⬆️ Bump aiohttp to 3.14.1

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
aiohttp	>=3.9.5 → >=3.14.1

---

Release Notes

aio-libs/aiohttp (aiohttp)

v3.14.1: 3.14.1

Compare Source

Bug fixes

• Fixed a race condition in :py:class:~aiohttp.TCPConnector where closing the connector while a DNS resolution was in-flight could raise :py:exc:AttributeError instead of :py:exc:~aiohttp.ClientConnectionError -- by :user:goingforstudying-ctrl.

  Related issues and pull requests on GitHub:
  #​12497.

• Fixed CancelledError not closing a connection -- by :user:aiolibsbot.

  Related issues and pull requests on GitHub:
  #​12795.

• Tightened up some websocket parser checks -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  #​12817.

• Fixed :class:~aiohttp.CookieJar dropping the host-only flag of cookies when persisted with :meth:~aiohttp.CookieJar.save and reloaded with :meth:~aiohttp.CookieJar.load, so a cookie set without a Domain attribute is again scoped to the exact host that set it after a reload; the absolute expiration deadline is now persisted as well, so a reloaded cookie keeps its original lifetime instead of being rescheduled from the load time. :meth:~aiohttp.CookieJar.load now replaces the jar contents rather than merging onto prior state, and loaded cookies pass through the same acceptance rules as :meth:~aiohttp.CookieJar.update_cookies, so a cookie for an IP-address host is dropped when loaded into a jar created without unsafe=True -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #​12824.

• Scoped :class:~aiohttp.DigestAuthMiddleware credentials to the origin of the first request it handles, so a redirect to a different origin no longer triggers a digest response computed from the configured credentials; a challenge from another origin is only answered when that origin falls within a protection space advertised by the anchor origin through the RFC 7616 domain directive -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #​12825.

• Fixed the C HTTP parser not enforcing max_line_size on a request target or response reason phrase that is split across multiple reads; each fragment was checked on its own, so an accumulated line could exceed the limit without raising LineTooLong. The accumulated length is now checked, matching the pure-Python parser -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #​12826.

• Changed :class:~aiohttp.TCPConnector to reject legacy non-canonical numeric IPv4 host forms such as 2130706433, 017700000001 and 127.1 with :exc:~aiohttp.InvalidUrlClientError; only canonical dotted-quad IPv4 literals are now treated as IP address literals, while every other host is sent through the configured resolver -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #​12827.

• Fixed :meth:~aiohttp.StreamReader.readany and :meth:~aiohttp.StreamReader.read_nowait joining data fed back into the buffer during the call (when draining below the low water mark resumes reading) into a single unbounded :class:bytes; a call now returns only the chunks that were buffered when it started, keeping the drain of an unread auto-decompressed request body bounded by the read buffer -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #​12828.

• Bounded the number of parsed-but-unhandled pipelined HTTP/1 requests buffered per connection on the server; once the queue reaches an internal limit the parser stops emitting and the transport is paused, resuming as the request handler drains the queue, so a client keeping one handler busy can no longer accumulate an unbounded backlog of pipelined requests -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #​12830.

• Fixed :meth:aiohttp.web.Response.write_eof skipping Payload.close() when the body write was interrupted by an error or cancellation, for example when a client disconnects mid-response; the payload close hook now runs in a finally so a :class:~aiohttp.payload.Payload body always releases its resources -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #​12831.

• Fixed the pure-Python HTTP parser not enforcing max_line_size on a chunk-size line when the whole line arrived in a single read; the limit was only applied to chunk-size metadata split across reads. The complete-line case is now checked too, matching the split-line behavior -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #​12832.

• Included the per-request server_hostname override in the :class:~aiohttp.TCPConnector connection pool key, so a pooled TLS connection is no longer reused for a request that sets server_hostname to a different value -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #​12835.

---

v3.14.0: 3.14.0

Compare Source

We have a new website! https://aio-libs.org
Subscribe to the news feed to find out more about what we're working on in future.

Features

• Added RequestKey and ResponseKey classes,
  which enable static type checking for request & response
  context storages in the same way that AppKey does for Application
  -- by :user:gsoldatov.

