nomyo-ai/nomyo-router
3
2
Fork 0
Code Issues 2 Pull requests 2 Projects Releases 10 Packages 1 Wiki Activity Actions

chore(deps): update dependency aiohttp to v3.14.1 #114

Merged
alpha-nerd merged 1 commit from renovate/aiohttp-3.x into main 2026-06-13 18:00:23 +02:00
Conversation 0 Commits 1 Files changed 1 +1 -1
renovate-bot commented 2026-06-10 17:30:59 +02:00
Collaborator
Copy link

This PR contains the following updates:

Package Change Age Confidence
aiohttp ==3.14.0==3.14.1 age confidence

Release Notes

aio-libs/aiohttp (aiohttp)

v3.14.1

Compare Source

===================

Bug fixes

  • Fixed a race condition in :py:class:~aiohttp.TCPConnector where closing the connector while a DNS resolution was in-flight could raise :py:exc:AttributeError instead of :py:exc:~aiohttp.ClientConnectionError -- by :user:goingforstudying-ctrl.

    Related issues and pull requests on GitHub:
    :issue:12497.

  • Fixed CancelledError not closing a connection -- by :user:aiolibsbot.

    Related issues and pull requests on GitHub:
    :issue:12795.

  • Tightened up some websocket parser checks -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:12817.

  • Fixed :class:~aiohttp.CookieJar dropping the host-only flag of cookies when persisted with :meth:~aiohttp.CookieJar.save and reloaded with :meth:~aiohttp.CookieJar.load, so a cookie set without a Domain attribute is again scoped to the exact host that set it after a reload; the absolute expiration deadline is now persisted as well, so a reloaded cookie keeps its original lifetime instead of being rescheduled from the load time. :meth:~aiohttp.CookieJar.load now replaces the jar contents rather than merging onto prior state, and loaded cookies pass through the same acceptance rules as :meth:~aiohttp.CookieJar.update_cookies, so a cookie for an IP-address host is dropped when loaded into a jar created without unsafe=True -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12824.

  • Scoped :class:~aiohttp.DigestAuthMiddleware credentials to the origin of the first request it handles, so a redirect to a different origin no longer triggers a digest response computed from the configured credentials; a challenge from another origin is only answered when that origin falls within a protection space advertised by the anchor origin through the RFC 7616 domain directive -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12825.

  • Fixed the C HTTP parser not enforcing max_line_size on a request target or response reason phrase that is split across multiple reads; each fragment was checked on its own, so an accumulated line could exceed the limit without raising LineTooLong. The accumulated length is now checked, matching the pure-Python parser -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12826.

  • Changed :class:~aiohttp.TCPConnector to reject legacy non-canonical numeric IPv4 host forms such as 2130706433, 017700000001 and 127.1 with :exc:~aiohttp.InvalidUrlClientError; only canonical dotted-quad IPv4 literals are now treated as IP address literals, while every other host is sent through the configured resolver -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12827.

  • Fixed :meth:~aiohttp.StreamReader.readany and :meth:~aiohttp.StreamReader.read_nowait joining data fed back into the buffer during the call (when draining below the low water mark resumes reading) into a single unbounded :class:bytes; a call now returns only the chunks that were buffered when it started, keeping the drain of an unread auto-decompressed request body bounded by the read buffer -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12828.

  • Bounded the number of parsed-but-unhandled pipelined HTTP/1 requests buffered per connection on the server; once the queue reaches an internal limit the parser stops emitting and the transport is paused, resuming as the request handler drains the queue, so a client keeping one handler busy can no longer accumulate an unbounded backlog of pipelined requests -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12830.

  • Fixed :meth:aiohttp.web.Response.write_eof skipping Payload.close() when the body write was interrupted by an error or cancellation, for example when a client disconnects mid-response; the payload close hook now runs in a finally so a :class:~aiohttp.payload.Payload body always releases its resources -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12831.

  • Fixed the pure-Python HTTP parser not enforcing max_line_size on a chunk-size line when the whole line arrived in a single read; the limit was only applied to chunk-size metadata split across reads. The complete-line case is now checked too, matching the split-line behavior -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12832.

  • Included the per-request server_hostname override in the :class:~aiohttp.TCPConnector connection pool key, so a pooled TLS connection is no longer reused for a request that sets server_hostname to a different value -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12835.

