* upgrade to latest pip for in_docker_test_script.sh
* Bump gunicorn to 22.0.0 (security)
Changelog: https://docs.gunicorn.org/en/stable/news.html#id1
use utime to notify workers liveness
migrate setup to pyproject.toml
fix numerous security vulnerabilities in HTTP parser (closing some request smuggling vectors)
parsing additional requests is no longer attempted past unsupported request framing
on HTTP versions < 1.1 support for chunked transfer is refused (only used in exploits)
requests conflicting configured or passed SCRIPT_NAME now produce a verbose error
Trailer fields are no longer inspected for headers indicating secure scheme
support Python 3.12
** Breaking changes **
minimum version is Python 3.7
the limitations on valid characters in the HTTP method have been bounded to Internet Standards
requests specifying unsupported transfer coding (order) are refused by default (rare)
HTTP methods are no longer casefolded by default (IANA method registry contains none affected)
HTTP methods containing the number sign (#) are no longer accepted by default (rare)
HTTP versions < 1.0 or >= 2.0 are no longer accepted by default (rare, only HTTP/1.1 is supported)
HTTP versions consisting of multiple digits or containing a prefix/suffix are no longer accepted
HTTP header field names Gunicorn cannot safely map to variables are silently dropped, as in other software
HTTP headers with empty field name are refused by default (no legitimate use cases, used in exploits)
requests with both Transfer-Encoding and Content-Length are refused by default (such a message might indicate an attempt to perform request smuggling)
empty transfer codings are no longer permitted (reportedly seen with really old & broken proxies)
** SECURITY **
fix CVE-2024-1135
* Remove TYPE_CHECKING guard for pydantic v1 imports
Retain TYPE_CHECKING guard in v1 fallback to force pyright into pydantic.v1 namespace
* Run unit tests with pydantic v1 now that v2 is installed via poetry
* Remove upper bounds of most dependencies.
Also adds a import try except block for pydantic.v1 and relocks.
Keep black and ruff to not mess to much with current formatting
Make pyright see the right import as long as constraint still lock pydantiv v1
Down pin pytest-asyncio again due to known issue
Fix upload handler with latest versions of fastapi
Change comment
* Add changed lockfile
* Set max versions for deps
* Revert app.pyi
---------
Co-authored-by: Malte Klemm <malte.klemm@blueyonder.com>
Co-authored-by: Nikhil Rao <nikhil@reflex.dev>
* add command to share custom component info for gallery
* cleanup
* tested
* Update custom_components.py
Co-authored-by: Masen Furer <m_github@0x26.net>
* reorder the questions
* ask user to verify info before publishing
* remove questions already captured in pyproject.toml
* no need to cache form inputs since not many questions
* tested
* cleanup
* delete test
---------
Co-authored-by: Masen Furer <m_github@0x26.net>
* Use dill instead of cloudpickle for serialization
* smaller size pickles
* support dynamically defined states
* avoid issues with unpickleable globals
* pyproject: add dill, remove cloudpickle
* poetry.lock: relock dependencies
* Dynamically convert EventHandler to functools.partial
Instead of converting the functions up front and assigning them to the
instance, unbox the function from the EventHandler when it is requested via
__getattribute__. This reduces the size of the per-instance pickle, because
event handler bodies do not need to be included.
* Improve checking for cython_function_or_method
Because pydantic can be installed without cython, only use the workaround in
the case where the BaseModel.validate function is NOT a FunctionType,
indicating it's a cython function.
* Serialize all State subclasses by reference
