Skip to content

fix(deps): update all major updates (major)#386

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/major-all-major-updates
Open

fix(deps): update all major updates (major)#386
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/major-all-major-updates

Conversation

@renovate

@renovate renovate Bot commented Apr 17, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Type Update Change Age Confidence
codecov/codecov-action action major v6v7 age confidence
commander dependencies major ^14.0.2^15.0.0 age confidence
dotenv-expand dependencies major ^12.0.3^13.0.0 age confidence
gunicorn (changelog) project.dependencies major ==25.3.0==26.0.0 age confidence
structlog (changelog) project.dependencies major ==25.5.0==26.1.0 age confidence

Release Notes

codecov/codecov-action (codecov/codecov-action)

v7.0.0

Compare Source

v7

Compare Source

tj/commander.js (commander)

v15.0.0

Compare Source

Commander 15 is ESM only. This is expected to be seamless for ESM consumers, but some CommonJS consumers may hit issues with tooling requiring configuration for ESM-only dependencies. See Migration Tips below.

The release of Commander 15 moves Commander 14 into maintenance. Commander 14 will get security updates for
12 months (to May 2027). For more info see Release Policy.

Added
  • show excess command-arguments in error message ([#​2384])
Fixed
  • Breaking: only lone --no-* option sets default option value to true, default not implicitly set when define both positive and negative option in either order ([#​2405])
  • update example to use compatible character for MINGW64 ([#​2475])
Changed
  • Breaking: migrated Commander implementation from CommonJS to ESM ([#​2464])
  • Breaking: Commander 15 requires Node.js v22.12.0 or higher (for require(esm)).
  • dev: switch tests from Jest to node:test test runner ([#​2463])
Deleted
  • Breaking: removed deprecated export of commander/esm.mjs ([#​2464])
Migration Tips

Commander 15 is ESM only, but this does not mean you need to migrate to ESM to use it. Importing ESM from CommonJS is
supported by Node.js, and Bun, and Deno. Hopefully it Just Works for you! However, you may be using a different runtime or
some other part of your setup that may not yet natively support importing ESM from CommonJS, such as your testing framework
or bundler.

If you have problems using Commander 15 in your environment, one option is stay on Commander 14 for now. Commander 14 will
get security updates until May 2027 and things will hopefully improve for your setup in the meantime.

motdotla/dotenv-expand (dotenv-expand)

v13.0.0

Compare Source

Changed
  • bump dotenv to v17
benoitc/gunicorn (gunicorn)

v26.0.0

Compare Source

Breaking Changes

  • Eventlet worker removed: The eventlet worker class has been dropped. Migrate to gevent, gthread, or tornado.

New Features

  • ASGI Framework Compatibility Suite: New end-to-end compatibility test harness covering Starlette, FastAPI, Litestar, Quart, Sanic, and BlackSheep. Current grid passes 438/444 tests (98%).
  • ASGI Test Suite Expansion: 134 additional ASGI unit tests covering protocol semantics, lifespan, websockets, and chunked framing.

Security

  • HTTP/1.1 Request-Target Validation (RFC 9112 sections 3.2.3, 3.2.4):
    • Reject authority-form request-target outside CONNECT
    • Reject asterisk-form request-target outside OPTIONS
    • Reject relative-reference request-targets
  • Header Field Hardening (RFC 9110):
    • Reject control characters in header field-value (section 5.5)
    • Reject forbidden trailer field-names (section 6.5.1)
    • Reject Content-Length list form (RFC 9112 section 6.3)
  • Request Smuggling Hardening:
    • Tighten keepalive gate and scope finish_body byte cap
    • Keep _body_receiver alive across the keepalive smuggling gate so pipelined requests cannot re-enter a closed body
    • Address parser/protocol findings from a six-point WSGI/ASGI audit
  • PROXY Protocol (ASGI): Enforce proxy_allow_ips and tighten v1/v2 parsing in the ASGI callback parser.
  • Connection Draining: Drain the connection on close per RFC 9112 section 9.6 to prevent reset-on-close truncation.