  Related issues and pull requests on GitHub:
  #​11766.

• Added :func:~aiohttp.encode_basic_auth for encoding HTTP Basic
  Authentication credentials. Replaces the now-deprecated
  :class:~aiohttp.BasicAuth -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  #​12499.

• Started accepting :term:asynchronous context managers <asynchronous context manager> for cleanup contexts.
  Legacy single-yield :term:asynchronous generator cleanup contexts continue to be
  supported; async context managers are adapted internally so they are
  entered at startup and exited during cleanup.

  -- by :user:MannXo.

  Related issues and pull requests on GitHub:
  #​11681.

• Added :py:attr:~aiohttp.CookieJar.cookies and :py:attr:~aiohttp.CookieJar.host_only_cookies read-only properties to :py:class:~aiohttp.CookieJar exposing the stored cookies with their full attributes -- by :user:Br1an67.

  Related issues and pull requests on GitHub:
  #​3951.

• Added :py:attr:~aiohttp.web.TCPSite.port accessor for dynamic port allocations in :class:~aiohttp.web.TCPSite -- by :user:twhittock-disguise and :user:rodrigobnogueira.

  Related issues and pull requests on GitHub:
  #​10665.

• Added decode_text parameter to :meth:~aiohttp.ClientSession.ws_connect and :class:~aiohttp.web.WebSocketResponse to receive WebSocket TEXT messages as raw bytes instead of decoded strings, enabling direct use with high-performance JSON parsers like orjson -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #​11763, #​11764.

• Large overhaul of parser/decompression code.

  The zip bomb security fix in 3.13 stopped highly compressed payloads
  from being decompressed, regardless of validity. Now aiohttp will
  decompress such payloads in chunks of 256+ KiB, allowing safe decompression
  of such payloads.

  -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  #​11966.

• Added explicit APIs for bytes-returning JSON serializer:
  JSONBytesEncoder type, JsonBytesPayload,
  :func:~aiohttp.web.json_bytes_response,
  :meth:~aiohttp.web.WebSocketResponse.send_json_bytes and
  :meth:~aiohttp.ClientWebSocketResponse.send_json_bytes methods, and
  json_serialize_bytes parameter for :class:~aiohttp.ClientSession
  -- by :user:kevinpark1217.

  Related issues and pull requests on GitHub:
  #​11989.

• Added :attr:~aiohttp.ClientResponse.output_size and
  :attr:~aiohttp.ClientResponse.upload_complete -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  #​12452.

Bug fixes

• Fixed ZLibDecompressor silently dropping data past the first
  member when decompressing concatenated gzip/deflate streams. Each subsequent
  member is now handed to a fresh decompressor, matching the behaviour already
  implemented for ZSTD multi-frame streams.

  -- by :user:Ashutosh-177

  Related issues and pull requests on GitHub:
  #​7157.

• Improved the parser error message shown when TLS handshake bytes are received on an HTTP port -- by :user:puneetdixit200.

  Related issues and pull requests on GitHub:
  #​10142.

• Fixed the C parser failing to reject a response with a body when none was expected -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  #​10587.

• Fixed http parser not rejecting HTTP/1.1 requests that do not have valid Host header.
  -- by :user:Cycloctane.

  Related issues and pull requests on GitHub:
  #​10600.

• Fixed misleading TLS-in-TLS warning being emitted when sending HTTPS requests through an HTTP proxy. The warning now only fires when the proxy itself uses HTTPS, which is the only case where TLS-in-TLS actually applies -- by :user:wavebyrd.

  Related issues and pull requests on GitHub:
  #​10683.

• Fixed AssertionError when the transport is None during WebSocket
  preparation or file response sending (e.g. when a client disconnects
  immediately after connecting). A ConnectionResetError is now raised
  instead -- by :user:agners.

  Related issues and pull requests on GitHub:
  #​11761.

• Fixed ad-hoc cookies passed to individual requests not being sent when the session's cookie jar has unsafe=True and the target URL uses an IP address, by copying the unsafe setting from the session's cookie jar to the temporary cookie jar -- by :user:Krishnachaitanyakc.

