Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): update dependency aiohttp to v3 [security] - abandoned #1582

Open
wants to merge 2 commits into
base: main
Choose a base branch
from

Conversation

renovate-bot
Copy link
Contributor

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
aiohttp < 3.10.0 -> <3.10.3 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-42367

Summary

Static routes which contain files with compressed variants (.gz or .br extension) were vulnerable to path traversal outside the root directory if those variants are symbolic links.

Details

The server protects static routes from path traversal outside the root directory when follow_symlinks=False (default). It does this by resolving the requested URL to an absolute path and then checking that path relative to the root. However, these checks are not performed when looking for compressed variants in the FileResponse class, and symbolic links are then automatically followed when performing Path.stat() and Path.open() to send the file.

Impact

Servers with static routes that contain compressed variants as symbolic links, pointing outside the root directory, or that permit users to upload or create such links, are impacted.


Patch: https://github.com/aio-libs/aiohttp/pull/8653/files


Release Notes

aio-libs/aiohttp (aiohttp)

v3.10.2: 3.10.2

Compare Source

Bug fixes

  • Fixed server checks for circular symbolic links to be compatible with Python 3.13 -- by :user:steverep.

    Related issues and pull requests on GitHub:
    #​8565.

  • Fixed request body not being read when ignoring an Upgrade request -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    #​8597.

  • Fixed an edge case where shutdown would wait for timeout when the handler was already completed -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    #​8611.

  • Fixed connecting to npipe://, tcp://, and unix:// urls -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    #​8632.

  • Fixed WebSocket ping tasks being prematurely garbage collected -- by :user:bdraco.

    There was a small risk that WebSocket ping tasks would be prematurely garbage collected because the event loop only holds a weak reference to the task. The garbage collection risk has been fixed by holding a strong reference to the task. Additionally, the task is now scheduled eagerly with Python 3.12+ to increase the chance it can be completed immediately and avoid having to hold any references to the task.

    Related issues and pull requests on GitHub:
    #​8641.

  • Fixed incorrectly following symlinks for compressed file variants -- by :user:steverep.

    Related issues and pull requests on GitHub:
    #​8652.

Removals and backward incompatible breaking changes

  • Removed Request.wait_for_disconnection(), which was mistakenly added briefly in 3.10.0 -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    #​8636.

Contributor-facing changes

  • Fixed monkey patches for Path.stat() and Path.is_dir() for Python 3.13 compatibility -- by :user:steverep.

    Related issues and pull requests on GitHub:
    #​8551.

Miscellaneous internal changes

  • Improved WebSocket performance when messages are sent or received frequently -- by :user:bdraco.

    The WebSocket heartbeat scheduling algorithm was improved to reduce the asyncio scheduling overhead by decreasing the number of asyncio.TimerHandle creations and cancellations.

    Related issues and pull requests on GitHub:
    #​8608.

  • Minor improvements to various type annotations -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    #​8634.


v3.10.1

Compare Source

v3.10.0

Compare Source

v3.9.5

Compare Source

==================

Bug fixes

  • Fixed "Unclosed client session" when initialization of
    :py:class:~aiohttp.ClientSession fails -- by :user:NewGlad.

    Related issues and pull requests on GitHub:
    :issue:8253.

  • Fixed regression (from :pr:8280) with adding Content-Disposition to the form-data
    part after appending to writer -- by :user:Dreamsorcerer/:user:Olegt0rr.

    Related issues and pull requests on GitHub:
    :issue:8332.

  • Added default Content-Disposition in multipart/form-data responses to avoid broken
    form-data responses -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:8335.


v3.9.4

Compare Source

==================

Bug fixes

  • The asynchronous internals now set the underlying causes
    when assigning exceptions to the future objects
    -- by :user:webknjaz.

    Related issues and pull requests on GitHub:
    :issue:8089.

  • Treated values of Accept-Encoding header as case-insensitive when checking
    for gzip files -- by :user:steverep.

    Related issues and pull requests on GitHub:
    :issue:8104.

  • Improved the DNS resolution performance on cache hit -- by :user:bdraco.

    This is achieved by avoiding an :mod:asyncio task creation in this case.

    Related issues and pull requests on GitHub:
    :issue:8163.

  • Changed the type annotations to allow dict on :meth:aiohttp.MultipartWriter.append,
    :meth:aiohttp.MultipartWriter.append_json and
    :meth:aiohttp.MultipartWriter.append_form -- by :user:cakemanny

    Related issues and pull requests on GitHub:
    :issue:7741.

  • Ensure websocket transport is closed when client does not close it
    -- by :user:bdraco.

    The transport could remain open if the client did not close it. This
    change ensures the transport is closed when the client does not close
    it.

    Related issues and pull requests on GitHub:
    :issue:8200.

  • Leave websocket transport open if receive times out or is cancelled
    -- by :user:bdraco.

    This restores the behavior prior to the change in #​7978.

    Related issues and pull requests on GitHub:
    :issue:8251.

  • Fixed content not being read when an upgrade request was not supported with the pure Python implementation.
    -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:8252.

  • Fixed a race condition with incoming connections during server shutdown -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:8271.

  • Fixed multipart/form-data compliance with :rfc:7578 -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:8280.

  • Fixed blocking I/O in the event loop while processing files in a POST request
    -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:8283.

  • Escaped filenames in static view -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:8317.

  • Fixed the pure python parser to mark a connection as closing when a
    response has no length -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:8320.

Features

  • Upgraded llhttp to 9.2.1, and started rejecting obsolete line folding
    in Python parser to match -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:8146, :issue:8292.

Deprecations (removal in next major release)

  • Deprecated content_transfer_encoding parameter in :py:meth:FormData.add_field() <aiohttp.FormData.add_field> -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:8280.

Improved documentation

  • Added a note about canceling tasks to avoid delaying server shutdown -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:8267.

Contributor-facing changes

  • The pull request template is now asking the contributors to
    answer a question about the long-term maintenance challenges
    they envision as a result of merging their patches
    -- by :user:webknjaz.

    Related issues and pull requests on GitHub:
    :issue:8099.

  • Updated CI and documentation to use NPM clean install and upgrade
    node to version 18 -- by :user:steverep.

    Related issues and pull requests on GitHub:
    :issue:8116.

  • A pytest fixture hello_txt was introduced to aid
    static file serving tests in
    :file:test_web_sendfile_functional.py. It dynamically
    provisions hello.txt file variants shared across the
    tests in the module.

    -- by :user:steverep

    Related issues and pull requests on GitHub:
    :issue:8136.

Packaging updates and notes for downstreams

  • Added an internal pytest marker for tests which should be skipped
    by packagers (use -m 'not internal' to disable them) -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:8299.


v3.9.3

Compare Source

==================

Bug fixes

  • Fixed backwards compatibility breakage (in 3.9.2) of ssl parameter when set outside
    of ClientSession (e.g. directly in TCPConnector) -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:8097, :issue:8098.

Miscellaneous internal changes

  • Improved test suite handling of paths and temp files to consistently use pathlib and pytest fixtures.

    Related issues and pull requests on GitHub:
    :issue:3957.


v3.9.2

Compare Source

==================

Bug fixes

  • Fixed server-side websocket connection leak.

    Related issues and pull requests on GitHub:
    :issue:7978.

  • Fixed web.FileResponse doing blocking I/O in the event loop.

    Related issues and pull requests on GitHub:
    :issue:8012.

  • Fixed double compress when compression enabled and compressed file exists in server file responses.

    Related issues and pull requests on GitHub:
    :issue:8014.

  • Added runtime type check for ClientSession timeout parameter.

    Related issues and pull requests on GitHub:
    :issue:8021.

  • Fixed an unhandled exception in the Python HTTP parser on header lines starting with a colon -- by :user:pajod.

    Invalid request lines with anything but a dot between the HTTP major and minor version are now rejected.
    Invalid header field names containing question mark or slash are now rejected.
    Such requests are incompatible with :rfc:9110#section-5.6.2 and are not known to be of any legitimate use.

    Related issues and pull requests on GitHub:
    :issue:8074.

  • Improved validation of paths for static resources requests to the server -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:8079.

Features

  • Added support for passing :py:data:True to ssl parameter in ClientSession while
    deprecating :py:data:None -- by :user:xiangyan99.

    Related issues and pull requests on GitHub:
    :issue:7698.

Breaking changes

  • Fixed an unhandled exception in the Python HTTP parser on header lines starting with a colon -- by :user:pajod.

    Invalid request lines with anything but a dot between the HTTP major and minor version are now rejected.
    Invalid header field names containing question mark or slash are now rejected.
    Such requests are incompatible with :rfc:9110#section-5.6.2 and are not known to be of any legitimate use.

    Related issues and pull requests on GitHub:
    :issue:8074.

Improved documentation

  • Fixed examples of fallback_charset_resolver function in the :doc:client_advanced document. -- by :user:henry0312.

    Related issues and pull requests on GitHub:
    :issue:7995.

  • The Sphinx setup was updated to avoid showing the empty
    changelog draft section in the tagged release documentation
    builds on Read The Docs -- by :user:webknjaz.

    Related issues and pull requests on GitHub:
    :issue:8067.

Packaging updates and notes for downstreams

  • The changelog categorization was made clearer. The
    contributors can now mark their fragment files more
    accurately -- by :user:webknjaz.

    The new category tags are:

    * ``bugfix``
    
    * ``feature``
    
    * ``deprecation``
    
    * ``breaking`` (previously, ``removal``)
    
    * ``doc``
    
    * ``packaging``
    
    * ``contrib``
    
    * ``misc``
    

    Related issues and pull requests on GitHub:
    :issue:8066.

Contributor-facing changes

  • Updated :ref:contributing/Tests coverage <aiohttp-contributing> section to show how we use codecov -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:7916.

  • The changelog categorization was made clearer. The
    contributors can now mark their fragment files more
    accurately -- by :user:webknjaz.

    The new category tags are:

    * ``bugfix``
    
    * ``feature``
    
    * ``deprecation``
    
    * ``breaking`` (previously, ``removal``)
    
    * ``doc``
    
    * ``packaging``
    
    * ``contrib``
    
    * ``misc``
    

    Related issues and pull requests on GitHub:
    :issue:8066.

Miscellaneous internal changes

  • Replaced all tmpdir fixtures with tmp_path in test suite.

    Related issues and pull requests on GitHub:
    :issue:3551.


v3.9.1

Compare Source

==================

Bugfixes

  • Fixed importing aiohttp under PyPy on Windows.

    #&#8203;7848 <https://github.com/aio-libs/aiohttp/issues/7848>_

  • Fixed async concurrency safety in websocket compressor.

    #&#8203;7865 <https://github.com/aio-libs/aiohttp/issues/7865>_

  • Fixed ClientResponse.close() releasing the connection instead of closing.

    #&#8203;7869 <https://github.com/aio-libs/aiohttp/issues/7869>_

  • Fixed a regression where connection may get closed during upgrade. -- by :user:Dreamsorcerer

    #&#8203;7879 <https://github.com/aio-libs/aiohttp/issues/7879>_

  • Fixed messages being reported as upgraded without an Upgrade header in Python parser. -- by :user:Dreamsorcerer

    #&#8203;7895 <https://github.com/aio-libs/aiohttp/issues/7895>_


v3.9.0

Compare Source

==================

Features

  • Introduced AppKey for static typing support of Application storage.
    See https://docs.aiohttp.org/en/stable/web_advanced.html#application-s-config

    #&#8203;5864 <https://github.com/aio-libs/aiohttp/issues/5864>_

  • Added a graceful shutdown period which allows pending tasks to complete before the application's cleanup is called.
    The period can be adjusted with the shutdown_timeout parameter. -- by :user:Dreamsorcerer.
    See https://docs.aiohttp.org/en/latest/web_advanced.html#graceful-shutdown

    #&#8203;7188 <https://github.com/aio-libs/aiohttp/issues/7188>_

  • Added handler_cancellation <https://docs.aiohttp.org/en/stable/web_advanced.html#web-handler-cancellation>_ parameter to cancel web handler on client disconnection. -- by :user:mosquito
    This (optionally) reintroduces a feature removed in a previous release.
    Recommended for those looking for an extra level of protection against denial-of-service attacks.

    #&#8203;7056 <https://github.com/aio-libs/aiohttp/issues/7056>_

  • Added support for setting response header parameters max_line_size and max_field_size.

    #&#8203;2304 <https://github.com/aio-libs/aiohttp/issues/2304>_

  • Added auto_decompress parameter to ClientSession.request to override ClientSession._auto_decompress. -- by :user:Daste745

    #&#8203;3751 <https://github.com/aio-libs/aiohttp/issues/3751>_

  • Changed raise_for_status to allow a coroutine.

    #&#8203;3892 <https://github.com/aio-libs/aiohttp/issues/3892>_

  • Added client brotli compression support (optional with runtime check).

    #&#8203;5219 <https://github.com/aio-libs/aiohttp/issues/5219>_

  • Added client_max_size to BaseRequest.clone() to allow overriding the request body size. -- :user:anesabml.

    #&#8203;5704 <https://github.com/aio-libs/aiohttp/issues/5704>_

  • Added a middleware type alias aiohttp.typedefs.Middleware.

    #&#8203;5898 <https://github.com/aio-libs/aiohttp/issues/5898>_

  • Exported HTTPMove which can be used to catch any redirection request
    that has a location -- :user:dreamsorcerer.

    #&#8203;6594 <https://github.com/aio-libs/aiohttp/issues/6594>_

  • Changed the path parameter in web.run_app() to accept a pathlib.Path object.

    #&#8203;6839 <https://github.com/aio-libs/aiohttp/issues/6839>_

  • Performance: Skipped filtering CookieJar when the jar is empty or all cookies have expired.

    #&#8203;7819 <https://github.com/aio-libs/aiohttp/issues/7819>_

  • Performance: Only check origin if insecure scheme and there are origins to treat as secure, in CookieJar.filter_cookies().

    #&#8203;7821 <https://github.com/aio-libs/aiohttp/issues/7821>_

  • Performance: Used timestamp instead of datetime to achieve faster cookie expiration in CookieJar.

    #&#8203;7824 <https://github.com/aio-libs/aiohttp/issues/7824>_

  • Added support for passing a custom server name parameter to HTTPS connection.

    #&#8203;7114 <https://github.com/aio-libs/aiohttp/issues/7114>_

  • Added support for using Basic Auth credentials from :file:.netrc file when making HTTP requests with the
    :py:class:~aiohttp.ClientSession trust_env argument is set to True. -- by :user:yuvipanda.

    #&#8203;7131 <https://github.com/aio-libs/aiohttp/issues/7131>_

  • Turned access log into no-op when the logger is disabled.

    #&#8203;7240 <https://github.com/aio-libs/aiohttp/issues/7240>_

  • Added typing information to RawResponseMessage. -- by :user:Gobot1234

    #&#8203;7365 <https://github.com/aio-libs/aiohttp/issues/7365>_

  • Removed async-timeout for Python 3.11+ (replaced with asyncio.timeout() on newer releases).

    #&#8203;7502 <https://github.com/aio-libs/aiohttp/issues/7502>_

  • Added support for brotlicffi as an alternative to brotli (fixing Brotli support on PyPy).

    #&#8203;7611 <https://github.com/aio-libs/aiohttp/issues/7611>_

  • Added WebSocketResponse.get_extra_info() to access a protocol transport's extra info.

    #&#8203;7078 <https://github.com/aio-libs/aiohttp/issues/7078>_

  • Allow link argument to be set to None/empty in HTTP 451 exception.

    #&#8203;7689 <https://github.com/aio-libs/aiohttp/issues/7689>_

Bugfixes

  • Implemented stripping the trailing dots from fully-qualified domain names in Host headers and TLS context when acting as an HTTP client.
    This allows the client to connect to URLs with FQDN host name like https://example.com./.
    -- by :user:martin-sucha.

    #&#8203;3636 <https://github.com/aio-libs/aiohttp/issues/3636>_

  • Fixed client timeout not working when incoming data is always available without waiting. -- by :user:Dreamsorcerer.

    #&#8203;5854 <https://github.com/aio-libs/aiohttp/issues/5854>_

  • Fixed readuntil to work with a delimiter of more than one character.

    #&#8203;6701 <https://github.com/aio-libs/aiohttp/issues/6701>_

  • Added __repr__ to EmptyStreamReader to avoid AttributeError.

    #&#8203;6916 <https://github.com/aio-libs/aiohttp/issues/6916>_

  • Fixed bug when using TCPConnector with ttl_dns_cache=0.

    #&#8203;7014 <https://github.com/aio-libs/aiohttp/issues/7014>_

  • Fixed response returned from expect handler being thrown away. -- by :user:Dreamsorcerer

    #&#8203;7025 <https://github.com/aio-libs/aiohttp/issues/7025>_

  • Avoided raising UnicodeDecodeError in multipart and in HTTP headers parsing.

    #&#8203;7044 <https://github.com/aio-libs/aiohttp/issues/7044>_

  • Changed sock_read timeout to start after writing has finished, avoiding read timeouts caused by an unfinished write. -- by :user:dtrifiro

    #&#8203;7149 <https://github.com/aio-libs/aiohttp/issues/7149>_

  • Fixed missing query in tracing method URLs when using yarl 1.9+.

    #&#8203;7259 <https://github.com/aio-libs/aiohttp/issues/7259>_

  • Changed max 32-bit timestamp to an aware datetime object, for consistency with the non-32-bit one, and to avoid a DeprecationWarning on Python 3.12.

    #&#8203;7302 <https://github.com/aio-libs/aiohttp/issues/7302>_

  • Fixed EmptyStreamReader.iter_chunks() never ending. -- by :user:mind1m

    #&#8203;7616 <https://github.com/aio-libs/aiohttp/issues/7616>_

  • Fixed a rare RuntimeError: await wasn't used with future exception. -- by :user:stalkerg

    #&#8203;7785 <https://github.com/aio-libs/aiohttp/issues/7785>_

  • Fixed issue with insufficient HTTP method and version validation.

    #&#8203;7700 <https://github.com/aio-libs/aiohttp/issues/7700>_

  • Added check to validate that absolute URIs have schemes.

    #&#8203;7712 <https://github.com/aio-libs/aiohttp/issues/7712>_

  • Fixed unhandled exception when Python HTTP parser encounters unpaired Unicode surrogates.

    #&#8203;7715 <https://github.com/aio-libs/aiohttp/issues/7715>_

  • Updated parser to disallow invalid characters in header field names and stop accepting LF as a request line separator.

    #&#8203;7719 <https://github.com/aio-libs/aiohttp/issues/7719>_

  • Fixed Python HTTP parser not treating 204/304/1xx as an empty body.

    #&#8203;7755 <https://github.com/aio-libs/aiohttp/issues/7755>_

  • Ensure empty body response for 1xx/204/304 per RFC 9112 sec 6.3.

    #&#8203;7756 <https://github.com/aio-libs/aiohttp/issues/7756>_

  • Fixed an issue when a client request is closed before completing a chunked payload. -- by :user:Dreamsorcerer

    #&#8203;7764 <https://github.com/aio-libs/aiohttp/issues/7764>_

  • Edge Case Handling for ResponseParser for missing reason value.

    #&#8203;7776 <https://github.com/aio-libs/aiohttp/issues/7776>_

  • Fixed ClientWebSocketResponse.close_code being erroneously set to None when there are concurrent async tasks receiving data and closing the connection.

    #&#8203;7306 <https://github.com/aio-libs/aiohttp/issues/7306>_

  • Added HTTP method validation.

    #&#8203;6533 <https://github.com/aio-libs/aiohttp/issues/6533>_

  • Fixed arbitrary sequence types being allowed to inject values via version parameter. -- by :user:Dreamsorcerer

    #&#8203;7835 <https://github.com/aio-libs/aiohttp/issues/7835>_

  • Performance: Fixed increase in latency with small messages from websocket compression changes.

    #&#8203;7797 <https://github.com/aio-libs/aiohttp/issues/7797>_

Improved Documentation

  • Fixed the ClientResponse.release's type in the doc. Changed from comethod to method.

    #&#8203;5836 <https://github.com/aio-libs/aiohttp/issues/5836>_

  • Added information on behavior of base_url parameter in ClientSession.

    #&#8203;6647 <https://github.com/aio-libs/aiohttp/issues/6647>_

  • Fixed ClientResponseError docs.

