update h11 to fix the CVE #2626
h11 v0.16.0 fixed the CVE already
A trivy scan of the uv.lock file reported: h11, CVE-2025-43859, CRITICAL, installed 0.14.0, fixed in 0.16.0
Do you know if specifying the dependency as h11 >=0.8 is enough to ensure that the package is updated to version 0.16 or later?
On uvicorn's side (as a project), it's okay to be >= 0.8 and not >= 0.16.
On your end, you need to make sure you have >= 0.16.
As a maintainer of Uvicorn, I can force all users to move to >= 0.16. Given the score this CVE got, it may be a good idea...
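The distinction the maintainer draws above (what a library declares versus what your own lock file resolves) can be checked mechanically. The script below is an added example, not code from this discussion or from the uvicorn/h11 projects: it reads the resolved h11 version out of a uv.lock and reports whether it satisfies a loose `>=0.8` bound and, separately, whether it is at or past 0.16.0, the fixed release named in the thread. The uv.lock excerpt is constructed for illustration (the `example-app` package is hypothetical); the line-by-line parser handles only the `name`/`version` keys of `[[package]]` tables, and version comparison ignores pre-release tags, both simplifications.

```python
"""Added example (not from this discussion): check which h11 version a uv.lock
actually resolves to, and show why a lower bound like 'h11 >=0.8' on its own
does not guarantee the fixed release.

Assumptions: the uv.lock excerpt below is constructed; FIXED_VERSION comes
from the thread (h11 0.16.0 fixes CVE-2025-43859).
"""
import re

FIXED_VERSION = "0.16.0"

# Constructed uv.lock excerpt. Only the h11 entry matters here; "example-app"
# is a hypothetical consumer declaring the loose 'h11>=0.8' requirement.
SAMPLE_UV_LOCK = """\
version = 1
requires-python = ">=3.9"

[[package]]
name = "h11"
version = "0.14.0"
source = { registry = "https://pypi.org/simple" }

[[package]]
name = "example-app"
version = "1.0.0"
source = { editable = "." }
dependencies = [
    { name = "h11" },
]

[package.metadata]
requires-dist = [{ name = "h11", specifier = ">=0.8" }]
"""

_KV = re.compile(r'^([A-Za-z0-9_-]+)\s*=\s*"([^"]*)"\s*$')


def parse_version(text: str) -> tuple:
    """Turn '0.16.0' into (0, 16, 0). Only the numeric release segment is
    compared; pre-release/local tags are ignored (simplification)."""
    match = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in match.group(0).split(".")]
    while len(parts) < 3:  # pad so (0, 16) compares equal to (0, 16, 0)
        parts.append(0)
    return tuple(parts)


def locked_versions(lock_text: str) -> dict:
    """Map package name -> locked version from a uv.lock.

    uv.lock is TOML; each '[[package]]' table carries 'name' and 'version'.
    Parsed line by line here so the example has no third-party dependency.
    """
    versions = {}
    current = None
    for line in lock_text.splitlines():
        stripped = line.strip()
        if stripped == "[[package]]":
            current = {}
            continue
        if stripped.startswith("["):
            current = None  # sub-table such as [package.metadata]: stop collecting
            continue
        if current is None:
            continue
        kv = _KV.match(stripped)
        if kv:
            current[kv.group(1)] = kv.group(2)
            if "name" in current and "version" in current:
                versions[current["name"]] = current["version"]
    return versions


def satisfies_lower_bound(version: str, bound: str) -> bool:
    """Does 'version' satisfy a '>=bound' specifier?"""
    return parse_version(version) >= parse_version(bound)


def is_fixed(version: str) -> bool:
    """Is 'version' at or past the release that fixes the CVE?"""
    return parse_version(version) >= parse_version(FIXED_VERSION)


def check_h11(lock_text: str, declared_bound: str = "0.8") -> dict:
    """Summarise the gap between the declared bound and what is actually locked."""
    locked = locked_versions(lock_text).get("h11")
    if locked is None:
        return {"locked": None, "satisfies_declared_bound": None, "fixed": None}
    return {
        "locked": locked,
        "satisfies_declared_bound": satisfies_lower_bound(locked, declared_bound),
        "fixed": is_fixed(locked),
    }


if __name__ == "__main__":
    print(check_h11(SAMPLE_UV_LOCK))
    # {'locked': '0.14.0', 'satisfies_declared_bound': True, 'fixed': False}
```

The result for the constructed lock is the situation the thread describes: 0.14.0 satisfies `>=0.8`, so the declared bound is met, yet the locked version is still below 0.16.0. Point the same check at a real uv.lock and the `fixed` flag tells you whether re-locking (or a tighter bound on your own side) is still needed.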