(no Git tag matched)

  • #565: Cheroot requires Python 3.8 or later.


20 May 2023

  • #504 via PR #505: Cheroot now accepts a reuse_port parameter on the HTTPServer object. Subclasses overriding prepare_socket will no longer work and will need to adapt to the new interface.


(no Git tag matched)

  • #252 via PR #339: Cheroot now requires Python 3.6 or later. Python 3.5 and Python 2.7 are still supported by the maint/8.x branch and stabilizing bugfixes will be accepted to that branch.


(no Git tag matched)

Significant improvements:

  • #384 via PR #385, PR #406: Exposed type stubs with annotations for public API – by @kasium.

  • PR #401 (related to the PR #352 effort): Started reusing the the expriration_interval setting as timeout in the low-level select() invocation, effectively reducing the system load when idle, that is noticeable on low-end hardware systems. On Windows OS, due to different select() behavior, the effect is less significant and comes with a theoretically decreased performance on quickly repeating requests, which has however found to be not significant in real world scenarios. – by @MichaIng.

Internal changes:

  • Implemented a manual-trigger-based release workflow.

  • Integrated publishing GitHub Releases into the workflow.

  • Migrated the docs theme to Furo (created by @pradyunsg).

  • Attempted to improve the stability of testing.

  • Configured the CI to test the same distribution as will be shipped.

  • Improved the linting setup and contributor checklists.

  • Stopped running tests under Ubuntu 16.04.

  • Tweaked the distribution packages metadata to satisfy strict checks.

  • Implemented distribution build reproducibility using a pip constraints lock-file.

  • Added per-environment lock-files into the tox test environments.


(no Git tag matched)

  • #358 via PR #359: Fixed a regression from PR #199 that made the worker threads exit on invalid connection attempts and could make the whole server unresponsive once there was no workers left. – by @cameronbrunner.


(no Git tag matched)


(no Git tag matched)


(no Git tag matched)

  • #317 via PR #337: Fixed a regression in 8.4.5 where the connections dictionary would change size during iteration, leading to a RuntimeError raised in the logs – by @liamstask.


(no Git tag matched)

  • PR #334: Started filtering out TLS/SSL errors when the version requested by the client is unsupported – by @sanderjo and @Safihre.


(no Git tag matched)


(no Git tag matched)

  • #312 via PR #313: Fixed a regression introduced in the earlier refactoring in v8.4.4 via PR #309 that caused the connection manager to modify the selector map while looping over it – by @liamstask.

  • #312 via PR #316: Added a regression test for the error handling in get_conn() to ensure more stability – by @cyraxjoe.


(no Git tag matched)


(no Git tag matched)

  • PR #282: Fixed a race condition happening when an HTTP client attempts to reuse a persistent HTTP connection after it’s been discarded on the server in HTTPRequest but no TCP FIN packet has been received yet over the wire – by @meaksh.

    This change populates the Keep-Alive header exposing the timeout value for persistent HTTP/1.1 connections which helps mitigate such race conditions by letting the client know not to reuse the connection after that time interval.


(no Git tag matched)

  • Fixed a significant performance regression introduced in v8.1.0 (#305 via PR #308) - by @mar10.

    The issue turned out to add 0.1s delay on new incoming connection processing. We’ve lowered that delay to mitigate the problem short-term, better fix is yet to come.


(no Git tag matched)


(no Git tag matched)

  • Converted management from low-level select() to high-level selectors (#249 via PR #301) - by @tommilligan.

    This change also introduces a conditional dependency on selectors2 as a fall-back for legacy Python interpreters.


(no Git tag matched)

  • Fixed TLS socket related unclosed resource warnings (PR #291 and PR #298).

  • Made terminating keep-alive connections more graceful (#263 via PR #277).


(no Git tag matched)

  • CherryPy #910 via PR #243: Provide TLS-related details via WSGI environment interface.

  • PR #248: Fix parsing of the --bind CLI option for abstract UNIX sockets.


(no Git tag matched)

  • CherryPy #1818: Restore support for None default argument to WebCase.getPage().


(no Git tag matched)

  • Deprecated use of negative timeouts as alias for infinite timeouts in ThreadPool.stop.

  • CherryPy #1662 via PR #74: For OPTION requests, bypass URI as path if it does not appear absolute.


(no Git tag matched)

  • Workers are now request-based, addressing the long-standing issue with keep-alive connections (#91 via PR #199).


(no Git tag matched)

  • #231 via PR #232: Remove custom setup.cfg parser handling, allowing the project (including sdist) to build/run on setuptools 41.4. Now building cheroot requires setuptools 30.3 or later (for declarative config support) and preferably 34.4 or later (as indicated in pyproject.toml).


(no Git tag matched)

  • PR #224: Refactored “open URL” behavior in webtest to rely on retry_call. Callers can no longer pass raise_subcls or ssl_context positionally, but must pass them as keyword arguments.


(no Git tag matched)

  • Revisit PR #85 under PR #221. Now backports.functools_lru_cache is only required on Python 3.2 and earlier.

  • CherryPy #1206 via PR #204: Fix race condition in threadpool shrink code.


(no Git tag matched)

  • #222 via 621f4ee: Fix socket.SO_PEERCRED constant fallback value under PowerPC.


(no Git tag matched)

  • #198 via 9f7affe: Fix race condition when toggling stats counting in the middle of request processing.

  • Improve post Python 3.9 compatibility checks.

  • Fix support of abstract namespace sockets.


(no Git tag matched)

  • #218 via PR #219: Fix HTTP parser to return 400 on invalid major-only HTTP version in Request-Line.


(no Git tag matched)

  • #99 via PR #186: Sockets now collect statistics (bytes read and written) on Python 3 same as Python 2.

  • CherryPy #1618 via PR #180: Ignore OpenSSL’s 1.1+ Error 0 under any Python while wrapping a socket.


(no Git tag matched)


(no Git tag matched)

  • PR #149: Make SCRIPT_NAME optional per PEP 333.


(no Git tag matched)


(no Git tag matched)


(no Git tag matched)


(no Git tag matched)


(no Git tag matched)


(no Git tag matched)

  • #100 via PR #101: Respond with HTTP 400 to malicious Content-Length in request headers.


(no Git tag matched)

  • CherryPy #1618: Ignore OpenSSL’s 1.1+ Error 0 under Python 2 while wrapping a socket.


(no Git tag matched)

  • PR #87: Add cheroot command and runpy launcher to launch a WSGI app from the command-line.


(no Git tag matched)

  • Fix missing resolve_peer_creds argument in cheroot.wsgi.Server being bypassed into cheroot.server.HTTPServer.

  • PR #85: Revert conditional dependencies. System packagers should honor the dependencies as declared by cheroot, which are defined intentionally.


(no Git tag matched)

  • PR #85: Skip installing dependencies from backports namespace under Python 3.


(no Git tag matched)


(no Git tag matched)

  • PR #83: Fix regression, caused by inverted check for Windows OS.

  • Add more URLs to distribution metadata


(no Git tag matched)

  • PR #37: Implement PEERCRED lookup over UNIX-socket HTTP connection.

    • Discover connected process’ PID/UID/GID

    • Respect server switches: peercreds_enabled and peercreds_resolve_enabled

    • get_peer_creds and resolve_peer_creds methods on connection

    • peer_pid, peer_uid, peer_gid, peer_user and peer_group properties on connection

    • X_REMOTE_PID, X_REMOTE_UID, X_REMOTE_GID, X_REMOTE_USER (REMOTE_USER) and X_REMOTE_GROUP WSGI environment variables when enabled and supported

    • Per-connection caching to reduce lookup cost


(no Git tag matched)


(no Git tag matched)


(no Git tag matched)

  • PR #67: Refactor test suite to completely rely on pytest.

    • Integrate pytest-testmon and pytest-watch

    • Stabilize testing

  • CherryPy #1664 via PR #66: Implement input termination flag support as suggested by @mitsuhiko in his wsgi.input_terminated Proposal.

  • #73: Fix SSL error bypassing.

  • #77 via PR #78: Fix WSGI documentation example to support Python 3.

  • PR #76: Send correct conditional HTTP error in helper function.

  • CherryPy #1404 via PR #75: Fix headers being unsent before request closed. Now we double check that they’ve been sent.

  • Minor docs improvements.

  • Minor refactoring.


(no Git tag matched)

  • Drop support for Python 2.6, 3.1, 3.2, and 3.3.

  • Also drop built-in SSL support for Python 2.7 earlier than 2.7.9.


