Update dependency uvicorn to v0.34.0 #67

Open
wants to merge 1 commit into
base: main

renovate[bot]

@renovate renovate bot commented Dec 18, 2023

This PR contains the following updates:

Package | Change | Age | Adoption | Passing | Confidence
uvicorn (changelog) | ==0.23.2 -> ==0.34.0 | age | adoption | passing | confidence

Release Notes

encode/uvicorn (uvicorn)

v0.34.0

Compare Source

Added
  • Add content-length to 500 response in wsproto implementation (#​2542)
Removed
  • Drop support for Python 3.8 (#​2543)

v0.33.0

Compare Source

Removed
  • Remove WatchGod support for --reload (#​2536)

v0.32.1

Compare Source

Fixed
  • Drop ASGI spec version to 2.3 on HTTP scope #​2513
  • Enable httptools lenient data on httptools >= 0.6.3 #​2488

v0.32.0

Compare Source

Added
  • Officially support Python 3.13 (#​2482)
  • Warn when max_request_limit is exceeded (#​2430)

v0.31.1

Compare Source

Fixed
  • Support WebSockets 0.13.1 (#​2471)
  • Restore support for [*] in trusted hosts (#​2480)
  • Add PathLike[str] type hint for ssl_keyfile (#​2481)

v0.31.0

Compare Source

Added

Improve ProxyHeadersMiddleware (#​2468) and (#​2231):

  • Fix the host for requests from clients running on the proxy server itself.
  • Fallback to host that was already set for empty x-forwarded-for headers.
  • Also allow to specify IP Networks as trusted hosts. This greatly simplifies deployments
    on docker swarm/kubernetes, where the reverse proxy might have a dynamic IP.
    • This includes support for IPv6 Address/Networks.

v0.30.6

Compare Source

Fixed
  • Don't warn when upgrade is not WebSocket and dependencies are installed (#​2360)

v0.30.5

Compare Source

Fixed
  • Don't close connection before receiving body on H11 (#​2408)

v0.30.4

Compare Source

Fixed
  • Close connection when h11 sets client state to MUST_CLOSE (#​2375)

v0.30.3

Compare Source

Fixed
  • Suppress KeyboardInterrupt from CLI and programmatic usage (#​2384)
  • ClientDisconnect inherits from OSError instead of IOError (#​2393)

v0.30.2

Compare Source

Added
Fixed
  • Iterate subprocesses in-place on the process manager (#​2373)

v0.30.1

Compare Source

Fixed
  • Allow horizontal tabs \t in response header values (#​2345)

v0.30.0

Compare Source

Added
  • New multiprocess manager (#​2183)
  • Allow ConfigParser or a io.IO[Any] on log_config (#​1976)
Fixed
  • Suppress side-effects of signal propagation (#​2317)
  • Send content-length header on 5xx (#​2304)
Deprecated
  • Deprecate the uvicorn.workers module (#​2302)

v0.29.0

Compare Source

Added
  • Cooperative signal handling (#​1600) 19/03/24

v0.28.1

Compare Source

Fixed
  • Revert raise ClientDisconnected on HTTP (#​2276) 19/03/24

v0.28.0

Compare Source

Added
  • Raise ClientDisconnected on send() when client disconnected (#​2220) 12/02/24
Fixed
  • Except AttributeError on sys.stdin.fileno() for Windows IIS10 (#​1947) 29/02/24
  • Use X-Forwarded-Proto for WebSockets scheme when the proxy provides it (#​2258) 01/03/24

v0.27.1

Compare Source

  • Fix spurious LocalProtocolError errors when processing pipelined requests (#​2243) 10/02/24

v0.27.0.post1

Compare Source

Fixed
  • Fix nav overrides for newer version of Mkdocs Material (#​2233) 26/01/24

v0.27.0

Compare Source

Fixed
  • Fix nav overrides for newer version of Mkdocs Material (#​2233) 26/01/24

v0.26.0

Compare Source

Changed
  • Update --root-path to include the root path prefix in the full ASGI path as per the ASGI spec (#​2213) 16/01/24
  • Use __future__.annotations on some internal modules (#​2199) 16/01/24

v0.25.0

Compare Source

Added
  • Support the WebSocket Denial Response ASGI extension (#​1916) 17/12/23
Fixed
  • Allow explicit hidden file paths on --reload-include (#​2176) 08/12/23
  • Properly annotate uvicorn.run() (#​2158) 22/11/23

