* upgrade to latest pip for in_docker_test_script.sh
* Bump gunicorn to 22.0.0 (security)
Changelog: https://docs.gunicorn.org/en/stable/news.html#id1
use utime to notify workers liveness
migrate setup to pyproject.toml
fix numerous security vulnerabilities in HTTP parser (closing some request smuggling vectors)
parsing additional requests is no longer attempted past unsupported request framing
on HTTP versions < 1.1 support for chunked transfer is refused (only used in exploits)
requests conflicting configured or passed SCRIPT_NAME now produce a verbose error
Trailer fields are no longer inspected for headers indicating secure scheme
support Python 3.12
** Breaking changes **
minimum version is Python 3.7
the limitations on valid characters in the HTTP method have been bounded to Internet Standards
requests specifying unsupported transfer coding (order) are refused by default (rare)
HTTP methods are no longer casefolded by default (IANA method registry contains none affected)
HTTP methods containing the number sign (#) are no longer accepted by default (rare)
HTTP versions < 1.0 or >= 2.0 are no longer accepted by default (rare, only HTTP/1.1 is supported)
HTTP versions consisting of multiple digits or containing a prefix/suffix are no longer accepted
HTTP header field names Gunicorn cannot safely map to variables are silently dropped, as in other software
HTTP headers with empty field name are refused by default (no legitimate use cases, used in exploits)
requests with both Transfer-Encoding and Content-Length are refused by default (such a message might indicate an attempt to perform request smuggling)
empty transfer codings are no longer permitted (reportedly seen with really old & broken proxies)
** SECURITY **
fix CVE-2024-1135
* Remove TYPE_CHECKING guard for pydantic v1 imports
Retain TYPE_CHECKING guard in v1 fallback to force pyright into pydantic.v1 namespace
* Run unit tests with pydantic v1 now that v2 is installed via poetry
* add more tests
* add tests to raise coverage
* more tests, bump coverage to 73
* fix up icon_button test
* fix darglint for app.py
* fix utcnow usage warning
* set threshold to 72
* fix timestamp
* fix unit tests for linux-redis
* removed commented code and put a TODO
* Remove upper bounds of most dependencies.
Also adds a import try except block for pydantic.v1 and relocks.
Keep black and ruff to not mess to much with current formatting
Make pyright see the right import as long as constraint still lock pydantiv v1
Down pin pytest-asyncio again due to known issue
Fix upload handler with latest versions of fastapi
Change comment
* Add changed lockfile
* Set max versions for deps
* Revert app.pyi
---------
Co-authored-by: Malte Klemm <malte.klemm@blueyonder.com>
Co-authored-by: Nikhil Rao <nikhil@reflex.dev>
* rebase
* pass include_children kwarg in radix FormRoot
* respect include_children
* ruff fixes
* readd statemanager init, run pyi gen
* minor performance imporovements, fix for state changes
* fix pyi and pyright
* pass include_children for chakra
* remove old state detection
* add test for unused states in stateless app
---------
Co-authored-by: Masen Furer <m_github@0x26.net>
* Support setting Next.js basePath in Reflex config. (#1633)
- Tests.
- And sorted config in next.config.js template.
* Display the correct running at url with basePath if it is set. (#1583)
* Formatting, fixed by black.
* Fix indenting in test data.
* Fixed that conflict resolution shouldnt have included console.debug line.
* Rmove use of :=. Add http:// to url. Use urljoin to build url.
