Bump the pip-all group with 2 updates by dependabot[bot] · Pull Request #374 · rodlukas/UP-admin

dependabot · 2026-05-06T02:23:44Z

Bumps the pip-all group with 2 updates: django and gunicorn.

Updates django from 6.0.4 to 6.0.5

Commits

8f8ad09 [6.0.x] Bumped version for 6.0.5 release.
44ad76e [6.0.x] Fixed CVE-2026-6907 -- Prevented caching of requests when Vary header...
1b0184a [6.0.x] Fixed CVE-2026-35192 -- Ensured Vary header is sent when setting sess...
ad8f9e1 [6.0.x] Fixed CVE-2026-5766 -- Enforced DATA_UPLOAD_MAX_MEMORY_SIZE in Memory...
990ab01 [6.0.x] Fixed #37039 -- Removed outdated note from QuerySet.iterator() docs.
f0c269f [6.0.x] Fixed typo in stub release notes for 5.2.14.
8bcd15b [6.0.x] Fixed #37067 -- Added trailing slash in django_file_prefixes().
3cdec64 [6.0.x] Refs CVE-2026-25674 -- Clarified role of umask in upload permissions.
5dd5c70 [6.0.x] Added stub release notes and release date for 6.0.5 and 5.2.14.
8ee7341 [6.0.x] Refs #373, #34122 -- Removed warning that ForeignObject is an interna...
Additional commits viewable in compare view

Updates gunicorn from 25.3.0 to 26.0.0

Release notes

26.0.0

Breaking Changes

Eventlet worker removed: The eventlet worker class has been dropped. Migrate to gevent, gthread, or tornado.

New Features

ASGI Framework Compatibility Suite: New end-to-end compatibility test harness covering Starlette, FastAPI, Litestar, Quart, Sanic, and BlackSheep. Current grid passes 438/444 tests (98%).

ASGI Test Suite Expansion: 134 additional ASGI unit tests covering protocol semantics, lifespan, websockets, and chunked framing.

Security

HTTP/1.1 Request-Target Validation (RFC 9112 sections 3.2.3, 3.2.4):

Reject authority-form request-target outside CONNECT

Reject asterisk-form request-target outside OPTIONS

Reject relative-reference request-targets

Header Field Hardening (RFC 9110):

Reject control characters in header field-value (section 5.5)

Reject forbidden trailer field-names (section 6.5.1)

Reject Content-Length list form (RFC 9112 section 6.3)

Request Smuggling Hardening:

Tighten keepalive gate and scope finish_body byte cap

Keep _body_receiver alive across the keepalive smuggling gate so pipelined requests cannot re-enter a closed body

Address parser/protocol findings from a six-point WSGI/ASGI audit

PROXY Protocol (ASGI): Enforce proxy_allow_ips and tighten v1/v2 parsing in the ASGI callback parser.

Connection Draining: Drain the connection on close per RFC 9112 section 9.6 to prevent reset-on-close truncation.

Bug Fixes

Body Framing on HEAD/204/304:

Keep Content-Length on HEAD and 304 responses (#3621)

Drop body framing on HEAD/204/304 even when the framework set it

Warn once when an ASGI app emits a body for a no-body response

HTTP/2 ASGI:

Fix _handle_stream_ended to set _body_complete in the async HTTP/2 handler so request bodies finalize correctly on stream end

Add InvalidChunkExtension mapping and fast-parser support in ASGI tests (#3565)

HTTP/1.1 100-Continue: Stop adding Transfer-Encoding: chunked to 100-Continue interim responses.

WebSocket Close Handshake (RFC 6455):

Comply with the close handshake state machine

Close the transport after the close handshake completes

Fix binary send when the text key is None

Early Hints: Validate headers in the early_hints callback to match process_headers; pass only the header name to InvalidHeader (#3588).

ASGI Framework Fixes:

Fix ASGI disconnect handling for Django-style apps

Fix Litestar request handling (use raw ASGI receive for body/headers)

Fix Litestar HTTP endpoints for compatibility tests

Fix Quart headers endpoint to normalize keys to lowercase

Fix Quart WebSocket close test app (missing accept())

Fix duplicate Transfer-Encoding header for BlackSheep streaming

... (truncated)

Commits

5d819cf release: 26.0.0
b45c70d Merge pull request #3611 from zc-mattcen/docs-typo
99c8d48 Merge pull request #3623 from benoitc/chore/drop-eventlet-add-h2-uvloop-test-...
5a655af Merge pull request #3622 from benoitc/test/docker-port-and-ipv4-fixes
201df19 chore: remove eventlet worker; add h2 and uvloop to test deps
f4ac8e1 test: pass action name to dirty client and stabilize after TTOU spam
54d38af test: unblock docker fixtures on macOS hosts
68843c8 Merge pull request #3621 from benoitc/fix/asgi-preserve-content-length-on-hea...
31f2618 Merge pull request #3620 from benoitc/fix/asgi-proxy-protocol-trust-and-parsing
41ec752 fix: keep Content-Length on HEAD and 304 responses
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the pip-all group with 2 updates: [django](https://github.com/django/django) and [gunicorn](https://github.com/benoitc/gunicorn). Updates `django` from 6.0.4 to 6.0.5 - [Commits](django/django@6.0.4...6.0.5) Updates `gunicorn` from 25.3.0 to 26.0.0 - [Release notes](https://github.com/benoitc/gunicorn/releases) - [Commits](benoitc/gunicorn@25.3.0...26.0.0) --- updated-dependencies: - dependency-name: django dependency-version: 6.0.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: pip-all - dependency-name: gunicorn dependency-version: 26.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: pip-all ... Signed-off-by: dependabot[bot] <support@github.com>

sonarqubecloud · 2026-05-06T02:24:27Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels May 6, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump the pip-all group with 2 updates#374

Bump the pip-all group with 2 updates#374
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/pip/pip-all-e14405f669

dependabot Bot commented on behalf of github May 6, 2026

Uh oh!

sonarqubecloud Bot commented May 6, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github May 6, 2026

26.0.0

Breaking Changes

New Features

Security

Bug Fixes

Uh oh!

sonarqubecloud Bot commented May 6, 2026

Quality Gate passed

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants