nomyo-ai/nomyo-router
3
2
Fork 0
Code Issues 2 Pull requests 6 Projects Releases 10 Packages 1 Wiki Activity Actions 2

chore(deps): update dependency aiohttp to v3.14.1 - autoclosed #108

Closed
renovate-bot wants to merge 1 commit from renovate/aiohttp-3.x into main
pull from: renovate/aiohttp-3.x
merge into: nomyo-ai:main
Conversation 0 Commits 1 Files changed 1 +1 -1
renovate-bot commented 2026-06-08 09:29:32 +02:00
Collaborator
Copy link

This PR contains the following updates:

Package Change Age Confidence
aiohttp ==3.13.5==3.14.1 age confidence

Release Notes

aio-libs/aiohttp (aiohttp)

v3.14.1

Compare Source

===================

Bug fixes

  • Fixed a race condition in :py:class:~aiohttp.TCPConnector where closing the connector while a DNS resolution was in-flight could raise :py:exc:AttributeError instead of :py:exc:~aiohttp.ClientConnectionError -- by :user:goingforstudying-ctrl.

    Related issues and pull requests on GitHub:
    :issue:12497.

  • Fixed CancelledError not closing a connection -- by :user:aiolibsbot.

    Related issues and pull requests on GitHub:
    :issue:12795.

  • Tightened up some websocket parser checks -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:12817.

  • Fixed :class:~aiohttp.CookieJar dropping the host-only flag of cookies when persisted with :meth:~aiohttp.CookieJar.save and reloaded with :meth:~aiohttp.CookieJar.load, so a cookie set without a Domain attribute is again scoped to the exact host that set it after a reload; the absolute expiration deadline is now persisted as well, so a reloaded cookie keeps its original lifetime instead of being rescheduled from the load time. :meth:~aiohttp.CookieJar.load now replaces the jar contents rather than merging onto prior state, and loaded cookies pass through the same acceptance rules as :meth:~aiohttp.CookieJar.update_cookies, so a cookie for an IP-address host is dropped when loaded into a jar created without unsafe=True -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12824.

  • Scoped :class:~aiohttp.DigestAuthMiddleware credentials to the origin of the first request it handles, so a redirect to a different origin no longer triggers a digest response computed from the configured credentials; a challenge from another origin is only answered when that origin falls within a protection space advertised by the anchor origin through the RFC 7616 domain directive -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12825.

  • Fixed the C HTTP parser not enforcing max_line_size on a request target or response reason phrase that is split across multiple reads; each fragment was checked on its own, so an accumulated line could exceed the limit without raising LineTooLong. The accumulated length is now checked, matching the pure-Python parser -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12826.

  • Changed :class:~aiohttp.TCPConnector to reject legacy non-canonical numeric IPv4 host forms such as 2130706433, 017700000001 and 127.1 with :exc:~aiohttp.InvalidUrlClientError; only canonical dotted-quad IPv4 literals are now treated as IP address literals, while every other host is sent through the configured resolver -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12827.

  • Fixed :meth:~aiohttp.StreamReader.readany and :meth:~aiohttp.StreamReader.read_nowait joining data fed back into the buffer during the call (when draining below the low water mark resumes reading) into a single unbounded :class:bytes; a call now returns only the chunks that were buffered when it started, keeping the drain of an unread auto-decompressed request body bounded by the read buffer -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12828.

  • Bounded the number of parsed-but-unhandled pipelined HTTP/1 requests buffered per connection on the server; once the queue reaches an internal limit the parser stops emitting and the transport is paused, resuming as the request handler drains the queue, so a client keeping one handler busy can no longer accumulate an unbounded backlog of pipelined requests -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12830.

  • Fixed :meth:aiohttp.web.Response.write_eof skipping Payload.close() when the body write was interrupted by an error or cancellation, for example when a client disconnects mid-response; the payload close hook now runs in a finally so a :class:~aiohttp.payload.Payload body always releases its resources -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12831.

  • Fixed the pure-Python HTTP parser not enforcing max_line_size on a chunk-size line when the whole line arrived in a single read; the limit was only applied to chunk-size metadata split across reads. The complete-line case is now checked too, matching the split-line behavior -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12832.

  • Included the per-request server_hostname override in the :class:~aiohttp.TCPConnector connection pool key, so a pooled TLS connection is no longer reused for a request that sets server_hostname to a different value -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12835.

v3.14.0

Compare Source

===================

We have a new website! https://aio-libs.org
Subscribe to the news feed to find out more about what we're working on in future.

Features

  • Added RequestKey and ResponseKey classes,
    which enable static type checking for request & response
    context storages in the same way that AppKey does for Application
    -- by :user:gsoldatov.

    Related issues and pull requests on GitHub:
    :issue:11766.

  • Added :func:~aiohttp.encode_basic_auth for encoding HTTP Basic
    Authentication credentials. Replaces the now-deprecated
    aiohttp.BasicAuth -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:12499.

  • Started accepting :term:asynchronous context managers <asynchronous context manager> for cleanup contexts.
    Legacy single-yield :term:asynchronous generator cleanup contexts continue to be
    supported; async context managers are adapted internally so they are
    entered at startup and exited during cleanup.

    -- by :user:MannXo.

    Related issues and pull requests on GitHub:
    :issue:11681.

  • Added :py:attr:~aiohttp.CookieJar.cookies and :py:attr:~aiohttp.CookieJar.host_only_cookies read-only properties to :py:class:~aiohttp.CookieJar exposing the stored cookies with their full attributes -- by :user:Br1an67.

    Related issues and pull requests on GitHub:
    :issue:3951.

  • Added :py:attr:~aiohttp.web.TCPSite.port accessor for dynamic port allocations in :class:~aiohttp.web.TCPSite -- by :user:twhittock-disguise and :user:rodrigobnogueira.

    Related issues and pull requests on GitHub:
    :issue:10665.

  • Added decode_text parameter to :meth:~aiohttp.ClientSession.ws_connect and :class:~aiohttp.web.WebSocketResponse to receive WebSocket TEXT messages as raw bytes instead of decoded strings, enabling direct use with high-performance JSON parsers like orjson -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:11763, :issue:11764.

  • Large overhaul of parser/decompression code.

    The zip bomb security fix in 3.13 stopped highly compressed payloads
    from being decompressed, regardless of validity. Now aiohttp will
    decompress such payloads in chunks of 256+ KiB, allowing safe decompression
    of such payloads.

    -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:11966.

  • Added explicit APIs for bytes-returning JSON serializer:
    JSONBytesEncoder type, JsonBytesPayload,
    :func:~aiohttp.web.json_bytes_response,
    :meth:~aiohttp.web.WebSocketResponse.send_json_bytes and
    :meth:~aiohttp.ClientWebSocketResponse.send_json_bytes methods, and
    json_serialize_bytes parameter for :class:~aiohttp.ClientSession
    -- by :user:kevinpark1217.

    Related issues and pull requests on GitHub:
    :issue:11989.

  • Added :attr:~aiohttp.ClientResponse.output_size and
    :attr:~aiohttp.ClientResponse.upload_complete -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:12452.

Bug fixes

  • Fixed ZLibDecompressor silently dropping data past the first
    member when decompressing concatenated gzip/deflate streams. Each subsequent
    member is now handed to a fresh decompressor, matching the behaviour already
    implemented for ZSTD multi-frame streams.

    -- by :user:Ashutosh-177

    Related issues and pull requests on GitHub:
    :issue:7157.

  • Improved the parser error message shown when TLS handshake bytes are received on an HTTP port -- by :user:puneetdixit200.

    Related issues and pull requests on GitHub:
    :issue:10142.

  • Fixed the C parser failing to reject a response with a body when none was expected -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:10587.

  • Fixed http parser not rejecting HTTP/1.1 requests that do not have valid Host header.
    -- by :user:Cycloctane.

    Related issues and pull requests on GitHub:
    :issue:10600.

  • Fixed misleading TLS-in-TLS warning being emitted when sending HTTPS requests through an HTTP proxy. The warning now only fires when the proxy itself uses HTTPS, which is the only case where TLS-in-TLS actually applies -- by :user:wavebyrd.

    Related issues and pull requests on GitHub:
    :issue:10683.

  • Fixed AssertionError when the transport is None during WebSocket
    preparation or file response sending (e.g. when a client disconnects
    immediately after connecting). A ConnectionResetError is now raised
    instead -- by :user:agners.

    Related issues and pull requests on GitHub:
    :issue:11761.

  • Fixed ad-hoc cookies passed to individual requests not being sent when the session's cookie jar has unsafe=True and the target URL uses an IP address, by copying the unsafe setting from the session's cookie jar to the temporary cookie jar -- by :user:Krishnachaitanyakc.

    Related issues and pull requests on GitHub:
    :issue:12011.

  • Reset the WebSocket heartbeat timer on inbound data to avoid false ping/pong timeouts while receiving large frames
    -- by :user:hoffmang9.

    Related issues and pull requests on GitHub:
    :issue:12030.

  • Switched :py:meth:~aiohttp.CookieJar.save to use JSON format and
    :py:meth:~aiohttp.CookieJar.load to try JSON first with a fallback to
    a restricted pickle unpickler -- by :user:YuvalElbar6.

    Related issues and pull requests on GitHub:
    :issue:12091.

  • Fixed redirects with consumed non-rewindable request bodies to raise
    :class:aiohttp.ClientPayloadError instead of silently sending an empty body.

    Related issues and pull requests on GitHub:
    :issue:12195.

  • Fixed zstd decompression failing with ClientPayloadError when the server
    sends a response as multiple zstd frames -- by :user:josu-moreno.

    Related issues and pull requests on GitHub:
    :issue:12234.

  • Fixed spurious Future exception was never retrieved warning on disconnect during back-pressure -- by :user:availov.

    Related issues and pull requests on GitHub:
    :issue:12281.

  • Cookiejar.save() now uses 0x600 permissions to better protect them from being read by other users -- by :user:digiscrypt.

    Related issues and pull requests on GitHub:
    :issue:12312.

  • Fixed a crash (:external+python:exc:~http.cookies.CookieError) in the cookie parser when receiving cookies
    containing ASCII control characters on CPython builds with the :cve:2026-3644
    patch. The parser now gracefully skips cookies whose value contains control
    characters instead of letting the exception propagate -- by :user:rodrigobnogueira.

    Related issues and pull requests on GitHub:
    :issue:12395.

  • Fixed digest authentication failing for requests whose path or query string contains percent-encoded reserved characters; the digest signature now uses the encoded request-target that is sent on the wire instead of the decoded form -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12436.

  • Fixed :func:aiohttp.web.run_app losing inner traceback frames when an
    exception is raised during application startup (e.g. inside
    cleanup_ctx or on_startup). Regression since 3.10.6.

    Related issues and pull requests on GitHub:
    :issue:12493.

  • Fixed per-request cookies not being dropped on cross-origin redirects -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:12550.

  • Fixed invalid bytes being allowed in multipart/payload headers -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:12719.

  • Fixed :py:meth:~aiohttp.FormData.add_field accepting invalid bytes in name and filename -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:12721.

  • Fixed websocket upgrade occurring when header contained a value like notupgrade -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:12723.

Deprecations (removal in next major release)

  • Deprecated aiohttp.BasicAuth and the auth / proxy_auth
    parameters. They will be removed in aiohttp 4.0. Use the new
    :func:~aiohttp.encode_basic_auth helper together with
    headers={"Authorization": ...} (or
    proxy_headers={"Proxy-Authorization": ...} for proxies) instead.
    Note that encode_basic_auth() defaults to utf-8, not latin1
    -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:12499.

  • Added deprecation warning to aiohttp.pytest_plugin, please switch to pytest-aiohttp -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:10785.

Removals and backward incompatible breaking changes

  • Stopped calling :func:socket.getfqdn as the fallback for
    :attr:aiohttp.web.BaseRequest.host. :func:socket.getfqdn
    performs blocking reverse DNS resolution on the event loop
    thread and can stall a worker for many seconds when the system
    resolver is slow, and could be triggered remotely by an HTTP/1.0
    request that omits the Host header. The fallback when no
    Host header is present is now the local socket address the
    request arrived on (transport sockname), or an empty string
    if no transport information is available. Code that relied on
    the FQDN being returned must now read it from
    :func:socket.getfqdn directly, off the event loop
    -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:9308, :issue:12597.

  • Dropped support for Python 3.9 -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:11601.

  • Tightened outbound header serialization to reject all ASCII control
    characters forbidden by :rfc:9110#section-5.5 and :rfc:9112#section-4
    (0x00-0x08, 0x0A-0x1F, 0x7F) in status lines,
    header field-names, and field-values. Previously only CR, LF and NUL were
    rejected. HTAB (0x09) remains permitted in field values. Applications
    that placed bare control characters in outbound headers will now raise
    :exc:ValueError instead of emitting non-RFC-compliant bytes -- by :user:rodrigobnogueira.

    Related issues and pull requests on GitHub:
    :issue:12689.

Improved documentation

  • Replaced the deprecated ujson library with orjson in the
    client quickstart documentation. ujson has been put into
    maintenance-only mode; orjson is the recommended alternative.
    -- by :user:indoor47

    Related issues and pull requests on GitHub:
    :issue:10795.

  • Added the :doc:threat_model to the Sphinx documentation -- by :user:omkar-334.

    Related issues and pull requests on GitHub:
    :issue:12549.

  • Removed archived and deprecated repositories from third party list -- by :user:Polandia94.

    Related issues and pull requests on GitHub:
    :issue:12726.

  • Added aiointercept to list of third-party libraries -- by :user:Polandia94.

    Related issues and pull requests on GitHub:
    :issue:12727.

Packaging updates and notes for downstreams

  • Added wheels for Android and iOS platforms -- by :user:timrid.

    Related issues and pull requests on GitHub:
    :issue:11750.

  • Parallelized the Cython extension compilation by defaulting
    build_ext.parallel to os.cpu_count(), so each module's
    gcc invocation now runs concurrently instead of one at a time
    -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12576.

  • Submitted vendored llhttp to Github's SBOM -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:12678.

  • Updated llhttp to v9.4.1 -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:12681.

Contributor-facing changes

  • The coverage tool is now configured using the new native
    auto-discovered :file:.coveragerc.toml file
    -- by :user:webknjaz.

    It is also set up to use the ctrace core that works
    around the performance issues in the sysmon tracer
    which is default under Python 3.14.

    Related issues and pull requests on GitHub:
    :issue:11826.

  • Fixed and reworked autobahn tests -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:12173.

  • Added a CI job to measure Cython coverage -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:12349.

  • Disabled coverage and xdist by default to ease local development -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:12364.

  • Avoid installation of backports.zstd on Python 3.14 in linting dependency set
    -- by :user:seifertm.

    Related issues and pull requests on GitHub:
    :issue:12406.

  • Added --durations=30 to the benchmark CI run so the slowest tests are reported when the job hits its timeout -- by :user:aiolibsbot.

    Related issues and pull requests on GitHub:
    :issue:12562.

  • Fixed two flakey test_middleware_uses_session_avoids_recursion_with_* tests
    that hard coded localhost in the inner middleware request; they now target
    the bound server URL so happy eyeballs cannot pick an unbound address on
    Windows runners -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12571.

  • Restricted the isal test dependency to CPython, since
    isal 1.8.0 stopped publishing PyPy wheels and the source
    build requires nasm, which is not available on the CI
    runners. The parametrize_zlib_backend fixture already
    calls pytest.importorskip, so PyPy continues to exercise
    the zlib and zlib_ng backends with no further
    changes -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12589.

  • Fixed a flakey test_tcp_connector_fingerprint_ok by aborting
    the SSL shutdown on the test's TCP connector before returning.
    The graceful TLS close was occasionally outliving the test event
    loop on one of the CI jobs, and the teardown gc.collect()
    then surfaced the still-open transport as a
    PytestUnraisableExceptionWarning -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12592.

  • Switched the cibuildwheel build frontend to build[uv] so
    that uv provisions every build-isolation virtual environment
    in the wheel matrix, replacing the per-ABI pip resolve with a
    roughly sub-second uv resolve
    -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12595.

  • Fixed flaky test_handler_returns_not_response and
    test_handler_returns_none by routing loop.set_debug(True)
    through a new loop_debug_mode fixture that disables debug
    mode before the aiohttp_client fixture finalizes. Leaving
    debug on through teardown let PyPy 3.11's asyncio slow-callback
    logger walk into Task.__repr__ during connector close,
    surfacing a spurious RuntimeWarning: coroutine was never awaited -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12603.

  • Reduced runtime of several of the slowest unit tests
    (decompress size-limit payloads from 64 MiB to 2 MiB,
    test_chunk_splits_after_pause chunk count from 50000
    to 20000, and test_set_cookies_max_age sleep from 2
    seconds to 1.1 seconds) without changing what they
    exercise -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12606.

  • Added a default 120-second per-test timeout via pytest-timeout so a
    hung test surfaces by name in CI output instead of getting hidden behind
    the job-level timeout added in :pr:12619. The autobahn and
    benchmark jobs opt out with --timeout=0 -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12624.

  • Switched the CI test and autobahn jobs from
    actions/setup-python to astral-sh/setup-uv for installing
    interpreters, cutting the Setup Python step from 40-58s to a
    few seconds on macos-latest and windows-latest runners for
    variants not in the hosted tool-cache (notably the free-threaded
    3.14t)
    -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12629.

  • Made the pip command used by the :file:Makefile configurable via a
    PIP variable; downstream consumers can now run, for example,
    make .develop PIP="uv pip" to install via uv without us
    maintaining a parallel target
    -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12641.

  • Allowed re-running the deploy job in .github/workflows/ci-cd.yml
    after a partial release failure: the Make Release step now skips
    when the GitHub Release already exists, and the PyPI publish step uses
    skip-existing so dists that were already uploaded on a prior
    attempt do not break the retry -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12651.

  • Switched the armv7l wheel builds onto GitHub's hosted ARM runners. The
    32-bit ARM build still runs under QEMU, but the host is now aarch64
    rather than x86_64, so the emulation overhead drops sharply
    -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12655.

Miscellaneous internal changes

  • Added win_arm64 to the wheels that gets pushed to PyPI
    -- by :user:AraHaan.

    Related issues and pull requests on GitHub:
    :issue:11937.

  • Added cdef type declarations and inlined the upgrade check in the HTTP parser
    -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12321.

  • Changed zlib_executor_size default so compressed payloads are async by default -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:12358.

  • Added THREAT_MODEL.md detailing our security stance -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:12512.

  • Reduced payload sizes and request counts in the slowest client and URL
    dispatcher benchmarks so they no longer dominate CI runtime
    -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12569.

  • Improved ContentLengthError exception messages to include both expected and received byte counts. This enhancement provides better diagnostics when debugging response body size mismatches
    -- by :user:bdraco and :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:12753.

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [aiohttp](https://github.com/aio-libs/aiohttp) | `==3.13.5` → `==3.14.1` | ![age](https://developer.mend.io/api/mc/badges/age/pypi/aiohttp/3.14.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/aiohttp/3.13.5/3.14.1?slim=true) | --- ### Release Notes <details> <summary>aio-libs/aiohttp (aiohttp)</summary> ### [`v3.14.1`](https://github.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#3141-2026-06-07) [Compare Source](https://github.com/aio-libs/aiohttp/compare/v3.14.0...v3.14.1) \=================== ## Bug fixes - Fixed a race condition in :py:class:`~aiohttp.TCPConnector` where closing the connector while a DNS resolution was in-flight could raise :py:exc:`AttributeError` instead of :py:exc:`~aiohttp.ClientConnectionError` -- by :user:`goingforstudying-ctrl`. *Related issues and pull requests on GitHub:* :issue:`12497`. - Fixed `CancelledError` not closing a connection -- by :user:`aiolibsbot`. *Related issues and pull requests on GitHub:* :issue:`12795`. - Tightened up some websocket parser checks -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`12817`. - Fixed :class:`~aiohttp.CookieJar` dropping the host-only flag of cookies when persisted with :meth:`~aiohttp.CookieJar.save` and reloaded with :meth:`~aiohttp.CookieJar.load`, so a cookie set without a `Domain` attribute is again scoped to the exact host that set it after a reload; the absolute expiration deadline is now persisted as well, so a reloaded cookie keeps its original lifetime instead of being rescheduled from the load time. :meth:`~aiohttp.CookieJar.load` now replaces the jar contents rather than merging onto prior state, and loaded cookies pass through the same acceptance rules as :meth:`~aiohttp.CookieJar.update_cookies`, so a cookie for an IP-address host is dropped when loaded into a jar created without `unsafe=True` -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12824`. - Scoped :class:`~aiohttp.DigestAuthMiddleware` credentials to the origin of the first request it handles, so a redirect to a different origin no longer triggers a digest response computed from the configured credentials; a challenge from another origin is only answered when that origin falls within a protection space advertised by the anchor origin through the RFC 7616 `domain` directive -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12825`. - Fixed the C HTTP parser not enforcing `max_line_size` on a request target or response reason phrase that is split across multiple reads; each fragment was checked on its own, so an accumulated line could exceed the limit without raising `LineTooLong`. The accumulated length is now checked, matching the pure-Python parser -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12826`. - Changed :class:`~aiohttp.TCPConnector` to reject legacy non-canonical numeric IPv4 host forms such as `2130706433`, `017700000001` and `127.1` with :exc:`~aiohttp.InvalidUrlClientError`; only canonical dotted-quad IPv4 literals are now treated as IP address literals, while every other host is sent through the configured resolver -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12827`. - Fixed :meth:`~aiohttp.StreamReader.readany` and :meth:`~aiohttp.StreamReader.read_nowait` joining data fed back into the buffer during the call (when draining below the low water mark resumes reading) into a single unbounded :class:`bytes`; a call now returns only the chunks that were buffered when it started, keeping the drain of an unread auto-decompressed request body bounded by the read buffer -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12828`. - Bounded the number of parsed-but-unhandled pipelined HTTP/1 requests buffered per connection on the server; once the queue reaches an internal limit the parser stops emitting and the transport is paused, resuming as the request handler drains the queue, so a client keeping one handler busy can no longer accumulate an unbounded backlog of pipelined requests -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12830`. - Fixed :meth:`aiohttp.web.Response.write_eof` skipping `Payload.close()` when the body write was interrupted by an error or cancellation, for example when a client disconnects mid-response; the payload close hook now runs in a `finally` so a :class:`~aiohttp.payload.Payload` body always releases its resources -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12831`. - Fixed the pure-Python HTTP parser not enforcing `max_line_size` on a chunk-size line when the whole line arrived in a single read; the limit was only applied to chunk-size metadata split across reads. The complete-line case is now checked too, matching the split-line behavior -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12832`. - Included the per-request `server_hostname` override in the :class:`~aiohttp.TCPConnector` connection pool key, so a pooled TLS connection is no longer reused for a request that sets `server_hostname` to a different value -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12835`. *** ### [`v3.14.0`](https://github.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#3140-2026-06-01) [Compare Source](https://github.com/aio-libs/aiohttp/compare/v3.13.5...v3.14.0) \=================== We have a new website! <https://aio-libs.org> Subscribe to the news feed to find out more about what we're working on in future. ## Features - Added `RequestKey` and `ResponseKey` classes, which enable static type checking for request & response context storages in the same way that `AppKey` does for `Application` \-- by :user:`gsoldatov`. *Related issues and pull requests on GitHub:* :issue:`11766`. - Added :func:`~aiohttp.encode_basic_auth` for encoding HTTP Basic Authentication credentials. Replaces the now-deprecated `aiohttp.BasicAuth` -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`12499`. - Started accepting :term:`asynchronous context managers <asynchronous context manager>` for cleanup contexts. Legacy single-yield :term:`asynchronous generator` cleanup contexts continue to be supported; async context managers are adapted internally so they are entered at startup and exited during cleanup. \-- by :user:`MannXo`. *Related issues and pull requests on GitHub:* :issue:`11681`. - Added :py:attr:`~aiohttp.CookieJar.cookies` and :py:attr:`~aiohttp.CookieJar.host_only_cookies` read-only properties to :py:class:`~aiohttp.CookieJar` exposing the stored cookies with their full attributes -- by :user:`Br1an67`. *Related issues and pull requests on GitHub:* :issue:`3951`. - Added :py:attr:`~aiohttp.web.TCPSite.port` accessor for dynamic port allocations in :class:`~aiohttp.web.TCPSite` -- by :user:`twhittock-disguise` and :user:`rodrigobnogueira`. *Related issues and pull requests on GitHub:* :issue:`10665`. - Added `decode_text` parameter to :meth:`~aiohttp.ClientSession.ws_connect` and :class:`~aiohttp.web.WebSocketResponse` to receive WebSocket TEXT messages as raw bytes instead of decoded strings, enabling direct use with high-performance JSON parsers like `orjson` -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`11763`, :issue:`11764`. - Large overhaul of parser/decompression code. The zip bomb security fix in 3.13 stopped highly compressed payloads from being decompressed, regardless of validity. Now aiohttp will decompress such payloads in chunks of 256+ KiB, allowing safe decompression of such payloads. \-- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`11966`. - Added explicit APIs for bytes-returning JSON serializer: `JSONBytesEncoder` type, `JsonBytesPayload`, :func:`~aiohttp.web.json_bytes_response`, :meth:`~aiohttp.web.WebSocketResponse.send_json_bytes` and :meth:`~aiohttp.ClientWebSocketResponse.send_json_bytes` methods, and `json_serialize_bytes` parameter for :class:`~aiohttp.ClientSession` \-- by :user:`kevinpark1217`. *Related issues and pull requests on GitHub:* :issue:`11989`. - Added :attr:`~aiohttp.ClientResponse.output_size` and :attr:`~aiohttp.ClientResponse.upload_complete` -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`12452`. ## Bug fixes - Fixed `ZLibDecompressor` silently dropping data past the first member when decompressing concatenated gzip/deflate streams. Each subsequent member is now handed to a fresh decompressor, matching the behaviour already implemented for ZSTD multi-frame streams. \-- by :user:`Ashutosh-177` *Related issues and pull requests on GitHub:* :issue:`7157`. - Improved the parser error message shown when TLS handshake bytes are received on an HTTP port -- by :user:`puneetdixit200`. *Related issues and pull requests on GitHub:* :issue:`10142`. - Fixed the C parser failing to reject a response with a body when none was expected -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`10587`. - Fixed http parser not rejecting HTTP/1.1 requests that do not have valid Host header. \-- by :user:`Cycloctane`. *Related issues and pull requests on GitHub:* :issue:`10600`. - Fixed misleading TLS-in-TLS warning being emitted when sending HTTPS requests through an HTTP proxy. The warning now only fires when the proxy itself uses HTTPS, which is the only case where TLS-in-TLS actually applies -- by :user:`wavebyrd`. *Related issues and pull requests on GitHub:* :issue:`10683`. - Fixed `AssertionError` when the transport is `None` during WebSocket preparation or file response sending (e.g. when a client disconnects immediately after connecting). A `ConnectionResetError` is now raised instead -- by :user:`agners`. *Related issues and pull requests on GitHub:* :issue:`11761`. - Fixed ad-hoc cookies passed to individual requests not being sent when the session's cookie jar has `unsafe=True` and the target URL uses an IP address, by copying the `unsafe` setting from the session's cookie jar to the temporary cookie jar -- by :user:`Krishnachaitanyakc`. *Related issues and pull requests on GitHub:* :issue:`12011`. - Reset the WebSocket heartbeat timer on inbound data to avoid false ping/pong timeouts while receiving large frames \-- by :user:`hoffmang9`. *Related issues and pull requests on GitHub:* :issue:`12030`. - Switched :py:meth:`~aiohttp.CookieJar.save` to use JSON format and :py:meth:`~aiohttp.CookieJar.load` to try JSON first with a fallback to a restricted pickle unpickler -- by :user:`YuvalElbar6`. *Related issues and pull requests on GitHub:* :issue:`12091`. - Fixed redirects with consumed non-rewindable request bodies to raise :class:`aiohttp.ClientPayloadError` instead of silently sending an empty body. *Related issues and pull requests on GitHub:* :issue:`12195`. - Fixed zstd decompression failing with `ClientPayloadError` when the server sends a response as multiple zstd frames -- by :user:`josu-moreno`. *Related issues and pull requests on GitHub:* :issue:`12234`. - Fixed spurious `Future exception was never retrieved` warning on disconnect during back-pressure -- by :user:`availov`. *Related issues and pull requests on GitHub:* :issue:`12281`. - `Cookiejar.save()` now uses `0x600` permissions to better protect them from being read by other users -- by :user:`digiscrypt`. *Related issues and pull requests on GitHub:* :issue:`12312`. - Fixed a crash (:external+python:exc:`~http.cookies.CookieError`) in the cookie parser when receiving cookies containing ASCII control characters on CPython builds with the :cve:`2026-3644` patch. The parser now gracefully skips cookies whose value contains control characters instead of letting the exception propagate -- by :user:`rodrigobnogueira`. *Related issues and pull requests on GitHub:* :issue:`12395`. - Fixed digest authentication failing for requests whose path or query string contains percent-encoded reserved characters; the digest signature now uses the encoded request-target that is sent on the wire instead of the decoded form -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12436`. - Fixed :func:`aiohttp.web.run_app` losing inner traceback frames when an exception is raised during application startup (e.g. inside `cleanup_ctx` or `on_startup`). Regression since 3.10.6. *Related issues and pull requests on GitHub:* :issue:`12493`. - Fixed per-request `cookies` not being dropped on cross-origin redirects -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`12550`. - Fixed invalid bytes being allowed in multipart/payload headers -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`12719`. - Fixed :py:meth:`~aiohttp.FormData.add_field` accepting invalid bytes in `name` and `filename` -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`12721`. - Fixed websocket upgrade occurring when header contained a value like `notupgrade` -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`12723`. ## Deprecations (removal in next major release) - Deprecated `aiohttp.BasicAuth` and the `auth` / `proxy_auth` parameters. They will be removed in aiohttp 4.0. Use the new :func:`~aiohttp.encode_basic_auth` helper together with `headers={"Authorization": ...