    #&#8203;6700 <https://github.com/aio-libs/aiohttp/issues/6700>_

  • Updated Redis code examples to follow the latest API.

    #&#8203;6907 <https://github.com/aio-libs/aiohttp/issues/6907>_

  • Added a note about possibly needing to update headers when using on_response_prepare. -- by :user:Dreamsorcerer

    #&#8203;7283 <https://github.com/aio-libs/aiohttp/issues/7283>_

  • Completed trust_env parameter description to honor wss_proxy, ws_proxy or no_proxy env.

    #&#8203;7325 <https://github.com/aio-libs/aiohttp/issues/7325>_

  • Expanded SSL documentation with more examples (e.g. how to use certifi). -- by :user:Dreamsorcerer

    #&#8203;7334 <https://github.com/aio-libs/aiohttp/issues/7334>_

  • Fix, update, and improve client exceptions documentation.

    #&#8203;7733 <https://github.com/aio-libs/aiohttp/issues/7733>_

Deprecations and Removals

  • Added shutdown_timeout parameter to BaseRunner, while
    deprecating shutdown_timeout parameter from BaseSite. -- by :user:Dreamsorcerer

    #&#8203;7718 <https://github.com/aio-libs/aiohttp/issues/7718>_

  • Dropped Python 3.6 support.

    #&#8203;6378 <https://github.com/aio-libs/aiohttp/issues/6378>_

  • Dropped Python 3.7 support. -- by :user:Dreamsorcerer

    #&#8203;7336 <https://github.com/aio-libs/aiohttp/issues/7336>_

  • Removed support for abandoned tokio event loop. -- by :user:Dreamsorcerer

    #&#8203;7281 <https://github.com/aio-libs/aiohttp/issues/7281>_

Misc

  • Made print argument in run_app() optional.

    #&#8203;3690 <https://github.com/aio-libs/aiohttp/issues/3690>_

  • Improved performance of ceil_timeout in some cases.

    #&#8203;6316 <https://github.com/aio-libs/aiohttp/issues/6316>_

  • Changed importing Gunicorn to happen on-demand, decreasing import time by ~53%. -- :user:Dreamsorcerer

    #&#8203;6591 <https://github.com/aio-libs/aiohttp/issues/6591>_

  • Improved import time by replacing http.server with http.HTTPStatus.

    #&#8203;6903 <https://github.com/aio-libs/aiohttp/issues/6903>_

  • Fixed annotation of ssl parameter to disallow True. -- by :user:Dreamsorcerer.

    #&#8203;7335 <https://github.com/aio-libs/aiohttp/issues/7335>_


v3.8.6

Compare Source

==================

Security bugfixes

  • Upgraded the vendored copy of llhttp_ to v9.1.3 -- by :user:Dreamsorcerer

    Thanks to :user:kenballus for reporting this, see
    GHSA-pjjw-qhg8-p2p9.

    .. _llhttp: https://llhttp.org

    #&#8203;7647 <https://github.com/aio-libs/aiohttp/issues/7647>_

  • Updated Python parser to comply with RFCs 9110/9112 -- by :user:Dreamorcerer

    Thanks to :user:kenballus for reporting this, see
    GHSA-gfw2-4jvh-wgfg.

    #&#8203;7663 <https://github.com/aio-libs/aiohttp/issues/7663>_

Deprecation

  • Added fallback_charset_resolver parameter in ClientSession to allow a user-supplied
    character set detection function.

    Character set detection will no longer be included in 3.9 as a default. If this feature is needed,
    please use fallback_charset_resolver <https://docs.aiohttp.org/en/stable/client_advanced.html#character-set-detection>_.

    #&#8203;7561 <https://github.com/aio-libs/aiohttp/issues/7561>_

Features

  • Enabled lenient response parsing for more flexible parsing in the client
    (this should resolve some regressions when dealing with badly formatted HTTP responses). -- by :user:Dreamsorcerer

    #&#8203;7490 <https://github.com/aio-libs/aiohttp/issues/7490>_

Bugfixes

  • Fixed PermissionError when .netrc is unreadable due to permissions.

    #&#8203;7237 <https://github.com/aio-libs/aiohttp/issues/7237>_

  • Fixed output of parsing errors pointing to a \n. -- by :user:Dreamsorcerer

    #&#8203;7468 <https://github.com/aio-libs/aiohttp/issues/7468>_

  • Fixed GunicornWebWorker max_requests_jitter not working.

    #&#8203;7518 <https://github.com/aio-libs/aiohttp/issues/7518>_

  • Fixed sorting in filter_cookies to use cookie with longest path. -- by :user:marq24.

    #&#8203;7577 <https://github.com/aio-libs/aiohttp/issues/7577>_

  • Fixed display of BadStatusLine messages from llhttp_. -- by :user:Dreamsorcerer

    #&#8203;7651 <https://github.com/aio-libs/aiohttp/issues/7651>_


v3.8.5: 3.8.5

Compare Source

Security bugfixes

  • Upgraded the vendored copy of llhttp_ to v8.1.1 -- by :user:webknjaz
    and :user:Dreamsorcerer.

    Thanks to :user:sethmlarson for reporting this and providing us with
    comprehensive reproducer, workarounds and fixing details! For more
    information, see
    GHSA-45c4-8wx5-qw6w.

    .. _llhttp: https://llhttp.org

    (#​7346)

Features

  • Added information to C parser exceptions to show which character caused the error. -- by :user:Dreamsorcerer

    (#​7366)

Bugfixes

  • Fixed a transport is :data:None error -- by :user:Dreamsorcerer.

    (#​3355)


v3.8.4

Compare Source

==================

Bugfixes

  • Fixed incorrectly overwriting cookies with the same name and domain, but different path.
    #&#8203;6638 <https://github.com/aio-libs/aiohttp/issues/6638>_
  • Fixed ConnectionResetError not being raised after client disconnection in SSL environments.
    #&#8203;7180 <https://github.com/aio-libs/aiohttp/issues/7180>_

v3.8.3

Compare Source

==================

.. attention::

This is the last :doc:aiohttp <index> release tested under
Python 3.6. The 3.9 stream is dropping it from the CI and the
distribution package metadata.

Bugfixes

  • Increased the upper boundary of the :doc:multidict:index dependency
    to allow for the version 6 -- by :user:hugovk.

