Bump httpx to 0.21.3 and pin requirements for httpcore, anyio, and h11 (#64822)

2025-07-21 04:07:08 +00:00 · 2022-01-24 17:43:39 +08:00 · 2022-01-24 17:43:39 +08:00 · 3b3a8db291
commit 3b3a8db291
parent d33e2609b9
4 changed files with 19 additions and 21 deletions
--- a/homeassistant/package_constraints.txt
+++ b/homeassistant/package_constraints.txt
@ -17,7 +17,7 @@ cryptography==35.0.0
 emoji==1.6.3
 hass-nabucasa==0.52.0
 home-assistant-frontend==20220118.0
-httpx==0.21.0
+httpx==0.21.3
 ifaddr==0.1.7
 jinja2==3.0.3
 paho-mqtt==1.6.1
@ -43,9 +43,6 @@ pycryptodome>=3.6.6
 # Constrain urllib3 to ensure we deal with CVE-2020-26137 and CVE-2021-33503
 urllib3>=1.26.5
 # Constrain H11 to ensure we get a new enough version to support non-rfc line endings
 h11>=0.12.0
 # Constrain httplib2 to protect against GHSA-93xj-8mrv-444m
 # https://github.com/advisories/GHSA-93xj-8mrv-444m
 httplib2>=0.19.0
@ -80,12 +77,13 @@ pandas==1.3.0
 # This is fixed in 2021.8.28
 regex==2021.8.28
-# httpx requires httpcore, and httpcore requires anyio, but the version constraints on
+# httpx requires httpcore, and httpcore requires anyio and h11, but the version constraints on
-# these requirements are quite loose. As these requirements have some outstanding issues
+# these requirements are quite loose. As the entire stack has some outstanding issues, and
-# which may be addressed by version updates, we can tighten their minimum version
+# even newer versions seem to introduce new issues, it's useful for us to pin all these
-# requirements here.
+# requirements so we can directly link HA versions to these library versions.
-httpcore>=0.14.5
+anyio==3.5.0
-anyio>=3.5.0
+h11==0.12.0
 httpcore==0.14.5
 # pytest_asyncio breaks our test suite. We rely on pytest-aiohttp instead
 pytest_asyncio==1000000000.0.0
--- a/requirements.txt
+++ b/requirements.txt
@ -11,7 +11,7 @@ backports.zoneinfo;python_version<"3.9"
 bcrypt==3.1.7
 certifi>=2021.5.30
 ciso8601==2.2.0
-httpx==0.21.0
+httpx==0.21.3
 ifaddr==0.1.7
 jinja2==3.0.3
 PyJWT==2.1.0
--- a/script/gen_requirements_all.py
+++ b/script/gen_requirements_all.py
@ -68,9 +68,6 @@ pycryptodome>=3.6.6
 # Constrain urllib3 to ensure we deal with CVE-2020-26137 and CVE-2021-33503
 urllib3>=1.26.5
 # Constrain H11 to ensure we get a new enough version to support non-rfc line endings
 h11>=0.12.0
 # Constrain httplib2 to protect against GHSA-93xj-8mrv-444m
 # https://github.com/advisories/GHSA-93xj-8mrv-444m
 httplib2>=0.19.0
@ -105,12 +102,13 @@ pandas==1.3.0
 # This is fixed in 2021.8.28
 regex==2021.8.28
-# httpx requires httpcore, and httpcore requires anyio, but the version constraints on
+# httpx requires httpcore, and httpcore requires anyio and h11, but the version constraints on
-# these requirements are quite loose. As these requirements have some outstanding issues
+# these requirements are quite loose. As the entire stack has some outstanding issues, and
-# which may be addressed by version updates, we can tighten their minimum version
+# even newer versions seem to introduce new issues, it's useful for us to pin all these
-# requirements here.
+# requirements so we can directly link HA versions to these library versions.
-httpcore>=0.14.5
+anyio==3.5.0
-anyio>=3.5.0
+h11==0.12.0
 httpcore==0.14.5
 # pytest_asyncio breaks our test suite. We rely on pytest-aiohttp instead
 pytest_asyncio==1000000000.0.0
--- a/setup.py
+++ b/setup.py
@ -42,7 +42,9 @@ REQUIRES = [
    "bcrypt==3.1.7",
    "certifi>=2021.5.30",
    "ciso8601==2.2.0",
-    "httpx==0.21.0",
+    # When bumping httpx, please check the version pins of
    # httpcore, anyio, and h11 in gen_requirements_all
    "httpx==0.21.3",
    "ifaddr==0.1.7",
    "jinja2==3.0.3",
    "PyJWT==2.1.0",