Skip to content

Update daphne requirement from >=4.2.1 to >=4.2.2#64

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/pip/daphne-gte-4.2.2
Open

Update daphne requirement from >=4.2.1 to >=4.2.2#64
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/pip/daphne-gte-4.2.2

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 8, 2026

Copy link
Copy Markdown
Contributor

Updates the requirements on daphne to permit the latest version.

Changelog

Sourced from daphne's changelog.

4.2.2 (2026-06-03)

  • Fixed a denial of service vulnerability via unbounded WebSocket message sizes. Daphne previously passed no message or frame size limits to autobahn, whose defaults are unbounded. This allowed an unauthenticated client to exhaust server memory by sending a very large WebSocket messages/frames (CVE-2026-44545).

    Both limits now default to 1 MiB and can be configured via the new --websocket-max-message-size and --websocket-max-frame-size CLI flags (or the matching Server constructor arguments). Pass 0 to restore the previous unlimited behaviour.

    Thanks to ParkHyunWoo for the report.

  • Fixed a header injection vulnerability on the WebSocket upgrade path (CVE-2026-44546).

    Header values containing \x0b, \x0c, \x1c, \x1d, \x1e, or \x85 were parsed as a single header by Twisted but split into multiple headers by autobahn during the WebSocket handshake. An attacker could exploit this parser differential to smuggle additional headers (e.g. authentication tokens, X-Forwarded-For, Origin, Daphne-Root-Path) into the ASGI scope passed to the application.

    Daphne now rejects requests carrying these bytes in any header value with a 400 Bad Request response, as required by RFC 9110 §5.5.

    Thanks to Rene Henningsen for the report.

4.2.1 (2025-07-02)

  • Fixed a packaging error in 4.2.0.

  • Removed --nostatic and --insecure args to runserver command when staticfiles app is not installed.

4.2.0 (2025-05-16)

Daphne 4.2 is a maintenance release in the 4.x series.

  • Added support for Python 3.13.

  • Dropped support for EOL Python 3.8.

  • Updated pyupgrade configuration to target Python 3.9.

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Updates the requirements on [daphne](https://github.com/django/daphne) to permit the latest version.
- [Changelog](https://github.com/django/daphne/blob/main/CHANGELOG.txt)
- [Commits](django/daphne@4.2.1...4.2.2)

---
updated-dependencies:
- dependency-name: daphne
  dependency-version: 4.2.2
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels Jun 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file python Pull requests that update python code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants