Bump h11

[LifeLex]

Summary

h11 has now released version 0.16.0 which amongst other things fixes a vulnerability, I've updated the requirements in uvicorn to use this release instead of targeting the main branch so we can use the latest tagged release and avoid this vulnerability

                            Vulnerable Dependencies                             
┏━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━┓
┃ Package     ┃ Version        ┃ Vulnerability ID            ┃ Fix Versions    ┃
┡━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━┩
│ h11         │ 0.14.0         │ GHSA-vqfr-h8mv-ghfj         │ 0.16.0          │
└─────────────┴────────────────┴─────────────────────────────┴─────────────────┘

Checklist

• I understand that this PR may be closed in case there was no previous discussion. (This doesn't apply to typos!)
• I've added a test for each change that was introduced, and I tried as much as possible to make a single atomic change.
• I've updated the documentation accordingly.

[Kludex]

A note that when a dependency has a vulnerability issue, we are not forced to update the constraints. Users can already bump their h11 version.

The vulnerability is on the dependency, not on uvicorn.

That said, I'll merge this soon.

[MadhavVij]

Any update on when will this be merged and released?

[Kludex]

I think there's a TODO on h11_impl.py about changing something when this is released. I'll check later.

[MadhavVij]

Thanks for the update!

[Kludex]

Well... I'm not sure if you intended to create this PR... This PR doesn't make you require h11 >= 0.16 when installing uvicorn - it just bumps when developing in this repository.

[Kludex]

I'll merge this because it removes the git installation.

[seth-addepar]

To Kludex's point, should we update https://github.com/encode/uvicorn/blob/master/pyproject.toml#L34 to ensure that consumers of uvicorn are not pulling in a vulnerable version of h11?

[Kludex]

No.

There's no need for it.