René's URL Explorer Experiment

Title: Update dependency h2 to v4.3.0 [SECURITY] by renovate[bot] · Pull Request #40 · protoconf/client-python · GitHub

Open Graph Title: Update dependency h2 to v4.3.0 [SECURITY] by renovate[bot] · Pull Request #40 · protoconf/client-python

X Title: Update dependency h2 to v4.3.0 [SECURITY] by renovate[bot] · Pull Request #40 · protoconf/client-python

Description: This PR contains the following updates: Package Change Age Confidence h2 ==4.1.0 → ==4.3.0 GitHub Vulnerability Alerts CVE-2025-57804 Summary HTTP/2 request splitting vulnerability allows attackers to perform request smuggling attacks by injecting CRLF characters into headers. This occurs when servers downgrade HTTP/2 requests to HTTP/1.1 without properly validating header names/values, enabling attackers to manipulate request boundaries and bypass security controls. Release Notes python-hyper/h2 (h2) v4.3.0 Compare Source API Changes (Backward Incompatible) Reject header names and values containing illegal characters, based on RFC 9113, section 8.2.1. The main Python API is compatible, but some previously valid requests/response headers might now be blocked. Use the validate_inbound_headers config option if needed. Thanks to Sebastiano Sartor (sebsrt) for the report. Convert emitted events into Python dataclass, which introduces new constructors with required arguments. Instantiating these events without arguments, as previously commonly used API pattern, will no longer work. API Changes (Backward Compatible) h2 events now have tighter type bounds, e.g. stream_id is guaranteed to not be None for most events now. This simplifies downstream type checking. Various typing-related improvements. Bugfixes Fix error value when opening a new stream on too many open streams. v4.2.0 Compare Source API Changes (Backward Incompatible) Support for Python 3.6 has been removed. Support for Python 3.7 has been removed. Support for Python 3.8 has been removed. Remove mistakenly set max_inbound_frame_size attribute on H2Stream. API Changes (Backward Compatible) Support for Python 3.11 has been added. Support for Python 3.12 has been added. Support for Python 3.13 has been added. Add an ability to send outbound cookies separately to improve headers compression. Updated packaging and testing infrastructure. Bugfixes Fix repr() checks for Python 3.11 Fix asyncio / wsgi examples. Clarify docs on using curl with http2. Configuration 📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. If you want to rebase/retry this PR, check this box This PR was generated by Mend Renovate. View the repository job log.

Open Graph Description: This PR contains the following updates: Package Change Age Confidence h2 ==4.1.0 → ==4.3.0 GitHub Vulnerability Alerts CVE-2025-57804 Summary HTTP/2 request splitting vulnerability allo...

X Description: This PR contains the following updates: Package Change Age Confidence h2 ==4.1.0 → ==4.3.0 GitHub Vulnerability Alerts CVE-2025-57804 Summary HTTP/2 request splitting vulnerability allo...

Opengraph URL: https://github.com/protoconf/client-python/pull/40

X: @github

direct link

Domain: patch-diff.githubusercontent.com

Links:

Viewport: width=device-width