Update dependency uvicorn to v0.36.0

[renovate]

Coming soon: The Renovate bot (GitHub App) will be renamed to Mend. PRs from Renovate will soon appear from 'Mend'. Learn more here.

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
uvicorn (changelog)	==0.23.2 -> ==0.36.0

---

Release Notes

Kludex/uvicorn (uvicorn)

v0.36.0: Version 0.36.0

Compare Source

Added

• Support custom IOLOOPs by @​gnir-work in #​2435
• Allow to provide importable string in --http, --ws and --loop by @​Kludex in #​2658

---

New Contributors

• @​gnir-work made their first contribution in #​2435
• @​musicinmybrain made their first contribution in #​2659
• @​secrett2633 made their first contribution in #​2684

Full Changelog: Kludex/uvicorn@0.35.0...0.36.0

v0.35.0: Version 0.35.0

Compare Source

Added

• Add WebSocketsSansIOProtocol by @​Kludex in encode#2540

Changed

• Refine help message for option --proxy-headers by @​zhangyoufu in encode#2653

New Contributors

• @​zhangyoufu made their first contribution in encode#2653

Full Changelog: Kludex/uvicorn@0.34.3...0.35.0

v0.34.3: Version 0.34.3

Compare Source

What's Changed

• Don't include cwd() when non-empty --reload-dirs is passed by @​stinovlas in encode#2598
• Apply get_client_addr formatting to WebSocket logging by @​Harry-Lees in encode#2636
• chore: improve type hints by @​waketzheng in encode#2638

New Contributors

• @​stinovlas made their first contribution in encode#2598
• @​LifeLex made their first contribution in encode#2621
• @​Harry-Lees made their first contribution in encode#2636
• @​waketzheng made their first contribution in encode#2638

Full Changelog: Kludex/uvicorn@0.34.2...0.34.3

v0.34.2: Version 0.34.2

Compare Source

What's Changed

• Flush the stdout buffer on Windows to trigger reload by @​jamesh1999 in encode#2604

New Contributors

• @​jamesh1999 made their first contribution in encode#2604

Full Changelog: Kludex/uvicorn@0.34.1...0.34.2

v0.34.1: Version 0.34.1

Compare Source

What's Changed

• Deprecate ServerState in the main module by @​Kludex in encode#2581

New Contributors

• @​RakhimovRamis made their first contribution in encode#2567
• @​carlwgeorge made their first contribution in encode#2590

Full Changelog: Kludex/uvicorn@0.34.0...0.34.1

v0.34.0: Version 0.34.0

Compare Source

What's Changed

• Add content-length to 500 response in wsproto by @​Kludex in encode#2542
• Drop Python 3.8 by @​Kludex in encode#2543

---

Full Changelog: Kludex/uvicorn@0.33.0...0.34.0

v0.33.0: Version 0.33.0

Compare Source

What's Changed

• Remove WatchGod by @​Kludex in encode#2536

New Contributors

• @​bwells made their first contribution in encode#2491
• @​tback made their first contribution in encode#2528

Full Changelog: Kludex/uvicorn@0.32.1...0.33.0

v0.32.1: Version 0.32.1

Compare Source

What's Changed

• Enable httptools lenient data by @​vvanglro in encode#2488
• Drop ASGI spec version to 2.3 on HTTP scope by @​Kludex in encode#2513

---

Full Changelog: Kludex/uvicorn@0.32.0...0.32.1

v0.32.0: Version 0.32.0

Compare Source

Added

• Officially support Python 3.13 (#​2482)
• Warn when max_request_limit is exceeded (#​2430)

---

Full Changelog: Kludex/uvicorn@0.31.1...0.32.0

v0.31.1: Version 0.31.1

Compare Source

Fixed

• Support WebSockets 0.13.1 #​2471
• Restore support for [*] in trusted hosts #​2480
• Add PathLike[str] type hint for ssl_keyfile #​2481

---

Full Changelog: Kludex/uvicorn@0.31.0...0.31.1

v0.31.0: Version 0.31.0

Compare Source

Added

Improve ProxyHeadersMiddleware (#​2468) and (#​2231):

• Fix the host for requests from clients running on the proxy server itself.
• Fallback to host that was already set for empty x-forwarded-for headers.
• Also allow specifying IP Networks as trusted hosts. This greatly simplifies deployments
  on docker swarm/Kubernetes, where the reverse proxy might have a dynamic IP.
  • This includes support for IPv6 Address/Networks.

