From 7053b2daec88c1b4d61c82334ca6c38b407a237f Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 3 Feb 2026 06:40:40 +0000
Subject: [PATCH] Bump gunicorn from 24.1.1 to 25.0.1 in /backend (#1548)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Bumps [gunicorn](https://github.com/benoitc/gunicorn) from 24.1.1 to
25.0.1.
Release notes
Sourced from gunicorn's
releases.
25.0.1
Bug Fixes
- Fix ASGI streaming responses (SSE) hanging: add chunked transfer
encoding for
HTTP/1.1 responses without Content-Length header. Without chunked
encoding,
clients wait for connection close to determine end-of-response.
Changes
- Update celery_alternative example to use FastAPI with native ASGI
worker and
uvloop for async task execution
Testing
- Add ASGI compliance test suite with Docker-based integration tests
covering HTTP,
WebSocket, streaming, lifespan, framework integration (Starlette,
FastAPI),
HTTP/2, and concurrency scenarios
Gunicorn 25.0.0
New Features
-
Dirty Arbiters: Separate process pool for executing
long-running, blocking
operations (AI model loading, heavy computation) without blocking HTTP
workers
([PR #3460](benoitc/gunicorn#3460))
- Inspired by Erlang's dirty schedulers
- Asyncio-based with Unix socket IPC
- Stateful workers that persist loaded resources
- New settings:
--dirty-app,
--dirty-workers, --dirty-timeout,
--dirty-threads, --dirty-graceful-timeout
- Lifecycle hooks:
on_dirty_starting,
dirty_post_fork,
dirty_worker_init, dirty_worker_exit
-
Per-App Worker Allocation for Dirty Arbiters:
Control how many dirty workers
load each app for memory optimization with heavy models
([PR #3473](benoitc/gunicorn#3473))
- Set
workers class attribute on DirtyApp (e.g.,
workers = 2)
- Or use config format
module:class:N (e.g.,
myapp:HeavyModel:2)
- Requests automatically routed to workers with the target app
- New exception
DirtyNoWorkersAvailableError for graceful
error handling
- Example: 8 workers × 10GB model = 80GB → with
workers=2: 20GB (75% savings)
-
HTTP/2 Support (Beta): Native HTTP/2 (RFC 7540)
support for improved performance
with modern clients ([PR #3468](benoitc/gunicorn#3468))
- Multiplexed streams over a single connection
- Header compression (HPACK)
- Flow control and stream prioritization
- Works with gthread, gevent, and ASGI workers
- New settings:
--http-protocols,
--http2-max-concurrent-streams,
--http2-initial-window-size,
--http2-max-frame-size,
--http2-max-header-list-size
- Requires SSL/TLS and h2 library:
pip install
gunicorn[http2]
... (truncated)
Commits
3bf529f
docs: sync news.md with 2026-news.md1f4f245
Merge pull request #3478
from benoitc/feature/asgi-compliance-testbede1519c0
docs: add ASGI compliance test suite to changelog0885005
fix(tests): correct assertions in ASGI compliance tests658924c
docs: update changelog for 25.0.1c5b6e82
chore: bump version to 25.0.1ce352dc
fix(asgi): add chunked transfer encoding for streaming responses29b8a3a
Merge pull request #3476
from benoitc/dependabot/github_actions/actions/check...791ab46
chore(deps): bump actions/checkout from 4 to 69235b72
Merge pull request #3475
from benoitc/dependabot/github_actions/actions/uploa...- Additional commits viewable in compare
view
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
backend/pyproject.toml | 2 +-
backend/uv.lock | 8 ++++----
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/backend/pyproject.toml b/backend/pyproject.toml
index dca50bf3..7be836b0 100644
--- a/backend/pyproject.toml
+++ b/backend/pyproject.toml
@@ -13,7 +13,7 @@ dependencies = [
"databases[asyncpg]==0.9.0",
"fastapi==0.128.0",
"fastapi-sso==0.19.0",
- "gunicorn==24.1.1",
+ "gunicorn==25.0.1",
"heliclockter==3.0.1",
"parameterized==0.9.0",
"passlib==1.7.4",
diff --git a/backend/uv.lock b/backend/uv.lock
index d5101cb8..47f1137b 100644
--- a/backend/uv.lock
+++ b/backend/uv.lock
@@ -383,7 +383,7 @@ requires-dist = [
{ name = "databases", extras = ["asyncpg"], specifier = "==0.9.0" },
{ name = "fastapi", specifier = "==0.128.0" },
{ name = "fastapi-sso", specifier = "==0.19.0" },
- { name = "gunicorn", specifier = "==24.1.1" },
+ { name = "gunicorn", specifier = "==25.0.1" },
{ name = "heliclockter", specifier = "==3.0.1" },
{ name = "parameterized", specifier = "==0.9.0" },
{ name = "passlib", specifier = "==1.7.4" },
@@ -739,14 +739,14 @@ wheels = [
[[package]]
name = "gunicorn"
-version = "24.1.1"
+version = "25.0.1"
source = { registry = "https://pypi.org/simple" }
dependencies = [
{ name = "packaging" },
]
-sdist = { url = "https://files.pythonhosted.org/packages/78/0a/10739c03537ec5b131a867bf94df2e412b437696c7e5d26970e2198a80d2/gunicorn-24.1.1.tar.gz", hash = "sha256:f006d110e5cb3102859b4f5cd48335dbd9cc28d0d27cd24ddbdafa6c60929408", size = 287567, upload-time = "2026-01-24T01:15:31.359Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/9e/83/e8327358129ca4dffd4fa6b6004aa5085dc80e913dec9b253401d6bd23ad/gunicorn-25.0.1.tar.gz", hash = "sha256:573e053aa950246e307ea908bd7ddce1870d41a40aec0c935938c586f0b9b946", size = 9693127, upload-time = "2026-02-02T13:34:05.767Z" }
wheels = [
- { url = "https://files.pythonhosted.org/packages/96/90/cfe637677916fc6f53cd2b05d5746e249f683e1fa14c9e745a88c66f7290/gunicorn-24.1.1-py3-none-any.whl", hash = "sha256:757f6b621fc4f7581a90600b2cd9df593461f06a41d7259cb9b94499dc4095a8", size = 114920, upload-time = "2026-01-24T01:15:29.656Z" },
+ { url = "https://files.pythonhosted.org/packages/e0/dc/f1da097b7e0de5cd7552c10667305879093125cd62ff7372ad07d184ed8f/gunicorn-25.0.1-py3-none-any.whl", hash = "sha256:23cbe968c6ae3c8efc3d118c8353fa0763efc2102d89d0d3cea696cede7ff6b1", size = 169961, upload-time = "2026-02-02T13:34:02.744Z" },
]
[[package]]