fix(deps): bump h11 to 0.16.0 to resolve GHSA-vqfr-h8mv-ghfj #81367
Aaron ("AJ") Steers (aaronsteers) wants to merge 1 commit into
…-h8mv-ghfj

Regenerate poetry.lock files across 12 connectors to update h11 from 0.14.0 to 0.16.0 (via httpcore 1.0.7 -> 1.0.9) to fix a request-smuggling vulnerability in chunked Transfer-Encoding handling.

Co-Authored-By: AJ Steers <aj@airbyte.io>
What
Resolves https://github.com/airbytehq/airbyte-internal-issues/issues/16677
Bumps h11 from 0.14.0 to 0.16.0 (via httpcore 1.0.7 → 1.0.9) across 12 connector poetry.lock files to fix GHSA-vqfr-h8mv-ghfj — a request-smuggling vulnerability in malformed Transfer-Encoding: chunked body handling.

How
poetry update httpcore h11 in each affected connector workspace
httpcore 1.0.9 was released specifically to address this CVE by updating its h11 constraint from >=0.13,<0.15 to >=0.16

Release notes review

Affected manifests updated (12)
airbyte-integrations/connectors/destination-astra/poetry.lock
airbyte-integrations/connectors/destination-vectara/poetry.lock
airbyte-integrations/connectors/source-adjust/poetry.lock
airbyte-integrations/connectors/source-alpha-vantage/unit_tests/poetry.lock
airbyte-integrations/connectors/source-amplitude/integration_tests/poetry.lock
airbyte-integrations/connectors/source-amplitude/unit_tests/poetry.lock
airbyte-integrations/connectors/source-braze/unit_tests/poetry.lock
airbyte-integrations/connectors/source-freshdesk/unit_tests/poetry.lock
airbyte-integrations/connectors/source-google-search-console/unit_tests/poetry.lock
airbyte-integrations/connectors/source-instatus/unit_tests/poetry.lock
airbyte-integrations/connectors/source-microsoft-lists/integration_tests/poetry.lock
airbyte-integrations/connectors/source-mixpanel/poetry.lock

Manifests no longer present in repo (15)
The remaining 15 manifests from the original alert list no longer exist on master (connectors were migrated or removed).

Review guide
All changes are in poetry.lock files only. The diff shows h11 0.14.0 → 0.16.0 and httpcore 1.0.7 → 1.0.9 hash/version updates.

User Impact
No user-facing impact. This resolves a transitive dependency vulnerability without changing connector behavior.
Can this PR be safely reverted and rolled back?
Devin session
Requested by: Aaron ("AJ") Steers (@aaronsteers)