Update dependency aiohttp to v3.10.11 #3

mend-for-github-com · 2024-11-06T10:21:11Z

This PR contains the following updates:

Package	Update	Change
aiohttp	minor	`==3.5.3` -> `==3.10.11`

By merging this PR, the issue #9 will be automatically resolved and closed:

Severity	CVSS Score	CVE	Reachability
High	7.5	CVE-2024-30251	Reachable
High	7.2	CVE-2023-49081	Reachable
Medium	6.5	CVE-2024-23829	Reachable
Medium	6.1	CVE-2024-27306	Reachable
Medium	5.9	CVE-2024-23334	Reachable
Medium	5.3	CVE-2023-37276	Reachable
Medium	5.3	CVE-2023-47627	Reachable
Medium	5.3	CVE-2023-49082	Reachable
Medium	4.8	CVE-2024-42367	Reachable
Low	3.4	CVE-2023-47641	Reachable
Low	3.1	CVE-2021-21330	Reachable
Low	0.0	CVE-2024-52304	Reachable

Release Notes

aio-libs/aiohttp (aiohttp)

`v3.10.11`

Compare Source

====================

Bug fixes

Authentication provided by a redirect now takes precedence over provided auth when making requests with the client -- by :user:PLPeeters.

Related issues and pull requests on GitHub:
:issue:9436.
Fixed :py:meth:WebSocketResponse.close() <aiohttp.web.WebSocketResponse.close> to discard non-close messages within its timeout window after sending close -- by :user:lenard-mosys.

Related issues and pull requests on GitHub:
:issue:9506.
Fixed a deadlock that could occur while attempting to get a new connection slot after a timeout -- by :user:bdraco.

The connector was not cancellation-safe.

Related issues and pull requests on GitHub:
:issue:9670, :issue:9671.
Fixed the WebSocket flow control calculation undercounting with multi-byte data -- by :user:bdraco.

Related issues and pull requests on GitHub:
:issue:9686.
Fixed incorrect parsing of chunk extensions with the pure Python parser -- by :user:bdraco.

Related issues and pull requests on GitHub:
:issue:9851.
Fixed system routes polluting the middleware cache -- by :user:bdraco.

Related issues and pull requests on GitHub:
:issue:9852.

Removals and backward incompatible breaking changes

Improved performance of the connector when a connection can be reused -- by :user:bdraco.

If BaseConnector.connect has been subclassed and replaced with custom logic, the ceil_timeout must be added.

Related issues and pull requests on GitHub:
:issue:9600.

Miscellaneous internal changes

Improved performance of the client request lifecycle when there are no cookies -- by :user:bdraco.

Related issues and pull requests on GitHub:
:issue:9470.
Improved performance of sending client requests when the writer can finish synchronously -- by :user:bdraco.

Related issues and pull requests on GitHub:
:issue:9485.
Improved performance of serializing HTTP headers -- by :user:bdraco.

Related issues and pull requests on GitHub:
:issue:9603.
Passing enable_cleanup_closed to :py:class:aiohttp.TCPConnector is now ignored on Python 3.12.7+ and 3.13.1+ since the underlying bug that caused asyncio to leak SSL connections has been fixed upstream -- by :user:bdraco.

Related issues and pull requests on GitHub:
:issue:9726, :issue:9736.

`v3.10.10`

Compare Source

====================

Bug fixes

Fixed error messages from :py:class:~aiohttp.resolver.AsyncResolver being swallowed -- by :user:bdraco.

Related issues and pull requests on GitHub:
:issue:9451, :issue:9455.

Features

Added :exc:aiohttp.ClientConnectorDNSError for differentiating DNS resolution errors from other connector errors -- by :user:mstojcevich.

Related issues and pull requests on GitHub:
:issue:8455.

Miscellaneous internal changes

Simplified DNS resolution throttling code to reduce chance of race conditions -- by :user:bdraco.

Related issues and pull requests on GitHub:
:issue:9454.

`v3.10.9`

Compare Source

===================

Bug fixes

Fixed proxy headers being used in the ConnectionKey hash when a proxy was not being used -- by :user:bdraco.

If default headers are used, they are also used for proxy headers. This could have led to creating connections that were not needed when one was already available.

Related issues and pull requests on GitHub:
:issue:9368.
Widened the type of the trace_request_ctx parameter of
:meth:ClientSession.request() <aiohttp.ClientSession.request> and friends
-- by :user:layday.

Related issues and pull requests on GitHub:
:issue:9397.

Removals and backward incompatible breaking changes

Fixed failure to try next host after single-host connection timeout -- by :user:brettdh.

The default client :class:aiohttp.ClientTimeout params has changed to include a sock_connect timeout of 30 seconds so that this correct behavior happens by default.

Related issues and pull requests on GitHub:
:issue:7342.

Miscellaneous internal changes

Improved performance of resolving hosts with Python 3.12+ -- by :user:bdraco.

Related issues and pull requests on GitHub:
:issue:9342.
Reduced memory required for timer objects created during the client request lifecycle -- by :user:bdraco.

Related issues and pull requests on GitHub:
:issue:9406.

`v3.10.8`

Compare Source

===================

Bug fixes

Fixed cancellation leaking upwards on timeout -- by :user:bdraco.

Related issues and pull requests on GitHub:
:issue:9326.

`v3.10.7`

Compare Source

===================

Bug fixes

Fixed assembling the :class:~yarl.URL for web requests when the host contains a non-default port or IPv6 address -- by :user:bdraco.

Related issues and pull requests on GitHub:
:issue:9309.

Miscellaneous internal changes

Improved performance of determining if a URL is absolute -- by :user:bdraco.

The property :attr:~yarl.URL.absolute is more performant than the method URL.is_absolute() and preferred when newer versions of yarl are used.

Related issues and pull requests on GitHub:
:issue:9171.
Replaced code that can now be handled by yarl -- by :user:bdraco.

Related issues and pull requests on GitHub:
:issue:9301.

`v3.10.6`

Compare Source

===================

Bug fixes

Added :exc:aiohttp.ClientConnectionResetError. Client code that previously threw :exc:ConnectionResetError
will now throw this -- by :user:Dreamsorcerer.

