From 715ba9a4a8075eed73d78c28209763a7eb67f01f Mon Sep 17 00:00:00 2001
From: Daniel Lee
Date: Wed, 17 Jun 2026 10:57:21 -0700
Subject: [PATCH 1/3] fix(ci): update allowed endpoints for harden-runner (#427)

---
 .github/workflows/dependency-review.yml | 2 ++
 .github/workflows/unit.yml | 1 +
 2 files changed, 3 insertions(+)

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 5dbfda76..bcf29c0b 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -22,7 +22,9 @@ jobs:
 disable-sudo: true
 egress-policy: block
 allowed-endpoints: >
+ api.deps.dev:443
 api.github.com:443
+ api.securityscorecards.dev:443
 github.com:443
 - name: 'Checkout Repository'
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
diff --git a/.github/workflows/unit.yml b/.github/workflows/unit.yml
index adab381d..2901f5f3 100644
--- a/.github/workflows/unit.yml
+++ b/.github/workflows/unit.yml
@@ -42,6 +42,7 @@ jobs:
 github.com:443
 objects.githubusercontent.com:443
 production.cloudflare.docker.com:443
+ production.cloudfront.docker.com:443
 pypi.org:443
 registry-1.docker.io:443
 release-assets.githubusercontent.com:443

From c6501715bb57348ead817ee90c18622b3c1c31ab Mon Sep 17 00:00:00 2001
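Review bot: In the unit.yml hunk, `production.cloudfront.docker.com:443` is added next to the existing `production.cloudflare.docker.com:443` without retiring it; if Docker's download host moved rather than split, the cloudflare entry is now dead weight that keeps the egress allowlist wider than the job needs, which is worth confirming (for example with harden-runner's `egress-policy: audit` on a trial run) before both are kept. The dependency-review.yml hunk has the related problem that `api.deps.dev:443` and `api.securityscorecards.dev:443` are added with no record of which step needs them (presumably the dependency-review action's scorecard lookups), so a later reviewer cannot tell which entries are safe to prune. Because `allowed-endpoints` is a folded scalar (`>`), a `#` line inside it would become part of the value rather than a comment, so the note belongs above the key, e.g. `# api.deps.dev / api.securityscorecards.dev: dependency-review scorecard lookups`. In unit.yml the allowed-endpoints list starts and ends outside the hunk.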
From: =?UTF-8?q?Christopher=20M=C3=BCller?= <63948181+SpielerNogard@users.noreply.github.com>
Date: Wed, 17 Jun 2026 20:13:27 +0200
Subject: [PATCH 2/3] fix(deps): bump starlette to >=1.0.1 on Python 3.10+ to fix PYSEC-2026-161 (#423)

Starlette <=1.0.0 is vulnerable to a missing Host header validation that poisons request.url.path and bypasses path-based security checks (GHSA-86qp-5c8j-p5mr / PYSEC-2026-161). The fix only landed in 1.0.1, which requires Python >=3.10. Constraint is split by interpreter version so Python 3.8/3.9 users keep the existing 0.x line (no upstream fix available) while Python 3.10+ pulls the patched 1.x line.

Co-authored-by: Daniel Lee
---
 pyproject.toml | 3 ++-
 setup.py | 5 ++++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/pyproject.toml b/pyproject.toml
index 972e7e52..04baad0e 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -29,7 +29,8 @@ dependencies = [
 "gunicorn>=22.0.0; platform_system!='Windows'",
 "cloudevents>=1.11.0,<=1.12.0", # Must support python 3.8
 "Werkzeug>=0.14,<4.0.0",
- "starlette>=0.37.0,<1.0.0; python_version>='3.8'",
+ "starlette>=0.37.0,<1.0.0; python_version>='3.8' and python_version<'3.10'",
+ "starlette>=1.0.1,<2.0.0; python_version>='3.10'",
 "uvicorn>=0.18.0,<1.0.0; python_version>='3.8'",
 "uvicorn-worker>=0.2.0,<1.0.0; python_version>='3.8'",
 ]
diff --git a/setup.py b/setup.py
index db6479ea..41244a6c 100644
--- a/setup.py
+++ b/setup.py
@@ -58,7 +58,10 @@
 "Werkzeug>=0.14,<4.0.0",
 ],
 extras_require={
- "async": ["starlette>=0.37.0,<1.0.0"],
+ "async": [
+ "starlette>=0.37.0,<1.0.0; python_version<'3.10'",
+ "starlette>=1.0.1,<2.0.0; python_version>='3.10'",
+ ],
 },
 entry_points={
 "console_scripts": [

From d13d9aa4666b553e0e435813ab799c6f43e96bd8 Mon Sep 17 00:00:00 2001
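Review bot: The pyproject.toml hunk's new 0.x line leaves Python 3.8/3.9 installs on a starlette range that the commit message itself says has no fix for PYSEC-2026-161 (GHSA-86qp-5c8j-p5mr), but nothing in the file records that, so the next reader sees an ordinary version split rather than a known-unpatched path. The file already uses trailing comments on dependency entries (`# Must support python 3.8`), so the same style fits here: `"starlette>=0.37.0,<1.0.0; python_version>='3.8' and python_version<'3.10'",  # no starlette fix for PYSEC-2026-161 on <3.10 (#423)`. The same applies to the setup.py hunk, where the `async` extra carries the identical split; note the two copies already differ (pyproject keeps the `python_version>='3.8'` floor, setup.py does not), so a comment in each pointing at the other would help keep them from drifting further. The `dependencies` array and the `setup()` call both continue outside their hunks.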
From: "release-please[bot]" <55107282+release-please[bot]@users.noreply.github.com>
Date: Wed, 17 Jun 2026 11:17:02 -0700
Subject: [PATCH 3/3] chore(main): release 3.10.2 (#417)

Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
---
 CHANGELOG.md | 9 +++++++++
 pyproject.toml | 2 +-
 setup.py | 2 +-
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 14e609c4..20d13326 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,15 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [3.10.2](https://github.com/GoogleCloudPlatform/functions-framework-python/compare/v3.10.1...v3.10.2) (2026-06-17)
+
+
+### Bug Fixes
+
+* **ci:** update allowed endpoints for harden-runner ([#427](https://github.com/GoogleCloudPlatform/functions-framework-python/issues/427)) ([715ba9a](https://github.com/GoogleCloudPlatform/functions-framework-python/commit/715ba9a4a8075eed73d78c28209763a7eb67f01f))
+* **deps:** bump starlette to >=1.0.1 on Python 3.10+ to fix PYSEC-2026-161 ([#423](https://github.com/GoogleCloudPlatform/functions-framework-python/issues/423)) ([c650171](https://github.com/GoogleCloudPlatform/functions-framework-python/commit/c6501715bb57348ead817ee90c18622b3c1c31ab))
+* remove macos-13 from test matrix (runner retired) ([#414](https://github.com/GoogleCloudPlatform/functions-framework-python/issues/414)) ([b41ee77](https://github.com/GoogleCloudPlatform/functions-framework-python/commit/b41ee77d6fb61a9e0a76f17d561a221e50fe788a))
+
 ## [3.10.1](https://github.com/GoogleCloudPlatform/functions-framework-python/compare/v3.10.0...v3.10.1) (2026-02-17)
diff --git a/pyproject.toml b/pyproject.toml
index 04baad0e..cb6549fd 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "functions-framework"
-version = "3.10.1"
+version = "3.10.2"
 description = "An open source FaaS (Function as a service) framework for writing portable Python functions -- brought to you by the Google Cloud Functions team."
 readme = "README.md"
 requires-python = ">=3.7, <4"
diff --git a/setup.py b/setup.py
index 41244a6c..10dfee0d 100644
--- a/setup.py
+++ b/setup.py
@@ -25,7 +25,7 @@ setup(
 name="functions-framework",
- version="3.10.1",
+ version="3.10.2",
 description="An open source FaaS (Function as a service) framework for writing portable Python functions -- brought to you by the Google Cloud Functions team.",
 long_description=long_description,
 long_description_content_type="text/markdown",