Bump uvicorn from 0.40.0 to 0.42.0

[dependabot]

Bumps uvicorn from 0.40.0 to 0.42.0.

Release notes

Sourced from uvicorn's releases.

Version 0.42.0

Changed

• Use bytearray for request body accumulation to avoid O(n^2) allocation on fragmented bodies (#2845)

Fixed

• Escape brackets and backslash in httptools HEADER_RE regex (#2824)
• Fix multiple issues in websockets sans-io implementation (#2825)

---

New Contributors

• @​bysiber made their first contribution in Kludex/uvicorn#2825

---

Full Changelog: Kludex/uvicorn@0.41.0...0.42.0

Version 0.41.0

Added

• Add --limit-max-requests-jitter to stagger worker restarts (#2707)
• Add socket path to scope["server"] (#2561)

Changed

• Rename LifespanOn.error_occured to error_occurred (#2776)

Fixed

• Ignore permission denied errors in watchfiles reloader (#2817)
• Ensure lifespan shutdown runs when should_exit is set during startup (#2812)
• Reduce the log level of 'request limit exceeded' messages (#2788)

---

New Contributors

• @​t-kawasumi made their first contribution in Kludex/uvicorn#2776
• @​fardyn made their first contribution in Kludex/uvicorn#2800
• @​ewie made their first contribution in Kludex/uvicorn#2807
• @​shevron made their first contribution in Kludex/uvicorn#2788
• @​jonashaag made their first contribution in Kludex/uvicorn#2707

---

Full Changelog: Kludex/uvicorn@0.40.0...0.41.0

Changelog

Sourced from uvicorn's changelog.

0.42.0 (March 16, 2026)

Changed

• Use bytearray for request body accumulation to avoid O(n^2) allocation on fragmented bodies (#2845)

Fixed

• Escape brackets and backslash in httptools HEADER_RE regex (#2824)
• Fix multiple issues in websockets sans-io implementation (#2825)

0.41.0 (February 16, 2026)

Added

• Add --limit-max-requests-jitter to stagger worker restarts (#2707)
• Add socket path to scope["server"] (#2561)

Changed

• Rename LifespanOn.error_occured to error_occurred (#2776)

Fixed

• Ignore permission denied errors in watchfiles reloader (#2817)
• Ensure lifespan shutdown runs when should_exit is set during startup (#2812)
• Reduce the log level of 'request limit exceeded' messages (#2788)

Commits

• 02bed6f Version 0.42.0 (#2852)
• d8f2501 chore: pre-create Config objects in benchmarks to measure protocol hot paths ...
• 9dbb783 Add WebSocket protocol benchmarks for wsproto and websockets-sansio (#2849)
• b3c69da Use bytearray for request body accumulation (#2845)
• 3f3ebee Disable pytest-xdist for CodSpeed benchmark runs (#2847)
• d072de7 Add fragmented body benchmark for chunked body accumulation (#2846)
• e300c2c Add CodSpeed benchmark suite for HTTP protocol hot paths (#2844)
• 1fa6976 Escape brackets and backslash in httptools HEADER_RE regex (#2824)
• 59ec1de Fix multiple issues in websockets sansio implementation (#2825)
• 2fc0efc Clarify Windows asyncio event loop selection in docs (#2843)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[mandeepbal]

Risk Assessment — claude-code

Risk Level: 🟢 LOW — Recommend merge

What changed (0.40.0 → 0.42.0):

• Perf: Request body accumulation rewritten from string concat (O(n²)) to bytearray — meaningful improvement for large/fragmented request bodies
• Security-adjacent: Escaped brackets/backslash in httptools HEADER_RE regex — hardens against malformed header edge cases
• Fixed: Multiple WebSocket sans-io implementation issues
• Fixed (v0.41.0): Lifespan shutdown reliability when should_exit set during startup; worker restart jitter option

No breaking API changes. No security CVEs filed.

Test suite confidence: Moderate. The test suite spawns uvicorn as a subprocess and waits for port readiness — a startup regression would be caught. Subtle behavioral changes to request handling or WebSocket would not be caught (no unit tests, only e2e happy-path). Given the nature of this change (bug fixes, perf), the risk is low even with limited test coverage.

Verdict: Safe to merge.