---

Full Changelog: Kludex/uvicorn@0.30.6...0.31.0

v0.30.6: Version 0.30.6

Compare Source

Fixed

• Don't warn when upgrade is not WebSocket and depedencies are installed (#​2360)

---

Full Changelog: Kludex/uvicorn@0.30.5...0.30.6

v0.30.5: Version 0.30.5

Compare Source

Fixed

• Don't close connection before receiving body on H11 (#​2408)

---

Full Changelog: Kludex/uvicorn@0.30.4...0.30.5

v0.30.4: Version 0.30.4

Compare Source

Fixed

• Close connection when h11 sets client state to MUST_CLOSE #​2375

---

Full Changelog: Kludex/uvicorn@0.30.3...0.30.4

v0.30.3: Version 0.30.3

Compare Source

Fixed

• Suppress KeyboardInterrupt from CLI and programmatic usage (#​2384)
• ClientDisconnect inherits from OSError instead of IOError (#​2393)

---

Full Changelog: Kludex/uvicorn@0.30.2...0.30.3

v0.30.2: Version 0.30.2

Compare Source

Added

• Add reason support to websocket.disconnect event (#​2324)

Fixed

• Iterate subprocesses in-place on the process manager (#​2373)

---

Full Changelog: Kludex/uvicorn@0.30.1...0.30.2

v0.30.1: Version 0.30.1

Compare Source

Fixed

• Allow horizontal tabs \t in response header values (#​2345)

---

Full Changelog: Kludex/uvicorn@0.30.0...0.30.1

v0.30.0: Version 0.30.0

Compare Source

Added

• New multiprocess manager (#​2183)
• Allow ConfigParser or a io.IO[Any] on log_config (#​1976)

Fixed

• Suppress side effects of signal propagation (#​2317)
• Send content-length header on 5xx (#​2304)

Deprecated

• Deprecate the uvicorn.workers module (#​2302)

---

Full Changelog: Kludex/uvicorn@0.29.0...0.30.0

v0.29.0: Version 0.29.0

Compare Source

Added

• Cooperative signal handling by @​maxfischer2781 in encode#1600

---

Full Changelog: Kludex/uvicorn@0.28.1...0.29.0

v0.28.1: Version 0.28.1

Compare Source

Fixed

• Revert raise ClientDisconnected on HTTP (#​2276)

---

Full Changelog: Kludex/uvicorn@0.28.0...0.28.1

v0.28.0: Version 0.28.0

Compare Source

Added

• Raise ClientDisconnected on send() when client disconnected (#​2220) 12/02/24

Fixed

• Except AttributeError on sys.stdin.fileno() for Windows IIS10 (#​1947) 29/02/24
• Use X-Forwarded-Proto for WebSockets scheme when the proxy provides it (#​2258) 01/03/24

---

Full Changelog: Kludex/uvicorn@0.27.1...0.28.0

v0.27.1: Version 0.27.1

Compare Source

Fixed

• Fix spurious h11.LocalProtocolError errors when processing pipelined requests (#​2243) 10/02/24

---

Full Changelog: Kludex/uvicorn@0.27.0.post1...0.27.1

v0.27.0.post1: Version 0.27.0.post1

Compare Source

Fixed

• Fix nav overrides for newer version of Mkdocs Material (#​2233) 26/01/24

---

Full Changelog: Kludex/uvicorn@0.27.0...0.27.0.post1

v0.27.0: Version 0.27.0

Compare Source

Added

• Raise ClientDisconnect(IOError) on send() when client disconnected (#​2218) 19/01/24
• Bump ASGI WebSocket spec version to 2.4 (#​2221) 20/01/24

---

Full Changelog: Kludex/uvicorn@0.26.0...0.27.0

v0.26.0: Version 0.26.0

Compare Source

Changed

• Update --root-path to include the root path prefix in the full ASGI path as per the ASGI spec (#​2213) 16/01/24
• Use __future__.annotations on some internal modules (#​2199) 16/01/24

---

Full Changelog: Kludex/uvicorn@0.25.0...0.26.0

v0.25.0: Version 0.25.0

Compare Source

Added

• Support the WebSocket Denial Response ASGI extension (#​1916) 17/12/23

Fixed

• Allow explicit hidden file paths on --reload-include (#​2176) 08/12/23
• Properly annotate uvicorn.run() (#​2158) 22/11/23

---

Full Changelog: Kludex/uvicorn@0.24.0...0.25.0

v0.24.0.post1: Version 0.24.0.post1

Compare Source

Fixed

• Revert mkdocs-material from 9.1.21 to 9.2.6 (#​2148) 05/11/23

v0.24.0: Version 0.24.0

Compare Source

Added

• Support Python 3.12 (#​2145) 04/11/23
• Allow setting app via environment variable UVICORN_APP (#​2106)

---

Full Changelog: Kludex/uvicorn@0.23.2...0.24.0

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[dryrunsecurity]

No security concerns detected in this pull request.

---

All finding details can be found in the DryRun Security Dashboard.

[dryrunsecurity]

This pull request introduces new dependencies (uvicorn and fastapi) which theoretically expand the potential attack surface, but no specific known vulnerabilities were identified for the current versions at the time of review.

Supply Chain Risk in requirements.txt

Vulnerability

Supply Chain Risk

Description

While the addition of new dependencies (uvicorn and fastapi) does theoretically increase the potential attack surface, no specific known vulnerabilities were found for the exact versions (uvicorn 0.35.0 and fastapi 0.103.1) at the time of this review. The suggested vulnerability is partially valid in principle - adding dependencies can introduce risks - but lacks concrete evidence of an immediate security threat for these specific versions.

scsctl/requirements.txt

Lines 5 to 9 in 637f050

	questionary==1.10.0
	tabulate==0.9.0
	kubernetes==27.2.0
	uvicorn==0.35.0
	fastapi==0.103.1

---

All finding details can be found in the DryRun Security Dashboard.