From 0d68e193b135d08b5f8fb329369811c190517fd0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jeremy=20Lain=C3=A9?=
Date: Wed, 20 Mar 2024 21:31:03 +0100
Subject: [PATCH] Update aioquic dependency to >= 1.0.0, < 2.0.0 (fixes: #6746) (#6747)
#### Description
This fixes some specification compliance issues as well as a potential DoS vulnerability. Start with version 1.0.0, aioquic follows semantic versioning, so no breaking changes will occur before version 2.0.0.
#### Checklist
- [x] I have updated tests where applicable.
- [x] I have added an entry to the CHANGELOG.
---
 CHANGELOG.md | 2 ++
 pyproject.toml | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 315a998a8..394e5e30f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -15,6 +15,8 @@
 ([#5370](https://github.com/mitmproxy/mitmproxy/pull/5370), @zioalex)
 * Make it possible to read flows from stdin with mitmweb.
 ([#6732](https://github.com/mitmproxy/mitmproxy/pull/6732), @jaywor1)
+* Update aioquic dependency to >= 1.0.0, < 2.0.0.
+ ([#6747](https://github.com/mitmproxy/mitmproxy/pull/6747), @jlaine)
 ## 07 March 2024: mitmproxy 10.2.4
diff --git a/pyproject.toml b/pyproject.toml
index 597c5dfb8..f74dc7e89 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -31,7 +31,7 @@ classifiers = [
 # https://packaging.python.org/en/latest/discussions/install-requires-vs-requirements/#install-requires
 # It is not considered best practice to use install_requires to pin dependencies to specific versions.
 dependencies = [
- "aioquic>=0.9.24,<0.10",
+ "aioquic>=1.0.0,<2.0.0",
 "asgiref>=3.2.10,<3.8",
 "Brotli>=1.0,<1.2",
 "certifi>=2019.9.11", # no semver here - this should always be on the last release!
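Review bot: The new lower bound on the `aioquic` entry in `dependencies` is what keeps installs off releases affected by the potential DoS issue the commit description mentions, but nothing on that line records this, so a later edit could relax the floor without noticing. I would add a trailing comment in the style already used on the `certifi` line, e.g. `"aioquic>=1.0.0,<2.0.0",  # floor is security-relevant (DoS fix, see #6747) - do not lower`. The range also moves from 0.9.x to 1.x with no code change in this patch; presumably the aioquic APIs in use are unchanged across that boundary, but this cannot be confirmed from the two files shown. The `dependencies` array continues past the end of the hunk.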