workers-runtime-sdk 1.1.1__tar.gz → 1.1.3__tar.gz

{workers_runtime_sdk-1.1.1 → workers_runtime_sdk-1.1.3}/CHANGELOG.md

@@ -2,6 +2,24 @@
 
 <!-- version list -->
 
+## v1.1.3 (2026-05-04)
+
+### Bug Fixes
+
+- Add entropy import context for packages from workerd
+  ([#99](https://github.com/cloudflare/workers-py/pull/99),
+  [`6e574ca`](https://github.com/cloudflare/workers-py/commit/6e574ca000776645d3cf2883e515c96f49a43c2c))
+
+
+## v1.1.2 (2026-04-21)
+
+### Bug Fixes
+
+- Make top level asgi import work with snapshots
+  ([#93](https://github.com/cloudflare/workers-py/pull/93),
+  [`3dd4115`](https://github.com/cloudflare/workers-py/commit/3dd41151d201aca4e1b895638fd3926eb1c68756))
+
+
 ## v1.1.1 (2026-03-18)
 
 ### Bug Fixes

{workers_runtime_sdk-1.1.1 → workers_runtime_sdk-1.1.3}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: workers-runtime-sdk
-Version: 1.1.1
+Version: 1.1.3
 Summary: Python SDK for Cloudflare Workers
 Project-URL: Homepage, https://github.com/cloudflare/workers-py
 Project-URL: Bug Tracker, https://github.com/cloudflare/workers-py/issues

{workers_runtime_sdk-1.1.1 → workers_runtime_sdk-1.1.3}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "workers-runtime-sdk"
-version = "1.1.1"
+version = "1.1.3"
 description = "Python SDK for Cloudflare Workers"
 readme = "README.md"
 requires-python = ">=3.12"
@@ -68,11 +68,10 @@ warn_unreachable = true
 no_implicit_optional = true
 
 [tool.hatch.build.targets.wheel]
-packages = ["src/workers", "src/asgi.py"]
+include = ["src/_*.py", "src/_*.pyi", "src/_*.pth", "src/workers"]
 
-[tool.hatch.build.targets.wheel.force-include]
-"src/_cloudflare_compat_flags.pyi" = "_cloudflare_compat_flags.pyi"
-"src/_pyodide_entrypoint_helper.pyi" = "_pyodide_entrypoint_helper.pyi"
+[tool.hatch.build.targets.wheel.sources]
+"src" = ""
 
 [tool.semantic_release]
 assets = []

