Bump gunicorn to the latest version #5351
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The version of Gunicorn we are using is more than 18 months out of date[1] and has a high severity security vulnerabilites[2]. We have not updated the version on the API (and therefore the minimum version in utils[3]) because last time we tried (while still on PaaS) it had some performance issues, documented here[4]: > We originally pinned this due to eventlet v0.33 compatibility issues. > That was supposedly fixed in version v21.0.0 and we merged v21.2.0 for > a while. Until we ran a load test again, and identified that the > bumped version of gunicorn led to a 33%+ drop-off in > performance/requests per second that the API was able to handle. If a > version greater than 21.2.0 is released, and it either gives us > something we need or we think it addresses said performance issues, > make sure to run a load test in staging before releasing to > production. But the admin app does not serve anywhere near the same number of requests per second as the API, so we have already upgraded to version 21.2.0. This pull request just updates from 21.2.0 to 23.0.0 (the latest version), which resolves the security vulnerability. *** 1. https://github.com/benoitc/gunicorn/tree/21.2.0 2. GHSA-w3h3-4rj7-4ph4 3. https://github.com/alphagov/notifications-utils/blob/main/setup.py#L31 4. https://github.com/alphagov/notifications-api/blob/aff08653d951d6f60dec8d701ae7cf1681b78a27/requirements.in#L10
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The version of Gunicorn we are using is more than 18 months out of date1 and has a high severity security vulnerability2.
We have not updated the version on the API (and therefore the minimum version in utils3) because last time we tried (while still on PaaS) it had some performance issues, documented here4:
But the admin app does not serve anywhere near the same number of requests per second as the API, so we have already upgraded to version 21.2.0.
This pull request just updates from 21.2.0 to 23.0.0 (the latest version), which resolves the new security vulnerability.