  Related issues and pull requests on GitHub:
  #​12011.

• Reset the WebSocket heartbeat timer on inbound data to avoid false ping/pong timeouts while receiving large frames
  -- by :user:hoffmang9.

  Related issues and pull requests on GitHub:
  #​12030.

• Switched :py:meth:~aiohttp.CookieJar.save to use JSON format and
  :py:meth:~aiohttp.CookieJar.load to try JSON first with a fallback to
  a restricted pickle unpickler -- by :user:YuvalElbar6.

  Related issues and pull requests on GitHub:
  #​12091.

• Fixed redirects with consumed non-rewindable request bodies to raise
  :class:aiohttp.ClientPayloadError instead of silently sending an empty body.

  Related issues and pull requests on GitHub:
  #​12195.

• Fixed zstd decompression failing with ClientPayloadError when the server
  sends a response as multiple zstd frames -- by :user:josu-moreno.

  Related issues and pull requests on GitHub:
  #​12234.

• Fixed spurious Future exception was never retrieved warning on disconnect during back-pressure -- by :user:availov.

  Related issues and pull requests on GitHub:
  #​12281.

• Cookiejar.save() now uses 0x600 permissions to better protect them from being read by other users -- by :user:digiscrypt.

  Related issues and pull requests on GitHub:
  #​12312.

• Fixed a crash (:external+python:exc:~http.cookies.CookieError) in the cookie parser when receiving cookies
  containing ASCII control characters on CPython builds with the :cve:2026-3644
  patch. The parser now gracefully skips cookies whose value contains control
  characters instead of letting the exception propagate -- by :user:rodrigobnogueira.

  Related issues and pull requests on GitHub:
  #​12395.

• Fixed digest authentication failing for requests whose path or query string contains percent-encoded reserved characters; the digest signature now uses the encoded request-target that is sent on the wire instead of the decoded form -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #​12436.

• Fixed :func:aiohttp.web.run_app losing inner traceback frames when an
  exception is raised during application startup (e.g. inside
  cleanup_ctx or on_startup). Regression since 3.10.6.

  Related issues and pull requests on GitHub:
  #​12493.

• Fixed per-request cookies not being dropped on cross-origin redirects -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  #​12550.

• Fixed invalid bytes being allowed in multipart/payload headers -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  #​12719.

• Fixed :py:meth:~aiohttp.FormData.add_field accepting invalid bytes in name and filename -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  #​12721.

• Fixed websocket upgrade occurring when header contained a value like notupgrade -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  #​12723.

Deprecations (removal in next major release)

• Deprecated :class:~aiohttp.BasicAuth and the auth / proxy_auth
  parameters. They will be removed in aiohttp 4.0. Use the new
  :func:~aiohttp.encode_basic_auth helper together with
  headers={"Authorization": ...} (or
  proxy_headers={"Proxy-Authorization": ...} for proxies) instead.
  Note that encode_basic_auth() defaults to utf-8, not latin1
  -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  #​12499.

• Added deprecation warning to aiohttp.pytest_plugin, please switch to pytest-aiohttp -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  #​10785.

Removals and backward incompatible breaking changes

• Stopped calling :func:socket.getfqdn as the fallback for
  :attr:aiohttp.web.BaseRequest.host. :func:socket.getfqdn
  performs blocking reverse DNS resolution on the event loop
  thread and can stall a worker for many seconds when the system
  resolver is slow, and could be triggered remotely by an HTTP/1.0
  request that omits the Host header. The fallback when no
  Host header is present is now the local socket address the
  request arrived on (transport sockname), or an empty string
  if no transport information is available. Code that relied on
  the FQDN being returned must now read it from
  :func:socket.getfqdn directly, off the event loop
  -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #​9308, #​12597.

• Dropped support for Python 3.9 -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  #​11601.