Related issues and pull requests on GitHub:
:issue:9137.
Fixed an unclosed transport ResourceWarning on web handlers -- by :user:Dreamsorcerer.

Related issues and pull requests on GitHub:
:issue:8875.
Fixed resolve_host() 'Task was destroyed but is pending' errors -- by :user:Dreamsorcerer.

Related issues and pull requests on GitHub:
:issue:8967.
Fixed handling of some file-like objects (e.g. tarfile.extractfile()) which raise AttributeError instead of OSError when fileno fails for streaming payload data -- by :user:ReallyReivax.

Related issues and pull requests on GitHub:
:issue:6732.
Fixed web router not matching pre-encoded URLs (requires yarl 1.9.6+) -- by :user:Dreamsorcerer.

Related issues and pull requests on GitHub:
:issue:8898, :issue:9267.
Fixed an error when trying to add a route for multiple methods with a path containing a regex pattern -- by :user:Dreamsorcerer.

Related issues and pull requests on GitHub:
:issue:8998.
Fixed Response.text when body is a Payload -- by :user:Dreamsorcerer.

Related issues and pull requests on GitHub:
:issue:6485.
Fixed compressed requests failing when no body was provided -- by :user:Dreamsorcerer.

Related issues and pull requests on GitHub:
:issue:9108.
Fixed client incorrectly reusing a connection when the previous message had not been fully sent -- by :user:Dreamsorcerer.

Related issues and pull requests on GitHub:
:issue:8992.
Fixed race condition that could cause server to close connection incorrectly at keepalive timeout -- by :user:Dreamsorcerer.

Related issues and pull requests on GitHub:
:issue:9140.
Fixed Python parser chunked handling with multiple Transfer-Encoding values -- by :user:Dreamsorcerer.

Related issues and pull requests on GitHub:
:issue:8823.
Fixed error handling after 100-continue so server sends 500 response instead of disconnecting -- by :user:Dreamsorcerer.

Related issues and pull requests on GitHub:
:issue:8876.
Stopped adding a default Content-Type header when response has no content -- by :user:Dreamsorcerer.

Related issues and pull requests on GitHub:
:issue:8858.
Added support for URL credentials with empty (zero-length) username, e.g. https://:password@host -- by :user:shuckc

Related issues and pull requests on GitHub:
:issue:6494.
Stopped logging exceptions from web.run_app() that would be raised regardless -- by :user:Dreamsorcerer.

Related issues and pull requests on GitHub:
:issue:6807.
Implemented binding to IPv6 addresses in the pytest server fixture.

Related issues and pull requests on GitHub:
:issue:4650.
Fixed the incorrect use of flags for getnameinfo() in the Resolver --by :user:GitNMLee

Link-Local IPv6 addresses can now be handled by the Resolver correctly.

Related issues and pull requests on GitHub:
:issue:9032.
Fixed StreamResponse.prepared to return True after EOF is sent -- by :user:arthurdarcet.

Related issues and pull requests on GitHub:
:issue:5343.
Changed make_mocked_request() to use empty payload by default -- by :user:rahulnht.

Related issues and pull requests on GitHub:
:issue:7167.
Used more precise type for ClientResponseError.headers, fixing some type errors when using them -- by :user:Dreamsorcerer.

Related issues and pull requests on GitHub:
:issue:8768.
Changed behavior when returning an invalid response to send a 500 response -- by :user:Dreamsorcerer.

Related issues and pull requests on GitHub:
:issue:8845.
Fixed response reading from closed session to throw an error immediately instead of timing out -- by :user:Dreamsorcerer.

Related issues and pull requests on GitHub:
:issue:8878.
Fixed CancelledError from one cleanup context stopping other contexts from completing -- by :user:Dreamsorcerer.

Related issues and pull requests on GitHub:
:issue:8908.
Fixed changing scheme/host in Response.clone() for absolute URLs -- by :user:Dreamsorcerer.

Related issues and pull requests on GitHub:
:issue:8990.
Fixed Site.name when host is an empty string -- by :user:Dreamsorcerer.

Related issues and pull requests on GitHub:
:issue:8929.
Updated Python parser to reject messages after a close message, matching C parser behaviour -- by :user:Dreamsorcerer.

Related issues and pull requests on GitHub:
:issue:9018.
Fixed creation of SSLContext inside of :py:class:aiohttp.TCPConnector with multiple event loops in different threads -- by :user:bdraco.

Related issues and pull requests on GitHub:
:issue:9029.
Fixed (on Python 3.11+) some edge cases where a task cancellation may get incorrectly suppressed -- by :user:Dreamsorcerer.

Related issues and pull requests on GitHub:
:issue:9030.
Fixed exception information getting lost on HttpProcessingError -- by :user:Dreamsorcerer.

Related issues and pull requests on GitHub:
:issue:9052.
Fixed If-None-Match not using weak comparison -- by :user:Dreamsorcerer.

Related issues and pull requests on GitHub:
:issue:9063.
Fixed badly encoded charset crashing when getting response text instead of falling back to charset detector.

Related issues and pull requests on GitHub:
:issue:9160.
Rejected \n in reason values to avoid sending broken HTTP messages -- by :user:Dreamsorcerer.

Related issues and pull requests on GitHub:
:issue:9167.
Changed :py:meth:ClientResponse.raise_for_status() <aiohttp.ClientResponse.raise_for_status> to only release the connection when invoked outside an async with context -- by :user:Dreamsorcerer.

Related issues and pull requests on GitHub:
:issue:9239.

Features

Improved type on params to match the underlying type allowed by yarl -- by :user:lpetre.

Related issues and pull requests on GitHub:
:issue:8564.
Declared Python 3.13 supported -- by :user:bdraco.

Related issues and pull requests on GitHub:
:issue:8748.

Removals and backward incompatible breaking changes

Improved middleware performance -- by :user:bdraco.

The set_current_app method was removed from UrlMappingMatchInfo because it is no longer used, and it was unlikely external caller would ever use it.

Related issues and pull requests on GitHub:
:issue:9200.
Increased minimum yarl version to 1.12.0 -- by :user:bdraco.

Related issues and pull requests on GitHub:
:issue:9267.

Improved documentation

Clarified that GracefulExit needs to be handled in AppRunner and ServerRunner when using handle_signals=True. -- by :user:Daste745

Related issues and pull requests on GitHub:
:issue:4414.
Clarified that auth parameter in ClientSession will persist and be included with any request to any origin, even during redirects to different origins. -- by :user:MaximZemskov.

Related issues and pull requests on GitHub:
:issue:6764.
Clarified which timeout exceptions happen on which timeouts -- by :user:Dreamsorcerer.

Related issues and pull requests on GitHub:
:issue:8968.
Updated ClientSession parameters to match current code -- by :user:Dreamsorcerer.

Related issues and pull requests on GitHub:
:issue:8991.

Packaging updates and notes for downstreams

Fixed test_client_session_timeout_zero to not require internet access -- by :user:Dreamsorcerer.

Related issues and pull requests on GitHub:
:issue:9004.

Miscellaneous internal changes

Improved performance of making requests when there are no auto headers to skip -- by :user:bdraco.

Related issues and pull requests on GitHub:
:issue:8847.
Exported aiohttp.TraceRequestHeadersSentParams -- by :user:Hadock-is-ok.

Related issues and pull requests on GitHub:
:issue:8947.
Avoided tracing overhead in the http writer when there are no active traces -- by user:bdraco.

Related issues and pull requests on GitHub:
:issue:9031.
Improved performance of reify Cython implementation -- by :user:bdraco.

Related issues and pull requests on GitHub:
:issue:9054.
Use :meth:URL.extend_query() <yarl.URL.extend_query> to extend query params (requires yarl 1.11.0+) -- by :user:bdraco.

If yarl is older than 1.11.0, the previous slower hand rolled version will be used.

Related issues and pull requests on GitHub:
:issue:9068.
Improved performance of checking if a host is an IP Address -- by :user:bdraco.

Related issues and pull requests on GitHub:
:issue:9095.
Significantly improved performance of middlewares -- by :user:bdraco.

The construction of the middleware wrappers is now cached and is built once per handler instead of on every request.

Related issues and pull requests on GitHub:
:issue:9158, :issue:9170.
Improved performance of web requests -- by :user:bdraco.

Related issues and pull requests on GitHub:
:issue:9168, :issue:9169, :issue:9172, :issue:9174, :issue:9175, :issue:9241.
Improved performance of starting web requests when there is no response prepare hook -- by :user:bdraco.

Related issues and pull requests on GitHub:
:issue:9173.
Significantly improved performance of expiring cookies -- by :user:bdraco.

Expiring cookies has been redesigned to use :mod:heapq instead of a linear search, to better scale.

Related issues and pull requests on GitHub:
:issue:9203.
Significantly sped up filtering cookies -- by :user:bdraco.

Related issues and pull requests on GitHub:
:issue:9204.

`v3.10.5`

Compare Source

=========================

Bug fixes

Fixed :meth:aiohttp.ClientResponse.json() not setting status when :exc:aiohttp.ContentTypeError is raised -- by :user:bdraco.

Related issues and pull requests on GitHub:
:issue:8742.

Miscellaneous internal changes

Improved performance of the WebSocket reader -- by :user:bdraco.

Related issues and pull requests on GitHub:
:issue:8736, :issue:8747.

`v3.10.4`

Compare Source

===================

Bug fixes

Fixed decoding base64 chunk in BodyPartReader -- by :user:hyzyla.

Related issues and pull requests on GitHub:
:issue:3867.
Fixed a race closing the server-side WebSocket where the close code would not reach the client -- by :user:bdraco.

Related issues and pull requests on GitHub:
:issue:8680.
Fixed unconsumed exceptions raised by the WebSocket heartbeat -- by :user:bdraco.

If the heartbeat ping raised an exception, it would not be consumed and would be logged as an warning.

Related issues and pull requests on GitHub:
:issue:8685.
Fixed an edge case in the Python parser when chunk separators happen to align with network chunks -- by :user:Dreamsorcerer.

Related issues and pull requests on GitHub:
:issue:8720.

Improved documentation

Added aiohttp-apischema to supported libraries -- by :user:Dreamsorcerer.

Related issues and pull requests on GitHub:
:issue:8700.

Miscellaneous internal changes

Improved performance of starting request handlers with Python 3.12+ -- by :user:bdraco.

This change is a followup to :issue:8661 to make the same optimization for Python 3.12+ where the request is connected.

Related issues and pull requests on GitHub:
:issue:8681.

`v3.10.3`

Compare Source

========================

Bug fixes

Fixed multipart reading when stream buffer splits the boundary over several read() calls -- by :user:Dreamsorcerer.

Related issues and pull requests on GitHub:
:issue:8653.
Fixed :py:class:aiohttp.TCPConnector doing blocking I/O in the event loop to create the SSLContext -- by :user:bdraco.

The blocking I/O would only happen once per verify mode. However, it could cause the event loop to block for a long time if the SSLContext creation is slow, which is more likely during startup when the disk cache is not yet present.

Related issues and pull requests on GitHub:
:issue:8672.

Miscellaneous internal changes

Improved performance of :py:meth:~aiohttp.ClientWebSocketResponse.receive and :py:meth:~aiohttp.web.WebSocketResponse.receive when there is no timeout. -- by :user:bdraco.

The timeout context manager is now avoided when there is no timeout as it accounted for up to 50% of the time spent in the :py:meth:~aiohttp.ClientWebSocketResponse.receive and :py:meth:~aiohttp.web.WebSocketResponse.receive methods.

Related issues and pull requests on GitHub:
:issue:8660.
Improved performance of starting request handlers with Python 3.12+ -- by :user:bdraco.

Related issues and pull requests on GitHub:
:issue:8661.
Improved performance of HTTP keep-alive checks -- by :user:bdraco.

Previously, when processing a request for a keep-alive connection, the keep-alive check would happen every second; the check is now rescheduled if it fires too early instead.

Related issues and pull requests on GitHub:
:issue:8662.
Improved performance of generating random WebSocket mask -- by :user:bdraco.

Related issues and pull requests on GitHub:
:issue:8667.

