
Update dependency httpx to v0.23.0 [SECURITY] #11

@renovate renovate bot commented Sep 20, 2023

This PR contains the following updates:

Package | Change | Age | Adoption | Passing | Confidence
httpx (changelog) | ==0.14.1 -> ==0.23.0 | age | adoption | passing | confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2021-41945

Encode OSS httpx <=1.0.0.beta0 is affected by improper input validation in httpx.URL, httpx.Client and some functions using httpx.URL.copy_with.


Release Notes

encode/httpx (httpx)

v0.23.0

Compare Source

Changed
  • Drop support for Python 3.6. (#​2097)
  • Use utf-8 as the default character set, instead of falling back to charset-normalizer for auto-detection. To enable automatic character set detection, see the documentation. (#​2165)
Fixed
  • Fix URL.copy_with for some oddly formed URL cases. (#​2185)
  • Digest authentication should use case-insensitive comparison for determining which algorithm is being used. (#​2204)
  • Fix console markup escaping in command line client. (#​1866)
  • When files are used in multipart upload, ensure we always seek to the start of the file. (#​2065)
  • Ensure that iter_bytes never yields zero-length chunks. (#​2068)
  • Preserve Authorization header for redirects that are to the same origin, but are an http-to-https upgrade. (#​2074)
  • When responses have binary output, don't print the output to the console in the command line client. Use output like <16086 bytes of binary data> instead. (#​2076)
  • Fix display of --proxies argument in the command line client help. (#​2125)
  • Close responses when task cancellations occur during stream reading. (#​2156)
  • Fix type error on accessing .request on HTTPError exceptions. (#​2158)

v0.22.0

Compare Source

Added
Fixed
  • Don't perform unreliable close/warning on __del__ with unclosed clients. (#​2026)
  • Fix Headers.update(...) to correctly handle repeated headers (#​2038)

v0.21.3

Compare Source

Fixed
  • Fix streaming uploads using SyncByteStream or AsyncByteStream. Regression in 0.21.2. (#​2016)

v0.21.2

Compare Source

Fixed
  • HTTP/2 support for tunnelled proxy cases. (#​2009)
  • Improved the speed of large file uploads. (#​1948)

v0.21.1

Compare Source

Fixed
  • The response.url property is now correctly annotated as URL, instead of Optional[URL]. (#​1940)

v0.21.0

Compare Source

The 0.21.0 release integrates against a newly redesigned httpcore backend.

Both packages ought to automatically update to the required versions, but if you are
seeing any issues, you should ensure that you have httpx==0.21.* and httpcore==0.14.* installed.

Added
  • The command-line client will now display connection information when -v/--verbose is used.
  • The command-line client will now display server certificate information when -v/--verbose is used.
  • The command-line client is now able to properly detect if the outgoing request
    should be formatted as HTTP/1.1 or HTTP/2, based on the result of the HTTP/2 negotiation.
Removed
  • Curio support is no longer currently included. Please get in touch if you require this, so that we can assess priorities.

v0.20.0

Compare Source

The 0.20.0 release adds an integrated command-line client, and also includes some
design changes. The most notable of these is that redirect responses are no longer
automatically followed, unless specifically requested.

This design decision prioritises a more explicit approach to redirects, in order
to avoid code that unintentionally issues multiple requests as a result of
misconfigured URLs.

For example, previously a client configured to send requests to http://api.github.com/
would end up sending every API request twice, as each request would be redirected to https://api.github.com/.

If you do want auto-redirect behaviour, you can enable this either by configuring
the client instance with Client(follow_redirects=True), or on a per-request
basis, with .get(..., follow_redirects=True).

This change is a classic trade-off between convenience and precision, with no "right"
answer. See discussion #​1785 for more
context.

The other major design change is an update to the Transport API, which is the low-level
interface against which requests are sent. Previously this interface used only primitive
datastructures, like so...

(status_code, headers, stream, extensions) = transport.handle_request(method, url, headers, stream, extensions)
try:
    ...
finally:
    stream.close()

Now the interface is much simpler...

response = transport.handle_request(request)
try:
    ...
finally:
    response.close()

Changed
  • The allow_redirects flag is now follow_redirects and defaults to False.
  • The raise_for_status() method will now raise an exception for any responses
    except those with 2xx status codes. Previously only 4xx and 5xx status codes
    would result in an exception.
  • The low-level transport API changes to the much simpler response = transport.handle_request(request).
  • The client.send() method no longer accepts a timeout=... argument, but the
    client.build_request() does. This is required by the signature change of the
    Transport API. The request timeout configuration is now stored on the request
    instance, as request.extensions['timeout'].
Added
  • Added the httpx command-line client.
  • Response instances now include .is_informational, .is_success, .is_redirect, .is_client_error, and .is_server_error
    properties for checking 1xx, 2xx, 3xx, 4xx, and 5xx response types. Note that the behaviour of .is_redirect is slightly different in that it now returns True for all 3xx responses, in order to allow for a consistent set of properties onto the different HTTP status code types. The response.has_redirect_location property may be used to determine responses with properly formed URL redirects.
Fixed
  • response.iter_bytes() no longer raises a ValueError when called on a response with no content. (Pull #​1827)
  • The 'wsgi.error' configuration now defaults to sys.stderr, and is corrected to be a TextIO interface, not a BytesIO interface. Additionally, the WSGITransport now accepts a wsgi_error configuration. (Pull #​1828)
  • Follow the WSGI spec by properly closing the iterable returned by the application. (Pull #​1830)

v0.19.0

Compare Source

Added
  • Add support for Client(allow_redirects=<bool>). (Pull #​1790)
  • Add automatic character set detection, when no charset is included in the response Content-Type header. (Pull #​1791)
Changed
  • Event hooks are now also called for any additional redirect or auth requests/responses. (Pull #​1806)
  • Strictly enforce that upload files must be opened in binary mode. (Pull #​1736)
  • Strictly enforce that client instances can only be opened and closed once, and cannot be re-opened. (Pull #​1800)
  • Drop mode argument from httpx.Proxy(..., mode=...). (Pull #​1795)

v0.18.2

Compare Source

Added
  • Support for Python 3.10. (Pull #​1687)
  • Expose httpx.USE_CLIENT_DEFAULT, used as the default to auth and timeout parameters in request methods. (Pull #​1634)
  • Support HTTP/2 "prior knowledge", using httpx.Client(http1=False, http2=True). (Pull #​1624)
Fixed
  • Clean up some cases where warnings were being issued. (Pull #​1687)
  • Prefer Content-Length over Transfer-Encoding: chunked for content= cases. (Pull #​1619)

v0.18.1

Compare Source

Changed
  • Update brotli support to use the brotlicffi package (Pull #​1605)
  • Ensure that Request(..., stream=...) does not auto-generate any headers on the request instance. (Pull #​1607)
Fixed
  • Pass through timeout=... in top-level httpx.stream() function. (Pull #​1613)
  • Map httpcore transport close exceptions to httpx exceptions. (Pull #​1606)

v0.18.0

Compare Source

The 0.18.x release series formalises our low-level Transport API, introducing the base classes httpx.BaseTransport and httpx.AsyncBaseTransport.

See the "Custom transports" documentation and the httpx.BaseTransport.handle_request() docstring for more complete details on implementing custom transports.

Pull request #​1522 includes a checklist of differences from the previous httpcore transport API, for developers implementing custom transports.

The following API changes have been issuing deprecation warnings since 0.17.0 onwards, and are now fully deprecated...

  • You should now use httpx.codes consistently instead of httpx.StatusCodes.
  • Use limits=... instead of pool_limits=....
  • Use proxies={"http://": ...} instead of proxies={"http": ...} for scheme-specific mounting.
Changed
  • Transport instances now inherit from httpx.BaseTransport or httpx.AsyncBaseTransport,
    and should implement either the handle_request method or handle_async_request method. (Pull #​1522, #​1550)
  • The response.ext property and Response(ext=...) argument are now named extensions. (Pull #​1522)
  • The recommendation to not use data=<bytes|str|bytes (a)iterator> in favour of content=<bytes|str|bytes (a)iterator> has now been escalated to a deprecation warning. (Pull #​1573)
  • Drop Response(on_close=...) from API, since it was a bit of leaking implementation detail. (Pull #​1572)
  • When using a client instance, cookies should always be set on the client, rather than on a per-request basis. We prefer enforcing a stricter API here because it provides clearer expectations around cookie persistence, particularly when redirects occur. (Pull #​1574)
  • The runtime exception httpx.ResponseClosed is now named httpx.StreamClosed. (#​1584)
  • The httpx.QueryParams model now presents an immutable interface. There is a discussion on the design and motivation here. Use client.params = client.params.merge(...) instead of client.params.update(...). The basic query manipulation methods are query.set(...), query.add(...), and query.remove(). (#​1600)
Added
  • The Request and Response classes can now be serialized using pickle. (#​1579)
  • Handle data={"key": [None|int|float|bool]} cases. (Pull #​1539)
  • Support httpx.URL(**kwargs), for example httpx.URL(scheme="https", host="www.example.com", path="/"), or httpx.URL("https://www.example.com/", username="[email protected]", password="123 456"). (Pull #1601)
  • Support url.copy_with(params=...). (Pull #​1601)
  • Add url.params parameter, returning an immutable QueryParams instance. (Pull #​1601)
  • Support query manipulation methods on the URL class. These are url.copy_set_param(), url.copy_add_param(), url.copy_remove_param(), url.copy_merge_params(). (Pull #​1601)
  • The httpx.URL class now performs port normalization, so :80 ports are stripped from http URLs and :443 ports are stripped from https URLs. (Pull #​1603)
  • The URL.host property returns unicode strings for internationalized domain names. The URL.raw_host property returns byte strings with IDNA escaping applied. (Pull #​1590)
Fixed
  • Fix Content-Length for cases of files=... where unicode string is used as the file content. (Pull #​1537)
  • Fix some cases of merging relative URLs against Client(base_url=...). (Pull #​1532)
  • The request.content attribute is now always available except for streaming content, which requires an explicit .read(). (Pull #​1583)

v0.17.1

Compare Source

Fixed
  • Type annotation on CertTypes allows keyfile and password to be optional. (Pull #​1503)
  • Fix httpcore pinned version. (Pull #​1495)

v0.17.0

Compare Source

Added
  • Add httpx.MockTransport(), allowing to mock out a transport using pre-determined responses. (Pull #​1401, Pull #​1449)
  • Add httpx.HTTPTransport() and httpx.AsyncHTTPTransport() default transports. (Pull #​1399)
  • Add mount API support, using httpx.Client(mounts=...). (Pull #​1362)
  • Add chunk_size parameter to iter_raw(), iter_bytes(), iter_text(). (Pull #​1277)
  • Add keepalive_expiry parameter to httpx.Limits() configuration. (Pull #​1398)
  • Add repr to httpx.Cookies to display available cookies. (Pull #​1411)
  • Add support for params=<tuple> (previously only params=<list> was supported). (Pull #​1426)
Fixed
  • Add missing raw_path to ASGI scope. (Pull #​1357)
  • Tweak create_ssl_context defaults to use trust_env=True. (Pull #​1447)
  • Properly URL-escape WSGI PATH_INFO. (Pull #​1391)
  • Properly set default ports in WSGI transport. (Pull #​1469)
  • Properly encode slashes when using base_url. (Pull #​1407)
  • Properly map exceptions in request.aclose(). (Pull #​1465)

v0.16.1

Compare Source

Fixed
  • Support literal IPv6 addresses in URLs. (Pull #​1349)
  • Force lowercase headers in ASGI scope dictionaries. (Pull #​1351)

v0.16.0

Compare Source

Changed
Added
  • Add Python 3.9 to officially supported versions.
  • Type annotate __enter__/__exit__/__aenter__/__aexit__ in a way that supports subclasses of Client and AsyncClient. (Pull #​1336)

v0.15.5

Compare Source

Added
  • Add response.next_request (Pull #​1334)

v0.15.4

Compare Source

Added
  • Support direct comparisons between Headers and dicts or lists of two-tuples. Eg. assert response.headers == {"Content-Length": 24} (Pull #​1326)
Fixed
  • Fix automatic .read() when Response instances are created with content=<str> (Pull #​1324)

v0.15.3

Compare Source

Fixed
  • Fixed connection leak in async client due to improper closing of response streams. (Pull #​1316)

v0.15.2

Compare Source

Fixed
  • Fixed response.elapsed property. (Pull #​1313)
  • Fixed client authentication interaction with .stream(). (Pull #​1312)

v0.15.1

Compare Source

Fixed
  • ASGITransport now properly applies URL decoding to the path component, as-per the ASGI spec. (Pull #​1307)

v0.15.0

Compare Source

Added
  • Added support for curio. (Pull https://github.com/encode/httpcore/pull/168)
  • Added support for event hooks. (Pull #​1246)
  • Added support for authentication flows which require either sync or async I/O. (Pull #​1217)
  • Added support for monitoring download progress with response.num_bytes_downloaded. (Pull #​1268)
  • Added Request(content=...) for byte content, instead of overloading Request(data=...) (Pull #​1266)
  • Added support for all URL components as parameter names when using url.copy_with(...). (Pull #​1285)
  • Neater split between automatically populated headers on Request instances, vs default client.headers. (Pull #​1248)
  • Unclosed AsyncClient instances will now raise warnings if garbage collected. (Pull #​1197)
  • Support Response(content=..., text=..., html=..., json=...) for creating usable response instances in code. (Pull #​1265, #​1297)
  • Support instantiating requests from the low-level transport API. (Pull #​1293)
  • Raise errors on invalid URL types. (Pull #​1259)
Changed
  • Cleaned up expected behaviour for URL escaping. url.path is now URL escaped. (Pull #​1285)
  • Cleaned up expected behaviour for bytes vs str in URL components. url.userinfo and url.query are not URL escaped, and so return bytes. (Pull #​1285)
  • Drop url.authority property in favour of url.netloc, since "authority" was semantically incorrect. (Pull #​1285)
  • Drop url.full_path property in favour of url.raw_path, for better consistency with other parts of the API. (Pull #​1285)
  • No longer use the chardet library for auto-detecting charsets, instead defaulting to a simpler approach when no charset is specified. (#​1269)
Fixed
  • Swapped ordering of redirects and authentication flow. (Pull #​1267)
  • .netrc lookups should use host, not host+port. (Pull #​1298)
Removed
  • The URLLib3Transport class no longer exists. We've published it instead as an example of a custom transport class. (Pull #​1182)
  • Drop request.timer attribute, which was being used internally to set response.elapsed. (Pull #​1249)
  • Drop response.decoder attribute, which was being used internally. (Pull #​1276)
  • Request.prepare() is now a private method. (Pull #​1284)
  • The Headers.getlist() method had previously been deprecated in favour of Headers.get_list(). It is now fully removed.
  • The QueryParams.getlist() method had previously been deprecated in favour of QueryParams.get_list(). It is now fully removed.
  • The URL.is_ssl property had previously been deprecated in favour of URL.scheme == "https". It is now fully removed.
  • The httpx.PoolLimits class had previously been deprecated in favour of httpx.Limits. It is now fully removed.
  • The max_keepalive setting had previously been deprecated in favour of the more explicit max_keepalive_connections. It is now fully removed.
  • The verbose httpx.Timeout(5.0, connect_timeout=60.0) style had previously been deprecated in favour of httpx.Timeout(5.0, connect=60.0). It is now fully removed.
  • Support for instantiating a timeout config missing some defaults, such as httpx.Timeout(connect=60.0), had previously been deprecated in favour of enforcing a more explicit style, such as httpx.Timeout(5.0, connect=60.0). This is now strictly enforced.

v0.14.3

Compare Source

Added
  • http.Response() may now be instantiated without a request=... parameter. Useful for some unit testing cases. (Pull #​1238)
  • Add 103 Early Hints and 425 Too Early status codes. (Pull #​1244)
Fixed
  • DigestAuth now handles responses that include multiple 'WWW-Authenticate' headers. (Pull #​1240)
  • Call into transport __enter__/__exit__ or __aenter__/__aexit__ when client is used in a context manager style. (Pull #​1218)

v0.14.2

Compare Source

Added
  • Support client.get(..., auth=None) to bypass the default authentication on a client. (Pull #1115)
  • Support client.auth = ... property setter. (Pull #​1185)
  • Support httpx.get(..., proxies=...) on top-level request functions. (Pull #​1198)
  • Display instances with nicer import styles. (Eg. <httpx.ReadTimeout ...>) (Pull #​1155)
  • Support cookies=[(key, value)] list-of-two-tuples style usage. (Pull #​1211)
Fixed
  • Ensure that automatically included headers on a request may be modified. (Pull #​1205)
  • Allow explicit Content-Length header on streaming requests. (Pull #​1170)
  • Handle URL quoted usernames and passwords properly. (Pull #​1159)
  • Use more consistent default for HEAD requests, setting allow_redirects=True. (Pull #​1183)
  • If a transport error occurs while streaming the response, raise an httpx exception, not the underlying httpcore exception. (Pull #​1190)
  • Include the underlying httpcore traceback, when transport exceptions occur. (Pull #​1199)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
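
A pre-merge check for this bump, as an added example (not part of the Renovate comment or the httpx project): it uses Python's `ast` module to flag call sites that the release notes above rename, remove or change between 0.14.1 and 0.23.0. The function name, the rule tables and the sample source are constructed for illustration; matching is by name only, so each hit needs manual review.

```python
import ast

# Rules transcribed from the release notes quoted above (0.15.0 - 0.20.0).
# Matching is by name only, not by type, so every hit needs manual review.
KWARGS = {
    "allow_redirects": "0.20.0: now follow_redirects, default False",
    "pool_limits": "0.18.0: use limits=...",
    "max_keepalive": "0.15.0: use max_keepalive_connections",
}
ATTRS = {
    "StatusCodes": "0.18.0: use httpx.codes",
    "ResponseClosed": "0.18.0: renamed httpx.StreamClosed",
    "PoolLimits": "0.15.0: use httpx.Limits",
    "getlist": "0.15.0: use get_list()",
    "is_ssl": '0.15.0: use URL.scheme == "https"',
    "full_path": "0.15.0: use url.raw_path",
}


def find_breaking_uses(source, filename="<src>"):
    """Return sorted (line, message) pairs for constructs the notes change."""
    hits = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Attribute) and node.attr in ATTRS:
            hits.append((node.lineno, f".{node.attr}: {ATTRS[node.attr]}"))
        if not isinstance(node, ast.Call):
            continue
        method = getattr(node.func, "attr", None)  # e.g. "send" in client.send(...)
        for kw in node.keywords:
            if kw.arg in KWARGS:
                hits.append((kw.value.lineno, f"{kw.arg}=: {KWARGS[kw.arg]}"))
            elif kw.arg == "timeout" and method == "send":
                hits.append((node.lineno, "send(timeout=): 0.20.0: set it in build_request()"))
            elif kw.arg == "proxies" and isinstance(kw.value, ast.Dict):
                for key in kw.value.keys:
                    # 0.18.0: scheme-specific mounts must be "http://", not "http"
                    if (isinstance(key, ast.Constant) and isinstance(key.value, str)
                            and "://" not in key.value):
                        hits.append((key.lineno, f"proxies key {key.value!r}: 0.18.0: add '://'"))
    return sorted(hits)


# Constructed sample using names the notes deprecate or remove (not from the repository).
SAMPLE = '''\
import httpx

client = httpx.Client(pool_limits=httpx.PoolLimits(max_keepalive=5),
                      proxies={"http": "http://proxy.example.test:3128"})
r = client.get("http://api.example.test/", allow_redirects=True)
if r.status_code == httpx.StatusCodes.OK:
    print(r.text)
req = client.build_request("GET", "https://api.example.test/")
client.send(req, timeout=5.0)
'''

if __name__ == "__main__":
    for line, message in find_breaking_uses(SAMPLE):
        print(f"line {line}: {message}")
```

Call sites that relied on the old redirect default deserve the closest look: after the upgrade a 3xx response is returned to the caller instead of being followed, and raise_for_status() now raises on it.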
