pin gunicorn to git commit; bump eventlet

gunicorn doesn't pin eventlet, but functionally, gunicorn==20.1.0
depends on eventlet<=0.30.2 due to a change in eventlet. Gunicorn have
fixed this compat issue, however, haven't released it. By pinning to a
git commit, we're able to bump eventlet up to 0.33, thus solving a
security advisory. (Note that the security advisory didn't actually
impact us as it only affects websockets, however, it was noisy and
distracting).

Note - pip may have cached the old version of gunicorn. You may need to
run `pip install -r requirements.txt --no-cache-dir` to get the updated
version of gunicorn locally.
Leo Hemsted
2022-02-23 15:41:32 +00:00
parent 4b4122a773
commit ba2479b6e4
2 changed files with 6 additions and 6 deletions

@@ -9,8 +9,8 @@ Flask-Migrate==2.7.0
git+https://github.com/mitsuhiko/flask-sqlalchemy.git@500e732dd1b975a56ab06a46bd1a20a21e682262#egg=Flask-SQLAlchemy==2.3.2.dev20190108
Flask==1.1.2
click-datetime==0.2
eventlet==0.30.2 # pyup: ignore # 0.31 breaks Gunicorn
gunicorn==20.1.0
# Should be pinned until a new gunicorn release greater than 20.1.0 comes out. (Due to eventlet v0.33 compatibility issues)
git+https://github.com/benoitc/gunicorn.git@1299ea9e967a61ae2edebe191082fd169b864c64#egg=gunicorn[eventlet]==20.1.0
iso8601==0.1.14
itsdangerous==1.1.0
jsonschema==3.2.0
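Review bot: the `eventlet==0.30.2` line has no explicit replacement in this hunk, so eventlet is now requested only through the `[eventlet]` extra on the gunicorn git URL, and nothing in this file enforces the 0.33 version the commit message relies on to clear the advisory. Consider keeping an explicit eventlet pin or lower bound next to the gunicorn line, or confirm that the second changed file pins it. The `==20.1.0` in the `#egg=` fragment also labels an unreleased commit with the released version number, so tooling that reads the version will not distinguish the two. The comment above the git URL could say this and point to the upstream fix, so that whoever reverts to a PyPI release knows what to check for.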