(no Git tag matched)

  • CherryPy #1621: To support webtest applications that feed absolute URIs to getPage() but expect the scheme/host/port to be ignored (as cheroot 5.8 and earlier did), provide a strip_netloc helper and recipe for calling it in a subclass.


(no Git tag matched)

  • Minor refactorings of cheroot/server.py to reduce redundancy of behavior.

  • Delinting with fewer exceptions.

  • Restored license to BSD.


(no Git tag matched)

  • #61: Re-release without spurious files in the distribution.


(no Git tag matched)

  • #58: Reverted encoding behavior in wsgi module to correct regression in CherryPy tests.


(no Git tag matched)

  • CherryPy #1088 and PR #53: Avoid using SO_REUSEADDR on Windows where it has different semantics.

  • cheroot.tests.webtest adopts the one method that was unique in CherryPy, now superseding the implementation there.

  • Substantial cleanup around compatibility functions (_compat module).

  • License unintentionally changed to MIT. BSD still declared and intended.


(no Git tag matched)

  • Improve HTTP request line validation:

    • Improve HTTP version parsing

  • Fix HTTP CONNECT method processing:

    • Respond with 405 Method Not Allowed if proxy_mode is False

    • Validate that request-target is in authority-form

  • Improve tests in test.test_core

  • PR #44: Fix EPROTOTYPE @ Mac OS


(no Git tag matched)

  • Fix PR #39 regression. Add HTTP request line check: absolute URI path must start with a forward slash (“/”).


(no Git tag matched)


(no Git tag matched)

  • CI improvements:

    • Switch to native PyPy support in Travis CI

    • Take into account PEP 257 compliant modules

    • Build wheel in AppVeyor and store it as an artifact

  • Improve urllib support in cheroot._compat

  • #38 via PR #39: Improve URI parsing:

    • Make it compliant with RFC 7230, RFC 7231 and RFC 2616

    • Fix setting of environ['QUERY_STRING'] in WSGI

    • Introduce proxy_mode and strict_mode argument in server.HTTPRequest

    • Fix decoding of Unicode URIs in WSGI 1.0 gateway


(no Git tag matched)

  • CI improvements:

    • Don’t run tests during deploy stage

    • Use VM based build job environments only for pyenv environments

    • Opt-in for beta trusty image @ Travis CI

    • Be verbose when running tests (show test names)

    • Show xfail/skip details during test run

  • #34: Fix _handle_no_ssl error handler calls

  • #21: Fix test_conn tests:

    • Improve setup_server def in HTTP connection tests

    • Fix HTTP streaming tests

    • Fix HTTP/1.1 pipelining test under Python 3

    • Fix test_readall_or_close test

    • Fix test_No_Message_Body

    • Clarify test_598 fail reason

  • #36: Add GitHub templates for PR, issue && contributing

  • #27: Default HTTP Server header to Cheroot version str

  • Cleanup _compat functions from server module


(no Git tag matched)

  • Fix all PEP 257 related errors in all non-test modules.

    cheroot/test/* folder is only one left allowed to fail with this linter.

  • CherryPy #1602 and PR #30: Optimize chunked body reader loop by returning empty data is the size is 0.

  • CherryPy #1486: Reset buffer if the body size is unknown

  • CherryPy #1131: Add missing size hint to SizeCheckWrapper


(no Git tag matched)


(no Git tag matched)


(no Git tag matched)

  • #17 via PR #25: Instead of a read_headers function, cheroot now supplies a HeaderReader class to perform the same function.

    Any HTTPRequest object may override the header_reader attribute to customize the handling of incoming headers.

    The server module also presents a provisional implementation of a DropUnderscoreHeaderReader that will exclude any headers containing an underscore. It remains an exercise for the implementer to demonstrate how this functionality might be employed in a server such as CherryPy.

  • PR #26: Configured TravisCI to run tests under OS X.


(no Git tag matched)

  • PR #22: Add “ciphers” parameter to SSLAdapter.


(no Git tag matched)


(no Git tag matched)

  • #5: Set Server.version to Cheroot version instead of CherryPy version.

  • PR #4: Prevent tracebacks and drop bad HTTPS connections in the BuiltinSSLAdapter, similar to pyOpenSSLAdapter.

  • #3: Test suite now runs and many tests pass. Some are still failing.


(no Git tag matched)


(no Git tag matched)

  • Fix error in parse_request_uri created in 68a5769.


(no Git tag matched)