Skip to content

fix(deps): update dependency httpx to v0.23.0 [security] #4

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

fix(deps): update dependency httpx to v0.23.0 [security] #4

wants to merge 1 commit into from

Conversation

@renovate
Copy link

@renovate renovate bot commented May 15, 2025

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
httpx (changelog) ==0.18.2 -> ==0.23.0 age adoption passing confidence
httpx (changelog) >=0.18.0 -> >=0.23.0 age adoption passing confidence
httpx (changelog) >= 0.18.0 -> >=0.23.0 age adoption passing confidence

CVE-2021-41945 / GHSA-h8pj-cxx2-jfg2 / PYSEC-2022-183

More information

Details

Encode OSS httpx <=1.0.0.beta0 is affected by improper input validation in httpx.URL, httpx.Client and some functions using httpx.URL.copy_with.

Severity

Unknown

References

This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).

Improper Input Validation in httpx

CVE-2021-41945 / GHSA-h8pj-cxx2-jfg2 / PYSEC-2022-183

More information

Details

Encode OSS httpx <=1.0.0.beta0 is affected by improper input validation in httpx.URL, httpx.Client and some functions using httpx.URL.copy_with.

Severity

  • CVSS Score: 9.1 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

encode/httpx (httpx)

v0.23.0

Compare Source

Changed
  • Drop support for Python 3.6. (#​2097)
  • Use utf-8 as the default character set, instead of falling back to charset-normalizer for auto-detection. To enable automatic character set detection, see the documentation. (#​2165)
Fixed
  • Fix URL.copy_with for some oddly formed URL cases. (#​2185)
  • Digest authentication should use case-insensitive comparison for determining which algorithm is being used. (#​2204)
  • Fix console markup escaping in command line client. (#​1866)
  • When files are used in multipart upload, ensure we always seek to the start of the file. (#​2065)
  • Ensure that iter_bytes never yields zero-length chunks. (#​2068)
  • Preserve Authorization header for redirects that are to the same origin, but are an http-to-https upgrade. (#​2074)
  • When responses have binary output, don't print the output to the console in the command line client. Use output like <16086 bytes of binary data> instead. (#​2076)
  • Fix display of --proxies argument in the command line client help. (#​2125)
  • Close responses when task cancellations occur during stream reading. (#​2156)
  • Fix type error on accessing .request on HTTPError exceptions. (#​2158)

v0.22.0

Compare Source

Added
Fixed
  • Don't perform unreliable close/warning on __del__ with unclosed clients. (#​2026)
  • Fix Headers.update(...) to correctly handle repeated headers (#​2038)

v0.21.3

Compare Source

Fixed
  • Fix streaming uploads using SyncByteStream or AsyncByteStream. Regression in 0.21.2. (#​2016)

v0.21.2

Compare Source

Fixed
  • HTTP/2 support for tunnelled proxy cases. (#​2009)
  • Improved the speed of large file uploads. (#​1948)

v0.21.1

Compare Source

Fixed
  • The response.url property is now correctly annotated as URL, instead of Optional[URL]. (#​1940)

v0.21.0

Compare Source

The 0.21.0 release integrates against a newly redesigned httpcore backend.

Both packages ought to automatically update to the required versions, but if you are
seeing any issues, you should ensure that you have httpx==0.21.* and httpcore==0.14.* installed.

Added
  • The command-line client will now display connection information when -v/--verbose is used.
  • The command-line client will now display server certificate information when -v/--verbose is used.
  • The command-line client is now able to properly detect if the outgoing request
    should be formatted as HTTP/1.1 or HTTP/2, based on the result of the HTTP/2 negotiation.
Removed
  • Curio support is no longer currently included. Please get in touch if you require this, so that we can assess priorities.

v0.20.0

Compare Source

The 0.20.0 release adds an integrated command-line client, and also includes some
design changes. The most notable of these is that redirect responses are no longer
automatically followed, unless specifically requested.

This design decision prioritises a more explicit approach to redirects, in order
to avoid code that unintentionally issues multiple requests as a result of
misconfigured URLs.

For example, previously a client configured to send requests to http://api.github.com/
would end up sending every API request twice, as each request would be redirected to https://api.github.com/.

If you do want auto-redirect behaviour, you can enable this either by configuring
the client instance with Client(follow_redirects=True), or on a per-request
basis, with .get(..., follow_redirects=True).

This change is a classic trade-off between convenience and precision, with no "right"
answer. See discussion #​1785 for more
context.

The other major design change is an update to the Transport API, which is the low-level
interface against which requests are sent. Previously this interface used only primitive
datastructures, like so...

(status_code, headers, stream, extensions) = transport.handle_request(method, url, headers, stream, extensions)
try
    ...
finally:
    stream.close()

Now the interface is much simpler...

response = transport.handle_request(request)
try
    ...
finally:
    response.close()
Changed
  • The allow_redirects flag is now follow_redirects and defaults to False.
  • The raise_for_status() method will now raise an exception for any responses
    except those with 2xx status codes. Previously only 4xx and 5xx status codes
    would result in an exception.
  • The low-level transport API changes to the much simpler response = transport.handle_request(request).
  • The client.send() method no longer accepts a timeout=... argument, but the
    client.build_request() does. This required by the signature change of the
    Transport API. The request timeout configuration is now stored on the request
    instance, as request.extensions['timeout'].
Added
  • Added the httpx command-line client.
  • Response instances now include .is_informational, .is_success, .is_redirect, .is_client_error, and .is_server_error
    properties for checking 1xx, 2xx, 3xx, 4xx, and 5xx response types. Note that the behaviour of .is_redirect is slightly different in that it now returns True for all 3xx responses, in order to allow for a consistent set of properties onto the different HTTP status code types. The response.has_redirect_location location may be used to determine responses with properly formed URL redirects.
Fixed
  • response.iter_bytes() no longer raises a ValueError when called on a response with no content. (Pull #​1827)
  • The 'wsgi.error' configuration now defaults to sys.stderr, and is corrected to be a TextIO interface, not a BytesIO interface. Additionally, the WSGITransport now accepts a wsgi_error configuration. (Pull #​1828)
  • Follow the WSGI spec by properly closing the iterable returned by the application. (Pull #​1830)

v0.19.0

Compare Source

Added
  • Add support for Client(allow_redirects=<bool>). (Pull #​1790)
  • Add automatic character set detection, when no charset is included in the response Content-Type header. (Pull #​1791)
Changed
  • Event hooks are now also called for any additional redirect or auth requests/responses. (Pull #​1806)
  • Strictly enforce that upload files must be opened in binary mode. (Pull #​1736)
  • Strictly enforce that client instances can only be opened and closed once, and cannot be re-opened. (Pull #​1800)
  • Drop mode argument from httpx.Proxy(..., mode=...). (Pull #​1795)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@emdneto emdneto closed this May 15, 2025
@renovate
Copy link
Author

renovate bot commented May 15, 2025

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (==0.23.0). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

@renovate renovate bot deleted the renovate/pypi-httpx-vulnerability branch May 15, 2025 12:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@emdneto