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [aiohttp](https://github.com/aio-libs/aiohttp) | `==3.14.0` → `==3.14.1` | ![age](https://developer.mend.io/api/mc/badges/age/pypi/aiohttp/3.14.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/aiohttp/3.14.0/3.14.1?slim=true) | --- ### Release Notes <details> <summary>aio-libs/aiohttp (aiohttp)</summary> ### [`v3.14.1`](https://github.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#3141-2026-06-07) [Compare Source](https://github.com/aio-libs/aiohttp/compare/v3.14.0...v3.14.1) \=================== ## Bug fixes - Fixed a race condition in :py:class:`~aiohttp.TCPConnector` where closing the connector while a DNS resolution was in-flight could raise :py:exc:`AttributeError` instead of :py:exc:`~aiohttp.ClientConnectionError` -- by :user:`goingforstudying-ctrl`. *Related issues and pull requests on GitHub:* :issue:`12497`. - Fixed `CancelledError` not closing a connection -- by :user:`aiolibsbot`. *Related issues and pull requests on GitHub:* :issue:`12795`. - Tightened up some websocket parser checks -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`12817`. - Fixed :class:`~aiohttp.CookieJar` dropping the host-only flag of cookies when persisted with :meth:`~aiohttp.CookieJar.save` and reloaded with :meth:`~aiohttp.CookieJar.load`, so a cookie set without a `Domain` attribute is again scoped to the exact host that set it after a reload; the absolute expiration deadline is now persisted as well, so a reloaded cookie keeps its original lifetime instead of being rescheduled from the load time. :meth:`~aiohttp.CookieJar.load` now replaces the jar contents rather than merging onto prior state, and loaded cookies pass through the same acceptance rules as :meth:`~aiohttp.CookieJar.update_cookies`, so a cookie for an IP-address host is dropped when loaded into a jar created without `unsafe=True` -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12824`. - Scoped :class:`~aiohttp.DigestAuthMiddleware` credentials to the origin of the first request it handles, so a redirect to a different origin no longer triggers a digest response computed from the configured credentials; a challenge from another origin is only answered when that origin falls within a protection space advertised by the anchor origin through the RFC 7616 `domain` directive -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12825`. - Fixed the C HTTP parser not enforcing `max_line_size` on a request target or response reason phrase that is split across multiple reads; each fragment was checked on its own, so an accumulated line could exceed the limit without raising `LineTooLong`. The accumulated length is now checked, matching the pure-Python parser -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12826`. - Changed :class:`~aiohttp.TCPConnector` to reject legacy non-canonical numeric IPv4 host forms such as `2130706433`, `017700000001` and `127.1` with :exc:`~aiohttp.InvalidUrlClientError`; only canonical dotted-quad IPv4 literals are now treated as IP address literals, while every other host is sent through the configured resolver -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12827`. - Fixed :meth:`~aiohttp.StreamReader.readany` and :meth:`~aiohttp.StreamReader.read_nowait` joining data fed back into the buffer during the call (when draining below the low water mark resumes reading) into a single unbounded :class:`bytes`; a call now returns only the chunks that were buffered when it started, keeping the drain of an unread auto-decompressed request body bounded by the read buffer -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12828`. - Bounded the number of parsed-but-unhandled pipelined HTTP/1 requests buffered per connection on the server; once the queue reaches an internal limit the parser stops emitting and the transport is paused, resuming as the request handler drains the queue, so a client keeping one handler busy can no longer accumulate an unbounded backlog of pipelined requests -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12830`. - Fixed :meth:`aiohttp.web.Response.write_eof` skipping `Payload.close()` when the body write was interrupted by an error or cancellation, for example when a client disconnects mid-response; the payload close hook now runs in a `finally` so a :class:`~aiohttp.payload.Payload` body always releases its resources -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12831`. - Fixed the pure-Python HTTP parser not enforcing `max_line_size` on a chunk-size line when the whole line arrived in a single read; the limit was only applied to chunk-size metadata split across reads. The complete-line case is now checked too, matching the split-line behavior -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12832`. - Included the per-request `server_hostname` override in the :class:`~aiohttp.TCPConnector` connection pool key, so a pooled TLS connection is no longer reused for a request that sets `server_hostname` to a different value -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12835`. *** </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNjguNSIsInVwZGF0ZWRJblZlciI6IjQzLjE2OC41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->
renovate-bot added the
dependencies
 label 2026-06-10 17:30:59 +02:00
renovate-bot added 1 commit 2026-06-10 17:31:00 +02:00
chore(deps): update dependency aiohttp to v3.14.1
All checks were successful
PR Tests / test (pull_request) Successful in 1m16s
Details
NYX Security Scan / nyx-scan (pull_request) Successful in 6m3s
Details
e025e75c76
renovate-bot scheduled this pull request to auto merge when all checks succeed 2026-06-10 17:31:06 +02:00
renovate-bot force-pushed renovate/aiohttp-3.x from e025e75c76 to a2e4807475 2026-06-13 10:30:16 +02:00 Compare
alpha-nerd merged commit c1c7e54c4f into main 2026-06-13 18:00:23 +02:00
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels   
bug

Something is not working

  
dependencies

dependency management

  
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
help wanted

Need some help

  
invalid

Something is wrong

  
question

More information is needed

  
renovate: stop-updating

stop renovate-bot pushing

  
wontfix

This won't be fixed

  
bug

Something is not working

  
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
help wanted

Need some help

  
invalid

Something is wrong

  
question

More information is needed

  
renovate: stop-updating

cmd renovate to stop updating the pr

  
security

CVE warning

  
wontfix

This won't be fixed

No labels
bug
dependencies
duplicate
enhancement
help wanted
invalid
question
renovate: stop-updating
wontfix
bug
duplicate
enhancement
help wanted
invalid
question
renovate: stop-updating
security
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: nomyo-ai/nomyo-router#114
No description provided.
Delete branch "renovate/aiohttp-3.x"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?