deps(deps): bump gunicorn from 23.0.0 to 25.3.0

[dependabot]

Bumps gunicorn from 23.0.0 to 25.3.0.

Release notes

Sourced from gunicorn's releases.

Gunicorn 25.3.0

Bug Fixes

• HTTP/2 ASGI Body Duplication: Fix request body being received twice in HTTP/2 ASGI requests, causing JSON parsing errors with "Extra data" messages (#3558)

• ASGI Chunked EOF Handling: Add finish() method to callback parser to handle chunked encoding edge case where connection closes before final CRLF after zero-chunk

• HTTP/2 Documentation: Fix http_protocols examples to use comma-separated string instead of list syntax (#3561)

• Chunked Encoding: Reject chunk extensions containing bare CR bytes per RFC 9112 (#3556)

• Request Line Limit: Fix --limit-request-line 0 to mean unlimited as documented, instead of using default maximum. Works with both Python and fast C parser. (#3563)

Security

• ASGI Parser Header Validation: Add security checks per RFC 9110/9112:
  • Reject duplicate Content-Length headers
  • Reject requests with both Content-Length and Transfer-Encoding
  • Reject chunked transfer encoding in HTTP/1.0
  • Reject stacked chunked encoding
  • Validate Transfer-Encoding values
  • Strict chunk size validation

Changes

• Fast HTTP Parser: Update to gunicorn_h1c >= 0.6.3 for asgi_headers property and InvalidChunkExtension validation for bare CR rejection

• ASGI PROXY Protocol: Add PROXY protocol v1/v2 support to callback parser

• Docker Images: Update to Python 3.14

Gunicorn 25.2.0

New Features

• Fast HTTP Parser (gunicorn_h1c 0.4.1): Integrate new exception types and limit parameters from gunicorn_h1c 0.4.1 for both WSGI and ASGI workers
  • Requires gunicorn_h1c >= 0.4.1 for http_parser='fast'
  • Falls back to Python parser in auto mode if version not met
  • Proper HTTP status codes for limit errors (414, 431)

Bug Fixes

• uWSGI Async Workers: Fix InvalidUWSGIHeader: incomplete header error when using gevent or gthread workers with uwsgi protocol behind nginx. (#3552, [PR #3554](benoitc/gunicorn#3554))

... (truncated)

Commits

• 9bce72c Update changelog with missing 25.3.0 changes
• 2a15fdb Fix pylint isinstance-second-argument-not-valid-type warning
• 8d08aaa Fix --limit-request-line 0 to mean unlimited
• d40a374 Fix pytest-asyncio configuration and treq_asgi hex escapes
• da8bd48 Remove unused AsyncRequest class
• b00f125 Integrate gunicorn_h1c 0.6.3 with InvalidChunkExtension support
• bdb2ebd Reject chunk extensions with bare CR bytes (RFC 9112)
• 7057fc9 Fix http_protocols documentation to use string syntax
• d43acb8 Update to gunicorn_h1c >= 0.6.2 for asgi_headers support
• cbd27e8 Merge pull request #3559 from benleembruggen/fix/http2-asgi-body-duplication
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Labels

The following labels could not be found: dependencies, python. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[harper-new-line]

HarperBot

The provided diff updates the gunicorn dependency from 23.0.0 to 25.3.0 across pyproject.toml, requirements.in, and several requirements-py*.txt files.

Here's an analysis focusing on code quality, best practices, performance, and correctness:

General Analysis of the gunicorn Update:

1. Code Quality & Maintainability: Updating dependencies regularly is a good practice. It helps reduce technical debt, ensures compatibility with newer Python versions and other libraries, and often includes bug fixes and performance improvements.
2. Best Practices:
   • Dependency Freshness: Keeping dependencies up-to-date is crucial for security (patching known vulnerabilities), stability (bug fixes), and leveraging new features or performance enhancements.
   • Release Notes Review: A major version jump (from 23.x to 25.x) for gunicorn implies potential breaking changes. It is a critical best practice to review the release notes for gunicorn versions 24.x and 25.x (e.g., on their GitHub releases page) to understand any changes that might impact the application's behavior or configuration.
   • Testing: After such a significant dependency update, thorough testing (unit, integration, end-to-end) is essential to ensure the application functions correctly and no regressions have been introduced.
   • Dependency Pinning Strategy:
     • For direct dependencies specified in pyproject.toml and requirements.in, using a compatible version range (e.g., ~=25.3 or >=25.3.0,<26.0.0) is generally a better practice than exact pinning (==25.3.0). This allows for automatic updates of patch and minor versions, which typically contain bug fixes and security patches, without requiring manual intervention, while still preventing major, potentially breaking, updates.
     • For locked dependency files (like requirements-py*.txt), exact pinning (==25.3.0) is the correct and best practice. These files are meant to ensure exact reproducibility across environments.
3. Performance: Newer gunicorn versions often include performance optimizations. This update is likely to bring minor performance benefits to the web server process itself.
4. Correctness: The primary correctness concern is ensuring the application functions as expected with gunicorn==25.3.0. This can only be verified through comprehensive testing.

Specific Code Suggestions for Improvements:

While the update to gunicorn==25.3.0 is generally positive, the pinning strategy for direct dependencies can be improved. It's a common best practice to use compatible version ranges for direct dependencies in pyproject.toml and requirements.in to allow for non-breaking updates, while keeping requirements.txt files strictly pinned for reproducibility.

1. pyproject.toml:
   Change the exact pin ==25.3.0 to a compatible release specifier ~=25.3. This allows pip or other package managers to install gunicorn versions 25.3.x, 25.4.x, etc., but not 26.0.0 or higher, ensuring bug fixes and minor improvements are picked up automatically without risking major breaking changes.

   pyproject.toml
   @@ -5,7 +5,7 @@ dependencies = [
        "flask==3.1.2",
        "python-dotenv==1.1.1",
        "requests==2.32.5",
   -    "gunicorn==23.0.0",
   +    "gunicorn~=25.3", # Allows
   
   

[harper-new-line]

HarperBot Analysis for d545810