asyncio-gevent
Update pyproject.toml to update gevent
Pin [email protected] to [email protected] to fix ✗ Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') (new) [High Severity][https://security.snyk.io/vuln/SNYK-PYTHON-GEVENT-5906371] in [email protected]
Merge? :)
Maybe we can use latest gevent for all Pythons? Not only 3.11
https://www.gevent.org/changelog.html
23.9.1 (2023-09-12)
Bugfixes
Require greenlet 3.0 on Python 3.11 and Python 3.12; greenlet 3.0 is recommended for all platforms. This fixes a number of obscure crashes on all versions of Python, as well as fixing a fairly common problem on Python 3.11+ that could manifest as either a crash or as a SystemError. See [issue #1985](https://github.com/gevent/gevent/issues/1985).
@skykistler The 3.11 test is still failing. Can you fix that some time soon?
@spumer I'm generally in favour of using the latest versions, but the version specified in the dependencies is just the minimum version required, so you can use any later version as well, but some legacy projects might nevertheless be slow to upgrade.
I think the CI failed initially because of an issue with the 23.9.0 gevent build, they made a patch release for it. But yeah there is also 23.9.1 now which we've been using. Ended up forking and rolling forward due to the CVE, up to you whether you'd like to merge. Maybe a minor release is warranted for the greenlet upgrade and leave v0.2.3 working for legacy folks @gfmio lmk your opinion!
Any chance we can get this merged? @gfmio ~(Although, I note that 23.9.1 is now available)~ (Sorry already mentioned several times)
Just curious if someone in this thread knows: gevent uses calver instead of semver, which I think means the Poetry caret constraint limits the upper bound of gevent versions to releases within the same month. Would it maybe make sense to make the upper limit several months out at a time? Or within the same year? Not sure what the best practices around calver version constraints are.
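For reference on the calver question, the sketch below expands caret (`^`) and tilde (`~`) constraints into explicit bounds following Poetry's documented rules and checks which releases each one admits. It is an added example, not part of the thread or of this project's code; the helper names are hypothetical, and only 23.9.0 and 23.9.1 come from the thread (the other versions are constructed).

```python
"""Expand Poetry-style caret (^) and tilde (~) constraints into explicit bounds."""


def parse(version):
    # "23.9.1" -> (23, 9, 1); only plain numeric release segments are handled here.
    return tuple(int(part) for part in version.split("."))


def pad(parts, length=3):
    # Right-pad with zeros so (23, 9) and (23, 9, 0) compare as equal.
    return tuple(parts) + (0,) * (length - len(parts))


def caret_bounds(spec):
    """^X.Y.Z allows changes that keep the left-most non-zero segment fixed."""
    parts = parse(spec)
    # Index of the first non-zero segment; if all are zero, bump the last one given.
    idx = next((i for i, p in enumerate(parts) if p != 0), len(parts) - 1)
    upper = parts[:idx] + (parts[idx] + 1,)
    return pad(parts), pad(upper)


def tilde_bounds(spec):
    """~X.Y.Z and ~X.Y allow patch-level changes; ~X allows minor-level changes."""
    parts = parse(spec)
    idx = 0 if len(parts) == 1 else 1
    upper = parts[:idx] + (parts[idx] + 1,)
    return pad(parts), pad(upper)


def allowed(constraint, candidate):
    """True if lower <= candidate < upper for a ^ or ~ constraint string."""
    op, spec = constraint[0], constraint[1:]
    lower, upper = caret_bounds(spec) if op == "^" else tilde_bounds(spec)
    return lower <= pad(parse(candidate)) < upper


if __name__ == "__main__":
    # 23.9.0 and 23.9.1 appear in the thread; the other versions are constructed.
    candidates = ["23.9.0", "23.9.1", "23.10.0", "23.12.5", "24.1.0"]
    for constraint in ("^23.9.0", "~23.9.0"):
        ok = [v for v in candidates if allowed(constraint, v)]
        print(constraint, "->", ok)
```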