Update dependency aiohttp to v3.9.4 [SECURITY] #539

renovate · 2023-11-15T01:31:41Z

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
aiohttp	`==3.8.1` -> `==3.9.4`

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2024-23334

Summary

Improperly configuring static resource resolution in aiohttp when used as a web server can result in the unauthorized reading of arbitrary files on the system.

Details

When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if a given file path is within the root directory.This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present.

i.e. An application is only vulnerable with setup code like:

app.router.add_routes([
    web.static("/static", "static/", follow_symlinks=True),  # Remove follow_symlinks to avoid the vulnerability
])

Impact

This is a directory traversal vulnerability with CWE ID 22. When using aiohttp as a web server and enabling static resource resolution with follow_symlinks set to True, it can lead to this vulnerability. This vulnerability has been present since the introduction of the follow_symlinks parameter.

Workaround

Even if upgrading to a patched version of aiohttp, we recommend following these steps regardless.

If using follow_symlinks=True outside of a restricted local development environment, disable the option immediately. This option is NOT needed to follow symlinks which point to a location within the static root directory, it is only intended to allow a symlink to break out of the static directory. Even with this CVE fixed, there is still a substantial risk of misconfiguration when using this option on a server that accepts requests from remote users.

Additionally, aiohttp has always recommended using a reverse proxy server (such as nginx) to handle static resources and not to use these static resources in aiohttp for production environments. Doing so also protects against this vulnerability, and is why we expect the number of affected users to be very low.

Patch: https://github.com/aio-libs/aiohttp/pull/8079/files

CVE-2024-27306

Summary

A XSS vulnerability exists on index pages for static file handling.

Details

When using web.static(..., show_index=True), the resulting index pages do not escape file names.

If users can upload files with arbitrary filenames to the static directory, the server is vulnerable to XSS attacks.

Workaround

We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. Users following the recommendation are unaffected.

Other users can disable show_index if unable to upgrade.

Patch: https://github.com/aio-libs/aiohttp/pull/8319/files

CVE-2024-30251

Summary

An attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server processes it, the server will enter an infinite loop and be unable to process any further requests.

Impact

An attacker can stop the application from serving requests after sending a single request.

For anyone needing to patch older versions of aiohttp, the minimum diff needed to resolve the issue is (located in _read_chunk_from_length()):

diff --git a/aiohttp/multipart.py b/aiohttp/multipart.py
index 227be605c..71fc2654a 100644
--- a/aiohttp/multipart.py
+++ b/aiohttp/multipart.py
@&#8203;@&#8203; -338,6 +338,8 @&#8203;@&#8203; class BodyPartReader:
         assert self._length is not None, "Content-Length required for chunked read"
         chunk_size = min(size, self._length - self._read_bytes)
         chunk = await self._content.read(chunk_size)
+        if self._content.at_eof():
+            self._at_eof = True
         return chunk
 
     async def _read_chunk_from_stream(self, size: int) -> bytes:

This does however introduce some very minor issues with handling form data. So, if possible, it would be recommended to also backport the changes in:
aio-libs/aiohttp@cebe526
aio-libs/aiohttp@7eecdff
aio-libs/aiohttp@f21c6f2

Release Notes

aio-libs/aiohttp (aiohttp)

`v3.9.4`

Compare Source

==================

Bug fixes

The asynchronous internals now set the underlying causes
when assigning exceptions to the future objects
-- by :user:webknjaz.

Related issues and pull requests on GitHub:
:issue:8089.
Treated values of Accept-Encoding header as case-insensitive when checking
for gzip files -- by :user:steverep.

Related issues and pull requests on GitHub:
:issue:8104.
Improved the DNS resolution performance on cache hit -- by :user:bdraco.

This is achieved by avoiding an :mod:asyncio task creation in this case.

Related issues and pull requests on GitHub:
:issue:8163.
Changed the type annotations to allow dict on :meth:aiohttp.MultipartWriter.append,
:meth:aiohttp.MultipartWriter.append_json and
:meth:aiohttp.MultipartWriter.append_form -- by :user:cakemanny

Related issues and pull requests on GitHub:
:issue:7741.
Ensure websocket transport is closed when client does not close it
-- by :user:bdraco.

The transport could remain open if the client did not close it. This
change ensures the transport is closed when the client does not close
it.

Related issues and pull requests on GitHub:
:issue:8200.
Leave websocket transport open if receive times out or is cancelled
-- by :user:bdraco.

This restores the behavior prior to the change in #7978.

