fix(proxy): bump gunicorn to >=26.0.0 for HTTP request smuggling fix#33416
fix(proxy): bump gunicorn to >=26.0.0 for HTTP request smuggling fix#33416devin-ai-integration[bot] wants to merge 1 commit into
Conversation
🤖 Devin AI EngineerI'll be helping with this pull request! Here's what you should know: ✅ I will automatically:
Note: I can only respond to comments from users who have write access to this repository. ⚙️ Control Options:
|
Greptile SummaryThis PR performs a targeted security hardening of the proxy by bumping the gunicorn version constraint in
Confidence Score: 5/5Safe to merge — the change is a minimal, surgical version bump of a single optional proxy dependency with no functional regressions The diff touches exactly two lines in No files require special attention. Note that
|
| Filename | Overview |
|---|---|
| pyproject.toml | Bumps gunicorn proxy extra constraint from >=23.0.0,<24.0 to >=26.0.0,<27.0; change is correctly scoped to the proxy optional dependency group |
| uv.lock | Updates gunicorn from 23.0.0 to 26.0.0 in the lock file; sdist/wheel URLs, hashes, and the requires-dist specifier are all updated consistently; sole runtime dependency (packaging) is unchanged |
Reviews (1): Last reviewed commit: "fix(proxy): bump gunicorn to >=26.0.0 fo..." | Re-trigger Greptile
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
Relevant issues
Fixes #33405
Linear ticket
Pre-Submission checklist
Screenshots / Proof of Fix
Captured at commit
ca4b1812dbBefore, the proxy extra allowed
gunicorn>=23.0.0,<24.0and the lockfile resolvedgunicorn==23.0.0, which falls in the affected0.1through25.3.0range reported by Aikido advisoryAIKIDO-2026-10742(HTTP request smuggling / framing). After the change the proxy install resolves the fixed26.0.0releaseThe existing gunicorn CLI tests still pass on
26.0.0Type
🐛 Bug Fix
Changes
Moved the proxy extra's gunicorn constraint from
>=23.0.0,<24.0to>=26.0.0,<27.0inpyproject.toml, and updateduv.lockso the proxy install resolvesgunicorn==26.0.0(the release Aikido lists as fixed) instead of the vulnerable23.0.0.26.0.0was published 2026-05-05, so it is well past the 7-day aging window for supply-chain safety, and its only runtime dependency is stillpackaging, so nothing else in the lock changesThe lock edit is surgical: only gunicorn's package block and its requires-dist specifier move, leaving the rest of the resolution untouched
Final Attestation
Link to Devin session: https://app.devin.ai/sessions/8356f189c70b445b8e15eeca7309063f