Bump eventlet from 0.30.2 to 0.31.0

[dependabot[bot]]

Bumps eventlet from 0.30.2 to 0.31.0.

Changelog

Sourced from eventlet's changelog.

0.31.0

• IMPORTANT: websocket: Limit maximum uncompressed frame length to 8MiB https://github.com/eventlet/eventlet/security/advisories/GHSA-9p9m-jm8w-94p2

0.30.3

• wsgi: websocket ALREADY_HANDLED flag on corolocal
• green.ssl: Set suppress_ragged_eofs default based on SSLSocket defaults
• greenio: socket.connect_ex returned None instead of 0 on success
• Use _imp instead of deprecated imp

Commits

• f717f38 v0.31.0 release
• 1412f5e websocket: Limit maximum uncompressed frame length to 8MiB
• b0be94e v0.30.3 release
• df0bc00 wsgi: websocket ALREADY_HANDLED flag on corolocal
• 377b4fb green.ssl: Set suppress_ragged_eofs default based on SSLSocket defaults
• 71b76bf Security Policy
• 50441fc greenio: socket.connect_ex returned None instead of 0 on success
• e16fcab Use _imp instead of deprecated imp
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

[arm4b]

Based on history, we tried to update the eventlet before here: https://github.com/StackStorm/st2/pull/5255#issuecomment-835861160 by @Kami

However, because of the breaking change, it fails the build in guinicorn which relies on specific eventlet functionality.

• https://github.com/eventlet/eventlet/issues/702
• https://github.com/benoitc/gunicorn/pull/2581
• https://stackoverflow.com/a/67429430/4533625

Per https://github.com/eventlet/eventlet/issues/702#issuecomment-833432067, the proper fix in gunicorn was merged, but the new version wasn't released yet.

So the current status is that we're waiting for the guinicorn version to be released here: https://github.com/benoitc/gunicorn/releases (newer than 20.1.0) and so we can update both eventlent + gunicorn in this PR to merge it.

[CLAassistant]

All committers have signed the CLA.

[amanda11]

Update on gunicorn 7 days ago, saying new release would be out this week: https://github.com/benoitc/gunicorn/issues/2638

[arm4b]

Looks like https://github.com/benoitc/gunicorn/issues/2638 is still unreleased.

[amanda11]

@armab Shall we move this to 3.7.0?

[cognifloyd]

Yeah. 1 week has become 1 month, and they have only merged 1 PR in that time. That PR has nothing to do with the release (afaict), so who knows when it will happen. I moved this to 3.7.0

[amanda11]

No new release - latest is still 20.1.0 - but project still active. 6 open issues in the next release plan - https://github.com/benoitc/gunicorn/milestone/20.

[arm4b]

Thanks for checking! We have no choice, but to move the issue to the next v3.8.0 and keep track of it.

[nzlosh]

More than 1 year later and still no gunicorn 21 release. Eventlet is now at 0.33.0 which makes this PR obsolete.

[nzlosh]

What are peoples opinion on the idea of forking gunicorn and building v3.8 from our forked repo that includes that patch we need to move past eventlet 0.30.2?

[cognifloyd]

I think it is on their master branch, so let's try targeting a git commit and avoid actually forking it.

They keep saying something about some CI infrastructure change, but they have not expounded. And there's no movement on releasing. So I don't see what else we can do.

[nzlosh]

OK, we'll start without forking and see if we encounter other issues related to gunicron that require us to accumulate patches in a forked repo.

[cognifloyd]

gunicorn 21 was released in July

[jk464]

#6061 bumped eventlet to 0.33.3 - so I think this PR can be abandon as its been superseded now?

[arm4b]

Thanks @jk464 for bumping this thread. Closing.

[dependabot[bot]]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.