Tags: br3ndonland/inboard
## 0.68.0

### Changes

**Update to Uvicorn 0.28.1** (6166a66)

This release will update/upgrade to Uvicorn 0.28.1. [Changes](encode/uvicorn@0.25.0...0.28.1) to Uvicorn between 0.25.0 and 0.28.1 include updates to `root_path`/`--root-path` to comply with the ASGI spec, and fixes to `Keep-Alive` behavior to avoid timeouts and `h11.LocalProtocolError` exceptions that occur when processing pipelined requests.

**Update to Gunicorn 22.0.0** (#108, bf4661e)

This release will update/upgrade to [Gunicorn 22.0.0](https://docs.gunicorn.org/en/stable/news.html). Gunicorn 22.0.0 resolves a high-severity security vulnerability ([CVE-2024-1135](https://nvd.nist.gov/vuln/detail/CVE-2024-1135), [GHSA-w3h3-4rj7-4ph4](GHSA-w3h3-4rj7-4ph4)):

> Gunicorn fails to properly validate Transfer-Encoding headers, leading
> to HTTP Request Smuggling (HRS) vulnerabilities. By crafting requests
> with conflicting Transfer-Encoding headers, attackers can bypass
> security restrictions and access restricted endpoints. This issue is
> due to Gunicorn's handling of Transfer-Encoding headers, where it
> incorrectly processes requests with multiple, conflicting
> Transfer-Encoding headers, treating them as chunked regardless of the
> final encoding specified. This vulnerability has been shown to allow
> access to endpoints restricted by gunicorn. This issue has been
> addressed in version 22.0.0.
>
> To be affected users must have a network path which does not filter
> out invalid requests. These users are advised to block access to
> restricted endpoints via a firewall or other mechanism if they are
> unable to update.

### Commits

- Bump version from 0.67.1 to 0.68.0 (3fc1f79)
- Quote `&` in GitHub Actions workflow YAML (0043237)
- Update to Uvicorn 0.28.1 (6166a66)
- Bump gunicorn from 21.2.0 to 22.0.0 (#108) (bf4661e)
- Update changelog for version 0.67.1 (#107) (9579bba)

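The advisory quoted in the 0.68.0 notes says exposure depends on a network path that does not filter out invalid requests. As an added example (not inboard or Gunicorn code), this check applies a strict reading of the RFC 9112 framing rules to an already-parsed header list; the function names and the sample header sets are constructed for illustration.

```python
"""Added example: strict request-framing check for Transfer-Encoding headers."""
from typing import Dict, Iterable, List, Tuple

Header = Tuple[str, str]


def transfer_codings(headers: Iterable[Header]) -> List[str]:
    """Merge every Transfer-Encoding field line into one ordered list of codings."""
    codings: List[str] = []
    for name, value in headers:
        if name.strip().lower() == "transfer-encoding":
            codings += [c.strip().lower() for c in value.split(",") if c.strip()]
    return codings


def framing_problem(headers: Iterable[Header]) -> str:
    """Return "" when framing is unambiguous, else the reason to answer 400."""
    headers = list(headers)
    codings = transfer_codings(headers)
    lengths = {v.strip() for n, v in headers if n.strip().lower() == "content-length"}
    if len(lengths) > 1:
        return "conflicting Content-Length values"
    if any(not (v.isascii() and v.isdigit()) for v in lengths):
        return "Content-Length is not a decimal number"
    if not codings:
        return ""
    if lengths:  # strict policy: refuse rather than guess which header wins
        return "both Transfer-Encoding and Content-Length present"
    if codings[-1] != "chunked":  # the final coding decides the framing
        return "final transfer coding is not chunked"
    if codings.count("chunked") > 1:
        return "chunked applied more than once"
    return ""


# Constructed header sets, not captured traffic.
SAMPLES: Dict[str, List[Header]] = {
    "plain chunked": [("Host", "app.example"), ("Transfer-Encoding", "chunked")],
    "fixed length": [("Host", "app.example"), ("Content-Length", "12")],
    "two field lines": [("Transfer-Encoding", "chunked"), ("Transfer-Encoding", "gzip")],
    "length and coding": [("Content-Length", "12"), ("Transfer-Encoding", "chunked")],
}


def audit(samples: Dict[str, List[Header]] = SAMPLES) -> Dict[str, str]:
    """Map each sample name to its verdict ("" means accept)."""
    return {name: framing_problem(h) for name, h in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:18} -> {verdict or 'accept'}")
```
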
## 0.67.1

### Changes

**Fix Docker tags for specific Debian version** (e84fc8b)

PR #105 and commit 6a99cd0 introduced support for specifying the Debian version when building Docker images, ensuring that the version does not change unexpectedly.

This change altered Docker tag syntax by adding the Debian version release name (currently "bookworm") to all Debian Docker images. For example, `ghcr.io/br3ndonland/inboard:latest` became `ghcr.io/br3ndonland/inboard:latest-bookworm`.

inboard is not planning to support multiple Debian versions simultaneously. inboard will update to the next Debian version, Debian 13 ("trixie") when it is stable and will provide a new release after the update. This means there is no need to add the Debian version release name to the Docker tags.

This commit will update the code in the GitHub Actions workflow job and Dockerfile to match the previous tag syntax. The latest Debian image will return to `ghcr.io/br3ndonland/inboard:latest` and the latest Debian slim image to `ghcr.io/br3ndonland/inboard:latest-slim`. Syntax for Alpine Docker images remains unaltered, so tags like `ghcr.io/br3ndonland/inboard:latest-alpine` are still valid.

### Commits

- Bump version from 0.67.0 to 0.67.1 (2bfe218)
- Fix Docker tags for specific Debian version (#105) (e84fc8b)
- Update changelog for version 0.67.0 (#106) (1d20b7d)

## 0.67.0

### Changes

**Specify Debian version** (#105, 6a99cd0)

On 2023-06-14, Docker updated the default Debian Linux version in its Python official images from Debian bullseye to Debian bookworm ([docker-library/official-images#14854](docker-library/official-images#14854)). As inboard uses the default Debian Linux version from the Docker Python official images, this meant that the next release of inboard (0.50.0 - 2023-06-22) automatically updated to bookworm. There were some [issues](https://github.com/docker-library/python/issues?q=bookworm) noted by the community after this update. This was noted in inboard [0.51.0 - 2023-07-09](https://inboard.bws.bio/changelog#0510-2023-07-09). Thanks to @bodograumann for pointing this out in the related discussion ([#80](#80)).

inboard will now specify the Debian version when building Docker images, ensuring that the version does not change unexpectedly. The current Debian version is still Debian 12 ("bookworm"). The next Debian version, Debian 13 ("trixie") does not have a release date yet, but inboard will update to trixie when it is stable and will provide a new release after the update.

**Add support for Python 3.12** (#104, ba83a67)

This release will add [Python 3.12](https://docs.python.org/3/whatsnew/3.12.html) support to inboard.

- inboard will now run tests with Python 3.12, in addition to 3.8-3.11
- inboard will now build and publish its PyPI package using Python 3.12
- inboard will now include a Python 3.12 classifier in its PyPI package
- inboard will now ship Docker images running Python 3.12, in addition to 3.8-3.11, and Docker images tagged with `latest` will now use 3.12

Related projects that have released support for Python 3.12 include:

- AnyIO ([4.0.0 - 2023-08-30](https://github.com/agronholm/anyio/releases/tag/4.0.0))
- FastAPI ([0.109.0 - 2024-01-11](https://github.com/tiangolo/fastapi/releases/tag/0.109.0))
- Hatch ([1.8.0 - 2023-12-11](https://github.com/pypa/hatch/releases/tag/hatch-v1.8.0))
- `pipx` ([1.3.0 - 2023-12-02](https://github.com/pypa/pipx/releases/tag/1.3.0))
- Starlette ([0.31.0 - 2023-07-24](https://github.com/encode/starlette/releases/tag/0.31.0))
- Uvicorn ([0.24.0 - 2023-11-04](https://github.com/encode/uvicorn/releases/tag/0.24.0))

Related projects that have not released support for Python 3.12 include:

- [Gunicorn](https://github.com/benoitc/gunicorn) (has not released Python 3.12 support, but is testing with Python 3.12 in development)
- [Pydantic](https://github.com/pydantic/pydantic) (extent of Python 3.12 support unclear, see [pydantic/pydantic#6704](pydantic/pydantic#6704))

### Commits

- Bump version from 0.66.1 to 0.67.0 (325ed9b)
- Update to pytest 8 (c462c90)
- Specify Debian version (#105) (6a99cd0)
- Add support for Python 3.12 (#104) (ba83a67)
- Fix GitHub Actions badge in README (145313e)
- Update changelog for version 0.66.1 (#103) (552ebaa)

## 0.66.1

### Changes

**Publish to PyPI with OIDC trusted publisher** (59ec546)

This release will update Python package publishing to the newest format recommended by PyPI. This project previously published packages with the `hatch publish` command and a project-scoped PyPI API token (token only valid for this project) stored in GitHub Secrets. The project will now publish packages using a [PyPI OIDC](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-pypi) (OpenID Connect) [trusted publisher](https://docs.pypi.org/trusted-publishers/) with the [pypa/gh-action-pypi-publish](https://github.com/pypa/gh-action-pypi-publish) action. This is the method that Hatch itself uses (pypa/hatch#891) (Hatch does not "dogfood" its own `hatch publish` feature).

The advantage to OIDC is that authentication is performed with temporary API tokens (only valid for 15 minutes) instead of persistent tokens that must be manually generated on PyPI and pasted into GitHub Secrets. The disadvantage is that authentication is more complicated.

To use PyPI OIDC, a [trusted publisher](https://docs.pypi.org/trusted-publishers/) was set up for the PyPI project. Next, a dedicated [GitHub Actions deployment environment](https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment) was created for PyPI with protection rules that only allow use of the environment with Git tags. The environment protection rules combine with tag protection rules in the existing [GitHub rulesets](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets) to ensure PyPI packages can only be published if a maintainer triggers a workflow run with a Git tag ref.

The GitHub Actions workflow will be updated to use the deployment environment. Deployment environments must be selected at the job level before the job begins, so a setup job will be added that selects the appropriate deployment environment and passes it to the PyPI job.

Each use of a deployment environment creates a deployment that can be either active or inactive. GitHub Actions auto-inactivates deployments, and although this behavior is not configurable or documented, there are some possible workarounds/hacks suggested by a community discussion [comment](https://github.com/orgs/community/discussions/67982#discussioncomment-7086962). The workaround used here will be to provide each deployment with its own unique URL.

To publish the Python package to PyPI, `hatch build` will output package build files to the `dist/` directory, then pypa/gh-action-pypi-publish will authenticate and upload the files. pypa/gh-action-pypi-publish provides exact version tags like pypa/[email protected] and branches for major and minor version numbers like pypa/gh-action-pypi-publish@release/v1.8.

**Update to FastAPI 0.110.1 and Starlette 0.37.2** (73eaadd)

This release will update/upgrade to [FastAPI 0.110.1](https://fastapi.tiangolo.com/release-notes/) and [Starlette 0.37.2](https://www.starlette.io/release-notes/).

FastAPI 0.110 makes a change to dependencies with `yield` and `except`. Dependencies must now raise exceptions after `except`. This change is intended to address memory leak issues and may be a breaking change in some projects if dependencies with `yield` and `except` used `pass` instead of `raise`. See the [FastAPI docs](https://fastapi.tiangolo.com/tutorial/dependencies/dependencies-with-yield/) for further info.

FastAPI 0.110.1 makes a small type annotation change to the `Depends` dependency class.

Starlette 0.37 modifies the exception handling behavior of the `Config` class used for application settings. The `Config` class accepts an `env_file` arg that can be used to load environment variables from a "dotenv" (`.env`) file. Previously, if the file was not found, the `Config` class would silently pass without any exception. In 0.36, the `Config` class was updated to raise a `FileNotFoundError` exception if `env_file` was not found. This was a breaking change but was not documented as such (encode/starlette#2422, encode/starlette#2446). In 0.37, the exception handling behavior has been changed again to raise a warning instead of an exception (encode/starlette#2485), which could also be a breaking change if users had rewritten their code to catch the `FileNotFoundError`. See the [fastenv docs](https://fastenv.bws.bio/comparisons#starlette) for a detailed description of the Starlette `Config` class.

Note that FastAPI updated the Starlette minor version from 0.36 to 0.37 in the 0.110.1 patch release.

### Commits

- Bump version from 0.66.0 to 0.66.1 (474c722)
- Publish to PyPI with OIDC trusted publisher (59ec546)
- Update to `peter-evans/create-pull-request@v6` (5b499a3)
- Update to Ruff 0.3 (e42213c)
- Update to `mypy==1.9.0` (1cd64a7)
- Update to `hatch==1.9.4` (38a4e58)
- Update to `pipx==1.5.0` (8dfb90b)
- Update to FastAPI 0.110.1 and Starlette 0.37.2 (73eaadd)
- Disable CodeQL `setup-python-dependencies` (507c68c)
- Update to Node.js 20 actions (6972c7b)
- Update changelog for version 0.66.0 (#102) (7f4ff4e)

## 0.66.0

### Changes

**Update to FastAPI 0.110 and Starlette 0.36** (dfa4822)

This release will update/upgrade to [FastAPI 0.110](https://fastapi.tiangolo.com/release-notes/) and [Starlette 0.36](https://www.starlette.io/release-notes/). This is a minor release to align with FastAPI and Starlette versioning.

FastAPI 0.110 makes a change to dependencies with `yield` and `except`. Dependencies must now raise exceptions after `except`, like this:

```py
def my_dep():
    try:
        yield
    except SomeException:
        raise
```

This change addresses memory leak issues and may be a breaking change in some projects if dependencies with `yield` and `except` used `pass` instead of `raise`. See the [FastAPI docs](https://fastapi.tiangolo.com/tutorial/dependencies/dependencies-with-yield/) for further info.

Changes to Starlette between 0.35 and 0.36 include exception handling updates and AnyIO compatibility updates.

Note that FastAPI updated the Starlette minor version from 0.35 to 0.36 in the 0.109.2 patch release.

### Commits

- Bump version from 0.65.0 to 0.66.0 (ae160a0)
- Update to FastAPI 0.110 and Starlette 0.36 (dfa4822)
- Update to `peter-evans/create-pull-request@v5` (2f9b88f)
- Update to `actions/checkout@v4` (8d888d0)
- Update changelog for version 0.65.0 (#100) (8725661)

## 0.65.0

### Changes

**Update to FastAPI 0.109 and Starlette 0.35** (b68b991)

This release will update/upgrade to [FastAPI 0.109](https://fastapi.tiangolo.com/release-notes/) and [Starlette 0.35](https://www.starlette.io/release-notes/). This is a minor release to align with FastAPI and Starlette versioning.

FastAPI 0.109 adds Python 3.12 support.

Changes to Starlette between 0.32 and 0.35 include support for middleware in `Router`, `Route`, and `WebSocketRoute`, and updates to `Middleware` args.

**Use Ruff for linting and formatting** (#99, 35e37a7)

[Ruff](https://docs.astral.sh/ruff/) is a Python linter and formatter that has gained popularity due to its high performance and numerous capabilities. Now that Ruff has released its [first minor version series](https://astral.sh/blog/ruff-v0.1.0) (0.1) and has a [versioning policy](https://docs.astral.sh/ruff/versioning/), it's a good time to consider adopting it.

As of this release, the project's Python linting and formatting checks will be migrated from the previous tools (Black, Flake8, isort) to Ruff. See #99 for further details.

### Commits

- Bump version from 0.64.0 to 0.65.0 (ca0a10b)
- Update to FastAPI 0.109 and Starlette 0.35 (b68b991)
- Use Ruff for linting and formatting (#99) (35e37a7)
- Add "pypa" to CSpell words (696c43d)
- Add references on syncing dependencies with Hatch (1e9512a)
- Update Docker links in docs (e3ad60b)
- Avoid `metadata-generation-failed` in Dockerfiles (a231b11)
- Add wheel build target to avoid Hatch `ValueError` (c1328ee)
- Update to `pipx==1.4.1` (f902387)
- Update changelog for version 0.64.0 (#97) (78adc33)

## 0.64.0

### Changes

**Update to Gunicorn 21.2.0** (7993e61)

This release will update/upgrade to Gunicorn 21.2.0. See the Gunicorn [docs](https://docs.gunicorn.org/en/stable/2023-news.html) and [GitHub repo](benoitc/gunicorn@20.1.0...21.2.0) for more details on the changes since 20.1.0.

### Commits

- Bump version from 0.63.0 to 0.64.0 (384907b)
- Update to Gunicorn 21.2.0 (7993e61)
- Update changelog for version 0.63.0 (#96) (3bd8be1)

## 0.63.0

### Changes

**Update to Uvicorn 0.25.0** (4cc018b)

This release will update/upgrade to [Uvicorn 0.25.0](https://github.com/encode/uvicorn/releases). This is a minor release to align with Uvicorn versioning.

Uvicorn 0.25.0 adds support for the WebSocket Denial Response ASGI extension. This is used in certain cases in which a WebSocket app needs to reject a connection and return a custom response.

Uvicorn 0.25.0 also includes some corrections to the type annotations on `uvicorn.run()`. `inboard.types.UvicornOptions` already included correct type annotations that match these corrections, so no changes are needed.

### Commits

- Bump version from 0.62.0 to 0.63.0 (634d094)
- Update to Uvicorn 0.25.0 (4cc018b)
- Update changelog for version 0.62.0 (#95) (a1cfb84)

## 0.62.0

### Changes

**Update to Uvicorn 0.24.0** (65883a9, 0d5ec23)

This release will update/upgrade to [Uvicorn 0.24.0](https://github.com/encode/uvicorn/releases). This is a minor release to align with Uvicorn versioning.

Uvicorn 0.24.0 adds support for Python 3.12 and for setting the app instance with the environment variable `UVICORN_APP`. inboard already has an environment variable for this purpose, `APP_MODULE`. Either `APP_MODULE` or `UVICORN_APP` can be used to set the app module for inboard, with precedence given to `APP_MODULE` for backward compatibility.

### Commits

- Bump version from 0.61.0 to 0.62.0 (2270900)
- Support `UVICORN_APP` (0d5ec23)
- Update to Uvicorn 0.24.0 (65883a9)
- Update changelog for version 0.61.0 (#94) (665eaca)

## 0.61.0

### Changes

**Update to FastAPI 0.108 and Starlette 0.32** (738d54a)

This release will update/upgrade to [FastAPI 0.108](https://fastapi.tiangolo.com/release-notes/) and [Starlette 0.32](https://www.starlette.io/release-notes/). This is a minor release to align with FastAPI versioning.

Changes to Starlette between 0.29 and 0.32 include dropping support for Python 3.7, and adding support for Python 3.12 and AnyIO 4.

### Commits

- Bump version from 0.60.0 to 0.61.0 (ccc7bf2)
- Update to FastAPI 0.108 and Starlette 0.32 (738d54a)
- Update changelog for version 0.60.0 (#93) (b0d4a4a)