The Fix
Upgrade to version 0.13.0 or later.
Based on closed encode/httpx issue #772 · PR/commit linked
Production note: Most teams hit this during upgrades or environment changes. Roll out with a canary and smoke critical endpoints (health, OpenAPI/docs) before 100%.
@@ -32,46 +32,46 @@ Debug output:
```console
$ HTTPX_LOG_LEVEL=debug python test_script.py
-DEBUG [2019-11-06 19:11:24] httpx.client - HTTP Request: GET https://google.com "HTTP/1.1 301 Moved Permanently"
-DEBUG [2019-11-06 19:11:24] httpx.client - HTTP Request: GET https://www.google.com/ "HTTP/1.1 200 OK"
+DEBUG [2019-11-06 19:11:24] httpx._client - HTTP Request: GET https://google.com "HTTP/1.1 301 Moved Permanently"
fix.md
Option A — Upgrade to fixed release\nUpgrade to version 0.13.0 or later.\nWhen NOT to use: This fix should not be used if users rely on sub-module imports.\n\n
Why This Fix Works in Production
- Trigger: This isn't *strictly* a breaking API change, but we *would* only want to make it on a median version bump (0.12.0 or 1.0.0), since it's likely that at least…
- Mechanism: Switching to private module names enforces public API usage
- Why the fix works: Switches to private module names to enforce public API usage. (first fixed release: 0.13.0).
Production impact:
- If left unfixed, the same config can fail only in production (env differences), causing startup failures or partial feature outages.
Why This Breaks in Prod
- Switching to private module names enforces public API usage
- Production symptom (often without a traceback): from httpx.config import SSLConfig
Proof / Evidence
- GitHub issue: #772
- Fix PR: https://github.com/encode/httpx/pull/785
- First fixed release: 0.13.0
- Reproduced locally: No (not executed)
- Last verified: 2026-02-09
- Confidence: 0.85
- Did this fix it?: Yes (upstream fix exists)
- Own content ratio: 0.62
Discussion
High-signal excerpts from the issue thread (symptoms, repros, edge-cases).
“> 💯 yes to this! Fantastic! I think this would be a good enough motivation to release a 0.12.0, where we start bolting down our…”
“Can you make ByteStream and AsyncDispatcher public? We need them in https://github.com/lepture/authlib/pull/209/files”
“💯 yes to this! Agreed that we can start with private modules/sub-packages, and then review methods on public classes later.”
Failure Signature (Search String)
- This isn't *strictly* a breaking API change, but we *would* only want to make it on a median version bump (0.12.0 or 1.0.0), since it's likely that at least *some* of our users
Copy-friendly signature
signature.txt
Failure Signature
-----------------
from httpx.config import SSLConfig
This isn't *strictly* a breaking API change, but we *would* only want to make it on a median version bump (0.12.0 or 1.0.0), since it's likely that at least *some* of our users are currently using sub-module import styles.
Error Message
Signature-only (no traceback captured)
error.txt
Error Message
-------------
from httpx.config import SSLConfig
This isn't *strictly* a breaking API change, but we *would* only want to make it on a median version bump (0.12.0 or 1.0.0), since it's likely that at least *some* of our users are currently using sub-module import styles.
What Broke
Users may inadvertently use non-public APIs leading to unexpected behavior.
Why It Broke
Switching to private module names enforces public API usage
Fix Options (Details)
Option A — Upgrade to fixed release Safe default (recommended)
Upgrade to version 0.13.0 or later.
When NOT to use: This fix should not be used if users rely on sub-module imports.
Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.
Option D — Guard side-effects with OnceOnly Guardrail for side-effects
Mitigate duplicate external side-effects under retries/timeouts/agent loops by gating the operation before calling external systems.
- Place OnceOnly between your code/agent and real side-effects (Stripe, emails, CRM, APIs).
- Use a stable key per side-effect (e.g., customer_id + action + idempotency_key).
- Fail-safe: configure fail-open vs fail-closed based on blast radius and spend risk.
Show example snippet (optional)
onceonly.py
from onceonly import OnceOnly
import os
once = OnceOnly(api_key=os.environ["ONCEONLY_API_KEY"], fail_open=True)
# Stable idempotency key per real side-effect.
# Use a request id / job id / webhook delivery id / Stripe event id, etc.
event_id = "evt_..." # replace
key = f"stripe:webhook:{event_id}"
res = once.check_lock(key=key, ttl=3600)
if res.duplicate:
return {"status": "already_processed"}
# Safe to execute the side-effect exactly once.
handle_event(event_id)
When NOT to use: Do not use this to hide logic bugs or data corruption. Use it to block duplicate external side-effects and enforce tool permissions/spend caps.
Fix reference: https://github.com/encode/httpx/pull/785
First fixed release: 0.13.0
Last verified: 2026-02-09. Validate in your environment.
When NOT to Use This Fix
- This fix should not be used if users rely on sub-module imports.
- Do not use this to hide logic bugs or data corruption. Use it to block duplicate external side-effects and enforce tool permissions/spend caps.
Did This Fix Work in Your Case?
Quick signal helps us prioritize which fixes to verify and improve.
Prevention
- Add a CI check that diffs key outputs after upgrades (OpenAPI schema snapshots, JSON payload shapes, CLI output).
- Upgrade behind a canary and run integration tests against the canary before 100% rollout.
- Add a TLS smoke test that performs a real handshake in CI (include CA bundle validation and hostname checks).
- Alert on handshake failures by error string and endpoint to catch cert/CA changes quickly.
Version Compatibility Table
| Version | Status |
|---|---|
| 0.13.0 | Fixed |
Related Issues
No related fixes found.
Sources
We don’t republish the full GitHub discussion text. Use the links above for context.