[REF-2764] dep update 0.5.0 (#3245)

* upgrade to latest pip for in_docker_test_script.sh

* Bump gunicorn to 22.0.0 (security)

Changelog: https://docs.gunicorn.org/en/stable/news.html#id1

use utime to notify workers liveness
migrate setup to pyproject.toml
fix numerous security vulnerabilities in HTTP parser (closing some request smuggling vectors)
parsing additional requests is no longer attempted past unsupported request framing
on HTTP versions < 1.1 support for chunked transfer is refused (only used in exploits)
requests conflicting configured or passed SCRIPT_NAME now produce a verbose error
Trailer fields are no longer inspected for headers indicating secure scheme
support Python 3.12

** Breaking changes **
minimum version is Python 3.7
the limitations on valid characters in the HTTP method have been bounded to Internet Standards
requests specifying unsupported transfer coding (order) are refused by default (rare)
HTTP methods are no longer casefolded by default (IANA method registry contains none affected)
HTTP methods containing the number sign (#) are no longer accepted by default (rare)
HTTP versions < 1.0 or >= 2.0 are no longer accepted by default (rare, only HTTP/1.1 is supported)
HTTP versions consisting of multiple digits or containing a prefix/suffix are no longer accepted
HTTP header field names Gunicorn cannot safely map to variables are silently dropped, as in other software
HTTP headers with empty field name are refused by default (no legitimate use cases, used in exploits)
requests with both Transfer-Encoding and Content-Length are refused by default (such a message might indicate an attempt to perform request smuggling)
empty transfer codings are no longer permitted (reportedly seen with really old & broken proxies)

** SECURITY **
fix CVE-2024-1135

* Remove TYPE_CHECKING guard for pydantic v1 imports

Retain TYPE_CHECKING guard in v1 fallback to force pyright into pydantic.v1 namespace

* Run unit tests with pydantic v1 now that v2 is installed via poetry

.github/workflows/unit_tests.yml

@@ -77,9 +77,9 @@ jobs:
           export REDIS_URL=redis://localhost:6379
           poetry run pytest tests --cov --no-cov-on-fail --cov-report=
       # Change to explicitly install v1 when reflex-hosting-cli is compatible with v2
-      - name: Run unit tests w/ pydantic v2
+      - name: Run unit tests w/ pydantic v1
         run: |
           export PYTHONUNBUFFERED=1
-          poetry run pip install "pydantic>2"
+          poetry run pip install "pydantic~=1.10"
           poetry run pytest tests --cov --no-cov-on-fail --cov-report=
       - run: poetry run coverage html

integration/init-test/in_docker_test_script.sh

@@ -26,6 +26,7 @@ function do_export () {
 echo "Preparing test project dir"
 python3 -m venv ~/venv
 source ~/venv/bin/activate
+pip install -U pip
 
 echo "Installing reflex from local repo code"
 pip install /reflex-repo

pyproject.toml

@@ -29,7 +29,7 @@ packages = [
 python = "^3.8"
 dill = ">=0.3.8,<0.4"
 fastapi = ">=0.96.0,<1.0"
-gunicorn = ">=20.1.0,<22.0"
+gunicorn = ">=20.1.0,<23.0"
 jinja2 = ">=3.1.2,<4.0"
 psutil = ">=5.9.4,<6.0"
 pydantic = ">=1.10.2,<3.0"

reflex/base.py

@@ -5,19 +5,14 @@ import os
 from typing import TYPE_CHECKING, Any, List, Type
 
 try:
-    # TODO The type checking guard can be removed once
+    import pydantic.v1 as pydantic
-    # reflex-hosting-cli tools are compatible with pydantic v2
+    from pydantic.v1 import BaseModel
-
+    from pydantic.v1.fields import ModelField
-    if not TYPE_CHECKING:
-        import pydantic.v1 as pydantic
-        from pydantic.v1 import BaseModel
-        from pydantic.v1.fields import ModelField
-    else:
-        raise ModuleNotFoundError
 except ModuleNotFoundError:
-    import pydantic
+    if not TYPE_CHECKING:
-    from pydantic import BaseModel
+        import pydantic
-    from pydantic.fields import ModelField
+        from pydantic import BaseModel
+        from pydantic.fields import ModelField  # type: ignore
 
 
 from reflex import constants
@@ -50,7 +45,7 @@ def validate_field_name(bases: List[Type["BaseModel"]], field_name: str) -> None
 pydantic.main.validate_field_name = validate_field_name  # type: ignore
 
 
-class Base(pydantic.BaseModel):
+class Base(pydantic.BaseModel):  # pyright: ignore [reportUnboundVariable]
     """The base class subclassed by all Reflex classes.
 
