Skip to content

deps(deps): bump gunicorn from 23.0.0 to 26.0.0 in /sample-app#2

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/pip/sample-app/gunicorn-26.0.0
Open

deps(deps): bump gunicorn from 23.0.0 to 26.0.0 in /sample-app#2
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/pip/sample-app/gunicorn-26.0.0

Conversation

@dependabot
Copy link
Copy Markdown

@dependabot dependabot Bot commented on behalf of github May 12, 2026
edited
Loading

Bumps gunicorn from 23.0.0 to 26.0.0.

Release notes

Sourced from gunicorn's releases.

26.0.0

Breaking Changes

  • Eventlet worker removed: The eventlet worker class has been dropped. Migrate to gevent, gthread, or tornado.

New Features

  • ASGI Framework Compatibility Suite: New end-to-end compatibility test harness covering Starlette, FastAPI, Litestar, Quart, Sanic, and BlackSheep. Current grid passes 438/444 tests (98%).
  • ASGI Test Suite Expansion: 134 additional ASGI unit tests covering protocol semantics, lifespan, websockets, and chunked framing.

Security

  • HTTP/1.1 Request-Target Validation (RFC 9112 sections 3.2.3, 3.2.4):
    • Reject authority-form request-target outside CONNECT
    • Reject asterisk-form request-target outside OPTIONS
    • Reject relative-reference request-targets
  • Header Field Hardening (RFC 9110):
    • Reject control characters in header field-value (section 5.5)
    • Reject forbidden trailer field-names (section 6.5.1)
    • Reject Content-Length list form (RFC 9112 section 6.3)
  • Request Smuggling Hardening:
    • Tighten keepalive gate and scope finish_body byte cap
    • Keep _body_receiver alive across the keepalive smuggling gate so pipelined requests cannot re-enter a closed body
    • Address parser/protocol findings from a six-point WSGI/ASGI audit
  • PROXY Protocol (ASGI): Enforce proxy_allow_ips and tighten v1/v2 parsing in the ASGI callback parser.
  • Connection Draining: Drain the connection on close per RFC 9112 section 9.6 to prevent reset-on-close truncation.

Bug Fixes

  • Body Framing on HEAD/204/304:
    • Keep Content-Length on HEAD and 304 responses (#3621)
    • Drop body framing on HEAD/204/304 even when the framework set it
    • Warn once when an ASGI app emits a body for a no-body response
  • HTTP/2 ASGI:
    • Fix _handle_stream_ended to set _body_complete in the async HTTP/2 handler so request bodies finalize correctly on stream end
    • Add InvalidChunkExtension mapping and fast-parser support in ASGI tests (#3565)
  • HTTP/1.1 100-Continue: Stop adding Transfer-Encoding: chunked to 100-Continue interim responses.
  • WebSocket Close Handshake (RFC 6455):
    • Comply with the close handshake state machine
    • Close the transport after the close handshake completes
    • Fix binary send when the text key is None
  • Early Hints: Validate headers in the early_hints callback to match process_headers; pass only the header name to InvalidHeader (#3588).
  • ASGI Framework Fixes:
    • Fix ASGI disconnect handling for Django-style apps
    • Fix Litestar request handling (use raw ASGI receive for body/headers)
    • Fix Litestar HTTP endpoints for compatibility tests
    • Fix Quart headers endpoint to normalize keys to lowercase
    • Fix Quart WebSocket close test app (missing accept())
    • Fix duplicate Transfer-Encoding header for BlackSheep streaming

... (truncated)

Commits
  • 5d819cf release: 26.0.0
  • b45c70d Merge pull request #3611 from zc-mattcen/docs-typo
  • 99c8d48 Merge pull request #3623 from benoitc/chore/drop-eventlet-add-h2-uvloop-test-...
  • 5a655af Merge pull request #3622 from benoitc/test/docker-port-and-ipv4-fixes
  • 201df19 chore: remove eventlet worker; add h2 and uvloop to test deps
  • f4ac8e1 test: pass action name to dirty client and stabilize after TTOU spam
  • 54d38af test: unblock docker fixtures on macOS hosts
  • 68843c8 Merge pull request #3621 from benoitc/fix/asgi-preserve-content-length-on-hea...
  • 31f2618 Merge pull request #3620 from benoitc/fix/asgi-proxy-protocol-trust-and-parsing
  • 41ec752 fix: keep Content-Length on HEAD and 304 responses
  • Additional commits viewable in compare view

@dependabot @github
Copy link
Copy Markdown
Author

dependabot Bot commented on behalf of github May 12, 2026

Labels

The following labels could not be found: dependencies, ecosystem:pip. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot requested a review from morbidsteve as a code owner May 12, 2026 21:03
morbidsteve added a commit that referenced this pull request May 12, 2026
@morbidsteve @claude
Fix run #2 failures: conftest install URL, SLSA subject-name (tagless…
6f7080e 
…), artifact download

- iac job: 'latest/download/conftest_Linux_x86_64.tar.gz' 404s (conftest assets
  are version-named) -> pin v0.56.0, extract to cwd, run ./conftest; also run
  'conftest verify' so Rego compile errors surface in the log.
- container job: actions/attest-build-provenance needs the TAGLESS image name as
  subject-name -> push step now also emits image-name (ghcr.io/<org>/<repo>/sample-app);
  cosign uses name@digest. (Image push + cosign sign already worked; only the SLSA
  attestation step was failing.)
- body-of-evidence: 'download all artifacts' flaked -> download only 'evidence-*'
  (what the aggregator needs) + an optional build-test-results download; dropped the
  redundant standalone SBOM artifacts (anchore/sbom-action artifact-name:) that the
  evidence-* folders already contain.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@dependabot
deps(deps): bump gunicorn from 23.0.0 to 26.0.0 in /sample-app
569be77 
Bumps [gunicorn](https://github.com/benoitc/gunicorn) from 23.0.0 to 26.0.0.
- [Release notes](https://github.com/benoitc/gunicorn/releases)
- [Commits](benoitc/gunicorn@23.0.0...26.0.0)

---
updated-dependencies:
- dependency-name: gunicorn
  dependency-version: 26.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/pip/sample-app/gunicorn-26.0.0 branch from d654f2e to 569be77 Compare May 12, 2026 22:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@morbidsteve morbidsteve Awaiting requested review from morbidsteve morbidsteve is a code owner

Assignees

No one assigned

Labels

dependencies ecosystem:pip semver:major

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants