## Summary
Both HTTP protocol implementations (`h11_impl.py` and
`httptools_impl.py`) use
`contextvars.Context().run(loop.create_task, ...)` to start ASGI tasks
with a
fresh context. Python 3.11 added a `context=` parameter to
`create_task()`,
which avoids the extra indirection through `Context.run()`.
This has been a known TODO in the codebase for a while. Under
high-concurrency
workloads, the `Context().run()` wrapper adds a small but measurable
overhead
per request compared to the native kwarg, since it has to set up and
tear down
the context activation around the call.
The change uses `sys.version_info` to branch at runtime — 3.11+ gets the
native
kwarg, older versions keep the existing behavior. Coverage pragmas
follow the
existing convention in `_types.py` (`py-lt-311` / `py-gte-311` on the
branch
lines).
---------
Co-authored-by: Marcelo Trylesinski <marcelotryle@gmail.com>
Bumps [cryptography](https://github.com/pyca/cryptography) from 46.0.5
to 46.0.6.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst">cryptography's
changelog</a>.</em></p>
<blockquote>
<p>46.0.6 - 2026-03-25</p>
<pre><code>
* **SECURITY ISSUE**: Fixed a bug where name constraints were not
applied
to peer names during verification when the leaf certificate contains a
wildcard DNS SAN. Ordinary X.509 topologies are not affected by this
bug,
including those used by the Web PKI. Credit to **Oleh Konko (1seal)**
for
reporting the issue. **CVE-2026-34073**
<p>.. _v46-0-5:<br />
</code></pre></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="91d728897b"><code>91d7288</code></a>
Cherry-pick <a
href="https://redirect.github.com/pyca/cryptography/issues/14542">#14542</a>
(<a
href="https://redirect.github.com/pyca/cryptography/issues/14543">#14543</a>)</li>
<li>See full diff in <a
href="https://github.com/pyca/cryptography/compare/46.0.5...46.0.6">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/Kludex/uvicorn/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Config.__init__ calls dictConfig() on every construction, which
dominated benchmark time (~70% for httptools). Pre-creating configs
at module level removes this setup noise so CodSpeed measures the
actual protocol work.
Benchmark handshake and text frame sending using the same mock
transport approach as HTTP benchmarks. The legacy websockets
implementation is excluded as it manages its own internal tasks.
* Use bytearray for request body accumulation
Accumulating request body with bytes += creates a new bytes object on
every chunk, leading to O(n^2) allocation for fragmented bodies.
bytearray extends in-place (amortized O(1)), avoiding the quadratic cost.
* Add fragmented body benchmark for chunked body accumulation
Sends 100KB in 390 x 256-byte chunks to exercise the body += path
that triggers O(n^2) allocation with bytes concatenation.
* Revert "Add fragmented body benchmark for chunked body accumulation"
This reverts commit 47662509c1.
* Add CodSpeed benchmark suite for HTTP protocol hot paths
* Suppress mypy operator error on ASGI message body concatenation
* Use OIDC token and pin CodSpeed action to latest commit
* Fix broken HEADER_RE regex in httptools HTTP implementation
The character class in HEADER_RE has unescaped [ and ] which causes
the regex to be parsed incorrectly. The ] prematurely closes the
character class after ':', so the remaining characters '={} \t"'
are treated as a literal sequence rather than part of the class.
As a result the regex never matches any invalid header name character
and the validation at line 496 is completely non-functional.
This escapes the brackets and backslash properly inside the
character class so all RFC 7230 header name separators are caught.
* Add tests for invalid HTTP header name validation
* Add comment explaining why no 500 is sent on invalid header name
* Use backticks around response_started in comment
---------
Co-authored-by: Marcelo Trylesinski <marcelotryle@gmail.com>
* feat: max_requests_jitter
* format
* type check
* Fix test
* Add type annotation for `Server.limit_max_requests`
Mypy infers `int` from the first branch and errors on the `None`
assignment in the else branch.
* Use `cached_property` for `Server.limit_max_requests`
Keeps `__init__` clean by moving the jitter computation out.
* Document `--limit-max-requests-jitter` setting
---------
Co-authored-by: Marcelo Trylesinski <marcelotryle@gmail.com>
Pass `ignore_permission_denied=True` to `watchfiles.watch()` so
that directories the process cannot access are silently skipped
instead of crashing the reloader.
Bump the minimum watchfiles version to 0.20, which is the release
that introduced the `ignore_permission_denied` parameter.
Closes#1785
* Add socket path to scope["server"]
* fix lint
* Address review feedback and update sansio protocol
- Use `if` instead of `elif` after early returns in `get_local_addr`
- Update `server` type in `WebSocketsSansIOProtocol` to support UDS
- Add missing test case for full coverage
* Poll for readiness in `test_multiprocess_health_check` and `run_server`
Apply the same polling pattern to `test_multiprocess_health_check` — wait
for all processes to be alive instead of a fixed 1s sleep.
In `run_server`, wait for `server.started` instead of a fixed 0.1s sleep
to avoid connection races on slow setups (e.g. free-threaded Python 3.14).
* Avoid uncovered branch in health check polling loop
* Add pragma: no cover to health check polling loop body
Extended regular expressions (enabled via flag -E) don't support
non-capturing groups under POSIX. Get rid of them as they don't add any
value since we don't handle the captured groups in the first place.