    It used to be limited below version 7 in :doc:aiohttp <index> v3.8.1 but
    was lowered in v3.8.2 via :pr:6550 and never brought back, causing
    problems with dependency pins when upgrading. :doc:aiohttp <index> v3.8.3
    fixes that by recovering the original boundary of < 7.
    #&#8203;6950 <https://github.com/aio-libs/aiohttp/issues/6950>_


v3.8.2

Compare Source

=====================================================

Bugfixes

  • Support registering OPTIONS HTTP method handlers via RouteTableDef.
    #&#8203;4663 <https://github.com/aio-libs/aiohttp/issues/4663>_

  • Started supporting authority-form and absolute-form URLs on the server-side.
    #&#8203;6227 <https://github.com/aio-libs/aiohttp/issues/6227>_

  • Fix Python 3.11 alpha incompatibilities by using Cython 0.29.25
    #&#8203;6396 <https://github.com/aio-libs/aiohttp/issues/6396>_

  • Remove a deprecated usage of pytest.warns(None)
    #&#8203;6663 <https://github.com/aio-libs/aiohttp/issues/6663>_

  • Fix regression where asyncio.CancelledError occurs on client disconnection.
    #&#8203;6719 <https://github.com/aio-libs/aiohttp/issues/6719>_

  • Export :py:class:~aiohttp.web.PrefixedSubAppResource under
    :py:mod:aiohttp.web -- by :user:Dreamsorcerer.

    This fixes a regression introduced by :pr:3469.
    #&#8203;6889 <https://github.com/aio-libs/aiohttp/issues/6889>_

  • Dropped the :class:object type possibility from
    the :py:attr:aiohttp.ClientSession.timeout
    property return type declaration.
    #&#8203;6917 <https://github.com/aio-libs/aiohttp/issues/6917>,
    #&#8203;6923 <https://github.com/aio-libs/aiohttp/issues/6923>

Improved Documentation

  • Added clarification on configuring the app object with settings such as a db connection.
    #&#8203;4137 <https://github.com/aio-libs/aiohttp/issues/4137>_
  • Edited the web.run_app declaration.
    #&#8203;6401 <https://github.com/aio-libs/aiohttp/issues/6401>_
  • Dropped the :class:object type possibility from
    the :py:attr:aiohttp.ClientSession.timeout
    property return type declaration.
    #&#8203;6917 <https://github.com/aio-libs/aiohttp/issues/6917>,
    #&#8203;6923 <https://github.com/aio-libs/aiohttp/issues/6923>

Deprecations and Removals

  • Drop Python 3.5 support, aiohttp works on 3.6+ now.
    #&#8203;4046 <https://github.com/aio-libs/aiohttp/issues/4046>_

Misc

  • #&#8203;6369 <https://github.com/aio-libs/aiohttp/issues/6369>, #&#8203;6399 <https://github.com/aio-libs/aiohttp/issues/6399>, #&#8203;6550 <https://github.com/aio-libs/aiohttp/issues/6550>, #&#8203;6708 <https://github.com/aio-libs/aiohttp/issues/6708>, #&#8203;6757 <https://github.com/aio-libs/aiohttp/issues/6757>, #&#8203;6857 <https://github.com/aio-libs/aiohttp/issues/6857>, #&#8203;6872 <https://github.com/aio-libs/aiohttp/issues/6872>_

v3.8.1

Compare Source

==================

Bugfixes

  • Fix the error in handling the return value of getaddrinfo.
    getaddrinfo will return an (int, bytes) tuple, if CPython could not handle the address family.
    It will cause an index out of range error in aiohttp. For example, if user compile CPython with
    --disable-ipv6 option, but his system enable the ipv6.
    #&#8203;5901 <https://github.com/aio-libs/aiohttp/issues/5901>_
  • Do not install "examples" as a top-level package.
    #&#8203;6189 <https://github.com/aio-libs/aiohttp/issues/6189>_
  • Restored ability to connect IPv6-only host.
    #&#8203;6195 <https://github.com/aio-libs/aiohttp/issues/6195>_
  • Remove Signal from __all__, replace aiohttp.Signal with aiosignal.Signal in docs
    #&#8203;6201 <https://github.com/aio-libs/aiohttp/issues/6201>_
  • Made chunked encoding HTTP header check stricter.
    #&#8203;6305 <https://github.com/aio-libs/aiohttp/issues/6305>_

Improved Documentation

  • update quick starter demo codes.
    #&#8203;6240 <https://github.com/aio-libs/aiohttp/issues/6240>_
  • Added an explanation of how tiny timeouts affect performance to the client reference document.
    #&#8203;6274 <https://github.com/aio-libs/aiohttp/issues/6274>_
  • Add flake8-docstrings to flake8 configuration, enable subset of checks.
    #&#8203;6276 <https://github.com/aio-libs/aiohttp/issues/6276>_
  • Added information on running complex applications with additional tasks/processes -- :user:Dreamsorcerer.
    #&#8203;6278 <https://github.com/aio-libs/aiohttp/issues/6278>_

Misc

  • #&#8203;6205 <https://github.com/aio-libs/aiohttp/issues/6205>_

v3.8.0

Compare Source

==================

Features

  • Added a GunicornWebWorker feature for extending the aiohttp server configuration by allowing the 'wsgi' coroutine to return web.AppRunner object.
    #&#8203;2988 <https://github.com/aio-libs/aiohttp/issues/2988>_

  • Switch from http-parser to llhttp
    #&#8203;3561 <https://github.com/aio-libs/aiohttp/issues/3561>_

  • Use Brotli instead of brotlipy
    #&#8203;3803 <https://github.com/aio-libs/aiohttp/issues/3803>_

  • Disable implicit switch-back to pure python mode. The build fails loudly if aiohttp
    cannot be compiled with C Accelerators. Use AIOHTTP_NO_EXTENSIONS=1 to explicitly
    disable C Extensions complication and switch to Pure-Python mode. Note that Pure-Python
    mode is significantly slower than compiled one.
    #&#8203;3828 <https://github.com/aio-libs/aiohttp/issues/3828>_

  • Make access log use local time with timezone
    #&#8203;3853 <https://github.com/aio-libs/aiohttp/issues/3853>_

  • Implemented readuntil in StreamResponse
    #&#8203;4054 <https://github.com/aio-libs/aiohttp/issues/4054>_

  • FileResponse now supports ETag.
    #&#8203;4594 <https://github.com/aio-libs/aiohttp/issues/4594>_

  • Add a request handler type alias aiohttp.typedefs.Handler.
    #&#8203;4686 <https://github.com/aio-libs/aiohttp/issues/4686>_

  • AioHTTPTestCase is more async friendly now.

    For people who use unittest and are used to use :py:exc:~unittest.TestCase
    it will be easier to write new test cases like the sync version of the :py:exc:~unittest.TestCase class,
    without using the decorator @unittest_run_loop, just async def test_*.
    The only difference is that for the people using python3.7 and below a new dependency is needed, it is asynctestcase.
    #&#8203;4700 <https://github.com/aio-libs/aiohttp/issues/4700>_

  • Add validation of HTTP header keys and values to prevent header injection.
    #&#8203;4818 <https://github.com/aio-libs/aiohttp/issues/4818>_

  • Add predicate to AbstractCookieJar.clear.
    Add AbstractCookieJar.clear_domain to clean all domain and subdomains cookies only.
    #&#8203;4942 <https://github.com/aio-libs/aiohttp/issues/4942>_

  • Add keepalive_timeout parameter to web.run_app.
    #&#8203;5094 <https://github.com/aio-libs/aiohttp/issues/5094>_

  • Tracing for client sent headers
    #&#8203;5105 <https://github.com/aio-libs/aiohttp/issues/5105>_

  • Make type hints for http parser stricter
    #&#8203;5267 <https://github.com/aio-libs/aiohttp/issues/5267>_

  • Add final declarations for constants.
    #&#8203;5275 <https://github.com/aio-libs/aiohttp/issues/5275>_

  • Switch to external frozenlist and aiosignal libraries.
    #&#8203;5293 <https://github.com/aio-libs/aiohttp/issues/5293>_

  • Don't send secure cookies by insecure transports.

