Skip to content

Update dependency h2 to v4.3.0 [SECURITY] #40

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Update dependency h2 to v4.3.0 [SECURITY] #40

wants to merge 1 commit into from

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Aug 25, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
h2 ==4.1.0 -> ==4.3.0 age confidence

GitHub Vulnerability Alerts

CVE-2025-57804

Summary

HTTP/2 request splitting vulnerability allows attackers to perform request smuggling attacks by injecting CRLF characters into headers. This occurs when servers downgrade HTTP/2 requests to HTTP/1.1 without properly validating header names/values, enabling attackers to manipulate request boundaries and bypass security controls.

Release Notes

python-hyper/h2 (h2)

v4.3.0

Compare Source

API Changes (Backward Incompatible)

  • Reject header names and values containing illegal characters, based on RFC 9113, section 8.2.1.
    The main Python API is compatible, but some previously valid requests/response headers might now be blocked.
    Use the validate_inbound_headers config option if needed.
    Thanks to Sebastiano Sartor (sebsrt) for the report.
  • Convert emitted events into Python dataclass, which introduces new constructors with required arguments.
    Instantiating these events without arguments, as previously commonly used API pattern, will no longer work.

API Changes (Backward Compatible)

  • h2 events now have tighter type bounds, e.g. stream_id is guaranteed to not be None for most events now.
    This simplifies downstream type checking.
  • Various typing-related improvements.

Bugfixes

  • Fix error value when opening a new stream on too many open streams.

v4.2.0

Compare Source

API Changes (Backward Incompatible)

  • Support for Python 3.6 has been removed.
  • Support for Python 3.7 has been removed.
  • Support for Python 3.8 has been removed.
  • Remove mistakenly set max_inbound_frame_size attribute on H2Stream.

API Changes (Backward Compatible)

  • Support for Python 3.11 has been added.
  • Support for Python 3.12 has been added.
  • Support for Python 3.13 has been added.
  • Add an ability to send outbound cookies separately to improve headers compression.
  • Updated packaging and testing infrastructure.

Bugfixes

  • Fix repr() checks for Python 3.11
  • Fix asyncio / wsgi examples.
  • Clarify docs on using curl with http2.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant