (2026-06-03)

  • Fixed a denial of service vulnerability via unbounded WebSocket message sizes. Daphne previously passed no message or frame size limits to autobahn, whose defaults are unbounded. This allowed an unauthenticated client to exhaust server memory by sending a very large WebSocket messages/frames (CVE-2026-44545).

    Both limits now default to 1 MiB and can be configured via the new --websocket-max-message-size and --websocket-max-frame-size CLI flags (or the matching Server constructor arguments). Pass 0 to restore the previous unlimited behaviour.

    Thanks to ParkHyunWoo for the report.

  • Fixed a header injection vulnerability on the WebSocket upgrade path (CVE-2026-44546).

    Header values containing \x0b, \x0c, \x1c, \x1d, \x1e, or \x85 were parsed as a single header by Twisted but split into multiple headers by autobahn during the WebSocket handshake. An attacker could exploit this parser differential to smuggle additional headers (e.g. authentication tokens, X-Forwarded-For, Origin, Daphne-Root-Path) into the ASGI scope passed to the application.

    Daphne now rejects requests carrying these bytes in any header value with a 400 Bad Request response, as required by RFC 9110 §5.5.

    Thanks to Rene Henningsen for the report.

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [daphne](https://github.com/django/daphne) from 4.2.1 to 4.2.2.
- [Changelog](https://github.com/django/daphne/blob/main/CHANGELOG.txt)
- [Commits](django/daphne@4.2.1...4.2.2)

---
updated-dependencies:
- dependency-name: daphne
  dependency-version: 4.2.2
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Jul 11, 2026
@github-actions
github-actions Bot enabled auto-merge (squash) July 11, 2026 23:03
@github-actions
github-actions Bot merged commit c78e974 into main Jul 11, 2026
12 checks passed
@github-actions
github-actions Bot deleted the dependabot/pip/daphne-4.2.2 branch July 11, 2026 23:04
@codecov

codecov Bot commented Jul 11, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 89.16%. Comparing base (217331b) to head (2e1cd70).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #600   +/-   ##
=======================================
  Coverage   89.16%   89.16%           
=======================================
  Files          40       40           
  Lines        2224     2224           
  Branches      227      237   +10     
=======================================
  Hits         1983     1983           
  Misses        231      231           
  Partials       10       10           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file python Pull requests that update Python code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants