
Update pyproject.toml to update gevent #15

Open
wants to merge 2 commits into base: main
Conversation

skykistler

Pin [email protected] to [email protected] to fix
✗ Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') (new) [High Severity][https://security.snyk.io/vuln/SNYK-PYTHON-GEVENT-5906371] in [email protected]

gfmio previously approved these changes Sep 22, 2023
@spumer

spumer commented Nov 27, 2023

Merge? :)

@spumer

spumer commented Dec 8, 2023

Maybe we can use the latest gevent for all Pythons? Not only 3.11.

https://www.gevent.org/changelog.html

23.9.1 (2023-09-12)
Bugfixes

    Require greenlet 3.0 on Python 3.11 and Python 3.12; greenlet 3.0 is recommended for all platforms. This fixes a number of obscure crashes on all versions of Python, as well as fixing a fairly common problem on Python 3.11+ that could manifest as either a crash or as a SystemError. See [issue #1985](https://github.com/gevent/gevent/issues/1985).

@gfmio
Owner

gfmio commented Dec 15, 2023

@skykistler The 3.11 test is still failing. Can you fix that some time soon?

@spumer I'm generally in favour of using the latest versions, but the version specified in the dependencies is just the minimum version required, so you can use any later version as well, but some legacy projects might nevertheless be slow to upgrade.

@skykistler
Author

skykistler commented Dec 15, 2023

I think the CI failed initially because of an issue with the 23.9.0 gevent build; they made a patch release for it. But yeah, there is also 23.9.1 now, which we've been using. Ended up forking and rolling forward due to the CVE, up to you whether you'd like to merge. Maybe a minor release is warranted for the greenlet upgrade and leave v0.2.3 working for legacy folks. @gfmio lmk your opinion!

@SimonHarrisonSH

SimonHarrisonSH commented Feb 21, 2024

Any chance we can get this merged? @gfmio
(Although, I note that 23.9.1 is now available) (Sorry already mentioned several times)

@ndon55555

Just curious if someone in this thread knows: gevent uses calver instead of semver, which I think means the Poetry caret constraint limits the upper bound of gevent versions to releases within the same month. Would it maybe make sense to make the upper limit several months out at a time? Or within the same year? Not sure what the best practices around calver version constraints are.
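Added example, not code from this PR or from the project: a small Python check that expands a Poetry caret constraint on a calver package such as gevent into the version range the resolver will actually accept, and that verifies the constraint's floor sits at or above the release the PR description pins to fix SNYK-PYTHON-GEVENT-5906371 (23.9.0). The pyproject snippet and the function names are constructed for the example.

```python
import re
from typing import Optional, Tuple
Version = Tuple[int, int, int]

# Constructed sample of the [tool.poetry.dependencies] table under discussion.
SAMPLE_PYPROJECT = """
[tool.poetry.dependencies]
python = "^3.8"
gevent = "^23.9.0"
"""

def parse_version(text: str) -> Version:
    """Parse 'X', 'X.Y' or 'X.Y.Z' into a 3-tuple, padding missing parts with 0."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]

def caret_range(constraint: str) -> Tuple[Version, Version]:
    """Expand a Poetry caret constraint to (inclusive lower, exclusive upper).
    Poetry bumps the leftmost non-zero written component: ^23.9.1 -> <24.0.0,
    ^0.2.3 -> <0.3.0, ^0.0 -> <0.1.0 (the all-zero edge case handled below)."""
    if not constraint.startswith("^"):
        raise ValueError("only caret constraints are handled here")
    written = constraint[1:].split(".")
    lower = parse_version(constraint[1:])
    bump = len(written) - 1          # all-zero prefix: bump the last written part
    for i, part in enumerate(written):
        if int(part) != 0:
            bump = i
            break
    upper = [0, 0, 0]
    upper[bump] = lower[bump] + 1
    return lower, (upper[0], upper[1], upper[2])

def allows(constraint: str, candidate: str) -> bool:
    """Would the resolver accept this release under the caret constraint?"""
    lower, upper = caret_range(constraint)
    return lower <= parse_version(candidate) < upper

def floor_covers_fix(constraint: str, fixed_in: str) -> bool:
    """True when the lowest version the constraint can resolve is at or above the fix."""
    return caret_range(constraint)[0] >= parse_version(fixed_in)

def constraint_from_pyproject(text: str, package: str) -> Optional[str]:
    """Pull a simple quoted constraint such as gevent = "^23.9.0" out of pyproject text."""
    match = re.search(rf'^{re.escape(package)}\s*=\s*"([^"]+)"', text, re.M)
    return match.group(1) if match else None
```

Running `caret_range(constraint_from_pyproject(SAMPLE_PYPROJECT, "gevent"))` shows the bounds a given caret spec imposes on a calver series, which is the question the comment above raises.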
