Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
An ASGI web server, for Python.
Documentation: https://www.uvicorn.org
Uvicorn is an ASGI web server implementation for Python.
Until recently Python has lacked a minimal low-level server/application interface for async frameworks. The ASGI specification fills this gap, and means we're now able to start building a common set of tooling usable across all async frameworks.
Uvicorn supports HTTP/1.1 and WebSockets.
Install using pip
:
$ pip install uvicorn
This will install uvicorn with minimal (pure Python) dependencies.
$ pip install 'uvicorn[standard]'
This will install uvicorn with "Cython-based" dependencies (where possible) and other "optional extras".
In this context, "Cython-based" means the following:
uvloop
will be installed and used if possible.httptools
if possible.Moreover, "optional extras" means that:
websockets
(should you want to use wsproto
you'd need to install it manually) if possible.--reload
flag in development mode will use watchfiles
.colorama
installed for the colored logs.python-dotenv
will be installed should you want to use the --env-file
option.PyYAML
will be installed to allow you to provide a .yaml
file to --log-config
, if desired.Create an application, in example.py
:
async def app(scope, receive, send):
assert scope['type'] == 'http'
await send({
'type': 'http.response.start',
'status': 200,
'headers': [
(b'content-type', b'text/plain'),
],
})
await send({
'type': 'http.response.body',
'body': b'Hello, world!',
})
Run the server:
$ uvicorn example:app
Most well established Python Web frameworks started out as WSGI-based frameworks.
WSGI applications are a single, synchronous callable that takes a request and returns a response. This doesn’t allow for long-lived connections, like you get with long-poll HTTP or WebSocket connections, which WSGI doesn't support well.
Having an async concurrency model also allows for options such as lightweight background tasks, and can be less of a limiting factor for endpoints that have long periods being blocked on network I/O such as dealing with slow HTTP requests.
A strength of the ASGI protocol is that it decouples the server implementation from the application framework. This allows for an ecosystem of interoperating webservers and application frameworks.
The first ASGI server implementation, originally developed to power Django Channels, is the Daphne webserver.
It is run widely in production, and supports HTTP/1.1, HTTP/2, and WebSockets.
Any of the example applications given here can equally well be run using daphne
instead.
$ pip install daphne
$ daphne app:App
Hypercorn was initially part of the Quart web framework, before being separated out into a standalone ASGI server.
Hypercorn supports HTTP/1.1, HTTP/2, and WebSockets.
It also supports the excellent trio
async framework, as an alternative to asyncio
.
$ pip install hypercorn
$ hypercorn app:App
Mangum is an adapter for using ASGI applications with AWS Lambda & API Gateway.
Granian is an ASGI compatible Rust HTTP server which supports HTTP/2, TLS and WebSockets.
Uvicorn is BSD licensed code.
Designed & crafted with care.
— 🦄 —
FAQs
The lightning-fast ASGI server.
We found that uvicorn demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.