Skip to content

build(deps): update uvicorn requirement from >=0.32.0 to >=0.46.0#86

Open
dependabot[bot] wants to merge 2 commits into
mainfrom
dependabot/pip/uvicorn-gte-0.46.0
Open

build(deps): update uvicorn requirement from >=0.32.0 to >=0.46.0#86
dependabot[bot] wants to merge 2 commits into
mainfrom
dependabot/pip/uvicorn-gte-0.46.0

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 8, 2026

Updates the requirements on uvicorn to permit the latest version.

Release notes

Sourced from uvicorn's releases.

Version 0.46.0

What's Changed

Full Changelog: Kludex/uvicorn@0.45.0...0.46.0

Changelog

Sourced from uvicorn's changelog.

0.46.0 (April 23, 2026)

Added

  • Support ws_max_size in wsproto implementation (#2915)
  • Support ws_ping_interval and ws_ping_timeout in wsproto implementation (#2916)

Changed

  • Use bytearray for incoming WebSocket message buffer in websockets-sansio (#2917)

0.45.0 (April 21, 2026)

Added

  • Add --reset-contextvars flag to isolate ASGI request context (#2912)
  • Accept os.PathLike for log_config (#2905)
  • Accept log_level strings case-insensitively (#2907)

Changed

  • Revert "Emit http.disconnect on server shutdown for streaming responses" (#2913)
  • Revert "Explicitly start ASGI run with empty context" (#2911)

Fixed

  • Preserve forwarded client ports in proxy headers middleware (#2903)
  • Raise helpful ImportError when PyYAML is missing for YAML log config (#2906)

0.44.0 (April 6, 2026)

Added

  • Implement websocket keepalive pings for websockets-sansio (#2888)

0.43.0 (April 3, 2026)

You can quit Uvicorn now. We heard you, @​pamelafox - all 47 of your Ctrl+C's (thanks for flagging it, and thanks to @​tiangolo for the fix 🙏). See the tweet.

Changed

  • Emit http.disconnect ASGI receive() event on server shutting down for streaming responses (#2829)
  • Use native context parameter for create_task on Python 3.11+ (#2859)
  • Drop cast in ASGI types (#2875)

0.42.0 (March 16, 2026)

Changed

  • Use bytearray for request body accumulation to avoid O(n^2) allocation on fragmented bodies (#2845)

... (truncated)

Commits
  • b224045 Version 0.46.0 (#2918)
  • 7375b5b Use bytearray for incoming WebSocket message buffer in websockets-sansio (#...
  • d438fb1 Support ws_ping_interval and ws_ping_timeout in wsproto implementation ...
  • 3e6b964 Support ws_max_size in wsproto implementation (#2915)
  • 2c423bd Version 0.45.0 (#2914)
  • 7f027f8 Revert "Emit http.disconnect on server shutdown for streaming responses" (#...
  • 73a80c3 Add --reset-contextvars flag to isolate ASGI request context (#2912)
  • 45c0b56 Revert empty context for ASGI runs (#2911)
  • 850d926 Raise helpful ImportError when PyYAML is missing for YAML log config (#2906)
  • fdcacb4 Accept log_level strings case-insensitively (#2907)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
build(deps): update uvicorn requirement from >=0.32.0 to >=0.46.0
bbf6306 
Updates the requirements on [uvicorn](https://github.com/Kludex/uvicorn) to permit the latest version.
- [Release notes](https://github.com/Kludex/uvicorn/releases)
- [Changelog](https://github.com/Kludex/uvicorn/blob/main/docs/release-notes.md)
- [Commits](Kludex/uvicorn@0.32.0...0.46.0)

---
updated-dependencies:
- dependency-name: uvicorn
  dependency-version: 0.46.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels May 8, 2026
@vercel
Copy link
Copy Markdown

vercel Bot commented May 8, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
tenet-ai.org Ready Ready Preview, Comment May 24, 2026 11:11am

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 24, 2026

🤖 TENET Agent Review

📋 Summary

This pull request updates the uvicorn dependency in requirements.txt from >=0.32.0 to >=0.46.0. This is an automated dependency update by Dependabot, incorporating several bug fixes, performance improvements, and security enhancements across multiple minor versions of Uvicorn. The approach is sound as it aims to keep the project's dependencies current, which is vital for security and stability.

🔐 Security Findings

  • [SEVERITY: MEDIUM] requirements.txt - The update to uvicorn>=0.46.0 includes a fix (introduced in Uvicorn 0.45.0, #2903) that correctly preserves forwarded client ports in proxy headers. Prior versions might have incorrectly handled client IP/port information when TENET AI is deployed behind a proxy, potentially impacting logging accuracy, rate limiting, or IP-based access controls. This update mitigates that risk by ensuring correct client identification.
  • [SEVERITY: LOW] requirements.txt - The update also incorporates a change (introduced in Uvicorn 0.42.0, #2845) to use bytearray for request body accumulation, preventing O(n^2) memory allocation on fragmented bodies. This is a resource exhaustion/Denial-of-Service (DoS) prevention measure, enhancing the application's resilience against attacks designed to consume excessive memory.

🧹 Code Quality

  • The update spans a significant range of uvicorn versions (from 0.32.0 to 0.46.0). While the direct code change is minimal, it is crucial to ensure comprehensive integration and regression testing is performed. This is to catch any subtle behavioral changes or potential breaking API changes that might affect TENET AI's functionality, especially considering the reverts related to ASGI context and disconnect events noted in the changelog.

✅ What's Done Well

  • Keeps a critical core dependency up-to-date, which is essential for maintaining the security posture and stability of the TENET AI middleware.
  • Incorporates important security and performance fixes from the upstream uvicorn project.
  • Automated by Dependabot, promoting consistent and timely dependency management.

📝 Overall Verdict

[APPROVE] - Updates a critical dependency with important security and performance fixes. Requires thorough integration and regression testing.

Review powered by TENET Agent 🛡️ | Triggered automatically on PR #86

@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot Bot commented on behalf of github May 29, 2026

A newer version of uvicorn exists, but since this PR has been edited by someone other than Dependabot I haven't updated it. You'll get a PR for the updated version as normal once this PR is merged.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file python Pull requests that update python code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@S3DFX-CYBER