
fix(deps): bump h11 to 0.16.0 to resolve GHSA-vqfr-h8mv-ghfj#81367

Open
Aaron ("AJ") Steers (aaronsteers) wants to merge 1 commit into master from devin/1782943734-security-h11

Conversation

@aaronsteers

Member

What

Resolves https://github.com/airbytehq/airbyte-internal-issues/issues/16677

Bumps h11 from 0.14.0 to 0.16.0 (via httpcore 1.0.7 → 1.0.9) across 12 connector poetry.lock files to fix GHSA-vqfr-h8mv-ghfj — a request-smuggling vulnerability in malformed Transfer-Encoding: chunked body handling.

How

  • Ran poetry update httpcore h11 in each affected connector workspace
  • httpcore 1.0.9 was released specifically to address this CVE by updating its h11 constraint from >=0.13,<0.15 to >=0.16
  • No code changes required — this is a lockfile-only regeneration

Release notes review

  • h11 0.15.0: Reject oversized Content-Length values early (bugfix only)
  • h11 0.16.0: Security fix rejecting malformed chunked bodies that could enable request smuggling
  • httpcore 1.0.9: Updated h11 dependency constraint to require the security fix
  • No breaking changes — h11 has been API-stable for years

Affected manifests updated (12)

  • airbyte-integrations/connectors/destination-astra/poetry.lock
  • airbyte-integrations/connectors/destination-vectara/poetry.lock
  • airbyte-integrations/connectors/source-adjust/poetry.lock
  • airbyte-integrations/connectors/source-alpha-vantage/unit_tests/poetry.lock
  • airbyte-integrations/connectors/source-amplitude/integration_tests/poetry.lock
  • airbyte-integrations/connectors/source-amplitude/unit_tests/poetry.lock
  • airbyte-integrations/connectors/source-braze/unit_tests/poetry.lock
  • airbyte-integrations/connectors/source-freshdesk/unit_tests/poetry.lock
  • airbyte-integrations/connectors/source-google-search-console/unit_tests/poetry.lock
  • airbyte-integrations/connectors/source-instatus/unit_tests/poetry.lock
  • airbyte-integrations/connectors/source-microsoft-lists/integration_tests/poetry.lock
  • airbyte-integrations/connectors/source-mixpanel/poetry.lock

Manifests no longer present in repo (15)

The remaining 15 manifests from the original alert list no longer exist on master (connectors were migrated or removed).

Review guide

All changes are in poetry.lock files only. The diff shows h11 0.14.0 → 0.16.0 and httpcore 1.0.7 → 1.0.9 hash/version updates.

User Impact

No user-facing impact. This resolves a transitive dependency vulnerability without changing connector behavior.

Can this PR be safely reverted and rolled back?

  • YES 💚

Devin session

Requested by: Aaron ("AJ") Steers (@aaronsteers)

…-h8mv-ghfj

Regenerate poetry.lock files across 12 connectors to update h11
from 0.14.0 to 0.16.0 (via httpcore 1.0.7 -> 1.0.9) to fix a
request-smuggling vulnerability in chunked Transfer-Encoding handling.

Co-Authored-By: AJ Steers <aj@airbyte.io>
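A check a reviewer of a lockfile-only bump like this one usually wants is independent confirmation that every affected `poetry.lock` now pins the fixed versions. The script below is an added example and not part of this PR or the Airbyte repository: it reads the `name`/`version` keys of each `[[package]]` table in a `poetry.lock`, compares them against the minimums the PR description names (h11 >= 0.16.0, httpcore >= 1.0.9), and reports any file still below them. The lockfile fragments embedded in it are constructed, with placeholder hashes; the glob pattern for connector lockfiles is an assumption based on the paths listed above.

```python
"""Verify that poetry.lock files pin the h11/httpcore versions that fix GHSA-vqfr-h8mv-ghfj.

Added example, not code from the PR. Standard library only; the lockfile
fragments below are constructed (hashes are placeholders).
"""
import re
import sys
from pathlib import Path

# Minimum safe versions, taken from the PR description.
MINIMUMS = {"h11": "0.16.0", "httpcore": "1.0.9"}

# A poetry.lock is TOML with one [[package]] table per dependency. Only the
# `name` and `version` keys of each table are needed here, so a small line
# scanner suffices and avoids a hard dependency on tomllib (Python 3.11+).
_TABLE = re.compile(r"^\[\[package\]\]\s*$")
_KV = re.compile(r'^(name|version)\s*=\s*"([^"]*)"\s*$')


def parse_lock_packages(text: str) -> dict[str, str]:
    """Return {package name (lowercased): pinned version} for every [[package]] table."""
    tables: list[dict[str, str]] = []
    for line in text.splitlines():
        if _TABLE.match(line):
            tables.append({})
        elif tables:
            m = _KV.match(line)
            if m:
                # First occurrence wins; sub-tables such as [package.dependencies]
                # never carry a bare `name`/`version` key, so they are ignored.
                tables[-1].setdefault(m.group(1), m.group(2))
    return {t["name"].lower(): t["version"] for t in tables if "name" in t and "version" in t}


def version_key(v: str) -> tuple[int, ...]:
    """Numeric sort key for plain X.Y.Z versions (pre-release tags are not interpreted)."""
    parts = []
    for p in v.split("."):
        digits = re.match(r"\d+", p)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def below(found: str, minimum: str) -> bool:
    """True when `found` is strictly older than `minimum`; shorter versions are zero-padded."""
    a, b = version_key(found), version_key(minimum)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def audit_lock_text(text: str, minimums: dict[str, str] = MINIMUMS) -> list[tuple[str, str, str]]:
    """Return (package, pinned, minimum) for each tracked package pinned below its minimum.

    A package that is absent from the lockfile is not a finding: it is simply not a dependency.
    """
    pinned = parse_lock_packages(text)
    return [
        (name, pinned[name], minimum)
        for name, minimum in minimums.items()
        if name in pinned and below(pinned[name], minimum)
    ]


def audit_paths(paths) -> dict[str, list[tuple[str, str, str]]]:
    """Audit each lockfile path and map it to its findings (empty list means clean)."""
    return {str(p): audit_lock_text(Path(p).read_text(encoding="utf-8")) for p in paths}


# Constructed fragments: the "before" state this PR replaces and the "after" state it produces.
BEFORE_LOCK = """\
[[package]]
name = "h11"
version = "0.14.0"
optional = false
python-versions = ">=3.7"
files = [
    {file = "h11-0.14.0-py3-none-any.whl", hash = "sha256:PLACEHOLDER"},
]

[[package]]
name = "httpcore"
version = "1.0.7"
optional = false
python-versions = ">=3.8"
files = [
    {file = "httpcore-1.0.7-py3-none-any.whl", hash = "sha256:PLACEHOLDER"},
]

[package.dependencies]
certifi = "*"
h11 = ">=0.13,<0.15"

[metadata]
lock-version = "2.0"
python-versions = "^3.10"
content-hash = "PLACEHOLDER"
"""
AFTER_LOCK = (
    BEFORE_LOCK.replace('version = "0.14.0"', 'version = "0.16.0"')
    .replace('version = "1.0.7"', 'version = "1.0.9"')
    .replace('h11 = ">=0.13,<0.15"', 'h11 = ">=0.16"')
)

if __name__ == "__main__":
    # Usage: python check_h11.py [poetry.lock ...]; with no arguments, scan the
    # connector tree (assumed layout, matching the paths listed in the PR).
    targets = sys.argv[1:] or sorted(Path(".").glob("airbyte-integrations/connectors/**/poetry.lock"))
    report = audit_paths(targets) if targets else {"<constructed before>": audit_lock_text(BEFORE_LOCK)}
    for path, findings in report.items():
        status = "OK" if not findings else ", ".join(f"{n} {v} < {m}" for n, v, m in findings)
        print(f"{path}: {status}")
    sys.exit(1 if any(report.values()) else 0)
```

Run it from the repository root to get one line per lockfile and a non-zero exit status if any file still pins h11 below 0.16.0 or httpcore below 1.0.9, which makes it usable as a CI gate; the PR description's note that the fix arrives via httpcore's relaxed `>=0.16` constraint is why both packages are tracked rather than h11 alone.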
@devin-ai-integration

Contributor

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment, CI, and merge conflict monitoring

@github-actions

github-actions Bot commented Jul 1, 2026

Contributor

👋 Greetings, Airbyte Team Member!

Here are some helpful tips and reminders for your convenience.


PR Slash Commands

Airbyte Maintainers (that's you!) can execute the following slash commands on your PR:

  • 🛠️ Quick Fixes
    • /format-fix - Fixes most formatting issues.
    • /bump-version - Bumps connector versions, scraping changelog description from the PR title.
      • Bump types: patch (default), minor, major, major_rc, rc, promote.
      • The rc type is a smart default: applies minor_rc if stable, or bumps the RC number if already RC.
      • The promote type strips the RC suffix to finalize a release.
      • Example: /bump-version type=rc or /bump-version type=minor
    • /bump-progressive-rollout-version - Alias for /bump-version type=rc. Bumps with an RC suffix and enables progressive rollout.
  • ❇️ AI Testing and Review (internal link: AI-SDLC Docs):
    • /ai-prove-fix - Runs prerelease readiness checks, including testing against customer connections.
    • /ai-canary-prerelease - Rolls out prerelease to 5-10 connections for canary testing.
    • /ai-review - AI-powered PR review for connector safety and quality gates.
  • 📝 AI Documentation:
    • /ai-docs-review - AI-powered documentation review for PRs with connector changes.
    • /ai-create-docs-pr - Creates a documentation PR for connector changes, stacked on the current PR.
  • 🚀 Connector Releases:
    • /publish-connectors-prerelease - Publishes pre-release connector builds (tagged as {version}-preview.{git-sha}) for all modified connectors in the PR.
  • ☕️ JVM connectors:
    • /update-connector-cdk-version connector=<CONNECTOR_NAME> - Updates the specified connector to the latest CDK version.
      Example: /update-connector-cdk-version connector=destination-bigquery
  • 🐍 Python connectors:
    • /poe connector source-example lock - Run the Poe lock task on the source-example connector, committing the results back to the branch.
    • /poe source example lock - Alias for /poe connector source-example lock.
    • /poe source example use-cdk-branch my/branch - Pin the source-example CDK reference to the branch name specified.
    • /poe source example use-cdk-latest - Update the source-example CDK dependency to the latest available version.
  • ⚙️ Admin commands:
    • /force-merge reason="<REASON>" - Force merges the PR using admin privileges, bypassing CI checks. Requires a reason.
      Example: /force-merge reason="CI is flaky, tests pass locally"

@github-actions

github-actions Bot commented Jul 1, 2026

Contributor

source-alpha-vantage Connector Test Results

7 tests in 2 suites (2 files), 0s ⏱️: 6 ✅ passed, 0 💤 skipped, 0 ❌ failed, 1 🔥 errored

For more details on these errors, see this check.

Results for commit 22be6f9.

♻️ This comment has been updated with latest results.

@github-actions

github-actions Bot commented Jul 1, 2026

Contributor

destination-vectara Connector Test Results

0 tests in 1 suite (1 file), 0s ⏱️: 0 ✅ passed, 0 💤 skipped, 0 ❌ failed

Results for commit 22be6f9.

♻️ This comment has been updated with latest results.

@github-actions

github-actions Bot commented Jul 1, 2026

Contributor

source-adjust Connector Test Results

3 tests in 1 suite (1 file), 1s ⏱️: 0 ✅ passed, 0 💤 skipped, 0 ❌ failed, 3 🔥 errored

For more details on these errors, see this check.

Results for commit 22be6f9.

♻️ This comment has been updated with latest results.

@github-actions

github-actions Bot commented Jul 1, 2026

Contributor

destination-astra Connector Test Results

15 tests in 1 suite (1 file), 1s ⏱️: 15 ✅ passed, 0 💤 skipped, 0 ❌ failed

Results for commit 22be6f9.

♻️ This comment has been updated with latest results.

@devin-ai-integration devin-ai-integration Bot marked this pull request as ready for review July 1, 2026 22:14
@github-actions

github-actions Bot commented Jul 1, 2026

Contributor

source-braze Connector Test Results

16 tests in 2 suites (2 files), 34s ⏱️: 4 ✅ passed, 4 💤 skipped, 8 ❌ failed

For more details on these failures, see this check.

Results for commit 22be6f9.

♻️ This comment has been updated with latest results.

@github-actions

github-actions Bot commented Jul 1, 2026

Contributor

source-instatus Connector Test Results

0 tests in 0 suites (0 files), 0s ⏱️: 0 ✅ passed, 0 💤 skipped, 0 ❌ failed

Results for commit 22be6f9.

♻️ This comment has been updated with latest results.

@devin-ai-integration devin-ai-integration Bot left a comment

Contributor

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no bugs or issues to report.

Open in Devin Review

@github-actions

github-actions Bot commented Jul 1, 2026

Contributor

source-freshdesk Connector Test Results

7 tests in 2 suites (2 files), 16s ⏱️: 4 ✅ passed, 3 💤 skipped, 0 ❌ failed

Results for commit 22be6f9.

♻️ This comment has been updated with latest results.

@github-actions

github-actions Bot commented Jul 1, 2026

Contributor

source-microsoft-lists Connector Test Results

3 tests in 1 suite (1 file), 7s ⏱️: 2 ✅ passed, 1 💤 skipped, 0 ❌ failed

Results for commit 22be6f9.

♻️ This comment has been updated with latest results.

@github-actions

github-actions Bot commented Jul 1, 2026

Contributor

source-mixpanel Connector Test Results

52 tests in 2 suites (2 files), 31s ⏱️: 48 ✅ passed, 4 💤 skipped, 0 ❌ failed

Results for commit 22be6f9.

♻️ This comment has been updated with latest results.

@github-actions

github-actions Bot commented Jul 1, 2026

Contributor

source-amplitude Connector Test Results

13 tests in 2 suites (2 files), 7s ⏱️: 10 ✅ passed, 3 💤 skipped, 0 ❌ failed

Results for commit 22be6f9.

♻️ This comment has been updated with latest results.

@github-actions

github-actions Bot commented Jul 1, 2026

Contributor

source-google-search-console Connector Test Results

116 tests in 2 suites (2 files), 2m 43s ⏱️: 112 ✅ passed, 4 💤 skipped, 0 ❌ failed

Results for commit 22be6f9.

♻️ This comment has been updated with latest results.