workers_runtime_sdk-1.1.3/src/_workers_sdk_entropy_import_context.pth

@@ -0,0 +1 @@
+import _workers_sdk_entropy_import_context

workers_runtime_sdk-1.1.3/src/_workers_sdk_entropy_import_context.py

@@ -0,0 +1,183 @@
+"""
+Top level entropy patches for packages
+"""
+
+import sys
+from contextlib import contextmanager
+
+from _cloudflare.allow_entropy import (
+    allow_bad_entropy_calls,
+)
+from _cloudflare.import_patch_manager import (
+    block_calls,
+    register_after_snapshot,
+    register_before_first_request,
+    register_create_patch,
+    register_exec_patch,
+)
+
+
+class STATE:
+    imported_rust_package = False
+    numpy_random = None
+
+
+@register_create_patch("tiktoken._tiktoken")
+@register_exec_patch("cryptography.exceptions")
+@register_exec_patch("jiter")
+@contextmanager
+def rust_package_context(module):
+    """Rust packages need one entropy call if they create a rust hash map at
+    init time.
+
+    For reasons I don't entirely understand, in Pyodide 0.28 only the first Rust package to be
+    imported makes the get_entropy call. See gen_rust_import_tests() which tests that importing
+    four rust packages in different permutations works correctly.
+    """
+    if STATE.imported_rust_package:
+        yield
+        return
+    STATE.imported_rust_package = True
+    with allow_bad_entropy_calls(1):
+        yield
+
+
+@register_exec_patch("numpy.random")
+@contextmanager
+def numpy_random_context(numpy_random):
+    """numpy.random doesn't call getentropy() itself, but we want to block calls
+    that might use the bad seed.
+
+    TODO: Maybe there are more calls we can whitelist?
+    TODO: Is it not enough to just block numpy.random.mtrand calls?
+    """
+    yield
+    # Calling default_rng() with a given seed is fine, calling it without a seed
+    # will call getentropy() and fail.
+    block_calls(numpy_random, allowlist=("default_rng", "RandomState"))
+
+
+@register_after_snapshot("numpy.random")
+def numpy_random_after_snapshot(numpy_random):
+    r1 = numpy_random.random()
+    numpy_random.set_state(STATE.numpy_random)
+    r2 = numpy_random.random()
+    if r1 != r2:
+        raise RuntimeError("random seed in bad state")
+
+
+@register_before_first_request("numpy.random")
+def numpy_random_before_first_request(numpy_random):
+    numpy_random.seed()
+
+
+@register_exec_patch("numpy.random.mtrand")
+@contextmanager
+def numpy_random_mtrand_context(module):
+    # numpy.random.mtrand calls secrets.randbits at top level to seed itself.
+    # This will fail if we don't let it through.
+    with allow_bad_entropy_calls(1):
+        yield
+    # Block calls until we get a chance to replace the bad random seed.
+    STATE.numpy_random = module.get_state()
+    block_calls(module, allowlist=("RandomState",))
+
+
+@register_exec_patch("pydantic_core")
+@contextmanager
+def pydantic_core_context(module):
+    try:
+        # Initial import needs one entropy call to initialize
+        # std::collections::HashMap hash seed
+        with allow_bad_entropy_calls(1):
+            yield
+    finally:
+        try:
+            with allow_bad_entropy_calls(1):
+                # validate_core_schema makes an ahash::AHashMap which makes
+                # another entropy call for its hash seed. It will throw an error
+                # but only after making the needed entropy call.
+                module.validate_core_schema(None)
+        except module.SchemaError:
+            pass
+
+
+@register_exec_patch("aiohttp.http_websocket")
+@contextmanager
+def aiohttp_http_websocket_context(module):
+    import random
+
+    Random = random.Random
+
+    def patched_Random():
+        return random
+
+    random.Random = patched_Random
+    try:
+        yield
+    finally:
+        random.Random = Random
+
+
+class NoSslFinder:
+    def find_spec(self, fullname, path, target):
+        if fullname == "ssl":
+            raise ModuleNotFoundError(
+                f"No module named {fullname!r}", name=fullname
+            ) from None
+
+
+@contextmanager
+def no_ssl():
+    """
+    Various packages will call ssl.create_default_context() at top level which uses entropy if they
+    can import ssl. By temporarily making importing ssl raise an import error, we exercise the
+    workaround code and so avoid the entropy calls. After, we put the ssl module back to the normal
+    value.
+    """
+    try:
+        f = NoSslFinder()
+        ssl = sys.modules.pop("ssl", None)
+        sys.meta_path.insert(0, f)
+        yield
+    finally:
+        sys.meta_path.remove(f)
+        if ssl:
+            sys.modules["ssl"] = ssl
+
+
+@register_exec_patch("aiohttp.connector")
+@contextmanager
+def aiohttp_connector_context(module):
+    with no_ssl():
+        yield
+
+
+@register_exec_patch("requests.adapters")
+@contextmanager
+def requests_adapters_context(module):
+    with no_ssl():
+        yield
+
+
+@register_exec_patch("urllib3.util.ssl_")
+@contextmanager
+def urllib3_util_ssl__context(module):
+    with no_ssl():
+        yield
+
+
+@register_exec_patch("langsmith._internal._constants")
+@contextmanager
+def langsmith__internal__constants_context(module):
+    # Langsmith uses a UUID to communicate with a background thread. This obviously won't work so we
+    # might as well allow it to make a UUID.
+    with allow_bad_entropy_calls(1):
+        yield
+
+
+@register_exec_patch("langchain_openai.chat_models.base")
+@contextmanager
+def langchain_openai_chat_models_base_context(module):
+    with allow_bad_entropy_calls(1):
+        yield

{workers_runtime_sdk-1.1.1 → workers_runtime_sdk-1.1.3}/src/asgi.py

@@ -7,7 +7,7 @@ from typing import Any
 
 import js
 
-from workers import Context, Request, wait_until
+from workers import Context, Request
 
 ASGI = {"spec_version": "2.0", "version": "3.0"}
 logger = logging.getLogger("asgi")
@@ -221,6 +221,9 @@ async def process_request(
 
     # Create task to run the application in the background
     app_task = create_proxy(create_task(run_app()))
+
+    from workers import wait_until
+
     wait_until(app_task)
 
     try:

{workers_runtime_sdk-1.1.1 → workers_runtime_sdk-1.1.3}/uv.lock

@@ -210,7 +210,7 @@ wheels = [
 
 [[package]]
 name = "workers-runtime-sdk"
-version = "1.1.0"
+version = "1.1.2"
 source = { editable = "." }
 
 [package.dev-dependencies]