`v3.10.2`

Compare Source

===================

Bug fixes

Fixed server checks for circular symbolic links to be compatible with Python 3.13 -- by :user:steverep.

Related issues and pull requests on GitHub:
:issue:8565.
Fixed request body not being read when ignoring an Upgrade request -- by :user:Dreamsorcerer.

Related issues and pull requests on GitHub:
:issue:8597.
Fixed an edge case where shutdown would wait for timeout when the handler was already completed -- by :user:Dreamsorcerer.

Related issues and pull requests on GitHub:
:issue:8611.
Fixed connecting to npipe://, tcp://, and unix:// urls -- by :user:bdraco.

Related issues and pull requests on GitHub:
:issue:8632.
Fixed WebSocket ping tasks being prematurely garbage collected -- by :user:bdraco.

There was a small risk that WebSocket ping tasks would be prematurely garbage collected because the event loop only holds a weak reference to the task. The garbage collection risk has been fixed by holding a strong reference to the task. Additionally, the task is now scheduled eagerly with Python 3.12+ to increase the chance it can be completed immediately and avoid having to hold any references to the task.

Related issues and pull requests on GitHub:
:issue:8641.
Fixed incorrectly following symlinks for compressed file variants -- by :user:steverep.

Related issues and pull requests on GitHub:
:issue:8652.

Removals and backward incompatible breaking changes

Removed Request.wait_for_disconnection(), which was mistakenly added briefly in 3.10.0 -- by :user:Dreamsorcerer.

Related issues and pull requests on GitHub:
:issue:8636.

Contributor-facing changes

Fixed monkey patches for Path.stat() and Path.is_dir() for Python 3.13 compatibility -- by :user:steverep.

Related issues and pull requests on GitHub:
:issue:8551.

Miscellaneous internal changes

Improved WebSocket performance when messages are sent or received frequently -- by :user:bdraco.

The WebSocket heartbeat scheduling algorithm was improved to reduce the asyncio scheduling overhead by decreasing the number of asyncio.TimerHandle creations and cancellations.

Related issues and pull requests on GitHub:
:issue:8608.
Minor improvements to various type annotations -- by :user:Dreamsorcerer.

Related issues and pull requests on GitHub:
:issue:8634.

`v3.10.1`

Compare Source

====================

Bug fixes

Authentication provided by a redirect now takes precedence over provided auth when making requests with the client -- by :user:PLPeeters.

Related issues and pull requests on GitHub:
:issue:9436.
Fixed :py:meth:WebSocketResponse.close() <aiohttp.web.WebSocketResponse.close> to discard non-close messages within its timeout window after sending close -- by :user:lenard-mosys.

Related issues and pull requests on GitHub:
:issue:9506.
Fixed a deadlock that could occur while attempting to get a new connection slot after a timeout -- by :user:bdraco.

The connector was not cancellation-safe.

Related issues and pull requests on GitHub:
:issue:9670, :issue:9671.
Fixed the WebSocket flow control calculation undercounting with multi-byte data -- by :user:bdraco.

Related issues and pull requests on GitHub:
:issue:9686.
Fixed incorrect parsing of chunk extensions with the pure Python parser -- by :user:bdraco.

Related issues and pull requests on GitHub:
:issue:9851.
Fixed system routes polluting the middleware cache -- by :user:bdraco.

Related issues and pull requests on GitHub:
:issue:9852.

Removals and backward incompatible breaking changes

Improved performance of the connector when a connection can be reused -- by :user:bdraco.

If BaseConnector.connect has been subclassed and replaced with custom logic, the ceil_timeout must be added.

Related issues and pull requests on GitHub:
:issue:9600.

Miscellaneous internal changes

Improved performance of the client request lifecycle when there are no cookies -- by :user:bdraco.

Related issues and pull requests on GitHub:
:issue:9470.
Improved performance of sending client requests when the writer can finish synchronously -- by :user:bdraco.

Related issues and pull requests on GitHub:
:issue:9485.
Improved performance of serializing HTTP headers -- by :user:bdraco.

Related issues and pull requests on GitHub:
:issue:9603.
Passing enable_cleanup_closed to :py:class:aiohttp.TCPConnector is now ignored on Python 3.12.7+ and 3.13.1+ since the underlying bug that caused asyncio to leak SSL connections has been fixed upstream -- by :user:bdraco.

Related issues and pull requests on GitHub:
:issue:9726, :issue:9736.

`v3.10.0`

Compare Source

========================

Bug fixes

Fixed server response headers for Content-Type and Content-Encoding for
static compressed files -- by :user:steverep.

Server will now respond with a Content-Type appropriate for the compressed
file (e.g. "application/gzip"), and omit the Content-Encoding header.
Users should expect that most clients will no longer decompress such responses
by default.

Related issues and pull requests on GitHub:
:issue:4462.
Fixed duplicate cookie expiration calls in the CookieJar implementation

Related issues and pull requests on GitHub:
:issue:7784.
Adjusted FileResponse to check file existence and access when preparing the response -- by :user:steverep.

The :py:class:~aiohttp.web.FileResponse class was modified to respond with
403 Forbidden or 404 Not Found as appropriate. Previously, it would cause a
server error if the path did not exist or could not be accessed. Checks for
existence, non-regular files, and permissions were expected to be done in the
route handler. For static routes, this now permits a compressed file to exist
without its uncompressed variant and still be served. In addition, this
changes the response status for files without read permission to 403, and for
non-regular files from 404 to 403 for consistency.

Related issues and pull requests on GitHub:
:issue:8182.
Fixed AsyncResolver to match ThreadedResolver behavior
-- by :user:bdraco.

On system with IPv6 support, the :py:class:~aiohttp.resolver.AsyncResolver would not fallback
to providing A records when AAAA records were not available.
Additionally, unlike the :py:class:~aiohttp.resolver.ThreadedResolver, the :py:class:~aiohttp.resolver.AsyncResolver
did not handle link-local addresses correctly.

This change makes the behavior consistent with the :py:class:~aiohttp.resolver.ThreadedResolver.

Related issues and pull requests on GitHub:
:issue:8270.
Fixed ws_connect not respecting receive_timeout`` on WS(S) connection. -- by :user:arcivanov`.

Related issues and pull requests on GitHub:
:issue:8444.
Removed blocking I/O in the event loop for static resources and refactored
exception handling -- by :user:steverep.

File system calls when handling requests for static routes were moved to a
separate thread to potentially improve performance. Exception handling
was tightened in order to only return 403 Forbidden or 404 Not Found responses
for expected scenarios; 500 Internal Server Error would be returned for any
unknown errors.

Related issues and pull requests on GitHub:
:issue:8507.

Features

Added a Request.wait_for_disconnection() method, as means of allowing request handlers to be notified of premature client disconnections.

Related issues and pull requests on GitHub:
:issue:2492.
Added 5 new exceptions: :py:exc:~aiohttp.InvalidUrlClientError, :py:exc:~aiohttp.RedirectClientError,
:py:exc:~aiohttp.NonHttpUrlClientError, :py:exc:~aiohttp.InvalidUrlRedirectClientError,
:py:exc:~aiohttp.NonHttpUrlRedirectClientError

:py:exc:~aiohttp.InvalidUrlRedirectClientError, :py:exc:~aiohttp.NonHttpUrlRedirectClientError
are raised instead of :py:exc:ValueError or :py:exc:~aiohttp.InvalidURL when the redirect URL is invalid. Classes
:py:exc:~aiohttp.InvalidUrlClientError, :py:exc:~aiohttp.RedirectClientError,
:py:exc:~aiohttp.NonHttpUrlClientError are base for them.

The :py:exc:~aiohttp.InvalidURL now exposes a description property with the text explanation of the error details.

-- by :user:setla, :user:AraHaan, and :user:bdraco

Related issues and pull requests on GitHub:
:issue:2507, :issue:3315, :issue:6722, :issue:8481, :issue:8482.
Added a feature to retry closed connections automatically for idempotent methods. -- by :user:Dreamsorcerer

Related issues and pull requests on GitHub:
:issue:7297.

Implemented filter_cookies() with domain-matching and path-matching on the keys, instead of testing every single cookie.
This may break existing cookies that have been saved with CookieJar.save(). Cookies can be migrated with this script::

import pickle
with file_path.open("rb") as f:
    cookies = pickle.load(f)

morsels = [(name, m) for c in cookies.values() for name, m in c.items()]
cookies.clear()
for name, m in morsels:
    cookies[(m["domain"], m["path"].rstrip("/"))][name] = m

with file_path.open("wb") as f:
    pickle.dump(cookies, f, pickle.HIGHEST_PROTOCOL)

Related issues and pull requests on GitHub:
:issue:7583, :issue:8535.

Separated connection and socket timeout errors, from ServerTimeoutError.

Related issues and pull requests on GitHub:
:issue:7801.
Implemented happy eyeballs

Related issues and pull requests on GitHub:
:issue:7954.
Added server capability to check for static files with Brotli compression via a .br extension -- by :user:steverep.

Related issues and pull requests on GitHub:
:issue:8062.

Removals and backward incompatible breaking changes

The shutdown logic in 3.9 waited on all tasks, which caused issues with some libraries.
In 3.10 we've changed this logic to only wait on request handlers. This means that it's
important for developers to correctly handle the lifecycle of background tasks using a
library such as aiojobs. If an application is using handler_cancellation=True then
it is also a good idea to ensure that any :func:asyncio.shield calls are replaced with
:func:aiojobs.aiohttp.shield.

Please read the updated documentation on these points:
https://docs.aiohttp.org/en/stable/web_advanced.html#graceful-shutdown
https://docs.aiohttp.org/en/stable/web_advanced.html#web-handler-cancellation

-- by :user:Dreamsorcerer

Related issues and pull requests on GitHub:
:issue:8495.

Improved documentation

Added documentation for aiohttp.web.FileResponse.

Related issues and pull requests on GitHub:
:issue:3958.
Improved the docs for the ssl params.

Related issues and pull requests on GitHub:
:issue:8403.

Contributor-facing changes

Enabled HTTP parser tests originally intended for 3.9.2 release -- by :user:pajod.

Related issues and pull requests on GitHub:
:issue:8088.

Miscellaneous internal changes

Improved URL handler resolution time by indexing resources in the UrlDispatcher.
For applications with a large number of handlers, this should increase performance significantly.
-- by :user:bdraco

Related issues and pull requests on GitHub:
:issue:7829.
Added nacl_middleware <https://github.com/CosmicDNA/nacl_middleware>_ to the list of middlewares in the third party section of the documentation.

Related issues and pull requests on GitHub:
:issue:8346.
Minor improvements to static typing -- by :user:Dreamsorcerer.

Related issues and pull requests on GitHub:
:issue:8364.
Added a 3.11-specific overloads to ClientSession -- by :user:max-muoto.

Related issues and pull requests on GitHub:
:issue:8463.
Simplified path checks for UrlDispatcher.add_static() method -- by :user:steverep.

Related issues and pull requests on GitHub:
:issue:8491.
Avoided creating a future on every websocket receive -- by :user:bdraco.

Related issues and pull requests on GitHub:
:issue:8498.
Updated identity checks for all WSMsgType type compares -- by :user:bdraco.

Related issues and pull requests on GitHub:
:issue:8501.
When using Python 3.12 or later, the writer is no longer scheduled on the event loop if it can finish synchronously. Avoiding event loop scheduling reduces latency and improves performance. -- by :user:bdraco.

Related issues and pull requests on GitHub:
:issue:8510.
Restored :py:class:~aiohttp.resolver.AsyncResolver to be the default resolver. -- by :user:bdraco.

:py:class:~aiohttp.resolver.AsyncResolver was disabled by default because
of IPv6 compatibility issues. These issues have been resolved and
:py:class:~aiohttp.resolver.AsyncResolver is again now the default resolver.

Related issues and pull requests on GitHub:
:issue:8522.

`v3.9.5`

Compare Source

==================

Bug fixes

Fixed "Unclosed client session" when initialization of
:py:class:~aiohttp.ClientSession fails -- by :user:NewGlad.