}` (or `proxy_headers={"Proxy-Authorization": ...}` for proxies) instead. Note that `encode_basic_auth()` defaults to `utf-8`, not `latin1` \-- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`12499`. - Added deprecation warning to `aiohttp.pytest_plugin`, please switch to `pytest-aiohttp` -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`10785`. ## Removals and backward incompatible breaking changes - Stopped calling :func:`socket.getfqdn` as the fallback for :attr:`aiohttp.web.BaseRequest.host`. :func:`socket.getfqdn` performs blocking reverse DNS resolution on the event loop thread and can stall a worker for many seconds when the system resolver is slow, and could be triggered remotely by an HTTP/1.0 request that omits the `Host` header. The fallback when no `Host` header is present is now the local socket address the request arrived on (transport `sockname`), or an empty string if no transport information is available. Code that relied on the FQDN being returned must now read it from :func:`socket.getfqdn` directly, off the event loop \-- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`9308`, :issue:`12597`. - Dropped support for Python 3.9 -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`11601`. - Tightened outbound header serialization to reject all ASCII control characters forbidden by :rfc:`9110#section-5.5` and :rfc:`9112#section-4` (`0x00`-`0x08`, `0x0A`-`0x1F`, `0x7F`) in status lines, header field-names, and field-values. Previously only CR, LF and NUL were rejected. HTAB (`0x09`) remains permitted in field values. Applications that placed bare control characters in outbound headers will now raise :exc:`ValueError` instead of emitting non-RFC-compliant bytes -- by :user:`rodrigobnogueira`. *Related issues and pull requests on GitHub:* :issue:`12689`. ## Improved documentation - Replaced the deprecated `ujson` library with `orjson` in the client quickstart documentation. `ujson` has been put into maintenance-only mode; `orjson` is the recommended alternative. \-- by :user:`indoor47` *Related issues and pull requests on GitHub:* :issue:`10795`. - Added the :doc:`threat_model` to the Sphinx documentation -- by :user:`omkar-334`. *Related issues and pull requests on GitHub:* :issue:`12549`. - Removed archived and deprecated repositories from third party list -- by :user:`Polandia94`. *Related issues and pull requests on GitHub:* :issue:`12726`. - Added `aiointercept` to list of third-party libraries -- by :user:`Polandia94`. *Related issues and pull requests on GitHub:* :issue:`12727`. ## Packaging updates and notes for downstreams - Added wheels for Android and iOS platforms -- by :user:`timrid`. *Related issues and pull requests on GitHub:* :issue:`11750`. - Parallelized the Cython extension compilation by defaulting `build_ext.parallel` to `os.cpu_count()`, so each module's `gcc` invocation now runs concurrently instead of one at a time \-- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12576`. - Submitted vendored `llhttp` to Github's SBOM -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`12678`. - Updated `llhttp` to v9.4.1 -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`12681`. ## Contributor-facing changes - The coverage tool is now configured using the new native auto-discovered :file:`.coveragerc.toml` file \-- by :user:`webknjaz`. It is also set up to use the `ctrace` core that works around the performance issues in the `sysmon` tracer which is default under Python 3.14. *Related issues and pull requests on GitHub:* :issue:`11826`. - Fixed and reworked `autobahn` tests -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`12173`. - Added a CI job to measure Cython coverage -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`12349`. - Disabled `coverage` and `xdist` by default to ease local development -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`12364`. - Avoid installation of backports.zstd on Python 3.14 in linting dependency set \-- by :user:`seifertm`. *Related issues and pull requests on GitHub:* :issue:`12406`. - Added `--durations=30` to the benchmark CI run so the slowest tests are reported when the job hits its timeout -- by :user:`aiolibsbot`. *Related issues and pull requests on GitHub:* :issue:`12562`. - Fixed two flakey `test_middleware_uses_session_avoids_recursion_with_*` tests that hard coded `localhost` in the inner middleware request; they now target the bound server URL so happy eyeballs cannot pick an unbound address on Windows runners -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12571`. - Restricted the `isal` test dependency to CPython, since `isal` 1.8.0 stopped publishing PyPy wheels and the source build requires `nasm`, which is not available on the CI runners. The `parametrize_zlib_backend` fixture already calls `pytest.importorskip`, so PyPy continues to exercise the `zlib` and `zlib_ng` backends with no further changes -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12589`. - Fixed a flakey `test_tcp_connector_fingerprint_ok` by aborting the SSL shutdown on the test's TCP connector before returning. The graceful TLS close was occasionally outliving the test event loop on one of the CI jobs, and the teardown `gc.collect()` then surfaced the still-open transport as a `PytestUnraisableExceptionWarning` -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12592`. - Switched the `cibuildwheel` build frontend to `build[uv]` so that `uv` provisions every build-isolation virtual environment in the wheel matrix, replacing the per-ABI `pip` resolve with a roughly sub-second `uv` resolve \-- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12595`. - Fixed flaky `test_handler_returns_not_response` and `test_handler_returns_none` by routing `loop.set_debug(True)` through a new `loop_debug_mode` fixture that disables debug mode before the `aiohttp_client` fixture finalizes. Leaving debug on through teardown let PyPy 3.11's asyncio slow-callback logger walk into `Task.