chore(deps): update dependency gunicorn to v25

[renovate-bot]

This PR contains the following updates:

Package	Change	Age	Confidence
gunicorn (changelog)	==23.0.0 → ==25.0.0

---

Release Notes

benoitc/gunicorn (gunicorn)

v25.0.0: Gunicorn 25.0.0

Compare Source

New Features

• Dirty Arbiters: Separate process pool for executing long-running, blocking
  operations (AI model loading, heavy computation) without blocking HTTP workers
  (PR #​3460)

  • Inspired by Erlang's dirty schedulers
  • Asyncio-based with Unix socket IPC
  • Stateful workers that persist loaded resources
  • New settings: --dirty-app, --dirty-workers, --dirty-timeout,
    --dirty-threads, --dirty-graceful-timeout
  • Lifecycle hooks: on_dirty_starting, dirty_post_fork,
    dirty_worker_init, dirty_worker_exit

• Per-App Worker Allocation for Dirty Arbiters: Control how many dirty workers
  load each app for memory optimization with heavy models
  (PR #​3473)

  • Set workers class attribute on DirtyApp (e.g., workers = 2)
  • Or use config format module:class:N (e.g., myapp:HeavyModel:2)
  • Requests automatically routed to workers with the target app
  • New exception DirtyNoWorkersAvailableError for graceful error handling
  • Example: 8 workers × 10GB model = 80GB → with workers=2: 20GB (75% savings)

• HTTP/2 Support (Beta): Native HTTP/2 (RFC 7540) support for improved performance
  with modern clients (PR #​3468)

  • Multiplexed streams over a single connection
  • Header compression (HPACK)
  • Flow control and stream prioritization
  • Works with gthread, gevent, and ASGI workers
  • New settings: --http-protocols, --http2-max-concurrent-streams,
    --http2-initial-window-size, --http2-max-frame-size, --http2-max-header-list-size
  • Requires SSL/TLS and h2 library: pip install gunicorn[http2]
  • New example: examples/http2_gevent/ with Docker and tests

• HTTP 103 Early Hints: Support for RFC 8297 Early Hints to enable browsers to
  preload resources before the final response
  (PR #​3468)

  • WSGI: environ['wsgi.early_hints'](headers) callback
  • ASGI: http.response.informational message type
  • Works with both HTTP/1.1 and HTTP/2

• uWSGI Protocol for ASGI Worker: The ASGI worker now supports receiving requests
  via the uWSGI binary protocol from nginx
  (PR #​3467)

Bug Fixes

• Fix HTTP/2 ALPN negotiation for gevent and eventlet workers when
  do_handshake_on_connect is False (the default). The TLS handshake is now
  explicitly performed before checking selected_alpn_protocol().

• Fix setproctitle initialization with systemd socket activation
  (#​3465)

• Fix Expect: 100-continue handling: ignore the header for HTTP/1.0 requests
  since 100-continue is only valid for HTTP/1.1+
  (PR #​3463)

• Fix missing _expected_100_continue attribute in UWSGIRequest

• Disable setproctitle on macOS to prevent segfaults during process title updates

• Publish full exception traceback when the application fails to load
  (#​3462)

• Fix ASGI: quick shutdown on SIGINT/SIGQUIT, graceful on SIGTERM

Deprecations

• Eventlet Worker: The eventlet worker is deprecated and will be removed in
  Gunicorn 26.0. Eventlet itself is no longer actively maintained.
  Please migrate to gevent, gthread, or another supported worker type.

Changes

• Remove obsolete Makefile targets
  (PR #​3471)
• Replace RST with markdown documentation format

v24.1.1

Compare Source

Bug Fixes

• Fix forwarded_allow_ips and proxy_allow_ips to remain as strings for backward
  compatibility with external tools like uvicorn. Network validation now uses strict
  mode to detect invalid CIDR notation (e.g., 192.168.1.1/24 where host bits are set)
  (#​3458,
  PR #​3459)

---

Full Changelog: benoitc/gunicorn@24.1.0...24.1.1

v24.1.0: Gunicorn 24.1.0

Compare Source

New Features

• Official Docker Image: Gunicorn now publishes official Docker images to GitHub Container Registry (PR #​3454)

  • Available at ghcr.io/benoitc/gunicorn
  • Based on Python 3.12 slim image
  • Uses recommended worker formula (2 × CPU + 1)
  • Configurable via environment variables

• PROXY Protocol v2 Support: Extended PROXY protocol implementation to support the binary v2 format in addition to the existing text-based v1 format (PR #​3451)

  • New --proxy-protocol modes: off, v1, v2, auto
  • auto mode (default when enabled) detects v1 or v2 automatically
  • v2 binary format is more efficient and supports additional metadata
  • Works with HAProxy, AWS NLB/ALB, and other PROXY protocol v2 sources

• CIDR Network Support: --forwarded-allow-ips and --proxy-allow-from now accept CIDR notation (e.g., 192.168.0.0/16) for specifying trusted networks (PR #​3449)

• Socket Backlog Metric: New gunicorn.socket.backlog gauge metric reports the current socket backlog size on Linux systems (PR #​3450)

• InotifyReloader Enhancement: The inotify-based reloader now watches newly imported modules, not just those loaded at startup (PR #​3447)