Related issues and pull requests on GitHub:
:issue:8253.
Fixed regression (from :pr:8280) with adding Content-Disposition to the form-data
part after appending to writer -- by :user:Dreamsorcerer/:user:Olegt0rr.

Related issues and pull requests on GitHub:
:issue:8332.
Added default Content-Disposition in multipart/form-data responses to avoid broken
form-data responses -- by :user:Dreamsorcerer.

Related issues and pull requests on GitHub:
:issue:8335.

`v3.9.4`

Compare Source

==================

Bug fixes

The asynchronous internals now set the underlying causes
when assigning exceptions to the future objects
-- by :user:webknjaz.

Related issues and pull requests on GitHub:
:issue:8089.
Treated values of Accept-Encoding header as case-insensitive when checking
for gzip files -- by :user:steverep.

Related issues and pull requests on GitHub:
:issue:8104.
Improved the DNS resolution performance on cache hit -- by :user:bdraco.

This is achieved by avoiding an :mod:asyncio task creation in this case.

Related issues and pull requests on GitHub:
:issue:8163.
Changed the type annotations to allow dict on :meth:aiohttp.MultipartWriter.append,
:meth:aiohttp.MultipartWriter.append_json and
:meth:aiohttp.MultipartWriter.append_form -- by :user:cakemanny

Related issues and pull requests on GitHub:
:issue:7741.
Ensure websocket transport is closed when client does not close it
-- by :user:bdraco.

The transport could remain open if the client did not close it. This
change ensures the transport is closed when the client does not close
it.

Related issues and pull requests on GitHub:
:issue:8200.
Leave websocket transport open if receive times out or is cancelled
-- by :user:bdraco.

This restores the behavior prior to the change in #7978.

Related issues and pull requests on GitHub:
:issue:8251.
Fixed content not being read when an upgrade request was not supported with the pure Python implementation.
-- by :user:bdraco.

Related issues and pull requests on GitHub:
:issue:8252.
Fixed a race condition with incoming connections during server shutdown -- by :user:Dreamsorcerer.

Related issues and pull requests on GitHub:
:issue:8271.
Fixed multipart/form-data compliance with :rfc:7578 -- by :user:Dreamsorcerer.

Related issues and pull requests on GitHub:
:issue:8280.
Fixed blocking I/O in the event loop while processing files in a POST request
-- by :user:bdraco.

Related issues and pull requests on GitHub:
:issue:8283.
Escaped filenames in static view -- by :user:bdraco.

Related issues and pull requests on GitHub:
:issue:8317.
Fixed the pure python parser to mark a connection as closing when a
response has no length -- by :user:Dreamsorcerer.

Related issues and pull requests on GitHub:
:issue:8320.

Features

Upgraded llhttp to 9.2.1, and started rejecting obsolete line folding
in Python parser to match -- by :user:Dreamsorcerer.

Related issues and pull requests on GitHub:
:issue:8146, :issue:8292.

Deprecations (removal in next major release)

Deprecated content_transfer_encoding parameter in :py:meth:FormData.add_field() <aiohttp.FormData.add_field> -- by :user:Dreamsorcerer.

Related issues and pull requests on GitHub:
:issue:8280.

Improved documentation

Added a note about canceling tasks to avoid delaying server shutdown -- by :user:Dreamsorcerer.

Related issues and pull requests on GitHub:
:issue:8267.

Contributor-facing changes

The pull request template is now asking the contributors to
answer a question about the long-term maintenance challenges
they envision as a result of merging their patches
-- by :user:webknjaz.

Related issues and pull requests on GitHub:
:issue:8099.
Updated CI and documentation to use NPM clean install and upgrade
node to version 18 -- by :user:steverep.

Related issues and pull requests on GitHub:
:issue:8116.
A pytest fixture hello_txt was introduced to aid
static file serving tests in
:file:test_web_sendfile_functional.py. It dynamically
provisions hello.txt file variants shared across the
tests in the module.

-- by :user:steverep

Related issues and pull requests on GitHub:
:issue:8136.

Packaging updates and notes for downstreams

Added an internal pytest marker for tests which should be skipped
by packagers (use -m 'not internal' to disable them) -- by :user:Dreamsorcerer.

Related issues and pull requests on GitHub:
:issue:8299.

`v3.9.3`

Compare Source

==================

Bug fixes

Fixed backwards compatibility breakage (in 3.9.2) of ssl parameter when set outside
of ClientSession (e.g. directly in TCPConnector) -- by :user:Dreamsorcerer.

Related issues and pull requests on GitHub:
:issue:8097, :issue:8098.

Miscellaneous internal changes

Improved test suite handling of paths and temp files to consistently use pathlib and pytest fixtures.

Related issues and pull requests on GitHub:
:issue:3957.

`v3.9.2`

Compare Source

==================

Bug fixes

Fixed server-side websocket connection leak.

Related issues and pull requests on GitHub:
:issue:7978.
Fixed web.FileResponse doing blocking I/O in the event loop.

Related issues and pull requests on GitHub:
:issue:8012.
Fixed double compress when compression enabled and compressed file exists in server file responses.

Related issues and pull requests on GitHub:
:issue:8014.
Added runtime type check for ClientSession timeout parameter.

Related issues and pull requests on GitHub:
:issue:8021.
Fixed an unhandled exception in the Python HTTP parser on header lines starting with a colon -- by :user:pajod.

Invalid request lines with anything but a dot between the HTTP major and minor version are now rejected.
Invalid header field names containing question mark or slash are now rejected.
Such requests are incompatible with :rfc:9110#section-5.6.2 and are not known to be of any legitimate use.

Related issues and pull requests on GitHub:
:issue:8074.
Improved validation of paths for static resources requests to the server -- by :user:bdraco.

Related issues and pull requests on GitHub:
:issue:8079.

Features

Added support for passing :py:data:True to ssl parameter in ClientSession while
deprecating :py:data:None -- by :user:xiangyan99.

Related issues and pull requests on GitHub:
:issue:7698.

Breaking changes

Fixed an unhandled exception in the Python HTTP parser on header lines starting with a colon -- by :user:pajod.

Invalid request lines with anything but a dot between the HTTP major and minor version are now rejected.
Invalid header field names containing question mark or slash are now rejected.
Such requests are incompatible with :rfc:9110#section-5.6.2 and are not known to be of any legitimate use.

Related issues and pull requests on GitHub:
:issue:8074.

Improved documentation

Fixed examples of fallback_charset_resolver function in the :doc:client_advanced document. -- by :user:henry0312.

Related issues and pull requests on GitHub:
:issue:7995.
The Sphinx setup was updated to avoid showing the empty
changelog draft section in the tagged release documentation
builds on Read The Docs -- by :user:webknjaz.

Related issues and pull requests on GitHub:
:issue:8067.

Packaging updates and notes for downstreams

The changelog categorization was made clearer. The
contributors can now mark their fragment files more
accurately -- by :user:webknjaz.

The new category tags are:
```
* ``bugfix``

* ``feature``

* ``deprecation``

* ``breaking`` (previously, ``removal``)

* ``doc``

* ``packaging``

* ``contrib``

* ``misc``
```
Related issues and pull requests on GitHub:
:issue:8066.

Contributor-facing changes

Updated :ref:contributing/Tests coverage <aiohttp-contributing> section to show how we use codecov -- by :user:Dreamsorcerer.

Related issues and pull requests on GitHub:
:issue:7916.
The changelog categorization was made clearer. The
contributors can now mark their fragment files more
accurately -- by :user:webknjaz.

The new category tags are:
```
* ``bugfix``

* ``feature``

* ``deprecation``

* ``breaking`` (previously, ``removal``)

* ``doc``

* ``packaging``

* ``contrib``

* ``misc``
```
Related issues and pull requests on GitHub:
:issue:8066.

Miscellaneous internal changes

Replaced all tmpdir fixtures with tmp_path in test suite.

Related issues and pull requests on GitHub:
:issue:3551.

`v3.9.1`

Compare Source

==================

Bugfixes

Fixed importing aiohttp under PyPy on Windows.

#7848 <https://github.com/aio-libs/aiohttp/issues/7848>_
Fixed async concurrency safety in websocket compressor.

#7865 <https://github.com/aio-libs/aiohttp/issues/7865>_
Fixed ClientResponse.close() releasing the connection instead of closing.

#7869 <https://github.com/aio-libs/aiohttp/issues/7869>_
Fixed a regression where connection may get closed during upgrade. -- by :user:Dreamsorcerer

#7879 <https://github.com/aio-libs/aiohttp/issues/7879>_
Fixed messages being reported as upgraded without an Upgrade header in Python parser. -- by :user:Dreamsorcerer

#7895 <https://github.com/aio-libs/aiohttp/issues/7895>_

`v3.9.0`

Compare Source

==================

Features

Introduced AppKey for static typing support of Application storage.
See https://docs.aiohttp.org/en/stable/web_advanced.html#application-s-config

#5864 <https://github.com/aio-libs/aiohttp/issues/5864>_
Added a graceful shutdown period which allows pending tasks to complete before the application's cleanup is called.
The period can be adjusted with the shutdown_timeout parameter. -- by :user:Dreamsorcerer.
See https://docs.aiohttp.org/en/latest/web_advanced.html#graceful-shutdown

#7188 <https://github.com/aio-libs/aiohttp/issues/7188>_
Added handler_cancellation <https://docs.aiohttp.org/en/stable/web_advanced.html#web-handler-cancellation>_ parameter to cancel web handler on client disconnection. -- by :user:mosquito
This (optionally) reintroduces a feature removed in a previous release.
Recommended for those looking for an extra level of protection against denial-of-service attacks.

#7056 <https://github.com/aio-libs/aiohttp/issues/7056>_
Added support for setting response header parameters max_line_size and max_field_size.

#2304 <https://github.com/aio-libs/aiohttp/issues/2304>_
Added auto_decompress parameter to ClientSession.request to override ClientSession._auto_decompress. -- by :user:Daste745

#3751 <https://github.com/aio-libs/aiohttp/issues/3751>_
Changed raise_for_status to allow a coroutine.

#3892 <https://github.com/aio-libs/aiohttp/issues/3892>_
Added client brotli compression support (optional with runtime check).

#5219 <https://github.com/aio-libs/aiohttp/issues/5219>_
Added client_max_size to BaseRequest.clone() to allow overriding the request body size. -- :user:anesabml.

#5704 <https://github.com/aio-libs/aiohttp/issues/5704>_
Added a middleware type alias aiohttp.typedefs.Middleware.

#5898 <https://github.com/aio-libs/aiohttp/issues/5898>_
Exported HTTPMove which can be used to catch any redirection request
that has a location -- :user:dreamsorcerer.

#6594 <https://github.com/aio-libs/aiohttp/issues/6594>_
Changed the path parameter in web.run_app() to accept a pathlib.Path object.

#6839 <https://github.com/aio-libs/aiohttp/issues/6839>_
Performance: Skipped filtering CookieJar when the jar is empty or all cookies have expired.

#7819 <https://github.com/aio-libs/aiohttp/issues/7819>_
Performance: Only check origin if insecure scheme and there are origins to treat as secure, in CookieJar.filter_cookies().

#7821 <https://github.com/aio-libs/aiohttp/issues/7821>_
Performance: Used timestamp instead of datetime to achieve faster cookie expiration in CookieJar.

#7824 <https://github.com/aio-libs/aiohttp/issues/7824>_
Added support for passing a custom server name parameter to HTTPS connection.

#7114 <https://github.com/aio-libs/aiohttp/issues/7114>_
Added support for using Basic Auth credentials from :file:.netrc file when making HTTP requests with the
:py:class:~aiohttp.ClientSession trust_env argument is set to True. -- by :user:yuvipanda.

#7131 <https://github.com/aio-libs/aiohttp/issues/7131>_
Turned access log into no-op when the logger is disabled.

#7240 <https://github.com/aio-libs/aiohttp/issues/7240>_
Added typing information to RawResponseMessage. -- by :user:Gobot1234

#7365 <https://github.com/aio-libs/aiohttp/issues/7365>_
Removed async-timeout for Python 3.11+ (replaced with asyncio.timeout() on newer releases).

