Skip to content

Update dependency aiohttp to v3.13.4#182

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/aiohttp-3.x
Open

Update dependency aiohttp to v3.13.4#182
renovate[bot] wants to merge 1 commit intomainfrom
renovate/aiohttp-3.x

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate bot commented Mar 30, 2026

This PR contains the following updates:

Package Change Age Confidence
aiohttp ==3.13.3==3.13.4 age confidence

Release Notes

aio-libs/aiohttp (aiohttp)

v3.13.4: 3.13.4

Compare Source

Features

  • Added max_headers parameter to limit the number of headers that should be read from a response -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    #​11955.

  • Added a dns_cache_max_size parameter to TCPConnector to limit the size of the cache -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    #​12106.

Bug fixes

  • Fixed server hanging indefinitely when chunked transfer encoding chunk-size
    does not match actual data length. The server now raises
    TransferEncodingError instead of waiting forever for data that will
    never arrive -- by :user:Fridayai700.

    Related issues and pull requests on GitHub:
    #​10596.

  • Fixed access log timestamps ignoring daylight saving time (DST) changes. The
    previous implementation used :py:data:time.timezone which is a constant and
    does not reflect DST transitions -- by :user:nightcityblade.

    Related issues and pull requests on GitHub:
    #​11283.

  • Fixed RuntimeError: An event loop is running error when using aiohttp.GunicornWebWorker
    or aiohttp.GunicornUVLoopWebWorker on Python >=3.14.
    -- by :user:Tasssadar.

    Related issues and pull requests on GitHub:
    #​11701.

  • Fixed :exc:ValueError when creating a TLS connection with ClientTimeout(total=0) by converting 0 to None before passing to ssl_handshake_timeout in :py:meth:asyncio.loop.start_tls -- by :user:veeceey.

    Related issues and pull requests on GitHub:
    #​11859.

  • Restored :py:meth:~aiohttp.BodyPartReader.decode as a synchronous method
    for backward compatibility. The method was inadvertently changed to async
    in 3.13.3 as part of the decompression bomb security fix. A new
    :py:meth:~aiohttp.BodyPartReader.decode_iter method is now available
    for non-blocking decompression of large payloads using an async generator.
    Internal aiohttp code uses the async variant to maintain security protections.

    Changed multipart processing chunk sizes from 64 KiB to 256KiB, to better
    match aiohttp internals
    -- by :user:bdraco and :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    #​11898.

  • Fixed false-positive :py:class:DeprecationWarning for passing enable_cleanup_closed=True to :py:class:~aiohttp.TCPConnector specifically on Python 3.12.7.
    -- by :user:Robsdedude.

    Related issues and pull requests on GitHub:
    #​11972.

  • Fixed _sendfile_fallback over-reading beyond requested count -- by :user:bysiber.

    Related issues and pull requests on GitHub:
    #​12096.

  • Fixed digest auth dropping challenge fields with empty string values -- by :user:bysiber.

    Related issues and pull requests on GitHub:
    #​12097.

  • ClientConnectorCertificateError.os_error no longer raises :exc:AttributeError
    -- by :user:themylogin.

    Related issues and pull requests on GitHub:
    #​12136.

  • Adjusted pure-Python request header value validation to align with RFC 9110 control-character handling, while preserving lax response parser behavior, and added regression tests for Host/header control-character cases.
    -- by :user:rodrigobnogueira.

    Related issues and pull requests on GitHub:
    #​12231.

  • Rejected duplicate singleton headers (Host, Content-Type,
    Content-Length, etc.) in the C extension HTTP parser to match
    the pure Python parser behaviour, preventing potential host-based
    access control bypasses via parser differentials
    -- by :user:rodrigobnogueira.

    Related issues and pull requests on GitHub:
    #​12240.

  • Aligned the pure-Python HTTP request parser with the C parser by splitting
    comma-separated and repeated Connection header values for keep-alive,
    close, and upgrade handling -- by :user:rodrigobnogueira.

    Related issues and pull requests on GitHub:
    #​12249.

Improved documentation

  • Documented :exc:asyncio.TimeoutError for WebSocketResponse.receive()
    and related methods -- by :user:veeceey.

    Related issues and pull requests on GitHub:
    #​12042.

Packaging updates and notes for downstreams

  • Upgraded llhttp to 3.9.1 -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    #​12069.

Contributor-facing changes

  • The benchmark CI job now runs only in the upstream repository -- by :user:Cycloctane.

    It used to always fail in forks, which this change fixed.

    Related issues and pull requests on GitHub:
    #​11737.

  • Fixed flaky performance tests by using appropriate fixed thresholds that account for CI variability -- by :user:rodrigobnogueira.

    Related issues and pull requests on GitHub:
    #​11992.

Miscellaneous internal changes

  • Fixed test_invalid_idna to work with idna 3.11 by using an invalid character (\u0080) that is rejected by yarl during URL construction -- by :user:rodrigobnogueira.

    Related issues and pull requests on GitHub:
    #​12027.

  • Fixed race condition in test_data_file on Python 3.14 free-threaded builds -- by :user:rodrigobnogueira.

    Related issues and pull requests on GitHub:
    #​12170.

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud bot commented Mar 30, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@codecov
Copy link
Copy Markdown

codecov bot commented Mar 30, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 86.64%. Comparing base (22bbbb2) to head (85e613d).

Additional details and impacted files 
@@           Coverage Diff           @@
##             main     #182   +/-   ##
=======================================
  Coverage   86.64%   86.64%           
=======================================
  Files           8        8           
  Lines         749      749           
=======================================
  Hits          649      649           
  Misses        100      100

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants