From 3b3a8db2910b4ebfa0d9f6445d0673a0f3477ebd Mon Sep 17 00:00:00 2001
From: uvjustin <46082645+uvjustin@users.noreply.github.com>
Date: Mon, 24 Jan 2022 17:43:39 +0800
Subject: [PATCH] Bump httpx to 0.21.3 and pin requirements for httpcore, anyio, and h11 (#64822)
---
 homeassistant/package_constraints.txt | 18 ++++++++----------
 requirements.txt | 2 +-
 script/gen_requirements_all.py | 16 +++++++---------
 setup.py | 4 +++-
 4 files changed, 19 insertions(+), 21 deletions(-)
diff --git a/homeassistant/package_constraints.txt b/homeassistant/package_constraints.txt
index 2deba3f4d1d..3b3351674f3 100644
--- a/homeassistant/package_constraints.txt
+++ b/homeassistant/package_constraints.txt
@@ -17,7 +17,7 @@ cryptography==35.0.0
 emoji==1.6.3
 hass-nabucasa==0.52.0
 home-assistant-frontend==20220118.0
-httpx==0.21.0
+httpx==0.21.3
 ifaddr==0.1.7
 jinja2==3.0.3
 paho-mqtt==1.6.1
@@ -43,9 +43,6 @@ pycryptodome>=3.6.6
 # Constrain urllib3 to ensure we deal with CVE-2020-26137 and CVE-2021-33503
 urllib3>=1.26.5
 
-# Constrain H11 to ensure we get a new enough version to support non-rfc line endings
-h11>=0.12.0
-
 # Constrain httplib2 to protect against GHSA-93xj-8mrv-444m
 # https://github.com/advisories/GHSA-93xj-8mrv-444m
 httplib2>=0.19.0
@@ -80,12 +77,13 @@ pandas==1.3.0
 # This is fixed in 2021.8.28
 regex==2021.8.28
 
-# httpx requires httpcore, and httpcore requires anyio, but the version constraints on
-# these requirements are quite loose. As these requirements have some outstanding issues
-# which may be addressed by version updates, we can tighten their minimum version
-# requirements here.
-httpcore>=0.14.5
-anyio>=3.5.0
+# httpx requires httpcore, and httpcore requires anyio and h11, but the version constraints on
+# these requirements are quite loose. As the entire stack has some outstanding issues, and
+# even newer versions seem to introduce new issues, it's useful for us to pin all these
+# requirements so we can directly link HA versions to these library versions.
+anyio==3.5.0
+h11==0.12.0
+httpcore==0.14.5
 
 # pytest_asyncio breaks our test suite. We rely on pytest-aiohttp instead
 pytest_asyncio==1000000000.0.0
diff --git a/requirements.txt b/requirements.txt
index b0319897a48..54d4d1b1d19 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -11,7 +11,7 @@ backports.zoneinfo;python_version<"3.9"
 bcrypt==3.1.7
 certifi>=2021.5.30
 ciso8601==2.2.0
-httpx==0.21.0
+httpx==0.21.3
 ifaddr==0.1.7
 jinja2==3.0.3
 PyJWT==2.1.0
diff --git a/script/gen_requirements_all.py b/script/gen_requirements_all.py
index bfba8bddd43..ce2178288a0 100755
--- a/script/gen_requirements_all.py
+++ b/script/gen_requirements_all.py
@@ -68,9 +68,6 @@ pycryptodome>=3.6.6
 # Constrain urllib3 to ensure we deal with CVE-2020-26137 and CVE-2021-33503
 urllib3>=1.26.5
 
-# Constrain H11 to ensure we get a new enough version to support non-rfc line endings
-h11>=0.12.0
-
 # Constrain httplib2 to protect against GHSA-93xj-8mrv-444m
 # https://github.com/advisories/GHSA-93xj-8mrv-444m
 httplib2>=0.19.0
@@ -105,12 +102,13 @@ pandas==1.3.0
 # This is fixed in 2021.8.28
 regex==2021.8.28
 
-# httpx requires httpcore, and httpcore requires anyio, but the version constraints on
-# these requirements are quite loose. As these requirements have some outstanding issues
-# which may be addressed by version updates, we can tighten their minimum version
-# requirements here.
-httpcore>=0.14.5
-anyio>=3.5.0
+# httpx requires httpcore, and httpcore requires anyio and h11, but the version constraints on
+# these requirements are quite loose. As the entire stack has some outstanding issues, and
+# even newer versions seem to introduce new issues, it's useful for us to pin all these
+# requirements so we can directly link HA versions to these library versions.
+anyio==3.5.0
+h11==0.12.0
+httpcore==0.14.5
 
 # pytest_asyncio breaks our test suite. We rely on pytest-aiohttp instead
 pytest_asyncio==1000000000.0.0
diff --git a/setup.py b/setup.py
index 62729ab898c..26ad28428fa 100755
--- a/setup.py
+++ b/setup.py
@@ -42,7 +42,9 @@ REQUIRES = [
     "bcrypt==3.1.7",
     "certifi>=2021.5.30",
     "ciso8601==2.2.0",
-    "httpx==0.21.0",
+    # When bumping httpx, please check the version pins of
+    # httpcore, anyio, and h11 in gen_requirements_all
+    "httpx==0.21.3",
     "ifaddr==0.1.7",
     "jinja2==3.0.3",
     "PyJWT==2.1.0",
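Review bot: The new comment block in the `@@ -105,12 +102,13 @@` hunk of script/gen_requirements_all.py drops the one concrete rationale the removed constraint carried — `h11>=0.12.0` was kept "to support non-rfc line endings" — and says nothing about when the three exact pins are meant to be revisited. Because h11 and httpcore are the HTTP parsing layer, an upstream fix in either only reaches installs once this list is edited and a release is cut, so the comment is the right place to record that obligation. I would append to the block: `# h11 must stay >=0.12.0 (non-rfc line ending support); revisit all three pins whenever one of these projects publishes a security release.` The package_constraints.txt hunk on the previous line carries the same block; if, as I believe, that file is regenerated from this script, regenerating after the edit covers it.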