    By default, the transport is secure if https or wss scheme is used.
    Use CookieJar(treat_as_secure_origin="http://127.0.0.1") to override the default security checker.
    #&#8203;5571 <https://github.com/aio-libs/aiohttp/issues/5571>_

  • Always create a new event loop in aiohttp.web.run_app().
    This adds better compatibility with asyncio.run() or if trying to run multiple apps in sequence.
    #&#8203;5572 <https://github.com/aio-libs/aiohttp/issues/5572>_

  • Add aiohttp.pytest_plugin.AiohttpClient for static typing of pytest plugin.
    #&#8203;5585 <https://github.com/aio-libs/aiohttp/issues/5585>_

  • Added a socket_factory argument to BaseTestServer.
    #&#8203;5844 <https://github.com/aio-libs/aiohttp/issues/5844>_

  • Add compression strategy parameter to enable_compression method.
    #&#8203;5909 <https://github.com/aio-libs/aiohttp/issues/5909>_

  • Added support for Python 3.10 to Github Actions CI/CD workflows and fix the related deprecation warnings -- :user:Hanaasagi.
    #&#8203;5927 <https://github.com/aio-libs/aiohttp/issues/5927>_

  • Switched chardet to charset-normalizer for guessing the HTTP payload body encoding -- :user:Ousret.
    #&#8203;5930 <https://github.com/aio-libs/aiohttp/issues/5930>_

  • Added optional auto_decompress argument for HttpRequestParser
    #&#8203;5957 <https://github.com/aio-libs/aiohttp/issues/5957>_

  • Added support for HTTPS proxies to the extent CPython's
    :py:mod:asyncio supports it -- by :user:bmbouter,
    :user:jborean93 and :user:webknjaz.
    #&#8203;5992 <https://github.com/aio-libs/aiohttp/issues/5992>_

  • Added base_url parameter to the initializer of :class:~aiohttp.ClientSession.
    #&#8203;6013 <https://github.com/aio-libs/aiohttp/issues/6013>_

  • Add Trove classifier and create binary wheels for 3.10. -- :user:hugovk.
    #&#8203;6079 <https://github.com/aio-libs/aiohttp/issues/6079>_

  • Started shipping platform-specific wheels with the musl tag targeting typical Alpine Linux runtimes — :user:asvetlov.
    #&#8203;6139 <https://github.com/aio-libs/aiohttp/issues/6139>_

  • Started shipping platform-specific arm64 wheels for Apple Silicon — :user:asvetlov.
    #&#8203;6139 <https://github.com/aio-libs/aiohttp/issues/6139>_

Bugfixes

  • Modify drain_helper() to handle concurrent await resp.write(...) or ws.send_json(...) calls without race-condition.
    #&#8203;2934 <https://github.com/aio-libs/aiohttp/issues/2934>
  • Started using MultiLoopChildWatcher when it's available under POSIX while setting up the test I/O loop.
    #&#8203;3450 <https://github.com/aio-libs/aiohttp/issues/3450>_
  • Only encode content-disposition filename parameter using percent-encoding.
    Other parameters are encoded to quoted-string or RFC2231 extended parameter
    value.
    #&#8203;4012 <https://github.com/aio-libs/aiohttp/issues/4012>_
  • Fixed HTTP client requests to honor no_proxy environment variables.
    #&#8203;4431 <https://github.com/aio-libs/aiohttp/issues/4431>_
  • Fix supporting WebSockets proxies configured via environment variables.
    #&#8203;4648 <https://github.com/aio-libs/aiohttp/issues/4648>_
  • Change return type on URLDispatcher to UrlMappingMatchInfo to improve type annotations.
    #&#8203;4748 <https://github.com/aio-libs/aiohttp/issues/4748>_
  • Ensure a cleanup context is cleaned up even when an exception occurs during startup.
    #&#8203;4799 <https://github.com/aio-libs/aiohttp/issues/4799>_
  • Added a new exception type for Unix socket client errors which provides a more useful error message.
    #&#8203;4984 <https://github.com/aio-libs/aiohttp/issues/4984>_
  • Remove Transfer-Encoding and Content-Type headers for 204 in StreamResponse
    #&#8203;5106 <https://github.com/aio-libs/aiohttp/issues/5106>_
  • Only depend on typing_extensions for Python <3.8
    #&#8203;5107 <https://github.com/aio-libs/aiohttp/issues/5107>_
  • Add ABNORMAL_CLOSURE and BAD_GATEWAY to WSCloseCode
    #&#8203;5192 <https://github.com/aio-libs/aiohttp/issues/5192>_
  • Fix cookies disappearing from HTTPExceptions.
    #&#8203;5233 <https://github.com/aio-libs/aiohttp/issues/5233>_
  • StaticResource prefixes no longer match URLs with a non-folder prefix. For example routes.static('/foo', '/foo') no longer matches the URL /foobar. Previously, this would attempt to load the file /foo/ar.
    #&#8203;5250 <https://github.com/aio-libs/aiohttp/issues/5250>_
  • Acquire the connection before running traces to prevent race condition.
    #&#8203;5259 <https://github.com/aio-libs/aiohttp/issues/5259>_
  • Add missing slots to ```_RequestContextManagerandWSRequestContextManager``
    #&#8203;5329 <https://github.com/aio-libs/aiohttp/issues/5329>
  • Ensure sending a zero byte file does not throw an exception (round 2)
    #&#8203;5380 <https://github.com/aio-libs/aiohttp/issues/5380>_
  • Set "text/plain" when data is an empty string in client requests.
    #&#8203;5392 <https://github.com/aio-libs/aiohttp/issues/5392>_
  • Stop automatically releasing the ClientResponse object on calls to the ok property for the failed requests.
    #&#8203;5403 <https://github.com/aio-libs/aiohttp/issues/5403>_
  • Include query parameters from params keyword argument in tracing URL.
    #&#8203;5432 <https://github.com/aio-libs/aiohttp/issues/5432>_
  • Fix annotations
    #&#8203;5466 <https://github.com/aio-libs/aiohttp/issues/5466>_
  • Fixed the multipart POST requests processing to always release file
    descriptors for the tempfile.Temporaryfile-created
    _io.BufferedRandom instances of files sent within multipart request
    bodies via HTTP POST requests -- by :user:webknjaz.
    #&#8203;5494 <https://github.com/aio-libs/aiohttp/issues/5494>_
  • Fix 0 being incorrectly treated as an immediate timeout.
    #&#8203;5527 <https://github.com/aio-libs/aiohttp/issues/5527>_
  • Fixes failing tests when an environment variable proxy is set.
    #&#8203;5554 <https://github.com/aio-libs/aiohttp/issues/5554>
  • Replace deprecated app handler design in tests/autobahn/server.py with call to web.run_app; replace deprecated aiohttp.ws_connect calls in tests/autobahn/client.py with aiohttp.ClienSession.ws_connect.
    #&#8203;5606 <https://github.com/aio-libs/aiohttp/issues/5606>_
  • Fixed test for HTTPUnauthorized that access the text argument. This is not used in any part of the code, so it's removed now.
    #&#8203;5657 <https://github.com/aio-libs/aiohttp/issues/5657>_
  • Remove incorrect default from docs
    #&#8203;5727 <https://github.com/aio-libs/aiohttp/issues/5727>_
  • Remove external test dependency to http://httpbin.org
    #&#8203;5840 <https://github.com/aio-libs/aiohttp/issues/5840>_
  • Don't cancel current task when entering a cancelled timer.
    #&#8203;5853 <https://github.com/aio-libs/aiohttp/issues/5853>_
  • Added params keyword argument to ClientSession.ws_connect. -- :user:hoh.
    #&#8203;5868 <https://github.com/aio-libs/aiohttp/issues/5868>_
  • Uses :py:class:~asyncio.ThreadedChildWatcher under POSIX to allow setting up test loop in non-main thread.
    #&#8203;5877 <https://github.com/aio-libs/aiohttp/issues/5877>_
  • Fix the error in handling the return value of getaddrinfo.
    getaddrinfo will return an (int, bytes) tuple, if CPython could not handle the address family.
    It will cause a index out of range error in aiohttp. For example, if user compile CPython with
    --disable-ipv6 option but his system enable the ipv6.
    #&#8203;5901 <https://github.com/aio-libs/aiohttp/issues/5901>_
  • Removed the deprecated loop argument from the asyncio.sleep/gather calls
    #&#8203;5905 <https://github.com/aio-libs/aiohttp/issues/5905>_
  • Return None from request.if_modified_since, request.if_unmodified_since, request.if_range and response.last_modified when corresponding http date headers are invalid.
    #&#8203;5925 <https://github.com/aio-libs/aiohttp/issues/5925>_
  • Fix resetting SIGCHLD signals in Gunicorn aiohttp Worker to fix subprocesses that capture output having an incorrect returncode.
    #&#8203;6130 <https://github.com/aio-libs/aiohttp/issues/6130>_
  • Raise 400: Content-Length can't be present with Transfer-Encoding if both Content-Length and Transfer-Encoding are sent by peer by both C and Python implementations
    #&#8203;6182 <https://github.com/aio-libs/aiohttp/issues/6182>_

Improved Documentation

  • Refactored OpenAPI/Swagger aiohttp addons, added aio-openapi
    #&#8203;5326 <https://github.com/aio-libs/aiohttp/issues/5326>_
  • Fixed docs on request cookies type, so it matches what is actually used in the code (a
    read-only dictionary-like object).
    #&#8203;5725 <https://github.com/aio-libs/aiohttp/issues/5725>_
  • Documented that the HTTP client Authorization header is removed
    on redirects to a different host or protocol.
    #&#8203;5850 <https://github.com/aio-libs/aiohttp/issues/5850>_

Misc

  • #&#8203;3927 <https://github.com/aio-libs/aiohttp/issues/3927>, #&#8203;4247 <https://github.com/aio-libs/aiohttp/issues/4247>, #&#8203;4247 <https://github.com/aio-libs/aiohttp/issues/4247>, #&#8203;5389 <https://github.com/aio-libs/aiohttp/issues/5389>, #&#8203;5457 <https://github.com/aio-libs/aiohttp/issues/5457>, #&#8203;5486 <https://github.com/aio-libs/aiohttp/issues/5486>, #&#8203;5494 <https://github.com/aio-libs/aiohttp/issues/5494>, #&#8203;5515 <https://github.com/aio-libs/aiohttp/issues/5515>, #&#8203;5625 <https://github.com/aio-libs/aiohttp/issues/5625>, #&#8203;5635 <https://github.com/aio-libs/aiohttp/issues/5635>, #&#8203;5648 <https://github.com/aio-libs/aiohttp/issues/5648>, #&#8203;5657 <https://github.com/aio-libs/aiohttp/issues/5657>, #&#8203;5890 <https://github.com/aio-libs/aiohttp/issues/5890>, #&#8203;5914 <https://github.com/aio-libs/aiohttp/issues/5914>, #&#8203;5932 <https://github.com/aio-libs/aiohttp/issues/5932>, #&#8203;6002 <https://github.com/aio-libs/aiohttp/issues/6002>, #&#8203;6045 <https://github.com/aio-libs/aiohttp/issues/6045>, #&#8203;6131 <https://github.com/aio-libs/aiohttp/issues/6131>, #&#8203;6156 <https://github.com/aio-libs/aiohttp/issues/6156>, #&#8203;6165 <https://github.com/aio-libs/aiohttp/issues/6165>, #&#8203;6166 <https://github.com/aio-libs/aiohttp/issues/6166>_

v3.7.4.post0

Compare Source

========================

Misc

  • Bumped upper bound of the chardet runtime dependency
    to allow their v4.0 version stream.
    #&#8203;5366 <https://github.com/aio-libs/aiohttp/issues/5366>_

v3.7.4

Compare Source

========================

Misc

  • Bumped upper bound of the chardet runtime dependency
    to allow their v4.0 version stream.
    #&#8203;5366 <https://github.com/aio-libs/aiohttp/issues/5366>_

v3.7.3

Compare Source

==================

Features

  • Use Brotli instead of brotlipy
    #&#8203;3803 <https://github.com/aio-libs/aiohttp/issues/3803>_
  • Made exceptions pickleable. Also changed the repr of some exceptions.
    #&#8203;4077 <https://github.com/aio-libs/aiohttp/issues/4077>_