Bug Fixes

• Fix signal handling regression where SIGCLD alias caused "Unhandled signal: cld" errors on Linux when workers fail during boot (#​3453)
• Fix socket blocking mode on keepalive connections preventing SSL handshake failures with async workers (PR #​3452)
• Use smaller buffer size in finish_body() for faster timeout detection on slow or abandoned connections (PR #​3453)
• Handle SSLWantReadError in finish_body() to prevent worker hangs during SSL renegotiation (PR #​3448)
• Log SIGTERM as info level instead of warning to reduce noise in orchestrated environments (PR #​3446)
• Print exception details to stderr when worker fails to boot (PR #​3443)
• Fix unreader.unread() to prepend data to buffer instead of appending (PR #​3442)
• Prevent RecursionError when pickling Config objects (PR #​3441)
• Use proper exception chaining with raise from in glogging.py (PR #​3440)

Installation

pip install gunicorn==24.1.0

Or use the official Docker image:

docker pull ghcr.io/benoitc/gunicorn:24.1.0

v24.0.0

Compare Source

New Features

• ASGI Worker (Beta): Native asyncio-based ASGI support for running async Python frameworks like FastAPI, Starlette, and Quart without external dependencies

  • HTTP/1.1 with keepalive connections
  • WebSocket support
  • Lifespan protocol for startup/shutdown hooks
  • Optional uvloop for improved performance

• uWSGI Binary Protocol: Support for receiving requests from nginx via uwsgi_pass directive

• Documentation Migration: Migrated to MkDocs with Material theme

Security

• eventlet: Require eventlet >= 0.40.3 (CVE-2021-21419, CVE-2025-58068)
• gevent: Require gevent >= 24.10.1 (CVE-2023-41419, CVE-2024-3219)
• tornado: Require tornado >= 6.5.0 (CVE-2025-47287)

Install

pip install gunicorn==24.0.0

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[gemini-code-assist]

Summary of Changes

Hello @renovate-bot, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request performs a significant upgrade of the Gunicorn web server dependency from version 23.0.0 to 25.0.0 across various Python application configurations. This update integrates several major new features, such as 'Dirty Arbiters' for efficient handling of intensive tasks, beta support for HTTP/2, and enhanced ASGI capabilities. It also includes important security patches, numerous bug fixes, and the deprecation of the 'eventlet' worker, ensuring the applications benefit from the latest performance, stability, and security improvements offered by Gunicorn.

Highlights

• Gunicorn Version Upgrade: The Gunicorn dependency has been updated from version "23.0.0" to "25.0.0" across all affected "requirements.txt" files.
• New 'Dirty Arbiters' Feature: Version 25.0.0 introduces 'Dirty Arbiters', a separate process pool designed to execute long-running, blocking operations (like AI model loading) without blocking the main HTTP workers, inspired by Erlang's dirty schedulers.
• Beta HTTP/2 Support: Native HTTP/2 (RFC 7540) support has been added in beta, offering improved performance through multiplexed streams, header compression, and flow control, compatible with gthread, gevent, and ASGI workers.
• HTTP 103 Early Hints: Support for RFC 8297 Early Hints is now available, allowing browsers to preload resources before the final response, applicable to both HTTP/1.1 and HTTP/2.
• ASGI Worker Enhancements: The ASGI worker now supports the uWSGI binary protocol for receiving requests from nginx, building upon the initial beta ASGI support introduced in v24.0.0.
• Eventlet Worker Deprecation: The "eventlet" worker has been deprecated in Gunicorn 25.0.0 and is slated for removal in Gunicorn 26.0, with a recommendation to migrate to "gevent" or "gthread" due to Eventlet's lack of active maintenance.
• Official Docker Image and PROXY Protocol v2: Version 24.1.0 introduced official Docker images for Gunicorn and extended PROXY protocol support to include the more efficient binary v2 format.
• Security and Bug Fixes: Multiple security updates for underlying dependencies (eventlet, gevent, tornado) and numerous bug fixes have been incorporated across versions 24.0.0, 24.1.0, 24.1.1, and 25.0.0, improving stability and reliability.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request updates the gunicorn dependency from version 23.0.0 to 25.0.0 across numerous requirements.txt files. This is a significant update, and my review focused on the compatibility implications, particularly concerning Python versions, as gunicorn v25 requires Python 3.8 or newer. I've identified a couple of areas where the Python version specifications in the requirements files are inconsistent with this new requirement. I've provided specific suggestions to address these inconsistencies, which should improve the correctness of the dependency files and prevent potential installation problems. Otherwise, the dependency update is straightforward.

[gemini-code-assist]

Gunicorn v25 requires Python 3.8+. The python_version < '3.0' marker is for Python 2 and will cause installation to fail. The python_version > '3.0' marker is also inaccurate as it includes unsupported Python 3 versions. Since other dependencies in this file imply support for Python 3.8+, these two lines can be simplified to a single one.

gunicorn==25.0.0

[gemini-code-assist]

The update to gunicorn==25.0.0 raises the required Python version to 3.8+. However, gunicorn lacks a Python version marker, while other dependencies in this file are pinned for older Python versions (e.g., < '3.7'). This will cause installation failures on unsupported Python versions. To prevent this, a version marker should be added.

gunicorn==25.0.0; python_version >= '3.8'