gh-144484: Warn users not to use wsgiref in production by sethmlarson · Pull Request #144487 · python/cpython

sethmlarson · 2026-02-04T20:36:41Z

Follow-up from the precautionary CVE for wsgiref, where even though the module is documented as a reference implementation (instead of production-ready), there isn't any explicit docs for this like other modules with this property (eg: http.server).

Issue: Document that wsgiref is not meant for production #144484

📚 Documentation preview 📚: https://cpython-previews--144487.org.readthedocs.build/

benediktjohannes · 2026-02-05T15:25:14Z

LGTM

vstinner

LGTM.

https://docs.python.org/dev/library/http.server.html has a similar banner but it also has a "Security considerations" section.

miss-islington-app · 2026-02-05T15:43:43Z

Thanks @sethmlarson for the PR 🌮🎉.. I'm working now to backport this PR to: 3.13, 3.14.
🐍🍒⛏🤖 I'm not a witch! I'm not a witch!

miss-islington-app · 2026-02-05T17:00:11Z

Thanks @sethmlarson for the PR 🌮🎉.. I'm working now to backport this PR to: 3.13.
🐍🍒⛏🤖

miss-islington-app · 2026-02-05T17:00:11Z

Thanks @sethmlarson for the PR 🌮🎉.. I'm working now to backport this PR to: 3.14.
🐍🍒⛏🤖

miss-islington-app · 2026-02-05T17:00:14Z

Sorry, @sethmlarson, I could not cleanly backport this to 3.13 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 7e777c587f01434ac5eea3d63d096f191278dad2 3.13

miss-islington-app · 2026-02-05T17:00:19Z

Sorry, @sethmlarson, I could not cleanly backport this to 3.14 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 7e777c587f01434ac5eea3d63d096f191278dad2 3.14

vstinner · 2026-02-05T17:00:45Z

Aha, it seems like you should backport the change manually to 3.14.

StanFromIreland · 2026-02-05T17:32:07Z

Aha, it seems like you should backport the change manually to 3.14.

The bot got confused, backports have already been merged #144511 / #144512.

Should this not be treated as a security fix and backported all the way?

sethmlarson · 2026-02-05T18:11:41Z

@StanFromIreland I believe it should be handled as a security-related change.

miss-islington-app · 2026-02-05T18:11:51Z

Thanks @sethmlarson for the PR 🌮🎉.. I'm working now to backport this PR to: 3.10.
🐍🍒⛏🤖

miss-islington-app · 2026-02-05T18:11:51Z

Thanks @sethmlarson for the PR 🌮🎉.. I'm working now to backport this PR to: 3.11.
🐍🍒⛏🤖

miss-islington-app · 2026-02-05T18:11:52Z

Thanks @sethmlarson for the PR 🌮🎉.. I'm working now to backport this PR to: 3.12.
🐍🍒⛏🤖

StanFromIreland · 2026-02-05T18:23:47Z

The bot made the PRs: #144523 #144522 #144521

pythongh-144484: Warn users not to use wsgiref in production

b71e5e0

bedevere-app Bot added awaiting review docs Documentation in the Doc dir skip news labels Feb 4, 2026

bedevere-app Bot mentioned this pull request Feb 4, 2026

Document that wsgiref is not meant for production #144484

Closed

github-project-automation Bot added this to Docs PRs Feb 4, 2026

github-project-automation Bot moved this to Todo in Docs PRs Feb 4, 2026

vstinner approved these changes Feb 5, 2026

View reviewed changes

bedevere-app Bot added awaiting merge and removed awaiting review labels Feb 5, 2026

vstinner added needs backport to 3.13 bugs and security fixes needs backport to 3.14 bugs and security fixes labels Feb 5, 2026

sethmlarson merged commit 7e777c5 into python:main Feb 5, 2026
44 checks passed

sethmlarson deleted the wsgiref-security-warning branch February 5, 2026 15:43

github-project-automation Bot moved this from Todo to Done in Docs PRs Feb 5, 2026

bedevere-app Bot removed the awaiting merge label Feb 5, 2026

vstinner added needs backport to 3.13 bugs and security fixes needs backport to 3.14 bugs and security fixes and removed needs backport to 3.13 bugs and security fixes needs backport to 3.14 bugs and security fixes labels Feb 5, 2026

miss-islington-app Bot assigned sethmlarson Feb 5, 2026

StanFromIreland removed the needs backport to 3.13 bugs and security fixes label Feb 5, 2026

StanFromIreland removed the needs backport to 3.14 bugs and security fixes label Feb 5, 2026

sethmlarson added needs backport to 3.10 only security fixes needs backport to 3.11 only security fixes needs backport to 3.12 only security fixes labels Feb 5, 2026

StanFromIreland removed needs backport to 3.10 only security fixes needs backport to 3.11 only security fixes needs backport to 3.12 only security fixes labels Feb 5, 2026

Uh oh!

Conversation

sethmlarson commented Feb 4, 2026 • edited by github-actions Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

benediktjohannes commented Feb 5, 2026

Uh oh!

vstinner left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

miss-islington-app Bot commented Feb 5, 2026

Uh oh!

miss-islington-app Bot commented Feb 5, 2026

Uh oh!

miss-islington-app Bot commented Feb 5, 2026

Uh oh!

miss-islington-app Bot commented Feb 5, 2026

Uh oh!

miss-islington-app Bot commented Feb 5, 2026

Uh oh!

vstinner commented Feb 5, 2026

Uh oh!

StanFromIreland commented Feb 5, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

sethmlarson commented Feb 5, 2026

Uh oh!

miss-islington-app Bot commented Feb 5, 2026

Uh oh!

miss-islington-app Bot commented Feb 5, 2026

Uh oh!

miss-islington-app Bot commented Feb 5, 2026

Uh oh!

StanFromIreland commented Feb 5, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

sethmlarson commented Feb 4, 2026 •

edited by github-actions Bot

Loading

StanFromIreland commented Feb 5, 2026 •

edited

Loading

StanFromIreland commented Feb 5, 2026 •

edited

Loading