dryrunsecurity[bot]
commented
7 months ago Hi there :wave:, @dryrunsecurity here, below is a summary of our analysis and findings.
| DryRun Security | Status | Findings |
|---|---|---|
| Configured Codepaths Analyzer | :white_check_mark: | 0 findings |
| Sensitive Files Analyzer | :grey_exclamation: | 1 finding |
| Authn/Authz Analyzer | :white_check_mark: | 0 findings |
| AppSec Analyzer | :white_check_mark: | 0 findings |
| Secrets Analyzer | :white_check_mark: | 0 findings |
[!Note] :green_circle: Risk threshold not exceeded.
Change Summary (click to expand)
The following is a summary of changes in this pull request made by me, your security buddy :robot:. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective. **Summary:** The changes in this pull request primarily focus on updating the dependency versions in the `requirements.txt` file, with the most notable change being the update of the `uvicorn` package from version `0.23.2` to `0.30.1`. As an application security engineer, this update is the most relevant from a security perspective, as `uvicorn` is a critical component of the application's infrastructure, serving as the ASGI server for the FastAPI application. Keeping dependencies up-to-date is a good security practice, as it helps address known vulnerabilities in the dependencies. However, it's important to review the release notes and change logs for the `uvicorn` package update to ensure that the new version does not introduce any new security risks or vulnerabilities. Additionally, it's recommended to review the entire `requirements.txt` file to ensure that all other dependencies are also up-to-date and that there are no other potential security concerns. **Files Changed:** - `requirements.txt`: This file has been updated to change the version of the `uvicorn` package from `0.23.2` to `0.30.1`. No other changes are present in the patch. It's important to review the release notes and change logs for the `uvicorn` package update to ensure that the new version does not introduce any new security risks or vulnerabilities.
Powered by DryRun Security
This PR contains the following updates:
==0.23.2->==0.32.0Release Notes
encode/uvicorn (uvicorn)
### [`v0.32.0`](https://redirect.github.com/encode/uvicorn/blob/HEAD/CHANGELOG.md#0320-2024-10-15) [Compare Source](https://redirect.github.com/encode/uvicorn/compare/0.31.1...0.32.0) ##### Added - Officially support Python 3.13 ([#2482](https://redirect.github.com/encode/uvicorn/issues/2482)) - Warn when `max_request_limit` is exceeded ([#2430](https://redirect.github.com/encode/uvicorn/issues/2430)) ### [`v0.31.1`](https://redirect.github.com/encode/uvicorn/blob/HEAD/CHANGELOG.md#0311-2024-10-09) [Compare Source](https://redirect.github.com/encode/uvicorn/compare/0.31.0...0.31.1) ##### Fixed - Support WebSockets 0.13.1 ([#2471](https://redirect.github.com/encode/uvicorn/issues/2471)) - Restore support for `[*]` in trusted hosts ([#2480](https://redirect.github.com/encode/uvicorn/issues/2480)) - Add `PathLike[str]` type hint for `ssl_keyfile` ([#2481](https://redirect.github.com/encode/uvicorn/issues/2481)) ### [`v0.31.0`](https://redirect.github.com/encode/uvicorn/blob/HEAD/CHANGELOG.md#0310-2024-09-27) [Compare Source](https://redirect.github.com/encode/uvicorn/compare/0.30.6...0.31.0) ##### Added Improve `ProxyHeadersMiddleware` ([#2468](https://redirect.github.com/encode/uvicorn/issues/2468)) and ([#2231](https://redirect.github.com/encode/uvicorn/issues/2231)): - Fix the host for requests from clients running on the proxy server itself. - Fallback to host that was already set for empty x-forwarded-for headers. - Also allow to specify IP