#7502 <https://github.com/aio-libs/aiohttp/issues/7502>_
Added support for brotlicffi as an alternative to brotli (fixing Brotli support on PyPy).

#7611 <https://github.com/aio-libs/aiohttp/issues/7611>_
Added WebSocketResponse.get_extra_info() to access a protocol transport's extra info.

#7078 <https://github.com/aio-libs/aiohttp/issues/7078>_
Allow link argument to be set to None/empty in HTTP 451 exception.

#7689 <https://github.com/aio-libs/aiohttp/issues/7689>_

Bugfixes

Implemented stripping the trailing dots from fully-qualified domain names in Host headers and TLS context when acting as an HTTP client.
This allows the client to connect to URLs with FQDN host name like https://example.com./.
-- by :user:martin-sucha.

#3636 <https://github.com/aio-libs/aiohttp/issues/3636>_
Fixed client timeout not working when incoming data is always available without waiting. -- by :user:Dreamsorcerer.

#5854 <https://github.com/aio-libs/aiohttp/issues/5854>_
Fixed readuntil to work with a delimiter of more than one character.

#6701 <https://github.com/aio-libs/aiohttp/issues/6701>_
Added __repr__ to EmptyStreamReader to avoid AttributeError.

#6916 <https://github.com/aio-libs/aiohttp/issues/6916>_
Fixed bug when using TCPConnector with ttl_dns_cache=0.

#7014 <https://github.com/aio-libs/aiohttp/issues/7014>_
Fixed response returned from expect handler being thrown away. -- by :user:Dreamsorcerer

#7025 <https://github.com/aio-libs/aiohttp/issues/7025>_
Avoided raising UnicodeDecodeError in multipart and in HTTP headers parsing.

#7044 <https://github.com/aio-libs/aiohttp/issues/7044>_
Changed sock_read timeout to start after writing has finished, avoiding read timeouts caused by an unfinished write. -- by :user:dtrifiro

#7149 <https://github.com/aio-libs/aiohttp/issues/7149>_
Fixed missing query in tracing method URLs when using yarl 1.9+.

#7259 <https://github.com/aio-libs/aiohttp/issues/7259>_
Changed max 32-bit timestamp to an aware datetime object, for consistency with the non-32-bit one, and to avoid a DeprecationWarning on Python 3.12.

#7302 <https://github.com/aio-libs/aiohttp/issues/7302>_
Fixed EmptyStreamReader.iter_chunks() never ending. -- by :user:mind1m

#7616 <https://github.com/aio-libs/aiohttp/issues/7616>_
Fixed a rare RuntimeError: await wasn't used with future exception. -- by :user:stalkerg

#7785 <https://github.com/aio-libs/aiohttp/issues/7785>_
Fixed issue with insufficient HTTP method and version validation.

#7700 <https://github.com/aio-libs/aiohttp/issues/7700>_
Added check to validate that absolute URIs have schemes.

#7712 <https://github.com/aio-libs/aiohttp/issues/7712>_
Fixed unhandled exception when Python HTTP parser encounters unpaired Unicode surrogates.

#7715 <https://github.com/aio-libs/aiohttp/issues/7715>_
Updated parser to disallow invalid characters in header field names and stop accepting LF as a request line separator.

#7719 <https://github.com/aio-libs/aiohttp/issues/7719>_
Fixed Python HTTP parser not treating 204/304/1xx as an empty body.

#7755 <https://github.com/aio-libs/aiohttp/issues/7755>_
Ensure empty body response for 1xx/204/304 per RFC 9112 sec 6.3.

#7756 <https://github.com/aio-libs/aiohttp/issues/7756>_
Fixed an issue when a client request is closed before completing a chunked payload. -- by :user:Dreamsorcerer

#7764 <https://github.com/aio-libs/aiohttp/issues/7764>_
Edge Case Handling for ResponseParser for missing reason value.

#7776 <https://github.com/aio-libs/aiohttp/issues/7776>\

mend-for-github-com bot added the security fix Security fix generated by Mend label Nov 6, 2024

Update dependency aiohttp to v3.10.11

58fcc6c

mend-for-github-com bot force-pushed the whitesource-remediate/aiohttp-3.x branch from 4890ea4 to 58fcc6c Compare November 19, 2024 21:00

mend-for-github-com bot changed the title ~~Update dependency aiohttp to v3.10.2~~ Update dependency aiohttp to v3.10.11 Nov 19, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update dependency aiohttp to v3.10.11 #3

Update dependency aiohttp to v3.10.11 #3

mend-for-github-com bot commented Nov 6, 2024 •

edited

Loading

Update dependency aiohttp to v3.10.11 #3

Are you sure you want to change the base?

Update dependency aiohttp to v3.10.11 #3

Conversation

mend-for-github-com bot commented Nov 6, 2024 • edited Loading

Release Notes

Bug fixes

Removals and backward incompatible breaking changes

Miscellaneous internal changes

Bug fixes

Features

Miscellaneous internal changes

Bug fixes

Removals and backward incompatible breaking changes

Miscellaneous internal changes

Bug fixes

Bug fixes

Miscellaneous internal changes

Bug fixes

Features

Removals and backward incompatible breaking changes

Improved documentation

Packaging updates and notes for downstreams

Miscellaneous internal changes

Bug fixes

Miscellaneous internal changes

Bug fixes

Improved documentation

Miscellaneous internal changes

Bug fixes

Miscellaneous internal changes

Bug fixes

Removals and backward incompatible breaking changes

Contributor-facing changes

Miscellaneous internal changes

Bug fixes

Removals and backward incompatible breaking changes

Miscellaneous internal changes

Bug fixes

Features

Removals and backward incompatible breaking changes

Improved documentation

Contributor-facing changes

Miscellaneous internal changes

Bug fixes

Bug fixes

Features

Deprecations (removal in next major release)

Improved documentation

Contributor-facing changes

Packaging updates and notes for downstreams

Bug fixes

Miscellaneous internal changes

Bug fixes

Features

Breaking changes

Improved documentation

Packaging updates and notes for downstreams

Contributor-facing changes

Miscellaneous internal changes

Bugfixes

Features

Bugfixes

mend-for-github-com bot commented Nov 6, 2024 •

edited

Loading