• Tightened outbound header serialization to reject all ASCII control
  characters forbidden by :rfc:9110#section-5.5 and :rfc:9112#section-4
  (0x00-0x08, 0x0A-0x1F, 0x7F) in status lines,
  header field-names, and field-values. Previously only CR, LF and NUL were
  rejected. HTAB (0x09) remains permitted in field values. Applications
  that placed bare control characters in outbound headers will now raise
  :exc:ValueError instead of emitting non-RFC-compliant bytes -- by :user:rodrigobnogueira.

  Related issues and pull requests on GitHub:
  #​12689.

Improved documentation

• Replaced the deprecated ujson library with orjson in the
  client quickstart documentation. ujson has been put into
  maintenance-only mode; orjson is the recommended alternative.
  -- by :user:indoor47

  Related issues and pull requests on GitHub:
  #​10795.

• Added the :doc:threat_model to the Sphinx documentation -- by :user:omkar-334.

  Related issues and pull requests on GitHub:
  #​12549.

• Removed archived and deprecated repositories from third party list -- by :user:Polandia94.

  Related issues and pull requests on GitHub:
  #​12726.

• Added aiointercept to list of third-party libraries -- by :user:Polandia94.

  Related issues and pull requests on GitHub:
  #​12727.

Packaging updates and notes for downstreams

• Added wheels for Android and iOS platforms -- by :user:timrid.

  Related issues and pull requests on GitHub:
  #​11750.

• Parallelized the Cython extension compilation by defaulting
  build_ext.parallel to os.cpu_count(), so each module's
  gcc invocation now runs concurrently instead of one at a time
  -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #​12576.

• Submitted vendored llhttp to Github's SBOM -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  #​12678.

• Updated llhttp to v9.4.1 -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  #​12681.

Contributor-facing changes

• The coverage tool is now configured using the new native
  auto-discovered :file:.coveragerc.toml file
  -- by :user:webknjaz.

  It is also set up to use the ctrace core that works
  around the performance issues in the sysmon tracer
  which is default under Python 3.14.

  Related issues and pull requests on GitHub:
  #​11826.

• Fixed and reworked autobahn tests -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  #​12173.

• Added a CI job to measure Cython coverage -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  #​12349.

• Disabled coverage and xdist by default to ease local development -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  #​12364.

• Avoid installation of backports.zstd on Python 3.14 in linting dependency set
  -- by :user:seifertm.

  Related issues and pull requests on GitHub:
  #​12406.

• Added --durations=30 to the benchmark CI run so the slowest tests are reported when the job hits its timeout -- by :user:aiolibsbot.

  Related issues and pull requests on GitHub:
  #​12562.

• Fixed two flakey test_middleware_uses_session_avoids_recursion_with_* tests
  that hard coded localhost in the inner middleware request; they now target
  the bound server URL so happy eyeballs cannot pick an unbound address on
  Windows runners -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #​12571.

• Restricted the isal test dependency to CPython, since
  isal 1.8.0 stopped publishing PyPy wheels and the source
  build requires nasm, which is not available on the CI
  runners. The parametrize_zlib_backend fixture already
  calls pytest.importorskip, so PyPy continues to exercise
  the zlib and zlib_ng backends with no further
  changes -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #​12589.

• Fixed a flakey test_tcp_connector_fingerprint_ok by aborting
  the SSL shutdown on the test's TCP connector before returning.
  The graceful TLS close was occasionally outliving the test event
  loop on one of the CI jobs, and the teardown gc.collect()
  then surfaced the still-open transport as a
  PytestUnraisableExceptionWarning -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #​12592.

• Switched the cibuildwheel build frontend to build[uv] so
  that uv provisions every build-isolation virtual environment
  in the wheel matrix, replacing the per-ABI pip resolve with a
  roughly sub-second uv resolve
  -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #​12595.

• Fixed flaky test_handler_returns_not_response and
  test_handler_returns_none by routing loop.set_debug(True)
  through a new loop_debug_mode fixture that disables debug
  mode before the aiohttp_client fixture finalizes. Leaving
  debug on through teardown let PyPy 3.11's asyncio slow-callback
  logger walk into Task.__repr__ during connector close,
  surfacing a spurious RuntimeWarning: coroutine was never awaited -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #​12603.

