Migrate to HTTP.jl 2.x (require 2.4) #3565
dependabot[bot] wants to merge 3 commits into
Updates the requirements on [HTTP](https://github.com/JuliaWeb/HTTP.jl) to permit the latest version. Updates `HTTP` to 2.1.0
- [Release notes](https://github.com/JuliaWeb/HTTP.jl/releases)
- [Changelog](https://github.com/JuliaWeb/HTTP.jl/blob/master/CHANGELOG.md)
- [Commits](JuliaWeb/HTTP.jl@v1.10.17...v2.1.0)

---
updated-dependencies:
- dependency-name: HTTP
  dependency-version: 2.0.0
  dependency-type: direct:production
  dependency-group: all-julia-packages
...

Signed-off-by: dependabot[bot] <support@github.com>
HTTP.jl 2.0 is a breaking rewrite on the Reseau transport layer. This adapts Pluto's web server to the new API and drops pre-2.0 compatibility.

- Require `HTTP = "2.1"`. The mixed HTTP+WebSocket server helper `HTTP.WebSockets.upgrade(f, stream)` is not in 2.0.0 (added in 2.1.0), and Pluto serves HTTP and WebSockets on one port, so 2.0.0 cannot be supported.
- WebServer.jl: `listen!` no longer takes `server=`/`on_shutdown`/`stream`/`verbose`, so bind the `TCP.Listener` ourselves (keeping the port-hint search) and pass it to `listen!`. The graceful `close(::HTTP.Server)` waits for active WebSocket connections, so client shutdown now runs from `RunningPlutoServer` before the server is closed.
- The server `Stream` exposes request metadata via `http.message`; rebuild the request with its body for the handlers, then assign `http.response` and write the body bytes (mirrors HTTP's own stream handler). A client disconnect now surfaces as `SystemError` (Reseau), so it is swallowed alongside `IOError`.
- `HTTP.WebSocket`/`HTTP.send` move under `HTTP.WebSockets`. Keep 1.x behavior of not checking the WebSocket `Origin` (it breaks proxied setups; the secret is the real auth).
- `auth_middleware`: `Headers` is no longer a plain vector, so replace the `filter!` with `setheader`, which already de-duplicates.
- `readtimeout` -> `read_idle_timeout`.
- test/Configuration.jl: the cookie jar keyword is `cookiejar`, not `jar`.
- test/compiletimes.jl: the HTTP-get warmup used `http://github.com`, whose redirect to https is now followed into Reseau's TLS stack; keep it a plain request with `redirect=false`.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Member: So, there is a concern in that
HTTP.jl 2.0–2.3 are affected by 14 security advisories (JLSEC-2026-611 through JLSEC-2026-624: HTTP/2 stream-cap DoS, fileserver path traversal, redirect/cookie/origin handling, request smuggling, SSE injection, weak WebSocket masking RNG, HPACK desync, ...), all fixed in HTTP.jl v2.4.0.

Raise the floor from 2.1 to 2.4. The 2.4 API surface Pluto uses is unchanged from 2.1 (`HTTP.WebSockets.upgrade` still accepts a `check_origin` callback, etc.).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Migrates Pluto's web server to the HTTP.jl 2.x API. HTTP.jl 2.0 is a breaking rewrite built on the Reseau transport layer, so this adapts the server code and drops pre-2.0 compatibility.
(This branch started as the Dependabot compat bump; the commits on top implement the actual migration.)
Version requirement: `HTTP = "2.4"`

- `HTTP.WebSockets.upgrade(f, stream)` (Pluto serves HTTP and WebSockets on one port) is not in 2.0.0; it was added in 2.1.0 (JuliaWeb/HTTP.jl#1255).
- 2.0–2.3 are affected by 14 security advisories, JLSEC-2026-611 … JLSEC-2026-624 (HTTP/2 stream-cap DoS, fileserver path traversal, redirect/cookie/origin handling, request smuggling, SSE injection, weak WebSocket masking RNG, HPACK desync, …), all fixed in v2.4.0 (SecurityAdvisories.jl#549).

So the floor is 2.4. The 2.4 API surface Pluto uses is identical to 2.1 (verified: `WebSockets.upgrade` still takes `check_origin`).

Changes

- WebServer.jl: `listen!` no longer accepts `server=`/`on_shutdown`/`stream`/`verbose`, so Pluto binds the `TCP.Listener` itself (keeping the port-hint search) and passes it to `listen!`. The graceful `close(::HTTP.Server)` now waits for active WebSocket connections, so client shutdown runs from `RunningPlutoServer` before the server is closed.
- `Stream` only exposes request metadata via `http.message`; the handler now rebuilds the request with its body, assigns `http.response`, and writes the body bytes (mirroring HTTP's own stream handler). A client disconnect surfaces as `SystemError` under Reseau, so it's swallowed alongside `IOError`.
- `HTTP.WebSocket`/`HTTP.send` move under `HTTP.WebSockets`. WebSocket `Origin` checking is left off (as in 1.x) because it breaks proxied setups like Binder/JuliaHub; the server secret is the real auth.
- `auth_middleware`: `Headers` is no longer a plain vector, so the `filter!` is replaced with `setheader` (which de-duplicates).
- `readtimeout` → `read_idle_timeout`.
- test/Configuration.jl: the cookie-jar keyword is `cookiejar`, not `jar` (the old name was silently ignored).
- test/compiletimes.jl: the HTTP-get warmup hit `http://github.com`, whose redirect to `https` is now followed into Reseau's TLS stack; kept it a plain request with `redirect=false`.

Verification
Backend tests pass on CI for the supported Julia versions, and a local smoke test (boot server → HTTP routes → WebSocket upgrade) passes against HTTP 2.4.0:
- Configurations: 182/182
- Web server: 25/25

Notes

- `~1.13.0-0` is expected to fail (unrelated to HTTP).
- `MoreAnalysis` test failure on `main` (which the suite hits after the HTTP tests) is fixed separately in Fix MoreAnalysis tests after deprecation removal #3577.