v0.24.0.post1

Compare Source

Fixed
  • Revert mkdocs-material from 9.1.21 to 9.2.6 (#​2148) 05/11/23

v0.24.0

Compare Source

Fixed
  • Revert mkdocs-material from 9.1.21 to 9.2.6 (#​2148)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot changed the title Update dependency uvicorn to v0.24.0.post1 Update dependency uvicorn to v0.25.0 Dec 21, 2023
@renovate renovate bot force-pushed the renovate/uvicorn-0.x branch from b9066cc to 4cdcd3c Compare December 21, 2023 01:07
@renovate renovate bot force-pushed the renovate/uvicorn-0.x branch from 4cdcd3c to 0a5af5f Compare January 9, 2024 20:47
@renovate renovate bot changed the title Update dependency uvicorn to v0.25.0 chore(deps): update dependency uvicorn to v0.25.0 Jan 9, 2024
@renovate renovate bot force-pushed the renovate/uvicorn-0.x branch from 0a5af5f to 2457ed8 Compare January 9, 2024 20:49
@renovate renovate bot changed the title chore(deps): update dependency uvicorn to v0.25.0 Update dependency uvicorn to v0.25.0 Jan 9, 2024
@renovate renovate bot force-pushed the renovate/uvicorn-0.x branch from 2457ed8 to a7367e5 Compare January 16, 2024 08:16
@renovate renovate bot changed the title Update dependency uvicorn to v0.25.0 Update dependency uvicorn to v0.26.0 Jan 16, 2024
@renovate renovate bot force-pushed the renovate/uvicorn-0.x branch from a7367e5 to 21ece55 Compare January 16, 2024 19:54
@renovate renovate bot changed the title Update dependency uvicorn to v0.26.0 Update dependency uvicorn to v0.27.0 Jan 22, 2024
@renovate renovate bot force-pushed the renovate/uvicorn-0.x branch from 21ece55 to 1f7a14f Compare January 22, 2024 21:59
@renovate renovate bot changed the title Update dependency uvicorn to v0.27.0 Update dependency uvicorn to v0.27.0.post1 Jan 29, 2024
@renovate renovate bot force-pushed the renovate/uvicorn-0.x branch from 1f7a14f to 0654020 Compare January 29, 2024 10:42
@renovate renovate bot changed the title Update dependency uvicorn to v0.27.0.post1 Update dependency uvicorn to v0.27.1 Feb 10, 2024
@renovate renovate bot force-pushed the renovate/uvicorn-0.x branch 2 times, most recently from cbcb38f to 8585d38 Compare February 15, 2024 23:37
@renovate renovate bot force-pushed the renovate/uvicorn-0.x branch from 8585d38 to 0d1a149 Compare March 9, 2024 10:19
@renovate renovate bot changed the title Update dependency uvicorn to v0.27.1 Update dependency uvicorn to v0.28.0 Mar 9, 2024
@renovate renovate bot changed the title Update dependency uvicorn to v0.28.0 Update dependency uvicorn to v0.28.1 Mar 19, 2024
@renovate renovate bot force-pushed the renovate/uvicorn-0.x branch from 0d1a149 to ff58678 Compare March 19, 2024 10:31

dryrunsecurity bot commented Mar 19, 2024

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security Status Findings
Configured Codepaths Analyzer 0 findings
Sensitive Files Analyzer 1 finding
Authn/Authz Analyzer 0 findings
AppSec Analyzer 0 findings
Secrets Analyzer 0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The changes in this pull request primarily focus on updating the dependency versions in the requirements.txt file, with the most notable change being the update of the uvicorn package from version 0.23.2 to 0.30.1. As an application security engineer, this update is the most relevant from a security perspective, as uvicorn is a critical component of the application's infrastructure, serving as the ASGI server for the FastAPI application.

Keeping dependencies up-to-date is a good security practice, as it helps address known vulnerabilities in the dependencies. However, it's important to review the release notes and change logs for the uvicorn package update to ensure that the new version does not introduce any new security risks or vulnerabilities. Additionally, it's recommended to review the entire requirements.txt file to ensure that all other dependencies are also up-to-date and that there are no other potential security concerns.

Files Changed:

  • requirements.txt: This file has been updated to change the version of the uvicorn package from 0.23.2 to 0.30.1. No other changes are present in the patch. It's important to review the release notes and change logs for the uvicorn package update to ensure that the new version does not introduce any new security risks or vulnerabilities.