Networks as trusted hosts. This greatly simplifies deployments on docker swarm/kubernetes, where the reverse proxy might have a dynamic IP. - This includes support for IPv6 Address/Networks. ### [`v0.30.6`](https://redirect.github.com/encode/uvicorn/blob/HEAD/CHANGELOG.md#0306-2024-08-13) [Compare Source](https://redirect.github.com/encode/uvicorn/compare/0.30.5...0.30.6) ##### Fixed - Don't warn when upgrade is not WebSocket and depedencies are installed ([#2360](https://redirect.github.com/encode/uvicorn/issues/2360)) ### [`v0.30.5`](https://redirect.github.com/encode/uvicorn/blob/HEAD/CHANGELOG.md#0305-2024-08-02) [Compare Source](https://redirect.github.com/encode/uvicorn/compare/0.30.4...0.30.5) ##### Fixed - Don't close connection before receiving body on H11 ([#2408](https://redirect.github.com/encode/uvicorn/issues/2408)) ### [`v0.30.4`](https://redirect.github.com/encode/uvicorn/blob/HEAD/CHANGELOG.md#0304-2024-07-31) [Compare Source](https://redirect.github.com/encode/uvicorn/compare/0.30.3...0.30.4) ##### Fixed - Close connection when `h11` sets client state to `MUST_CLOSE` ([#2375](https://redirect.github.com/encode/uvicorn/issues/2375)) ### [`v0.30.3`](https://redirect.github.com/encode/uvicorn/blob/HEAD/CHANGELOG.md#0303-2024-07-20) [Compare Source](https://redirect.github.com/encode/uvicorn/compare/0.30.2...0.30.3) ##### Fixed - Suppress `KeyboardInterrupt` from CLI and programmatic usage ([#2384](https://redirect.github.com/encode/uvicorn/issues/2384)) - `ClientDisconnect` inherits from `OSError` instead of `IOError` ([#2393](https://redirect.github.com/encode/uvicorn/issues/2393)) ### [`v0.30.2`](https://redirect.github.com/encode/uvicorn/blob/HEAD/CHANGELOG.md#0302-2024-07-20) [Compare Source](https://redirect.github.com/encode/uvicorn/compare/0.30.1...0.30.2) ##### Added - Add `reason` support to [`websocket.disconnect`](https://asgi.readthedocs.io/en/latest/specs/www.html#disconnect-receive-event-ws) event ([#2324](https://redirect.github.com/encode/uvicorn/issues/2324)) ##### Fixed - Iterate subprocesses in-place on the process manager ([#2373](https://redirect.github.com/encode/uvicorn/issues/2373)) ### [`v0.30.1`](https://redirect.github.com/encode/uvicorn/blob/HEAD/CHANGELOG.md#0301-2024-06-02) [Compare Source](https://redirect.github.com/encode/uvicorn/compare/0.30.0...0.30.1) ##### Fixed - Allow horizontal tabs `\t` in response header values ([#2345](https://redirect.github.com/encode/uvicorn/issues/2345)) ### [`v0.30.0`](https://redirect.github.com/encode/uvicorn/blob/HEAD/CHANGELOG.md#0300-2024-05-28) [Compare Source](https://redirect.github.com/encode/uvicorn/compare/0.29.0...0.30.0) ##### Added - New multiprocess manager ([#2183](https://redirect.github.com/encode/uvicorn/issues/2183)) - Allow `ConfigParser` or a `io.IO[Any]` on `log_config` ([#1976](https://redirect.github.com/encode/uvicorn/issues/1976)) ##### Fixed - Suppress side-effects of signal propagation ([#2317](https://redirect.github.com/encode/uvicorn/issues/2317)) - Send `content-length` header on 5xx ([#2304](https://redirect.github.com/encode/uvicorn/issues/2304)) ##### Deprecated - Deprecate the `uvicorn.workers` module ([#2302](https://redirect.github.com/encode/uvicorn/issues/2302)) ### [`v0.29.0`](https://redirect.github.com/encode/uvicorn/blob/HEAD/CHANGELOG.md#0290---2024-03-19) [Compare Source](https://redirect.github.com/encode/uvicorn/compare/0.28.1...0.29.0) ##### Added - Cooperative signal handling ([#1600](https://redirect.github.com/encode/uvicorn/issues/1600)) 19/03/24 ### [`v0.28.1`](https://redirect.github.com/encode/uvicorn/blob/HEAD/CHANGELOG.md#0281---2024-03-19) [Compare