Bugfixes

  • Raise a ClientResponseError instead of an AssertionError for a blank
    HTTP Reason Phrase.
    #&#8203;3532 <https://github.com/aio-libs/aiohttp/issues/3532>_
  • Fix web_middlewares.normalize_path_middleware behavior for patch without slash.
    #&#8203;3669 <https://github.com/aio-libs/aiohttp/issues/3669>_
  • Fix overshadowing of overlapped sub-applications prefixes.
    #&#8203;3701 <https://github.com/aio-libs/aiohttp/issues/3701>_
  • Make BaseConnector.close() a coroutine and wait until the client closes all connections. Drop deprecated "with Connector():" syntax.
    #&#8203;3736 <https://github.com/aio-libs/aiohttp/issues/3736>_
  • Reset the sock_read timeout each time data is received for a aiohttp.client response.
    #&#8203;3808 <https://github.com/aio-libs/aiohttp/issues/3808>_
  • Fixed type annotation for add_view method of UrlDispatcher to accept any subclass of View
    #&#8203;3880 <https://github.com/aio-libs/aiohttp/issues/3880>_
  • Fixed querying the address families from DNS that the current host supports.
    #&#8203;5156 <https://github.com/aio-libs/aiohttp/issues/5156>_
  • Change return type of MultipartReader.aiter() and BodyPartReader.aiter() to AsyncIterator.
    #&#8203;5163 <https://github.com/aio-libs/aiohttp/issues/5163>_
  • Provide x86 Windows wheels.
    #&#8203;5230 <https://github.com/aio-libs/aiohttp/issues/5230>_

Improved Documentation

  • Add documentation for aiohttp.web.FileResponse.
    #&#8203;3958 <https://github.com/aio-libs/aiohttp/issues/3958>_
  • Removed deprecation warning in tracing example docs
    #&#8203;3964 <https://github.com/aio-libs/aiohttp/issues/3964>_
  • Fixed wrong "Usage" docstring of aiohttp.client.request.
    #&#8203;4603 <https://github.com/aio-libs/aiohttp/issues/4603>_
  • Add aiohttp-pydantic to third party libraries
    #&#8203;5228 <https://github.com/aio-libs/aiohttp/issues/5228>_

Misc

  • #&#8203;4102 <https://github.com/aio-libs/aiohttp/issues/4102>_

v3.7.2

Compare Source

==================

Bugfixes

  • Fixed static files handling for loops without .sendfile() support
    #&#8203;5149 <https://github.com/aio-libs/aiohttp/issues/5149>_

v3.7.1

Compare Source

==================

Bugfixes

  • Fixed a type error caused by the conditional import of Protocol.
    #&#8203;5111 <https://github.com/aio-libs/aiohttp/issues/5111>_
  • Server doesn't send Content-Length for 1xx or 204
    #&#8203;4901 <https://github.com/aio-libs/aiohttp/issues/4901>_
  • Fix run_app typing
    #&#8203;4957 <https://github.com/aio-libs/aiohttp/issues/4957>_
  • Always require typing_extensions library.
    #&#8203;5107 <https://github.com/aio-libs/aiohttp/issues/5107>_
  • Fix a variable-shadowing bug causing ThreadedResolver.resolve to
    return the resolved IP as the hostname in each record, which prevented
    validation of HTTPS connections.
    #&#8203;5110 <https://github.com/aio-libs/aiohttp/issues/5110>_
  • Added annotations to all public attributes.
    #&#8203;5115 <https://github.com/aio-libs/aiohttp/issues/5115>_
  • Fix flaky test_when_timeout_smaller_second
    #&#8203;5116 <https://github.com/aio-libs/aiohttp/issues/5116>_
  • Ensure sending a zero byte file does not throw an exception
    #&#8203;5124 <https://github.com/aio-libs/aiohttp/issues/5124>_
  • Fix a bug in web.run_app() about Python version checking on Windows
    #&#8203;5127 <https://github.com/aio-libs/aiohttp/issues/5127>_

v3.7.0

Compare Source

==================

Features

  • Response headers are now prepared prior to running on_response_prepare hooks, directly before headers are sent to the client.
    #&#8203;1958 <https://github.com/aio-libs/aiohttp/issues/1958>_
  • Add a quote_cookie option to CookieJar, a way to skip quotation wrapping of cookies containing special characters.
    #&#8203;2571 <https://github.com/aio-libs/aiohttp/issues/2571>_
  • Call AccessLogger.log with the current exception available from sys.exc_info().
    #&#8203;3557 <https://github.com/aio-libs/aiohttp/issues/3557>_
  • web.UrlDispatcher.add_routes and web.Application.add_routes return a list
    of registered AbstractRoute instances. AbstractRouteDef.register (and all
    subclasses) return a list of registered resources registered resource.
    #&#8203;3866 <https://github.com/aio-libs/aiohttp/issues/3866>_
  • Added properties of default ClientSession params to ClientSession class so it is available for introspection
    #&#8203;3882 <https://github.com/aio-libs/aiohttp/issues/3882>_
  • Don't cancel web handler on peer disconnection, raise OSError on reading/writing instead.
    #&#8203;4080 <https://github.com/aio-libs/aiohttp/issues/4080>_
  • Implement BaseRequest.get_extra_info() to access a protocol transports' extra info.
    #&#8203;4189 <https://github.com/aio-libs/aiohttp/issues/4189>_
  • Added ClientSession.timeout property.
    #&#8203;4191 <https://github.com/aio-libs/aiohttp/issues/4191>_
  • allow use of SameSite in cookies.
    #&#8203;4224 <https://github.com/aio-libs/aiohttp/issues/4224>_
  • Use loop.sendfile() instead of custom implementation if available.
    #&#8203;4269 <https://github.com/aio-libs/aiohttp/issues/4269>_
  • Apply SO_REUSEADDR to test server's socket.
    #&#8203;4393 <https://github.com/aio-libs/aiohttp/issues/4393>_
  • Use .raw_host instead of slower .host in client API
    #&#8203;4402 <https://github.com/aio-libs/aiohttp/issues/4402>_
  • Allow configuring the buffer size of input stream by passing read_bufsize argument.
    #&#8203;4453 <https://github.com/aio-libs/aiohttp/issues/4453>_
  • Pass tests on Python 3.8 for Windows.
    #&#8203;4513 <https://github.com/aio-libs/aiohttp/issues/4513>_
  • Add method and url attributes to TraceRequestChunkSentParams and TraceResponseChunkReceivedParams.
    #&#8203;4674 <https://github.com/aio-libs/aiohttp/issues/4674>_
  • Add ClientResponse.ok property for checking status code under 400.
    `#​4711 <https://github.com/aio-libs/

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate-bot renovate-bot requested review from a team as code owners August 13, 2024 11:42
@trusted-contributions-gcf trusted-contributions-gcf bot added kokoro:force-run Add this label to force Kokoro to re-run the tests. owlbot:run Add this label to trigger the Owlbot post processor. labels Aug 13, 2024
@gcf-owl-bot gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 13, 2024
@yoshi-kokoro yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Aug 13, 2024
@trusted-contributions-gcf trusted-contributions-gcf bot added kokoro:force-run Add this label to force Kokoro to re-run the tests. owlbot:run Add this label to trigger the Owlbot post processor. labels Aug 13, 2024
@gcf-owl-bot gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label Aug 13, 2024
@yoshi-kokoro yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Aug 13, 2024
Copy link

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@renovate-bot renovate-bot changed the title chore(deps): update dependency aiohttp to v3 [security] chore(deps): update dependency aiohttp to v3 [security] - abandoned Dec 8, 2024
Copy link

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants