Drop Python 3.8 and add Python 3.13#445
Merged
digitalresistor merged 2 commits intomainfrom Oct 26, 2024
Merged
Conversation
kgaughan added a commit to kgaughan/waitress that referenced this pull request Oct 27, 2024
With Pylons#445, it no longer makes sense not to use `pkgutil.resolve_name` to handle the importing of WSGI applications in the runner. There is one very minor behavioural change in that `pkgutil.resolve_name` allows a broader syntax for the imports, but supports the same syntax as the existing code being removed, so this is a minor concern. It has the pleasant side effect of removing some legacy code only present for Python 2.6 that was missed when Python 2 support was removed.
Member
| @digitalresistor Thanks for your maintenance efforts. It would have been nice to have the drop of support for Python 3.8 noted with a major version bump and a mention in the release notes. I know Python 3.8 is no longer supported even by the Python community and don't have any objection to dropping support for it, but this caught at least one member of the Plone community who has an old site on Python 3.8 and tried to upgrade to waitress 3.0.1. |
Member
| @davisagli I think it can always be debated what constitutes a major version number and in strict semver (which waitress and most other pylons projects don’t follow too strictly) I probably agree with you but to be honest the python-requires metadata was correctly updated which is the main thing here. Anyone not respecting that metadata needs to get on board regardless of version numbers. |
Member
| https://docs.pylonsproject.org/projects/waitress/en/stable/ has no mention of this change and needs to be updated. Can you confirm in which version this change was released, so I can put it under the proper heading? Sorry, I haven't been tracking this closely. |
Member
| You’re right it was missed in the changelog. Good eye. They were part of 3.0.1. |
stevepiercy added a commit that referenced this pull request Oct 31, 2024
digitalresistor added a commit that referenced this pull request Nov 16, 2024
Add change log entry for #445 and update supported Python versions
hswong3i pushed a commit to alvistack/Pylons-waitress that referenced this pull request Nov 17, 2024
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this pull request Feb 5, 2025
3.0.2 (2024-11-16) Security - When using Waitress to process trusted proxy headers, Waitress will now update the headers to drop any untrusted values, thereby making sure that WSGI apps only get trusted and validated values that Waitress itself used to update the environ. See Pylons/waitress#452 and Pylons/waitress#451 3.0.1 (2024-10-28) Backward Incompatibilities - Python 3.8 is no longer supported. See Pylons/waitress#445. Features - Added support for Python 3.13. See Pylons/waitress#445. Security - Fix a bug that would lead to Waitress busy looping on select() on a half-open socket due to a race condition that existed when creating a new HTTPChannel. See Pylons/waitress#435, Pylons/waitress#418 and GHSA-3f84-rpwh-47g6 With thanks to Dylan Jay and Dieter Maurer for their extensive debugging and helping track this down. - No longer strip the header values before passing them to the WSGI environ. See Pylons/waitress#434 and Pylons/waitress#432 - Fix a race condition in Waitress when `channel_request_lookahead` is enabled that could lead to HTTP request smuggling.
qws941 pushed a commit to qws941/blacklist that referenced this pull request Feb 18, 2026
Bumps [waitress](https://github.com/Pylons/waitress) from 2.1.2 to 3.0.2. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/Pylons/waitress/releases">waitress's releases</a>.</em></p> <blockquote> <h2>v3.0.2</h2> <h1>3.0.2 (2024-11-16)</h1> <h2>Security</h2> <ul> <li>When using Waitress to process trusted proxy headers, Waitress will now update the headers to drop any untrusted values, thereby making sure that WSGI apps only get trusted and validated values that Waitress itself used to update the environ. See <a href="https://redirect.github.com/Pylons/waitress/pull/452">Pylons/waitress#452</a> and <a href="https://redirect.github.com/Pylons/waitress/issues/451">Pylons/waitress#451</a></li> </ul> <h2>v3.0.1</h2> <h1>3.0.1 (2024-10-28)</h1> <h2>Backward Incompatibilities</h2> <ul> <li>Python 3.8 is no longer supported. See <a href="https://redirect.github.com/Pylons/waitress/pull/445">Pylons/waitress#445</a>.</li> </ul> <h2>Features</h2> <ul> <li>Added support for Python 3.13. See <a href="https://redirect.github.com/Pylons/waitress/pull/445">Pylons/waitress#445</a>.</li> </ul> <h2>Security</h2> <ul> <li> <p>Fix a bug that would lead to Waitress busy looping on select() on a half-open socket due to a race condition that existed when creating a new HTTPChannel. See <a href="https://redirect.github.com/Pylons/waitress/pull/435">Pylons/waitress#435</a>, <a href="https://redirect.github.com/Pylons/waitress/issues/418">Pylons/waitress#418</a> and <a href="https://github.com/Pylons/waitress/security/advisories/GHSA-3f84-rpwh-47g6">https://github.com/Pylons/waitress/security/advisories/GHSA-3f84-rpwh-47g6</a></p> <p>With thanks to Dylan Jay and Dieter Maurer for their extensive debugging and helping track this down.