• Reduced runtime of several of the slowest unit tests
  (decompress size-limit payloads from 64 MiB to 2 MiB,
  test_chunk_splits_after_pause chunk count from 50000
  to 20000, and test_set_cookies_max_age sleep from 2
  seconds to 1.1 seconds) without changing what they
  exercise -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #​12606.

• Added a default 120-second per-test timeout via pytest-timeout so a
  hung test surfaces by name in CI output instead of getting hidden behind
  the job-level timeout added in :pr:12619. The autobahn and
  benchmark jobs opt out with --timeout=0 -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #​12624.

• Switched the CI test and autobahn jobs from
  actions/setup-python to astral-sh/setup-uv for installing
  interpreters, cutting the Setup Python step from 40-58s to a
  few seconds on macos-latest and windows-latest runners for
  variants not in the hosted tool-cache (notably the free-threaded
  3.14t)
  -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #​12629.

• Made the pip command used by the :file:Makefile configurable via a
  PIP variable; downstream consumers can now run, for example,
  make .develop PIP="uv pip" to install via uv without us
  maintaining a parallel target
  -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #​12641.

• Allowed re-running the deploy job in .github/workflows/ci-cd.yml
  after a partial release failure: the Make Release step now skips
  when the GitHub Release already exists, and the PyPI publish step uses
  skip-existing so dists that were already uploaded on a prior
  attempt do not break the retry -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #​12651.

• Switched the armv7l wheel builds onto GitHub's hosted ARM runners. The
  32-bit ARM build still runs under QEMU, but the host is now aarch64
  rather than x86_64, so the emulation overhead drops sharply
  -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #​12655.

Miscellaneous internal changes

• Added win_arm64 to the wheels that gets pushed to PyPI
  -- by :user:AraHaan.

  Related issues and pull requests on GitHub:
  #​11937.

• Added cdef type declarations and inlined the upgrade check in the HTTP parser
  -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #​12321.

• Changed zlib_executor_size default so compressed payloads are async by default -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  #​12358.

• Added THREAT_MODEL.md detailing our security stance -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  #​12512.

• Reduced payload sizes and request counts in the slowest client and URL
  dispatcher benchmarks so they no longer dominate CI runtime
  -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #​12569.

• Improved ContentLengthError exception messages to include both expected and received byte counts. This enhancement provides better diagnostics when debugging response body size mismatches
  -- by :user:bdraco and :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  #​12753.

---

v3.13.5

Compare Source

===================

Bug fixes

• Skipped the duplicate singleton header check in lax mode (the default for response
  parsing). In strict mode (request parsing, or -X dev), all RFC 9110 singletons
  are still enforced -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:12302.

---

v3.13.4

Compare Source

===================

Features

• Added max_headers parameter to limit the number of headers that should be read from a response -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  :issue:11955.

• Added a dns_cache_max_size parameter to TCPConnector to limit the size of the cache -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  :issue:12106.

Bug fixes

• Fixed server hanging indefinitely when chunked transfer encoding chunk-size
  does not match actual data length. The server now raises
  TransferEncodingError instead of waiting forever for data that will
  never arrive -- by :user:Fridayai700.

  Related issues and pull requests on GitHub:
  :issue:10596.

• Fixed access log timestamps ignoring daylight saving time (DST) changes. The
  previous implementation used :py:data:time.timezone which is a constant and
  does not reflect DST transitions -- by :user:nightcityblade.

  Related issues and pull requests on GitHub:
  :issue:11283.

• Fixed RuntimeError: An event loop is running error when using aiohttp.GunicornWebWorker
  or aiohttp.GunicornUVLoopWebWorker on Python >=3.14.
  -- by :user:Tasssadar.

  Related issues and pull requests on GitHub:
  :issue:11701.

• Fixed :exc:ValueError when creating a TLS connection with ClientTimeout(total=0) by converting 0 to None before passing to ssl_handshake_timeout in :py:meth:asyncio.loop.start_tls -- by :user:veeceey.

  Related issues and pull requests on GitHub:
  :issue:11859.