Powered by DryRun Security

@renovate renovate bot changed the title Update dependency uvicorn to v0.28.1 Update dependency uvicorn to v0.29.0 Mar 20, 2024
@renovate renovate bot force-pushed the renovate/uvicorn-0.x branch from ff58678 to 4a6edbe Compare March 20, 2024 07:38
@renovate renovate bot force-pushed the renovate/uvicorn-0.x branch from 4a6edbe to 7e9a6d6 Compare May 28, 2024 10:33
@renovate renovate bot changed the title Update dependency uvicorn to v0.29.0 Update dependency uvicorn to v0.30.0 May 28, 2024
@renovate renovate bot changed the title Update dependency uvicorn to v0.30.0 Update dependency uvicorn to v0.30.1 Jun 2, 2024
@renovate renovate bot force-pushed the renovate/uvicorn-0.x branch from 7e9a6d6 to 89c1d7a Compare June 2, 2024 20:33
@renovate renovate bot force-pushed the renovate/uvicorn-0.x branch from 89c1d7a to c060546 Compare July 20, 2024 07:45
@renovate renovate bot changed the title Update dependency uvicorn to v0.30.1 Update dependency uvicorn to v0.30.2 Jul 20, 2024

dryrunsecurity bot commented Jul 20, 2024

DryRun Security Summary

The GitHub Pull Request updates the uvicorn library version in requirements.txt from 0.23.2 to 0.33.0, necessitating careful review of release notes and thorough testing to ensure no security implications or regressions are introduced.

Summary:

The changes in this GitHub Pull Request focus on updating the version of the uvicorn library in the requirements.txt file. uvicorn is a critical component used to run the FastAPI application, and as such, it's essential to review the changes carefully to ensure that there are no security-related implications.

While the version update itself does not immediately raise any security concerns, it's important to review the release notes and changelog of the new uvicorn version to understand if there are any security-related fixes or improvements. Additionally, thorough testing of the application after the dependency update is crucial to ensure that the changes do not introduce any regressions or security vulnerabilities.

Files Changed:

  • requirements.txt: This file has been updated to change the version of the uvicorn library from 0.23.2 to 0.33.0. uvicorn is a popular ASGI (Asynchronous Server Gateway Interface) server used to run FastAPI applications, and as such, it's a security-critical component that requires careful review.

Code Analysis

We ran 9 analyzers against 1 file and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer Findings
Sensitive Files Analyzer 1 finding

View PR in the DryRun Dashboard.

@renovate renovate bot force-pushed the renovate/uvicorn-0.x branch from c060546 to 2e5017f Compare July 20, 2024 09:57
@renovate renovate bot changed the title Update dependency uvicorn to v0.30.2 Update dependency uvicorn to v0.30.3 Jul 20, 2024
@renovate renovate bot force-pushed the renovate/uvicorn-0.x branch from 2e5017f to 52aaaa3 Compare August 1, 2024 01:13
@renovate renovate bot changed the title Update dependency uvicorn to v0.30.3 Update dependency uvicorn to v0.30.4 Aug 1, 2024
@renovate renovate bot changed the title Update dependency uvicorn to v0.30.4 Update dependency uvicorn to v0.30.5 Aug 2, 2024
@renovate renovate bot force-pushed the renovate/uvicorn-0.x branch from 52aaaa3 to e60c9fe Compare August 2, 2024 11:06
@renovate renovate bot force-pushed the renovate/uvicorn-0.x branch from e60c9fe to eba82d6 Compare August 13, 2024 10:40
@renovate renovate bot changed the title Update dependency uvicorn to v0.30.5 Update dependency uvicorn to v0.30.6 Aug 13, 2024
@renovate renovate bot changed the title Update dependency uvicorn to v0.30.6 Update dependency uvicorn to v0.31.0 Sep 27, 2024
@renovate renovate bot force-pushed the renovate/uvicorn-0.x branch from eba82d6 to 82f3371 Compare September 27, 2024 22:11
@renovate renovate bot force-pushed the renovate/uvicorn-0.x branch from 82f3371 to 496b83c Compare October 9, 2024 20:13
@renovate renovate bot changed the title Update dependency uvicorn to v0.31.0 Update dependency uvicorn to v0.31.1 Oct 9, 2024
@renovate renovate bot changed the title Update dependency uvicorn to v0.31.1 Update dependency uvicorn to v0.32.0 Oct 15, 2024
@renovate renovate bot force-pushed the renovate/uvicorn-0.x branch from 496b83c to b8653c9 Compare October 15, 2024 19:45
@renovate renovate bot changed the title Update dependency uvicorn to v0.32.0 Update dependency uvicorn to v0.32.1 Nov 20, 2024
@renovate renovate bot force-pushed the renovate/uvicorn-0.x branch from b8653c9 to 0916c92 Compare November 20, 2024 23:17
@renovate renovate bot force-pushed the renovate/uvicorn-0.x branch from 0916c92 to 7489af9 Compare December 14, 2024 12:45
@renovate renovate bot changed the title Update dependency uvicorn to v0.32.1 Update dependency uvicorn to v0.33.0 Dec 14, 2024
@renovate renovate bot force-pushed the renovate/uvicorn-0.x branch from 7489af9 to f0ed6a4 Compare December 15, 2024 15:32
@renovate renovate bot changed the title Update dependency uvicorn to v0.33.0 Update dependency uvicorn to v0.34.0 Dec 15, 2024