Bug Fixes

  • Body Framing on HEAD/204/304:
    • Keep Content-Length on HEAD and 304 responses (#​3621)
    • Drop body framing on HEAD/204/304 even when the framework set it
    • Warn once when an ASGI app emits a body for a no-body response
  • HTTP/2 ASGI:
    • Fix _handle_stream_ended to set _body_complete in the async HTTP/2 handler so request bodies finalize correctly on stream end
    • Add InvalidChunkExtension mapping and fast-parser support in ASGI tests (#​3565)
  • HTTP/1.1 100-Continue: Stop adding Transfer-Encoding: chunked to 100-Continue interim responses.
  • WebSocket Close Handshake (RFC 6455):
    • Comply with the close handshake state machine
    • Close the transport after the close handshake completes
    • Fix binary send when the text key is None
  • Early Hints: Validate headers in the early_hints callback to match process_headers; pass only the header name to InvalidHeader (#​3588).
  • ASGI Framework Fixes:
    • Fix ASGI disconnect handling for Django-style apps
    • Fix Litestar request handling (use raw ASGI receive for body/headers)
    • Fix Litestar HTTP endpoints for compatibility tests
    • Fix Quart headers endpoint to normalize keys to lowercase
    • Fix Quart WebSocket close test app (missing accept())
    • Fix duplicate Transfer-Encoding header for BlackSheep streaming

Refactoring

  • Split BodyReceiver._closed into separate transport and body-wait flags for clearer keepalive/EOF semantics.

Changes

  • Fast HTTP Parser: Require gunicorn_h1c >= 0.6.5. Drop the last python_only test markers; the C extension is now used wherever available (CPython only; PyPy continues to use the Python parser).
  • Test Dependencies: Add h2 and uvloop to the testing extra; remove eventlet.
  • Docker Build: Bump GitHub Actions docker/setup-qemu-action, docker/setup-buildx-action, docker/login-action, docker/build-push-action, and docker/metadata-action to current major versions.

Full changelog: benoitc/gunicorn@25.3.0...26.0.0

hynek/structlog (structlog)

v26.1.0

Compare Source

Removed
  • Python 3.8 and 3.9 support.
Deprecated
Added

  • Python 3.15 support.
    #​813

  • structlog.dev.rich_monochrome_traceback for Rich-based monochrome exception rendering and add support for it throughout structlog.dev.ConsoleRenderer when the user asks for no colors.
    #​794

  • structlog.BytesLogger now has a name attribute which allows you to use it with the structlog.stdlib.add_logger_name() processor without using the standard library integration.
    #​786

  • structlog.processors.CallsiteParameterAdder now supports CallsiteParameter.QUAL_MODULE that adds the qualified import name of the module of the callsite, or __main__ if the module is the entry point.
    This is only available for structlog-originated events since the standard library has no equivalent (except for the convention of setting the logger's name to __name__).
    #​812

  • structlog.stdlib.BoundLogger now has is_enabled_for() and get_effective_level() methods that are snake_case aliases for its isEnabledFor() and getEffectiveLevel() methods.
    This makes it more compatible with the native structlog.typing.FilteringBoundLogger, so you can swap configurations without changing your call sites.
    #​818

Changed
  • structlog.dev.ConsoleRenderer does not warn anymore when the exception key has a rendered value despite having a fancy formatter configured.
    #​790
Fixed

  • structlog.BytesLogger, structlog.PrintLogger, and structlog.WriteLogger now hold weak references to the files they use for output.
    This prevents their leakage in long-running processes that open many logfiles, such as task executors that create a per-task BytesLogger or WriteLogger.
    #​807

  • structlog.WriteLogger is usable after unpickling.
    #​787

  • structlog.processors.CallsiteParameterAdder now reports the calling thread's id and name for async log methods, instead of the thread from the executor pool that runs the underlying sync logger.
    #​710
    #​805

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot changed the title fix(deps): update dependency dotenv-expand to v13 fix(deps): update all major updates (major) May 5, 2026
@renovate renovate Bot force-pushed the renovate/major-all-major-updates branch from 6d9d945 to cb67ffd Compare May 5, 2026 10:51
@renovate renovate Bot force-pushed the renovate/major-all-major-updates branch from cb67ffd to d01e404 Compare May 29, 2026 09:48
@renovate renovate Bot force-pushed the renovate/major-all-major-updates branch from d01e404 to 951e142 Compare June 6, 2026 09:36
@renovate renovate Bot force-pushed the renovate/major-all-major-updates branch from 951e142 to aa0ecd2 Compare June 7, 2026 06:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants