Bump gunicorn from 25.2.0 to 25.3.0 (aio-libs#12289)

dependabot[bot] · web-flow · commit 993989c81413 · 2026-03-27T11:21:09.000Z
Bumps [gunicorn](https://github.com/benoitc/gunicorn) from 25.2.0 to 25.3.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/benoitc/gunicorn/releases">gunicorn's releases</a>.</em></p> <blockquote> <h2>Gunicorn 25.3.0</h2> <h2>Bug Fixes</h2> <ul> <li> <p><strong>HTTP/2 ASGI Body Duplication</strong>: Fix request body being received twice in HTTP/2 ASGI requests, causing JSON parsing errors with &quot;Extra data&quot; messages (<a href="https://redirect.github.com/benoitc/gunicorn/issues/3558">#3558</a>)</p> </li> <li> <p><strong>ASGI Chunked EOF Handling</strong>: Add <code>finish()</code> method to callback parser to handle chunked encoding edge case where connection closes before final CRLF after zero-chunk</p> </li> <li> <p><strong>HTTP/2 Documentation</strong>: Fix <code>http_protocols</code> examples to use comma-separated string instead of list syntax (<a href="https://redirect.github.com/benoitc/gunicorn/issues/3561">#3561</a>)</p> </li> <li> <p><strong>Chunked Encoding</strong>: Reject chunk extensions containing bare CR bytes per RFC 9112 (<a href="https://github.com/benoitc/gunicorn/discussions/3556">#3556</a>)</p> </li> <li> <p><strong>Request Line Limit</strong>: Fix <code>--limit-request-line 0</code> to mean unlimited as documented, instead of using default maximum. Works with both Python and fast C parser. (<a href="https://redirect.github.com/benoitc/gunicorn/issues/3563">#3563</a>)</p> </li> </ul> <h2>Security</h2> <ul> <li><strong>ASGI Parser Header Validation</strong>: Add security checks per RFC 9110/9112: <ul> <li>Reject duplicate Content-Length headers</li> <li>Reject requests with both Content-Length and Transfer-Encoding</li> <li>Reject chunked transfer encoding in HTTP/1.0</li> <li>Reject stacked chunked encoding</li> <li>Validate Transfer-Encoding values</li> <li>Strict chunk size validation</li> </ul> </li> </ul> <h2>Changes</h2> <ul> <li> <p><strong>Fast HTTP Parser</strong>: Update to gunicorn_h1c &gt;= 0.6.3 for <code>asgi_headers</code> property and <code>InvalidChunkExtension</code> validation for bare CR rejection</p> </li> <li> <p><strong>ASGI PROXY Protocol</strong>: Add PROXY protocol v1/v2 support to callback parser</p> </li> <li> <p><strong>Docker Images</strong>: Update to Python 3.14</p> </li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/benoitc/gunicorn/commit/9bce72cfc3985aba7e0c47bf3c00fa681b2847e4"><code>9bce72c</code></a> Update changelog with missing 25.3.0 changes</li> <li><a href="https://github.com/benoitc/gunicorn/commit/2a15fdb93ab136e5776692d620852f481c89d610"><code>2a15fdb</code></a> Fix pylint isinstance-second-argument-not-valid-type warning</li> <li><a href="https://github.com/benoitc/gunicorn/commit/8d08aaa2cbd38fdfa2ca6fb94094c47b9c16730a"><code>8d08aaa</code></a> Fix --limit-request-line 0 to mean unlimited</li> <li><a href="https://github.com/benoitc/gunicorn/commit/d40a37454736e40916eb51e35895f1c22c0cd34a"><code>d40a374</code></a> Fix pytest-asyncio configuration and treq_asgi hex escapes</li> <li><a href="https://github.com/benoitc/gunicorn/commit/da8bd4850ac0f2d0df215390dad88392eb538d74"><code>da8bd48</code></a> Remove unused AsyncRequest class</li> <li><a href="https://github.com/benoitc/gunicorn/commit/b00f125755ec3f509a3e82dc5568d9f2d8bddba7"><code>b00f125</code></a> Integrate gunicorn_h1c 0.6.3 with InvalidChunkExtension support</li> <li><a href="https://github.com/benoitc/gunicorn/commit/bdb2ebd5a4913fff1e92800f3763e4a879526d3e"><code>bdb2ebd</code></a> Reject chunk extensions with bare CR bytes (RFC 9112)</li> <li><a href="https://github.com/benoitc/gunicorn/commit/7057fc9f89f0ce4d9ac01a12ea2f39768fb32be6"><code>7057fc9</code></a> Fix http_protocols documentation to use string syntax</li> <li><a href="https://github.com/benoitc/gunicorn/commit/d43acb8fe0910b6669c163e2f4a439e464eab012"><code>d43acb8</code></a> Update to gunicorn_h1c &gt;= 0.6.2 for asgi_headers support</li> <li><a href="https://github.com/benoitc/gunicorn/commit/cbd27e82a238cb1326336c6aa4b8ae058e2c9ff9"><code>cbd27e8</code></a> Merge pull request <a href="https://redirect.github.com/benoitc/gunicorn/issues/3559">#3559</a> from benleembruggen/fix/http2-asgi-body-duplication</li> <li>Additional commits viewable in <a href="https://github.com/benoitc/gunicorn/compare/25.2.0...25.3.0">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=gunicorn&package-manager=pip&previous-version=25.2.0&new-version=25.3.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
diff --git a/requirements/base-ft.txt b/requirements/base-ft.txt
@@ -22,7 +22,7 @@ frozenlist==1.8.0
     # via
     #   -r requirements/runtime-deps.in
     #   aiosignal
-gunicorn==25.2.0
+gunicorn==25.3.0
     # via -r requirements/base-ft.in
 idna==3.11
     # via yarl
diff --git a/requirements/base.txt b/requirements/base.txt
@@ -22,7 +22,7 @@ frozenlist==1.8.0
     # via
     #   -r requirements/runtime-deps.in
     #   aiosignal
-gunicorn==25.2.0
+gunicorn==25.3.0
     # via -r requirements/base.in
 idna==3.11
     # via yarl
diff --git a/requirements/constraints.txt b/requirements/constraints.txt
@@ -83,7 +83,7 @@ frozenlist==1.8.0
     # via
     #   -r requirements/runtime-deps.in
     #   aiosignal
-gunicorn==25.2.0
+gunicorn==25.3.0
     # via -r requirements/base.in
 identify==2.6.18
     # via pre-commit
diff --git a/requirements/dev.txt b/requirements/dev.txt
@@ -81,7 +81,7 @@ frozenlist==1.8.0
     # via
     #   -r requirements/runtime-deps.in
     #   aiosignal
-gunicorn==25.2.0
+gunicorn==25.3.0
     # via -r requirements/base.in
 identify==2.6.18
     # via pre-commit
diff --git a/requirements/test-ft.txt b/requirements/test-ft.txt
@@ -45,7 +45,7 @@ frozenlist==1.8.0
     # via
     #   -r requirements/runtime-deps.in
     #   aiosignal
-gunicorn==25.2.0
+gunicorn==25.3.0
     # via -r requirements/base-ft.in
 idna==3.11
     # via
diff --git a/requirements/test.txt b/requirements/test.txt
@@ -45,7 +45,7 @@ frozenlist==1.8.0
     # via
     #   -r requirements/runtime-deps.in
     #   aiosignal
-gunicorn==25.2.0
+gunicorn==25.3.0
     # via -r requirements/base.in
 idna==3.11
     # via