• Restored :py:meth:~aiohttp.BodyPartReader.decode as a synchronous method
  for backward compatibility. The method was inadvertently changed to async
  in 3.13.3 as part of the decompression bomb security fix. A new
  :py:meth:~aiohttp.BodyPartReader.decode_iter method is now available
  for non-blocking decompression of large payloads using an async generator.
  Internal aiohttp code uses the async variant to maintain security protections.

  Changed multipart processing chunk sizes from 64 KiB to 256KiB, to better
  match aiohttp internals
  -- by :user:bdraco and :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  :issue:11898.

• Fixed false-positive :py:class:DeprecationWarning for passing enable_cleanup_closed=True to :py:class:~aiohttp.TCPConnector specifically on Python 3.12.7.
  -- by :user:Robsdedude.

  Related issues and pull requests on GitHub:
  :issue:11972.

• Fixed _sendfile_fallback over-reading beyond requested count -- by :user:bysiber.

  Related issues and pull requests on GitHub:
  :issue:12096.

• Fixed digest auth dropping challenge fields with empty string values -- by :user:bysiber.

  Related issues and pull requests on GitHub:
  :issue:12097.

• ClientConnectorCertificateError.os_error no longer raises :exc:AttributeError
  -- by :user:themylogin.

  Related issues and pull requests on GitHub:
  :issue:12136.

• Adjusted pure-Python request header value validation to align with RFC 9110 control-character handling, while preserving lax response parser behavior, and added regression tests for Host/header control-character cases.
  -- by :user:rodrigobnogueira.

  Related issues and pull requests on GitHub:
  :issue:12231.

• Rejected duplicate singleton headers (Host, Content-Type,
  Content-Length, etc.) in the C extension HTTP parser to match
  the pure Python parser behaviour, preventing potential host-based
  access control bypasses via parser differentials
  -- by :user:rodrigobnogueira.

  Related issues and pull requests on GitHub:
  :issue:12240.

• Aligned the pure-Python HTTP request parser with the C parser by splitting
  comma-separated and repeated Connection header values for keep-alive,
  close, and upgrade handling -- by :user:rodrigobnogueira.

  Related issues and pull requests on GitHub:
  :issue:12249.

Improved documentation

• Documented :exc:asyncio.TimeoutError for WebSocketResponse.receive()
  and related methods -- by :user:veeceey.

  Related issues and pull requests on GitHub:
  :issue:12042.

Packaging updates and notes for downstreams

• Upgraded llhttp to 3.9.1 -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  :issue:12069.

Contributor-facing changes

• The benchmark CI job now runs only in the upstream repository -- by :user:Cycloctane.

  It used to always fail in forks, which this change fixed.

  Related issues and pull requests on GitHub:
  :issue:11737.

• Fixed flaky performance tests by using appropriate fixed thresholds that account for CI variability -- by :user:rodrigobnogueira.

  Related issues and pull requests on GitHub:
  :issue:11992.

Miscellaneous internal changes

• Fixed test_invalid_idna to work with idna 3.11 by using an invalid character (\u0080) that is rejected by yarl during URL construction -- by :user:rodrigobnogueira.

  Related issues and pull requests on GitHub:
  :issue:12027.

• Fixed race condition in test_data_file on Python 3.14 free-threaded builds -- by :user:rodrigobnogueira.

  Related issues and pull requests on GitHub:
  :issue:12170.

---

v3.13.3

Compare Source

===================

This release contains fixes for several vulnerabilities. It is advised to
upgrade as soon as possible.

Bug fixes

• Fixed proxy authorization headers not being passed when reusing a connection, which caused 407 (Proxy authentication required) errors
  -- by :user:GLeurquin.

  Related issues and pull requests on GitHub:
  :issue:2596.

• Fixed multipart reading failing when encountering an empty body part -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  :issue:11857.

• Fixed a case where the parser wasn't raising an exception for a websocket continuation frame when there was no initial frame in context.

  Related issues and pull requests on GitHub:
  :issue:11862.

Removals and backward incompatible breaking changes

• Brotli and brotlicffi minimum version is now 1.2.
  Decompression now has a default maximum output size of 32MiB per decompress call -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  :issue:11898.