     This class wraps Pydantic and provides common methods such as
@@ -75,7 +70,10 @@ class Base(pydantic.BaseModel):
         """
         from reflex.utils.serializers import serialize
 
-        return self.__config__.json_dumps(self.dict(), default=serialize)
+        return self.__config__.json_dumps(  # type: ignore
+            self.dict(),
+            default=serialize,
+        )
 
     def set(self, **kwargs):
         """Set multiple fields and return the object.
@@ -114,7 +112,7 @@ class Base(pydantic.BaseModel):
             value=default_value,
             annotation=var._var_type,
             class_validators=None,
-            config=cls.__config__,
+            config=cls.__config__,  # type: ignore
         )
         cls.__fields__.update({var._var_name: new_field})
 

reflex/compiler/utils.py

@@ -3,19 +3,13 @@
 from __future__ import annotations
 
 import os
-from typing import TYPE_CHECKING, Any, Callable, Dict, Optional, Type, Union
+from typing import Any, Callable, Dict, Optional, Type, Union
 from urllib.parse import urlparse
 
 try:
-    # TODO The type checking guard can be removed once
+    from pydantic.v1.fields import ModelField
-    # reflex-hosting-cli tools are compatible with pydantic v2
-
-    if not TYPE_CHECKING:
-        from pydantic.v1.fields import ModelField
-    else:
-        raise ModuleNotFoundError
 except ModuleNotFoundError:
-    from pydantic.fields import ModelField
+    from pydantic.fields import ModelField  # type: ignore
 
 from reflex import constants
 from reflex.components.base import (

reflex/config.py

@@ -6,16 +6,10 @@ import importlib
 import os
 import sys
 import urllib.parse
-from typing import TYPE_CHECKING, Any, Dict, List, Optional, Set
+from typing import Any, Dict, List, Optional, Set
 
 try:
-    # TODO The type checking guard can be removed once
+    import pydantic.v1 as pydantic
-    # reflex-hosting-cli tools are compatible with pydantic v2
-
-    if not TYPE_CHECKING:
-        import pydantic.v1 as pydantic
-    else:
-        raise ModuleNotFoundError
 except ModuleNotFoundError:
     import pydantic
 

reflex/model.py

@@ -133,7 +133,7 @@ class ModelRegistry:
         return metadata
 
 
-class Model(Base, sqlmodel.SQLModel):
+class Model(Base, sqlmodel.SQLModel):  # pyright: ignore [reportGeneralTypeIssues]
     """Base class to define a table in the database."""
 
     # The primary key for the table.

reflex/state.py

@@ -29,13 +29,7 @@ from typing import (
 import dill
 
 try:
-    # TODO The type checking guard can be removed once
+    import pydantic.v1 as pydantic
-    # reflex-hosting-cli tools are compatible with pydantic v2
-
-    if not TYPE_CHECKING:
-        import pydantic.v1 as pydantic
-    else:
-        raise ModuleNotFoundError
 except ModuleNotFoundError:
     import pydantic
 

reflex/utils/types.py

@@ -8,7 +8,6 @@ import sys
 import types
 from functools import wraps
 from typing import (
-    TYPE_CHECKING,
     Any,
     Callable,
     Dict,
@@ -28,15 +27,9 @@ from typing import (
 import sqlalchemy
 
 try:
-    # TODO The type checking guard can be removed once
+    from pydantic.v1.fields import ModelField
-    # reflex-hosting-cli tools are compatible with pydantic v2
-
-    if not TYPE_CHECKING:
-        from pydantic.v1.fields import ModelField
-    else:
-        raise ModuleNotFoundError
 except ModuleNotFoundError:
-    from pydantic.fields import ModelField
+    from pydantic.fields import ModelField  # type: ignore
 
 from sqlalchemy.ext.associationproxy import AssociationProxyInstance
 from sqlalchemy.ext.hybrid import hybrid_property