Related issues and pull requests on GitHub:
:issue:8251.
Fixed content not being read when an upgrade request was not supported with the pure Python implementation.
-- by :user:bdraco.

Related issues and pull requests on GitHub:
:issue:8252.
Fixed a race condition with incoming connections during server shutdown -- by :user:Dreamsorcerer.

Related issues and pull requests on GitHub:
:issue:8271.
Fixed multipart/form-data compliance with :rfc:7578 -- by :user:Dreamsorcerer.

Related issues and pull requests on GitHub:
:issue:8280.
Fixed blocking I/O in the event loop while processing files in a POST request
-- by :user:bdraco.

Related issues and pull requests on GitHub:
:issue:8283.
Escaped filenames in static view -- by :user:bdraco.

Related issues and pull requests on GitHub:
:issue:8317.
Fixed the pure python parser to mark a connection as closing when a
response has no length -- by :user:Dreamsorcerer.

Related issues and pull requests on GitHub:
:issue:8320.

Features

Upgraded llhttp to 9.2.1, and started rejecting obsolete line folding
in Python parser to match -- by :user:Dreamsorcerer.

Related issues and pull requests on GitHub:
:issue:8146, :issue:8292.

Deprecations (removal in next major release)

Deprecated content_transfer_encoding parameter in :py:meth:FormData.add_field() <aiohttp.FormData.add_field> -- by :user:Dreamsorcerer.

Related issues and pull requests on GitHub:
:issue:8280.

Improved documentation

Added a note about canceling tasks to avoid delaying server shutdown -- by :user:Dreamsorcerer.

Related issues and pull requests on GitHub:
:issue:8267.

Contributor-facing changes

The pull request template is now asking the contributors to
answer a question about the long-term maintenance challenges
they envision as a result of merging their patches
-- by :user:webknjaz.

Related issues and pull requests on GitHub:
:issue:8099.
Updated CI and documentation to use NPM clean install and upgrade
node to version 18 -- by :user:steverep.

Related issues and pull requests on GitHub:
:issue:8116.
A pytest fixture hello_txt was introduced to aid
static file serving tests in
:file:test_web_sendfile_functional.py. It dynamically
provisions hello.txt file variants shared across the
tests in the module.

-- by :user:steverep

Related issues and pull requests on GitHub:
:issue:8136.

Packaging updates and notes for downstreams

Added an internal pytest marker for tests which should be skipped
by packagers (use -m 'not internal' to disable them) -- by :user:Dreamsorcerer.

Related issues and pull requests on GitHub:
:issue:8299.

`v3.9.3`

Compare Source

==================

Bug fixes

Fixed backwards compatibility breakage (in 3.9.2) of ssl parameter when set outside
of ClientSession (e.g. directly in TCPConnector) -- by :user:Dreamsorcerer.

Related issues and pull requests on GitHub:
:issue:8097, :issue:8098.

Miscellaneous internal changes

Improved test suite handling of paths and temp files to consistently use pathlib and pytest fixtures.

Related issues and pull requests on GitHub:
:issue:3957.

`v3.9.2`

Compare Source

==================

Bug fixes

Fixed server-side websocket connection leak.

Related issues and pull requests on GitHub:
:issue:7978.
Fixed web.FileResponse doing blocking I/O in the event loop.

Related issues and pull requests on GitHub:
:issue:8012.
Fixed double compress when compression enabled and compressed file exists in server file responses.

Related issues and pull requests on GitHub:
:issue:8014.
Added runtime type check for ClientSession timeout parameter.

Related issues and pull requests on GitHub:
:issue:8021.
Fixed an unhandled exception in the Python HTTP parser on header lines starting with a colon -- by :user:pajod.

Invalid request lines with anything but a dot between the HTTP major and minor version are now rejected.
Invalid header field names containing question mark or slash are now rejected.
Such requests are incompatible with :rfc:9110#section-5.6.2 and are not known to be of any legitimate use.

Related issues and pull requests on GitHub:
:issue:8074.
Improved validation of paths for static resources requests to the server -- by :user:bdraco.

Related issues and pull requests on GitHub:
:issue:8079.

Features

Added support for passing :py:data:True to ssl parameter in ClientSession while
deprecating :py:data:None -- by :user:xiangyan99.

Related issues and pull requests on GitHub:
:issue:7698.

Breaking changes

Fixed an unhandled exception in the Python HTTP parser on header lines starting with a colon -- by :user:pajod.

Invalid request lines with anything but a dot between the HTTP major and minor version are now rejected.
Invalid header field names containing question mark or slash are now rejected.
Such requests are incompatible with :rfc:9110#section-5.6.2 and are not known to be of any legitimate use.

Related issues and pull requests on GitHub:
:issue:8074.

Improved documentation

Fixed examples of fallback_charset_resolver function in the :doc:client_advanced document. -- by :user:henry0312.

Related issues and pull requests on GitHub:
:issue:7995.
The Sphinx setup was updated to avoid showing the empty
changelog draft section in the tagged release documentation
builds on Read The Docs -- by :user:webknjaz.

Related issues and pull requests on GitHub:
:issue:8067.

Packaging updates and notes for downstreams

The changelog categorization was made clearer. The
contributors can now mark their fragment files more
accurately -- by :user:webknjaz.

The new category tags are:
```
* ``bugfix``

* ``feature``

* ``deprecation``

* ``breaking`` (previously, ``removal``)

* ``doc``

* ``packaging``

* ``contrib``

* ``misc``
```
Related issues and pull requests on GitHub:
:issue:8066.

Contributor-facing changes

Updated :ref:contributing/Tests coverage <aiohttp-contributing> section to show how we use codecov -- by :user:Dreamsorcerer.

Related issues and pull requests on GitHub:
:issue:7916.
The changelog categorization was made clearer. The
contributors can now mark their fragment files more
accurately -- by :user:webknjaz.

The new category tags are:
```
* ``bugfix``

* ``feature``

* ``deprecation``

* ``breaking`` (previously, ``removal``)

* ``doc``

* ``packaging``

* ``contrib``

* ``misc``
```
Related issues and pull requests on GitHub:
:issue:8066.

Miscellaneous internal changes

Replaced all tmpdir fixtures with tmp_path in test suite.

Related issues and pull requests on GitHub:
:issue:3551.

`v3.9.1`

Compare Source

==================

Bugfixes

Fixed importing aiohttp under PyPy on Windows.

#7848 <https://github.com/aio-libs/aiohttp/issues/7848>_
Fixed async concurrency safety in websocket compressor.

#7865 <https://github.com/aio-libs/aiohttp/issues/7865>_
Fixed ClientResponse.close() releasing the connection instead of closing.

#7869 <https://github.com/aio-libs/aiohttp/issues/7869>_
Fixed a regression where connection may get closed during upgrade. -- by :user:Dreamsorcerer

#7879 <https://github.com/aio-libs/aiohttp/issues/7879>_
Fixed messages being reported as upgraded without an Upgrade header in Python parser. -- by :user:Dreamsorcerer

#7895 <https://github.com/aio-libs/aiohttp/issues/7895>_

`v3.9.0`

Compare Source

==================

Features

Introduced AppKey for static typing support of Application storage.
See https://docs.aiohttp.org/en/stable/web_advanced.html#application-s-config

#5864 <https://github.com/aio-libs/aiohttp/issues/5864>_
Added a graceful shutdown period which allows pending tasks to complete before the application's cleanup is called.
The period can be adjusted with the shutdown_timeout parameter. -- by :user:Dreamsorcerer.
See https://docs.aiohttp.org/en/latest/web_advanced.html#graceful-shutdown

#7188 <https://github.com/aio-libs/aiohttp/issues/7188>_
Added handler_cancellation <https://docs.aiohttp.org/en/stable/web_advanced.html#web-handler-cancellation>_ parameter to cancel web handler on client disconnection. -- by :user:mosquito
This (optionally) reintroduces a feature removed in a previous release.
Recommended for those looking for an extra level of protection against denial-of-service attacks.

#7056 <https://github.com/aio-libs/aiohttp/issues/7056>_
Added support for setting response header parameters max_line_size and max_field_size.

#2304 <https://github.com/aio-libs/aiohttp/issues/2304>_
Added auto_decompress parameter to ClientSession.request to override ClientSession._auto_decompress. -- by :user:Daste745

#3751 <https://github.com/aio-libs/aiohttp/issues/3751>_
Changed raise_for_status to allow a coroutine.

#3892 <https://github.com/aio-libs/aiohttp/issues/3892>_
Added client brotli compression support (optional with runtime check).

#5219 <https://github.com/aio-libs/aiohttp/issues/5219>_
Added client_max_size to BaseRequest.clone() to allow overriding the request body size. -- :user:anesabml.

#5704 <https://github.com/aio-libs/aiohttp/issues/5704>_
Added a middleware type alias aiohttp.typedefs.Middleware.

#5898 <https://github.com/aio-libs/aiohttp/issues/5898>_
Exported HTTPMove which can be used to catch any redirection request
that has a location -- :user:dreamsorcerer.

#6594 <https://github.com/aio-libs/aiohttp/issues/6594>_
Changed the path parameter in web.run_app() to accept a pathlib.Path object.

#6839 <https://github.com/aio-libs/aiohttp/issues/6839>_
Performance: Skipped filtering CookieJar when the jar is empty or all cookies have expired.

#7819 <https://github.com/aio-libs/aiohttp/issues/7819>_
Performance: Only check origin if insecure scheme and there are origins to treat as secure, in CookieJar.filter_cookies().

#7821 <https://github.com/aio-libs/aiohttp/issues/7821>_
Performance: Used timestamp instead of datetime to achieve faster cookie expiration in CookieJar.

#7824 <https://github.com/aio-libs/aiohttp/issues/7824>_
Added support for passing a custom server name parameter to HTTPS connection.

#7114 <https://github.com/aio-libs/aiohttp/issues/7114>_
Added support for using Basic Auth credentials from :file:.netrc file when making HTTP requests with the
:py:class:~aiohttp.ClientSession trust_env argument is set to True. -- by :user:yuvipanda.

#7131 <https://github.com/aio-libs/aiohttp/issues/7131>_
Turned access log into no-op when the logger is disabled.

#7240 <https://github.com/aio-libs/aiohttp/issues/7240>_
Added typing information to RawResponseMessage. -- by :user:Gobot1234

#7365 <https://github.com/aio-libs/aiohttp/issues/7365>_
Removed async-timeout for Python 3.11+ (replaced with asyncio.timeout() on newer releases).

#7502 <https://github.com/aio-libs/aiohttp/issues/7502>_
Added support for brotlicffi as an alternative to brotli (fixing Brotli support on PyPy).

#7611 <https://github.com/aio-libs/aiohttp/issues/7611>_
Added WebSocketResponse.get_extra_info() to access a protocol transport's extra info.

#7078 <https://github.com/aio-libs/aiohttp/issues/7078>_
Allow link argument to be set to None/empty in HTTP 451 exception.

#7689 <https://github.com/aio-libs/aiohttp/issues/7689>_

Bugfixes

Implemented stripping the trailing dots from fully-qualified domain names in Host headers and TLS context when acting as an HTTP client.
This allows the client to connect to URLs with FQDN host name like https://example.com./.
-- by :user:martin-sucha.

#3636 <https://github.com/aio-libs/aiohttp/issues/3636>_
Fixed client timeout not working when incoming data is always available without waiting. -- by :user:Dreamsorcerer.

#5854 <https://github.com/aio-libs/aiohttp/issues/5854>_
Fixed readuntil to work with a delimiter of more than one character.

#6701 <https://github.com/aio-libs/aiohttp/issues/6701>_
Added __repr__ to EmptyStreamReader to avoid AttributeError.

#6916 <https://github.com/aio-libs/aiohttp/issues/6916>_
Fixed bug when using TCPConnector with ttl_dns_cache=0.

#7014 <https://github.com/aio-libs/aiohttp/issues/7014>_
Fixed response returned from expect handler being thrown away. -- by :user:Dreamsorcerer

#7025 <https://github.com/aio-libs/aiohttp/issues/7025>_
Avoided raising UnicodeDecodeError in multipart and in HTTP headers parsing.

#7044 <https://github.com/aio-libs/aiohttp/issues/7044>_
Changed sock_read timeout to start after writing has finished, avoiding read timeouts caused by an unfinished write. -- by :user:dtrifiro

#7149 <https://github.com/aio-libs/aiohttp/issues/7149>_
Fixed missing query in tracing method URLs when using yarl 1.9+.

#7259 <https://github.com/aio-libs/aiohttp/issues/7259>_
Changed max 32-bit timestamp to an aware datetime object, for consistency with the non-32-bit one, and to avoid a DeprecationWarning on Python 3.12.

#7302 <https://github.com/aio-libs/aiohttp/issues/7302>_
Fixed EmptyStreamReader.iter_chunks() never ending. -- by :user:mind1m

#7616 <https://github.com/aio-libs/aiohttp/issues/7616>_
Fixed a rare RuntimeError: await wasn't used with future exception. -- by :user:stalkerg

#7785 <https://github.com/aio-libs/aiohttp/issues/7785>_
Fixed issue with insufficient HTTP method and version validation.

#7700 <https://github.com/aio-libs/aiohttp/issues/7700>_
Added check to validate that absolute URIs have schemes.

#7712 <https://github.com/aio-libs/aiohttp/issues/7712>_
Fixed unhandled exception when Python HTTP parser encounters unpaired Unicode surrogates.

#7715 <https://github.com/aio-libs/aiohttp/issues/7715>_
Updated parser to disallow invalid characters in header field names and stop accepting LF as a request line separator.

#7719 <https://github.com/aio-libs/aiohttp/issues/7719>_
Fixed Python HTTP parser not treating 204/304/1xx as an empty body.

#7755 <https://github.com/aio-libs/aiohttp/issues/7755>_
Ensure empty body response for 1xx/204/304 per RFC 9112 sec 6.3.

#7756 <https://github.com/aio-libs/aiohttp/issues/7756>_
Fixed an issue when a client request is closed before completing a chunked payload. -- by :user:Dreamsorcerer

#7764 <https://github.com/aio-libs/aiohttp/issues/7764>_
Edge Case Handling for ResponseParser for missing reason value.

#7776 <https://github.com/aio-libs/aiohttp/issues/7776>_
Fixed ClientWebSocketResponse.close_code being erroneously set to None when there are concurrent async tasks receiving data and closing the connection.

#7306 <https://github.com/aio-libs/aiohttp/issues/7306>_
Added HTTP method validation.

#6533 <https://github.com/aio-libs/aiohttp/issues/6533>_
Fixed arbitrary sequence types being allowed to inject values via version parameter. -- by :user:Dreamsorcerer

#7835 <https://github.com/aio-libs/aiohttp/issues/7835>_
Performance: Fixed increase in latency with small messages from websocket compression changes.

#7797 <https://github.com/aio-libs/aiohttp/issues/7797>_

Improved Documentation

Fixed the ClientResponse.release's type in the doc. Changed from comethod to method.

#5836 <https://github.com/aio-libs/aiohttp/issues/5836>_
Added information on behavior of base_url parameter in ClientSession.

#6647 <https://github.com/aio-libs/aiohttp/issues/6647>_
Fixed ClientResponseError docs.

#6700 <https://github.com/aio-libs/aiohttp/issues/6700>_
Updated Redis code examples to follow the latest API.

#6907 <https://github.com/aio-libs/aiohttp/issues/6907>_
Added a note about possibly needing to update headers when using on_response_prepare. -- by :user:Dreamsorcerer

#7283 <https://github.com/aio-libs/aiohttp/issues/7283>_
Completed trust_env parameter description to honor wss_proxy, ws_proxy or no_proxy env.

#7325 <https://github.com/aio-libs/aiohttp/issues/7325>_
Expanded SSL documentation with more examples (e.g. how to use certifi). -- by :user:Dreamsorcerer

#7334 <https://github.com/aio-libs/aiohttp/issues/7334>_
Fix, update, and improve client exceptions documentation.

#7733 <https://github.com/aio-libs/aiohttp/issues/7733>_

Deprecations and Removals

Added shutdown_timeout parameter to BaseRunner, while
deprecating shutdown_timeout parameter from BaseSite. -- by :user:Dreamsorcerer

#7718 <https://github.com/aio-libs/aiohttp/issues/7718>_
Dropped Python 3.6 support.

#6378 <https://github.com/aio-libs/aiohttp/issues/6378>_
Dropped Python 3.7 support. -- by :user:Dreamsorcerer

#7336 <https://github.com/aio-libs/aiohttp/issues/7336>_
Removed support for abandoned tokio event loop. -- by :user:Dreamsorcerer

#7281 <https://github.com/aio-libs/aiohttp/issues/7281>_

Misc

Made print argument in run_app() optional.

#3690 <https://github.com/aio-libs/aiohttp/issues/3690>_
Improved performance of ceil_timeout in some cases.

#6316 <https://github.com/aio-libs/aiohttp/issues/6316>_
Changed importing Gunicorn to happen on-demand, decreasing import time by ~53%. -- :user:Dreamsorcerer

#6591 <https://github.com/aio-libs/aiohttp/issues/6591>_
Improved import time by replacing http.server with http.HTTPStatus.

#6903 <https://github.com/aio-libs/aiohttp/issues/6903>_
Fixed annotation of ssl parameter to disallow True. -- by :user:Dreamsorcerer.

#7335 <https://github.com/aio-libs/aiohttp/issues/7335>_

`v3.8.6`

Compare Source

==================

Security bugfixes

Upgraded the vendored copy of llhttp_ to v9.1.3 -- by :user:Dreamsorcerer

Thanks to :user:kenballus for reporting this, see
GHSA-pjjw-qhg8-p2p9.

.. _llhttp: https://llhttp.org

#7647 <https://github.com/aio-libs/aiohttp/issues/7647>_
Updated Python parser to comply with RFCs 9110/9112 -- by :user:Dreamorcerer

Thanks to :user:kenballus for reporting this, see
GHSA-gfw2-4jvh-wgfg.

#7663 <https://github.com/aio-libs/aiohttp/issues/7663>_

Deprecation

Added fallback_charset_resolver parameter in ClientSession to allow a user-supplied
character set detection function.

Character set detection will no longer be included in 3.9 as a default. If this feature is needed,
please use fallback_charset_resolver <https://docs.aiohttp.org/en/stable/client_advanced.html#character-set-detection>_.

#7561 <https://github.com/aio-libs/aiohttp/issues/7561>_

Features

Enabled lenient response parsing for more flexible parsing in the client
(this should resolve some regressions when dealing with badly formatted HTTP responses). -- by :user:Dreamsorcerer

#7490 <https://github.com/aio-libs/aiohttp/issues/7490>_

Bugfixes

Fixed PermissionError when .netrc is unreadable due to permissions.

#7237 <https://github.com/aio-libs/aiohttp/issues/7237>_
Fixed output of parsing errors pointing to a \n. -- by :user:Dreamsorcerer

#7468 <https://github.com/aio-libs/aiohttp/issues/7468>_
Fixed GunicornWebWorker max_requests_jitter not working.

#7518 <https://github.com/aio-libs/aiohttp/issues/7518>_
Fixed sorting in filter_cookies to use cookie with longest path. -- by :user:marq24.

#7577 <https://github.com/aio-libs/aiohttp/issues/7577>_
Fixed display of BadStatusLine messages from llhttp_. -- by :user:Dreamsorcerer

#7651 <https://github.com/aio-libs/aiohttp/issues/7651>_

`v3.8.5`: 3.8.5

Compare Source

Security bugfixes

Upgraded the vendored copy of llhttp_ to v8.1.1 -- by :user:webknjaz
and :user:Dreamsorcerer.

Thanks to :user:sethmlarson for reporting this and providing us with
comprehensive reproducer, workarounds and fixing details! For more
information, see
GHSA-45c4-8wx5-qw6w.

.. _llhttp: https://llhttp.org

(#7346)

Features

Added information to C parser exceptions to show which character caused the error. -- by :user:Dreamsorcerer

(#7366)

Bugfixes

Fixed a transport is :data:None error -- by :user:Dreamsorcerer.

(#3355)

`v3.8.4`

Compare Source

==================

Bugfixes

Fixed incorrectly overwriting cookies with the same name and domain, but different path.
#6638 <https://github.com/aio-libs/aiohttp/issues/6638>_
Fixed ConnectionResetError not being raised after client disconnection in SSL environments.
#7180 <https://github.com/aio-libs/aiohttp/issues/7180>_

`v3.8.3`

Compare Source

==================

.. attention::

This is the last :doc:aiohttp <index> release tested under
Python 3.6. The 3.9 stream is dropping it from the CI and the
distribution package metadata.

Bugfixes

Increased the upper boundary of the :doc:multidict:index dependency
to allow for the version 6 -- by :user:hugovk.

It used to be limited below version 7 in :doc:aiohttp <index> v3.8.1 but
was lowered in v3.8.2 via :pr:6550 and never brought back, causing
problems with dependency pins when upgrading. :doc:aiohttp <index> v3.8.3
fixes that by recovering the original boundary of < 7.
#6950 <https://github.com/aio-libs/aiohttp/issues/6950>_

`v3.8.2`

Compare Source

=====================================================

Bugfixes

Support registering OPTIONS HTTP method handlers via RouteTableDef.
#4663 <https://github.com/aio-libs/aiohttp/issues/4663>_
Started supporting authority-form and absolute-form URLs on the server-side.
#6227 <https://github.com/aio-libs/aiohttp/issues/6227>_
Fix Python 3.11 alpha incompatibilities by using Cython 0.29.25
#6396 <https://github.com/aio-libs/aiohttp/issues/6396>_
Remove a deprecated usage of pytest.warns(None)
#6663 <https://github.com/aio-libs/aiohttp/issues/6663>_
Fix regression where asyncio.CancelledError occurs on client disconnection.
#6719 <https://github.com/aio-libs/aiohttp/issues/6719>_
Export :py:class:~aiohttp.web.PrefixedSubAppResource under
:py:mod:aiohttp.web -- by :user:Dreamsorcerer.

This fixes a regression introduced by :pr:3469.
#6889 <https://github.com/aio-libs/aiohttp/issues/6889>_
Dropped the :class:object type possibility from
the :py:attr:aiohttp.ClientSession.timeout
property return type declaration.
#6917 <https://github.com/aio-libs/aiohttp/issues/6917>,
#6923 <https://github.com/aio-libs/aiohttp/issues/6923>

Improved Documentation

Added clarification on configuring the app object with settings such as a db connection.
#4137 <https://github.com/aio-libs/aiohttp/issues/4137>_
Edited the web.run_app declaration.
#6401 <https://github.com/aio-libs/aiohttp/issues/6401>_
Dropped the :class:object type possibility from
the :py:attr:aiohttp.ClientSession.timeout
property return type declaration.
#6917 <https://github.com/aio-libs/aiohttp/issues/6917>,
#6923 <https://github.com/aio-libs/aiohttp/issues/6923>

Deprecations and Removals

Drop Python 3.5 support, aiohttp works on 3.6+ now.
#4046 <https://github.com/aio-libs/aiohttp/issues/4046>_

Misc

#6369 <https://github.com/aio-libs/aiohttp/issues/6369>, #6399 <https://github.com/aio-libs/aiohttp/issues/6399>, #6550 <https://github.com/aio-libs/aiohttp/issues/6550>, #6708 <https://github.com/aio-libs/aiohttp/issues/6708>, #6757 <https://github.com/aio-libs/aiohttp/issues/6757>, #6857 <https://github.com/aio-libs/aiohttp/issues/6857>, #6872 <https://github.com/aio-libs/aiohttp/issues/6872>_

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

guardrails · 2023-11-15T01:32:08Z

⚠️ We detected 23 security issues in this pull request:

Vulnerable Libraries (23)

Severity	Details
Medium	pkg:pypi/[email protected] (t) - no patch available
High	pkg:pypi/[email protected] (t) upgrade to: 70f906c51ce49c485f1d355703e9cc3386b1cc2b,afd63b16170b7c047f5758eb910c416511e9c965,2.2.5,2.3.2
High	pkg:pypi/[email protected] (t) upgrade to: 0.9.3,24.8.3,25.8.1,0.2.6,0.1.8,26.2.1,27.0.0-beta.2,2.88.6,10.0.1,22.3.24
High	pkg:pypi/[email protected] (t) upgrade to: 2.2.5,2.3.2,70f906c51ce49c485f1d355703e9cc3386b1cc2b,afd63b16170b7c047f5758eb910c416511e9c965
High	pkg:pypi/[email protected] (t) upgrade to: 70f906c51ce49c485f1d355703e9cc3386b1cc2b,afd63b16170b7c047f5758eb910c416511e9c965,2.2.5,2.3.2
High	pkg:pypi/[email protected] (t) upgrade to: 925760291d6efec64fda6e9dd1fd9cfbd5be068c,1.2.2
High	pkg:pypi/[email protected] (t) upgrade to: 2.88.6,10.0.1,0.2.6,0.1.8,0.9.3,22.3.24,24.8.3,25.8.1,26.2.1,27.0.0-beta.2
High	pkg:pypi/[email protected] (t) upgrade to: 2.4.0
Critical	pkg:pypi/[email protected] (t) upgrade to: 9a3a981d70d2e9ec3344b5192f86fcaf3210cd85,2.1.1
High	pkg:pypi/[email protected] (t) upgrade to: 70f906c51ce49c485f1d355703e9cc3386b1cc2b,afd63b16170b7c047f5758eb910c416511e9c965,2.2.5,2.3.2
High	pkg:pypi/[email protected] (t) upgrade to: 925760291d6efec64fda6e9dd1fd9cfbd5be068c,1.2.2
High	pkg:pypi/[email protected] (t) upgrade to: 0.9.3,22.3.24,26.2.1,0.1.8,24.8.3,25.8.1,27.0.0-beta.2,2.88.6,10.0.1,0.2.6
High	pkg:pypi/[email protected] (t) upgrade to: 2.4.0
Critical	pkg:pypi/[email protected] (t) upgrade to: 9a3a981d70d2e9ec3344b5192f86fcaf3210cd85,2.1.1
N/A	pkg:pypi/[email protected] (t) upgrade to: ca965ecc81853bca7675261729143f54e5bf4cdd,3.1.32
High	pkg:pypi/[email protected] (t) upgrade to: f3c803b3ade485a45f12b6d6617595350c0f03e2,f2300208d5e2a5076cbbb4c2aad71096fd040ef9,2.3.8,3.0.1
N/A	pkg:pypi/[email protected] (t) upgrade to: 3.1.32
High	pkg:pypi/[email protected] (t) upgrade to: 22.3.24,24.8.3,25.8.1,26.2.1,0.1.8,0.9.3,10.0.1,0.2.6,27.0.0-beta.2,2.88.6
High	pkg:pypi/[email protected] (t) upgrade to: 3.0.1,f3c803b3ade485a45f12b6d6617595350c0f03e2,f2300208d5e2a5076cbbb4c2aad71096fd040ef9,2.3.8
N/A	pkg:pypi/[email protected] (t) upgrade to: 3.1.32,ca965ecc81853bca7675261729143f54e5bf4cdd
Medium	pkg:pypi/[email protected] (t) upgrade to: 3.1.3
N/A	pkg:pypi/[email protected] (t) upgrade to: 3.1.32
Medium	pkg:pypi/[email protected] (t) upgrade to: 3.1.3

