
Bump h11 from 0.14.0 to 0.16.0#1

Open
dependabot[bot] wants to merge 1 commit into dev from dependabot/pip/h11-0.16.0

Conversation


dependabot[bot] commented on behalf of github on Jun 30, 2025

Bumps h11 from 0.14.0 to 0.16.0.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [h11](https://github.com/python-hyper/h11) from 0.14.0 to 0.16.0.
- [Commits](python-hyper/h11@v0.14.0...v0.16.0)

---
updated-dependencies:
- dependency-name: h11
  dependency-version: 0.16.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the labels "dependencies" (Pull requests that update a dependency file) and "python" (Pull requests that update python code) on Jun 30, 2025
chadfurman (Owner) commented:

@fossabot summarize


fossabot Bot commented Jun 30, 2025


✓ Safe to upgrade

Unable to generate recommendation due to error. Please review the breaking changes manually before proceeding.

N/A


Change Details

✓ Safe Breaking Changes (3)
✓ h11: Security fix rejects certain malformed Transfer-Encoding: chunked bodies that were previously accepted

Status: ✓ Safe - No impact detected

The codebase uses Flask for HTTP handling and only processes JSON requests via request.get_json(). There is no direct handling of Transfer-Encoding headers or chunked body processing in the application code. The security fix in h11 will only affect malformed requests at the HTTP protocol level, which Flask/uvicorn handle transparently.

Validations (2)
  1. No code found that directly handles Transfer-Encoding headers or chunked bodies

  2. Code only uses Flask's request.get_json() method for JSON payloads, no direct HTTP header manipulation

Citations (2)

payload = request.get_json(silent=True)

Application only uses Flask's high-level JSON request parsing, not direct HTTP header processing

payload = request.get_json(silent=True)

Memory module also uses Flask's JSON parsing without direct Transfer-Encoding handling


✓ h11: Content-Length values >= 1 zettabyte (1 billion terabytes) are now rejected early

Status: ✓ Safe - No impact detected

The application processes JSON payloads for AI/ML operations which are typically small (text-based). Content-Length values of 1 zettabyte (1 billion terabytes) are astronomically large and would never occur in normal operation. This security fix protects against malicious requests but won't affect legitimate usage.

Validations (2)
  1. No direct Content-Length header processing found in the codebase

  2. Application processes text-based JSON payloads for AI/ML operations, typical sizes are small (KB to MB range)

Citations (2)

prompt = payload.get("prompt", False) or "None"

Application processes text prompts which are small compared to the 1 zettabyte limit

documents = [msg["msg"] for msg in messages]

Memory operations handle text messages, not large binary data that could approach zettabyte sizes


✓ h11: Python 3.7 support removed - h11 now requires Python>=3.8

Status: ✓ Safe - No impact detected

The project specifies Python ^3.10 in pyproject.toml, which is well above h11's new minimum requirement of Python>=3.8. Additionally, h11 is only used as a transitive dependency through uvicorn and is not directly imported or used in the codebase.

Validations (2)
  1. Project requires Python ^3.10 (Python 3.10 or higher), which is well above h11's new minimum of Python 3.8

  2. No direct imports of h11 found in any Python files. It's only used as a transitive dependency through uvicorn

Citations (1)

python = "^3.10"

Project already requires Python 3.10 or higher, which is compatible with h11's new Python>=3.8 requirement

