
chore: bump bandit from 1.3.0 to 1.4.0 #207

Merged (1 commit, Mar 27, 2024)

Conversation

dependabot[bot] (Contributor) commented on behalf of github, Mar 27, 2024

Bumps bandit from 1.3.0 to 1.4.0.

Changelog

Sourced from bandit's changelog.

1.4.0 (26 Mar 2024)

Enhancements

  • Complete refactor of HTTP/2. Improved process model is MUCH easier to understand and yields about a 10% performance boost to HTTP/2 requests (#286 / #307)
  • Substantial refactor of the HTTP/1 and HTTP/2 stacks to share a common code path for much of their implementations, with the protocol-specific parts being factored out to a minimal Bandit.HTTPTransport protocol internally, which allows each protocol to define its own implementation for the minimal set of things that are different between the two stacks (#297 / #329)

Changes

  • BREAKING CHANGE Move configuration options that are common between HTTP/1 and HTTP/2 stacks into a shared http_options top-level config
  • BREAKING CHANGE The HTTP/2 header size limit options have been deprecated, and have been replaced with a single max_header_block_size option. The setting defaults to 50k bytes, and refers to the size of the compressed header block as sent on the wire (including any continuation frames)
  • BREAKING CHANGE Remove req_line_bytes, req_header_bytes, resp_line_bytes and resp_header_bytes from HTTP/1 request telemetry measurements
  • BREAKING CHANGE Remove status, method and request_target from telemetry metadata. All of this information can be obtained from the conn struct attached to most telemetry events
  • BREAKING CHANGE Re-reading a body that has already been read returns {:ok, "", conn} instead of raising a Bandit.BodyAlreadyReadError
  • BREAKING CHANGE Remove Bandit.BodyAlreadyReadError
  • BREAKING CHANGE Remove h2c support via Upgrade header. This was deprecated in RFC9113 and never in widespread use. We continue to support h2c via prior knowledge, which remains the only supported mechanism for h2c in RFC9113
  • Treat trailing bytes beyond the indicated content-length on HTTP/1 requests as an error
  • Surface request body read timeouts on HTTP/1 requests as {:more...} tuples and not errors
  • Socket sending errors are no longer surfaced on chunk sends in HTTP/1
  • We no longer log if processes that are linked to an HTTP/2 stream process terminate unexpectedly. This has always been unspecified behaviour, so it is not considered a breaking change
  • Calls of Plug.Conn functions for an HTTP/2 connection must now come from the stream process; any other process will raise an error. Again, this has always been unspecified behaviour
  • We now send an empty DATA frame for explicitly zero byte bodies instead of optimizing to a HEADERS frame with end_stream set (we still do so for cases such as 204/304 and HEAD requests)
  • We now send RST_STREAM frames if we complete a stream and the remote end is still open. This optimizes cases where the client may still be sending a body that we never consumed and don't care about
  • We no longer explicitly close the connection when we receive a GOAWAY frame

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
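
A consequence of the body re-read change listed in the changelog above, as an added example that is not Bandit's or this repository's code: a Plug.Parsers body reader that caches the raw body so a later webhook-signature plug never calls read_body a second time and mistakes the `{:ok, "", conn}` of an already-consumed body for an empty payload. Assumed: a Plug/Phoenix pipeline, a hypothetical `x-signature-256` header carrying lowercase hex HMAC-SHA256 over the raw body, and a secret supplied as a plug option.

```elixir
defmodule MyApp.CachingBodyReader do
  # Plug.Parsers `:body_reader` contract: invoked as read_body(conn, opts).
  # Reads the body once and keeps the raw bytes in conn.assigns so later plugs
  # never call Plug.Conn.read_body/2 again: under Bandit 1.4.0 a second read
  # returns {:ok, "", conn}, which looks exactly like a genuinely empty body.
  def read_body(conn, opts) do
    case Plug.Conn.read_body(conn, opts) do
      {:ok, body, conn} ->
        {:ok, body, Plug.Conn.assign(conn, :raw_body, body)}

      # Pass {:more, ...} and {:error, ...} through unchanged so Plug.Parsers
      # still enforces its :length limit (413) rather than this reader
      # buffering an unbounded body.
      other ->
        other
    end
  end
end

defmodule MyApp.VerifyWebhookSignature do
  @behaviour Plug
  import Plug.Conn

  @impl true
  def init(opts), do: Keyword.fetch!(opts, :secret)

  @impl true
  def call(conn, secret) do
    # A missing cache (the reader never ran) is treated as an empty body, which
    # only verifies if the sender really signed an empty payload.
    raw_body = conn.assigns[:raw_body] || ""
    expected = :crypto.mac(:hmac, :sha256, secret, raw_body) |> Base.encode16(case: :lower)

    # Hypothetical header name; secure_compare/2 is constant-time and false on length mismatch.
    case get_req_header(conn, "x-signature-256") do
      [given] -> if Plug.Crypto.secure_compare(given, expected), do: conn, else: reject(conn)
      _ -> reject(conn)
    end
  end

  defp reject(conn), do: conn |> send_resp(401, "invalid signature") |> halt()
end

# Pipeline wiring (router or endpoint): parse with the caching reader, then verify.
# plug Plug.Parsers, parsers: [:json], json_decoder: Jason,
#   body_reader: {MyApp.CachingBodyReader, :read_body, []}
# plug MyApp.VerifyWebhookSignature, secret: Application.fetch_env!(:my_app, :webhook_secret)
```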

@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Mar 27, 2024
@dependabot dependabot bot requested a review from paulswartz March 27, 2024 10:37
Bumps [bandit](https://github.com/mtrudel/bandit) from 1.3.0 to 1.4.0.
- [Changelog](https://github.com/mtrudel/bandit/blob/main/CHANGELOG.md)
- [Commits](mtrudel/bandit@1.3.0...1.4.0)

---
updated-dependencies:
- dependency-name: bandit
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: Paul Swartz <[email protected]>

Coverage of commit 09c9dd5

Summary coverage rate:
  lines......: 87.6% (905 of 1033 lines)
  functions..: 78.8% (282 of 358 functions)
  branches...: no data found

Files changed coverage rate: n/a


@paulswartz paulswartz merged commit 5bb6ae2 into main Mar 27, 2024
8 checks passed
@paulswartz paulswartz deleted the dependabot/hex/bandit-1.4.0 branch March 27, 2024 14:10