Source](https://redirect.github.com/encode/uvicorn/compare/0.28.0...0.28.1) ##### Fixed - Revert raise `ClientDisconnected` on HTTP ([#2276](https://redirect.github.com/encode/uvicorn/issues/2276)) 19/03/24 ### [`v0.28.0`](https://redirect.github.com/encode/uvicorn/blob/HEAD/CHANGELOG.md#0280---2024-03-09) [Compare Source](https://redirect.github.com/encode/uvicorn/compare/0.27.1...0.28.0) ##### Added - Raise `ClientDisconnected` on `send()` when client disconnected ([#2220](https://redirect.github.com/encode/uvicorn/issues/2220)) 12/02/24 ##### Fixed - Except `AttributeError` on `sys.stdin.fileno()` for Windows IIS10 ([#1947](https://redirect.github.com/encode/uvicorn/issues/1947)) 29/02/24 - Use `X-Forwarded-Proto` for WebSockets scheme when the proxy provides it ([#2258](https://redirect.github.com/encode/uvicorn/issues/2258)) 01/03/24 ### [`v0.27.1`](https://redirect.github.com/encode/uvicorn/blob/HEAD/CHANGELOG.md#0271---2024-02-10) [Compare Source](https://redirect.github.com/encode/uvicorn/compare/0.27.0.post1...0.27.1) - Fix spurious LocalProtocolError errors when processing pipelined requests ([#2243](https://redirect.github.com/encode/uvicorn/issues/2243)) 10/02/24 ### [`v0.27.0.post1`](https://redirect.github.com/encode/uvicorn/blob/HEAD/CHANGELOG.md#0270post1---2024-01-29) [Compare Source](https://redirect.github.com/encode/uvicorn/compare/0.27.0...0.27.0.post1) ##### Fixed - Fix nav overrides for newer version of Mkdocs Material ([#2233](https://redirect.github.com/encode/uvicorn/issues/2233)) 26/01/24 ### [`v0.27.0`](https://redirect.github.com/encode/uvicorn/blob/HEAD/CHANGELOG.md#0270post1---2024-01-29) [Compare Source](https://redirect.github.com/encode/uvicorn/compare/0.26.0...0.27.0) ##### Fixed - Fix nav overrides for newer version of Mkdocs Material ([#2233](https://redirect.github.com/encode/uvicorn/issues/2233)) 26/01/24 ### [`v0.26.0`](https://redirect.github.com/encode/uvicorn/blob/HEAD/CHANGELOG.md#0260---2024-01-16) [Compare Source](https://redirect.github.com/encode/uvicorn/compare/0.25.0...0.26.0) ##### Changed - Update `--root-path` to include the root path prefix in the full ASGI `path` as per the ASGI spec ([#2213](https://redirect.github.com/encode/uvicorn/issues/2213)) 16/01/24 - Use `__future__.annotations` on some internal modules ([#2199](https://redirect.github.com/encode/uvicorn/issues/2199)) 16/01/24 ### [`v0.25.0`](https://redirect.github.com/encode/uvicorn/blob/HEAD/CHANGELOG.md#0250---2023-12-17) [Compare Source](https://redirect.github.com/encode/uvicorn/compare/0.24.0.post1...0.25.0) ##### Added - Support the WebSocket Denial Response ASGI extension ([#1916](https://redirect.github.com/encode/uvicorn/issues/1916)) 17/12/23 ##### Fixed - Allow explicit hidden file paths on `--reload-include` ([#2176](https://redirect.github.com/encode/uvicorn/issues/2176)) 08/12/23 - Properly annotate `uvicorn.run()` ([#2158](https://redirect.github.com/encode/uvicorn/issues/2158)) 22/11/23 ### [`v0.24.0.post1`](https://redirect.github.com/encode/uvicorn/blob/HEAD/CHANGELOG.md#0240post1---2023-11-06) [Compare Source](https://redirect.github.com/encode/uvicorn/compare/0.24.0...0.24.0.post1) ##### Fixed - Revert mkdocs-material from 9.1.21 to 9.2.6 ([#2148](https://redirect.github.com/encode/uvicorn/issues/2148)) 05/11/23 ### [`v0.24.0`](https://redirect.github.com/encode/uvicorn/blob/HEAD/CHANGELOG.md#0240post1---2023-11-06) [Compare Source](https://redirect.github.com/encode/uvicorn/compare/0.23.2...0.24.0) ##### Fixed - Revert mkdocs-material from 9.1.21 to 9.2.6 ([#2148](https://redirect.github.com/encode/uvicorn/issues/2148)) 05/11/23Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.