</p> </li> <li> <p>No longer strip the header values before passing them to the WSGI environ. See <a href="https://redirect.github.com/Pylons/waitress/pull/434">Pylons/waitress#434</a> and <a href="https://redirect.github.com/Pylons/waitress/issues/432">Pylons/waitress#432</a></p> </li> <li> <p>Fix a race condition in Waitress when <code>channel_request_lookahead</code> is enabled that could lead to HTTP request smuggling.</p> <p>See <a href="https://github.com/Pylons/waitress/security/advisories/GHSA-9298-4cf8-g4wj">https://github.com/Pylons/waitress/security/advisories/GHSA-9298-4cf8-g4wj</a></p> </li> </ul> <h2>v3.0.0</h2> <h1>3.0.0 (2024-02-04)</h1> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/Pylons/waitress/blob/main/CHANGES.txt">waitress's changelog</a>.</em></p> <blockquote> <h2>3.0.2 (2024-11-16)</h2> <p>Security</p> <pre><code> - When using Waitress to process trusted proxy headers, Waitress will now update the headers to drop any untrusted values, thereby making sure that WSGI apps only get trusted and validated values that Waitress itself used to update the environ. See Pylons/waitress#452 and Pylons/waitress#451 <h2>3.0.1 (2024-10-28)</h2> <p>Backward Incompatibilities<br /> </code></pre></p> <ul> <li>Python 3.8 is no longer supported. See <a href="https://redirect.github.com/Pylons/waitress/pull/445">Pylons/waitress#445</a>.</li> </ul> <p>Features</p> <pre><code> - Added support for Python 3.13. See Pylons/waitress#445. <p>Security<br /> </code></pre></p> <ul> <li> <p>Fix a bug that would lead to Waitress busy looping on select() on a half-open socket due to a race condition that existed when creating a new HTTPChannel. See <a href="https://redirect.github.com/Pylons/waitress/pull/435">Pylons/waitress#435</a>, <a href="https://redirect.github.com/Pylons/waitress/issues/418">Pylons/waitress#418</a> and <a href="https://github.com/Pylons/waitress/security/advisories/GHSA-3f84-rpwh-47g6">https://github.com/Pylons/waitress/security/advisories/GHSA-3f84-rpwh-47g6</a></p> <p>With thanks to Dylan Jay and Dieter Maurer for their extensive debugging and helping track this down.</p> </li> <li> <p>No longer strip the header values before passing them to the WSGI environ. See <a href="https://redirect.github.com/Pylons/waitress/pull/434">Pylons/waitress#434</a> and <a href="https://redirect.github.com/Pylons/waitress/issues/432">Pylons/waitress#432</a></p> </li> <li> <p>Fix a race condition in Waitress when <code>channel_request_lookahead</code> is enabled that could lead to HTTP request smuggling.</p> <p>See <a href="https://github.com/Pylons/waitress/security/advisories/GHSA-9298-4cf8-g4wj">https://github.com/Pylons/waitress/security/advisories/GHSA-9298-4cf8-g4wj</a></p> </li> </ul> <p>3.0.0 (2024-02-04)</p> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/Pylons/waitress/commit/b11ae729cc51ca2998a1ad9b4992b34f34ac95e7"><code>b11ae72</code></a> Prep for 3.0.2</li> <li><a href="https://github.com/Pylons/waitress/commit/38ffad094b785168aba197f6b6d8df5de713cc2b"><code>38ffad0</code></a> Merge pull request <a href="https://redirect.github.com/Pylons/waitress/issues/450">#450</a> from Pylons/445-amend-drop-py38</li> <li><a href="https://github.com/Pylons/waitress/commit/0e7bf65174d142bf48010226e51407d59791cbd9"><code>0e7bf65</code></a> Remove hack to register atexit handler</li> <li><a href="https://github.com/Pylons/waitress/commit/0e82766124501551a2480db228c37d03eb8634b9"><code>0e82766</code></a> Add concurrency grouping to cancel in progress runs upon push</li> <li><a href="https://github.com/Pylons/waitress/commit/135c4bfb2045b60c487f91a5ed490c9f2c30c002"><code>135c4bf</code></a> Split Python versions note into two under separate headings</li> <li><a href="https://github.com/Pylons/waitress/commit/23ac524459cf9bad48faabdd0bd5be43434d4af6"><code>23ac524</code></a> Merge pull request <a href="https://redirect.github.com/Pylons/waitress/issues/446">#446</a> from kgaughan/resolve-name</li> <li><a href="https://github.com/Pylons/waitress/commit/a20fe86d90a69b68098abca6e3959e6df99ade71"><code>a20fe86</code></a> Merge pull request <a href="https://redirect.github.com/Pylons/waitress/issues/447">#447</a> from kgaughan/modern-assertions</li> <li><a href="https://github.com/Pylons/waitress/commit/d005ec24a40e3381018ec22145d67f2a3728824a"><code>d005ec2</code></a> Merge pull request <a href="https://redirect.github.com/Pylons/waitress/issues/448">#448</a> from kgaughan/trivial-cleanup</li> <li><a href="https://github.com/Pylons/waitress/commit/291d9cb01ab1608be4dc969ce176b68fc45c256e"><code>291d9cb</code></a> Merge pull request <a href="https://redirect.github.com/Pylons/waitress/issues/452">#452</a> from simonk52/drop-untrusted-proxy-values</li> <li><a href="https://github.com/Pylons/waitress/commit/da38a2093cc90afb51dfe6599bea7cdefd0024eb"><code>da38a20</code></a> Sign CONTRIBUTORS.txt</li> <li>Additional commits viewable in <a href="https://github.com/Pylons/waitress/compare/v2.1.2...v3.0.2">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
As it says on the tin. Drop Python 3.8 and add Python 3.13