More info on how to fix Vulnerable Libraries in Python.

👉 Go to the dashboard for detailed results.

📥 Happy? Share your feedback with us.

github-actions · 2024-07-03T02:40:13Z

Stale pull request message

renovate · 2024-07-13T02:43:37Z

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (==3.9.4). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

renovate bot force-pushed the renovate/pypi-aiohttp-vulnerability branch from 21fdd0d to 9d97845 Compare November 28, 2023 00:35

renovate bot changed the title ~~Update dependency aiohttp to v3.8.6 [SECURITY]~~ Update dependency aiohttp to v3.9.0 [SECURITY] Nov 28, 2023

renovate bot force-pushed the renovate/pypi-aiohttp-vulnerability branch from 9d97845 to 2503672 Compare January 30, 2024 01:55

renovate bot changed the title ~~Update dependency aiohttp to v3.9.0 [SECURITY]~~ Update dependency aiohttp to v3.9.2 [SECURITY] Jan 30, 2024

Update dependency aiohttp to v3.9.4 [SECURITY]

cd70f6b

renovate bot force-pushed the renovate/pypi-aiohttp-vulnerability branch from 2503672 to cd70f6b Compare April 18, 2024 16:52

renovate bot changed the title ~~Update dependency aiohttp to v3.9.2 [SECURITY]~~ Update dependency aiohttp to v3.9.4 [SECURITY] Apr 18, 2024

github-actions bot added the no-pr-activity label Jul 3, 2024

github-actions bot closed this Jul 13, 2024

renovate bot deleted the renovate/pypi-aiohttp-vulnerability branch July 13, 2024 02:43

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update dependency aiohttp to v3.9.4 [SECURITY] #539

Update dependency aiohttp to v3.9.4 [SECURITY] #539

renovate bot commented Nov 15, 2023 •

edited

Loading

guardrails bot commented Nov 15, 2023 •

edited

Loading

github-actions bot commented Jul 3, 2024

renovate bot commented Jul 13, 2024

Update dependency aiohttp to v3.9.4 [SECURITY] #539

Update dependency aiohttp to v3.9.4 [SECURITY] #539

Conversation

renovate bot commented Nov 15, 2023 • edited Loading

GitHub Vulnerability Alerts

Summary

Details

Impact

Workaround

Summary

Details

Workaround

Summary

Impact

Release Notes

Bug fixes

Features

Deprecations (removal in next major release)

Improved documentation

Contributor-facing changes

Packaging updates and notes for downstreams

Bug fixes

Miscellaneous internal changes

Bug fixes

Features

Breaking changes

Improved documentation

Packaging updates and notes for downstreams

Contributor-facing changes

Miscellaneous internal changes

Bugfixes

Features

Bugfixes

Improved Documentation

Deprecations and Removals

Misc

Security bugfixes

Deprecation

Features

Bugfixes

v3.8.5: 3.8.5

Security bugfixes

Features

Bugfixes

Bugfixes

Bugfixes

Bugfixes

Improved Documentation

Deprecations and Removals

Misc

Configuration

guardrails bot commented Nov 15, 2023 • edited Loading

github-actions bot commented Jul 3, 2024

renovate bot commented Jul 13, 2024

Renovate Ignore Notification

renovate bot commented Nov 15, 2023 •

edited

Loading

`v3.8.5`: 3.8.5

guardrails bot commented Nov 15, 2023 •

edited

Loading