Skip to content

fix(deps): upgrade aiohttp to 3.14.1 for CVE-2026-34993#2382

Open
mtclinton wants to merge 1 commit into
RedHatInsights:masterfrom
mtclinton:fix/cve-2026-34993-aiohttp
Open

fix(deps): upgrade aiohttp to 3.14.1 for CVE-2026-34993#2382
mtclinton wants to merge 1 commit into
RedHatInsights:masterfrom
mtclinton:fix/cve-2026-34993-aiohttp

Conversation

@mtclinton

@mtclinton mtclinton commented Jun 11, 2026
edited by sourcery-ai Bot
Loading

Copy link
Copy Markdown
Contributor

Bump aiohttp from 3.13.5 to 3.14.1 to remediate CVE-2026-34993, an insecure deserialization flaw in CookieJar.load() that could allow arbitrary code execution via crafted pickle payloads.

Refs: #RHINENG-26950

Secure Coding Practices Checklist GitHub Link

Secure Coding Checklist

  • Input Validation
  • Output Encoding
  • Authentication and Password Management
  • Session Management
  • Access Control
  • Cryptographic Practices
  • Error Handling and Logging
  • Data Protection
  • Communication Security
  • System Configuration
  • Database Security
  • File Management
  • Memory Management
  • General Coding Practices

Summary by Sourcery

Upgrade aiohttp dependency to the latest 3.14.x release to address a known security vulnerability.

Build:

  • Update pinned aiohttp version and hashes in requirements.txt to 3.14.1 for Python 3.12–3.13.
  • Relax Poetry dependency constraint for aiohttp to ^3.14.0 in pyproject.toml to align with the upgraded runtime version.

Chores:

  • Regenerate poetry.lock to reflect the updated aiohttp dependency.

@sourcery-ai

sourcery-ai Bot commented Jun 11, 2026
edited
Loading

Copy link
Copy Markdown

Reviewer's Guide

Upgrades the aiohttp dependency to a non-vulnerable version across both requirements.txt and Poetry configuration to remediate CVE-2026-34993, ensuring lockfile consistency.

File-Level Changes

Change Details Files
Upgrade aiohttp to 3.14.x across dependency management files to address a security vulnerability.
  • Bump aiohttp from 3.13.5 to 3.14.1 in requirements.txt and refresh associated hash pins.
  • Relax Poetry dependency constraint from ^3.10.11 to ^3.14.0 in pyproject.toml so that it can resolve to the new secure version.
  • Regenerate poetry.lock so its resolved aiohttp version matches the updated constraints.
 requirements.txt
pyproject.toml
poetry.lock
Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

sourcery-ai[bot]
sourcery-ai Bot reviewed Jun 11, 2026
View reviewed changes

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've reviewed your changes and they look great!

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

@mtclinton mtclinton force-pushed the fix/cve-2026-34993-aiohttp branch 2 times, most recently from 5007925 to 30d0198 Compare June 12, 2026 13:02
@mtclinton
fix(deps): upgrade aiohttp to 3.14.1 for CVE-2026-34993
5842c85 
Bump aiohttp from 3.13.5 to 3.14.1 to remediate CVE-2026-34993,
an insecure deserialization flaw in CookieJar.load() that could
allow arbitrary code execution via crafted pickle payloads.

Refs: #RHINENG-26950
@mtclinton mtclinton force-pushed the fix/cve-2026-34993-aiohttp branch from 30d0198 to 5842c85 Compare June 12, 2026 13:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sourcery-ai sourcery-ai[bot] sourcery-ai[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@mtclinton