
chore(deps): update httpx version#755

Merged
camilamaia merged 1 commit into main from dependabot-31 on Jul 1, 2025

Conversation

@camilamaia
Member

@camilamaia camilamaia commented Jun 30, 2025

Description

This PR updates the httpx dependency to ^0.27.0, which brings in httpcore >=1.0.0 and h11 >=0.16.0. This resolves a known vulnerability in older versions of h11 related to lenient parsing of chunked encoding that could lead to request smuggling under certain conditions.

Motivation behind this PR?

Older versions of h11 (used indirectly via httpx) allowed invalid chunked encoding bodies to be parsed without error, potentially opening up request smuggling vulnerabilities in edge cases involving misconfigured reverse proxies.
This update ensures the project no longer includes a vulnerable version of h11 and improves overall security compliance.

https://github.com/scanapi/scanapi/security/dependabot/31

What type of change is this?

Security Fix

Checklist

  • A changelog entry was added, or this PR does not require one.
  • Unit tests were added or updated as needed, or not required for this change.
  • All unit tests pass locally.
  • Docstrings or comments were added or updated as needed, or no documentation changes were required.
  • This PR does not significantly reduce code or docstring coverage.
  • Code follows the project’s style guidelines.
  • ScanAPI was run locally and the changes were manually verified, or this was not necessary.
  • Commits were squashed, or squashing was not necessary (e.g., only one commit).

Issue

There is no issue because it is a security vulnerability.
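The PR description above says the risk is a parser that accepts a chunked body whose chunk data is not followed by CRLF, so that it and a reverse proxy can disagree about where one request ends and the next begins. The following is an added example, not code from scanapi, httpx or h11: two toy decoders for an HTTP/1.1 chunked body, one that enforces the CRLF terminator and one that skips any two bytes after the chunk data (a simplification of the permissive behaviour the description refers to). The sample bodies, including the `/internal-admin` request, are constructed for the demonstration. On well-formed input both decoders agree; on the crafted body the strict decoder rejects it while the lenient one accepts it and reports the trailing bytes as what a keep-alive connection would read as the next request, which is the disagreement a smuggling attack relies on.

```python
from __future__ import annotations

import re

# Added example (not scanapi's, httpx's or h11's code).  The bodies below are
# constructed, not captured traffic.

CRLF = b"\r\n"
_HEX = re.compile(rb"[0-9A-Fa-f]+")


class ChunkedError(ValueError):
    """Raised when the body violates the chunked-encoding grammar."""


def _read_line(data: bytes, pos: int) -> tuple[bytes, int]:
    """Return (line without its CRLF, position just after that CRLF)."""
    end = data.find(CRLF, pos)
    if end == -1:
        raise ChunkedError("line not terminated by CRLF")
    return data[pos:end], end + 2


def decode_chunked(data: bytes, strict: bool = True) -> tuple[bytes, bytes]:
    """Decode one chunked body; return (decoded payload, bytes left after it).

    The leftover is what the same connection would parse as the *next*
    request, so two parsers that return different leftovers are desynced.
    strict=True enforces RFC 9112 (chunk-data MUST be followed by CRLF);
    strict=False skips the two bytes after the data without checking them.
    """
    payload = bytearray()
    pos = 0
    while True:
        line, pos = _read_line(data, pos)
        size_field = line.split(b";", 1)[0].strip()  # drop chunk extensions
        if not _HEX.fullmatch(size_field):  # rejects "", "-5", "0x5", "1_0"
            raise ChunkedError(f"bad chunk size {size_field!r}")
        size = int(size_field, 16)
        if size == 0:
            break
        chunk = data[pos:pos + size]
        if len(chunk) != size:
            raise ChunkedError("truncated chunk data")
        pos += size
        terminator = data[pos:pos + 2]
        if len(terminator) != 2:
            raise ChunkedError("truncated chunk terminator")
        if strict and terminator != CRLF:
            raise ChunkedError(f"chunk data followed by {terminator!r}, not CRLF")
        pos += 2  # lenient mode consumes the two bytes whatever they are
        payload += chunk
    # last-chunk: zero or more trailer lines, then an empty line
    while True:
        line, pos = _read_line(data, pos)
        if not line:
            break
    return bytes(payload), data[pos:]


def is_rejected(data: bytes, strict: bool = True) -> bool:
    """True if the chosen decoder refuses the body."""
    try:
        decode_chunked(data, strict=strict)
    except ChunkedError:
        return True
    return False


# Constructed sample bodies.
WELL_FORMED = b"5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n"
# Chunk data "hello" is followed by b"XX" instead of CRLF.  A lenient decoder
# skips those two bytes, then sees a valid last-chunk and treats everything
# after it as a second request already sitting on the connection.
SMUGGLED = (
    b"5\r\nhelloXX0\r\n\r\n"
    b"GET /internal-admin HTTP/1.1\r\nHost: backend\r\n\r\n"
)

if __name__ == "__main__":
    for name, body in (("well-formed", WELL_FORMED), ("crafted", SMUGGLED)):
        for mode in (True, False):
            label = "strict" if mode else "lenient"
            try:
                payload, rest = decode_chunked(body, strict=mode)
                print(f"{name}/{label}: payload={payload!r} leftover={rest!r}")
            except ChunkedError as exc:
                print(f"{name}/{label}: rejected ({exc})")
```

After the upgrade, confirm that the resolved environment actually carries the fixed parser, for example with `pip show h11` (or `poetry show h11` in a Poetry-managed project) and check that the reported version is at least 0.16.0; the `^0.27.0` constraint on httpx only reaches h11 transitively.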

@codecov

codecov bot commented Jun 30, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 97.96%. Comparing base (422c79c) to head (1975c72).
Report is 21 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #755   +/-   ##
=======================================
  Coverage   97.96%   97.96%           
=======================================
  Files          24       24           
  Lines         787      787           
=======================================
  Hits          771      771           
  Misses         16       16           


@camilamaia camilamaia marked this pull request as ready for review June 30, 2025 18:41
@camilamaia camilamaia requested review from a team as code owners June 30, 2025 18:41
@camilamaia camilamaia added the Security Affects security of the project. label Jun 30, 2025
@camilamaia camilamaia merged commit 8e82676 into main Jul 1, 2025
14 checks passed
@camilamaia camilamaia deleted the dependabot-31 branch July 1, 2025 12:10
@camilamaia camilamaia mentioned this pull request Jul 1, 2025

Labels

Security Affects security of the project.


2 participants