__repr__` during connector close, surfacing a spurious `RuntimeWarning: coroutine was never awaited` -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12603`. - Reduced runtime of several of the slowest unit tests (decompress size-limit payloads from 64 MiB to 2 MiB, `test_chunk_splits_after_pause` chunk count from 50000 to 20000, and `test_set_cookies_max_age` sleep from 2 seconds to 1.1 seconds) without changing what they exercise -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12606`. - Added a default 120-second per-test timeout via `pytest-timeout` so a hung test surfaces by name in CI output instead of getting hidden behind the job-level timeout added in :pr:`12619`. The `autobahn` and benchmark jobs opt out with `--timeout=0` -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12624`. - Switched the CI `test` and `autobahn` jobs from `actions/setup-python` to `astral-sh/setup-uv` for installing interpreters, cutting the `Setup Python` step from 40-58s to a few seconds on `macos-latest` and `windows-latest` runners for variants not in the hosted tool-cache (notably the free-threaded `3.14t`) \-- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12629`. - Made the `pip` command used by the :file:`Makefile` configurable via a `PIP` variable; downstream consumers can now run, for example, `make .develop PIP="uv pip"` to install via `uv` without us maintaining a parallel target \-- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12641`. - Allowed re-running the `deploy` job in `.github/workflows/ci-cd.yml` after a partial release failure: the `Make Release` step now skips when the GitHub Release already exists, and the PyPI publish step uses `skip-existing` so dists that were already uploaded on a prior attempt do not break the retry -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12651`. - Switched the armv7l wheel builds onto GitHub's hosted ARM runners. The 32-bit ARM build still runs under QEMU, but the host is now aarch64 rather than x86\_64, so the emulation overhead drops sharply \-- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12655`. ## Miscellaneous internal changes - Added win\_arm64 to the wheels that gets pushed to PyPI \-- by :user:`AraHaan`. *Related issues and pull requests on GitHub:* :issue:`11937`. - Added `cdef` type declarations and inlined the upgrade check in the HTTP parser \-- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12321`. - Changed `zlib_executor_size` default so compressed payloads are async by default -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`12358`. - Added `THREAT_MODEL.md` detailing our security stance -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`12512`. - Reduced payload sizes and request counts in the slowest client and URL dispatcher benchmarks so they no longer dominate CI runtime \-- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12569`. - Improved `ContentLengthError` exception messages to include both expected and received byte counts. This enhancement provides better diagnostics when debugging response body size mismatches \-- by :user:`bdraco` and :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`12753`. *** </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNjguNSIsInVwZGF0ZWRJblZlciI6IjQzLjE2OC41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->
renovate-bot added the
dependencies
 label 2026-06-08 09:29:32 +02:00
renovate-bot added 1 commit 2026-06-08 09:29:33 +02:00
chore(deps): update dependency aiohttp to v3.14.1
Some checks failed
PR Tests / test (pull_request) Failing after 1m21s
Details
NYX Security Scan / nyx-scan (pull_request) Successful in 6m36s
Details
60ca1a592c
renovate-bot scheduled this pull request to auto merge when all checks succeed 2026-06-08 09:29:38 +02:00
renovate-bot changed title from chore(deps): update dependency aiohttp to v3.14.1 to chore(deps): update dependency aiohttp to v3.14.1 - autoclosed 2026-06-08 10:30:43 +02:00
renovate-bot closed this pull request 2026-06-08 10:30:45 +02:00
Some checks failed
PR Tests / test (pull_request) Failing after 1m21s
Required
Details
NYX Security Scan / nyx-scan (pull_request) Successful in 6m36s
Required
Details

Pull request closed

This pull request cannot be reopened because the branch was deleted.
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels   
bug

Something is not working

  
dependencies

dependency management

  
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
help wanted

Need some help

  
invalid

Something is wrong

  
question

More information is needed

  
renovate: stop-updating

stop renovate-bot pushing

  
wontfix

This won't be fixed

  
bug

Something is not working

  
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
help wanted

Need some help

  
invalid

Something is wrong

  
question

More information is needed

  
renovate: stop-updating

cmd renovate to stop updating the pr

  
security

CVE warning

  
wontfix

This won't be fixed

No labels
bug
dependencies
duplicate
enhancement
help wanted
invalid
question
renovate: stop-updating
wontfix
bug
duplicate
enhancement
help wanted
invalid
question
renovate: stop-updating
security
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: nomyo-ai/nomyo-router#108
No description provided.
Delete branch "renovate/aiohttp-3.x"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?