Packaging updates and notes for downstreams

• Moved dependency metadata from :file:setup.cfg to :file:pyproject.toml per :pep:621
  -- by :user:cdce8p.

  Related issues and pull requests on GitHub:
  :issue:11643.

Contributor-facing changes

• Removed unused update-pre-commit github action workflow -- by :user:Cycloctane.

  Related issues and pull requests on GitHub:
  :issue:11689.

Miscellaneous internal changes

• Optimized web server performance when access logging is disabled by reducing time syscalls -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:10713.

• Added regression test for cached logging status -- by :user:meehand.

  Related issues and pull requests on GitHub:
  :issue:11778.

---

v3.13.2: 3.13.2

Compare Source

Bug fixes

• Fixed cookie parser to continue parsing subsequent cookies when encountering a malformed cookie that fails regex validation, such as Google's g_state cookie with unescaped quotes -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #​11632.

• Fixed loading netrc credentials from the default :file:~/.netrc (:file:~/_netrc on Windows) location when the :envvar:NETRC environment variable is not set -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #​11713, #​11714.

• Fixed WebSocket compressed sends to be cancellation safe. Tasks are now shielded during compression to prevent compressor state corruption. This ensures that the stateful compressor remains consistent even when send operations are cancelled -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #​11725.

---

v3.13.1

Compare Source

===================

Features

• Make configuration options in AppRunner also available in run_app()
  -- by :user:Cycloctane.

  Related issues and pull requests on GitHub:
  :issue:11633.

Bug fixes

• Switched to backports.zstd for Python <3.14 and fixed zstd decompression for chunked zstd streams -- by :user:ZhaoMJ.

  Note: Users who installed zstandard for support on Python <3.14 will now need to install
  backports.zstd instead (installing aiohttp[speedups] will do this automatically).

  Related issues and pull requests on GitHub:
  :issue:11623.

• Updated Content-Type header parsing to return application/octet-stream when header contains invalid syntax.
  See :rfc:9110#section-8.3-5.

  -- by :user:sgaist.

  Related issues and pull requests on GitHub:
  :issue:10889.

• Fixed Python 3.14 support when built without zstd support -- by :user:JacobHenner.

  Related issues and pull requests on GitHub:
  :issue:11603.

• Fixed blocking I/O in the event loop when using netrc authentication by moving netrc file lookup to an executor -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:11634.

• Fixed routing to a sub-application added via .add_domain() not working
  if the same path exists on the parent app. -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  :issue:11673.

Packaging updates and notes for downstreams

• Moved core packaging metadata from :file:setup.cfg to :file:pyproject.toml per :pep:621
  -- by :user:cdce8p.

  Related issues and pull requests on GitHub:
  :issue:9951.

---

v3.13.0

Compare Source

===================

Features

• Added support for Python 3.14.

  Related issues and pull requests on GitHub:
  :issue:10851, :issue:10872.

• Added support for free-threading in Python 3.14+ -- by :user:kumaraditya303.

  Related issues and pull requests on GitHub:
  :issue:11466, :issue:11464.

• Added support for Zstandard (aka Zstd) compression
  -- by :user:KGuillaume-chaps.

  Related issues and pull requests on GitHub:
  :issue:11161.

• Added StreamReader.total_raw_bytes to check the number of bytes downloaded
  -- by :user:robpats.

  Related issues and pull requests on GitHub:
  :issue:11483.

Bug fixes

• Fixed pytest plugin to not use deprecated :py:mod:asyncio policy APIs.

  Related issues and pull requests on GitHub:
  :issue:10851.

• Updated Content-Disposition header parsing to handle trailing semicolons and empty parts
  -- by :user:PLPeeters.

  Related issues and pull requests on GitHub:
  :issue:11243.

• Fixed saved CookieJar failing to be loaded if cookies have partitioned flag when
  http.cookie does not have partitioned cookies supports. -- by :user:Cycloctane.

  Related issues and pull requests on GitHub:
  :issue:11523.

Improved documentation

• Added Wireup to third-party libraries -- by :user:maldoinc.

  Related issues and pull requests on GitHub:
  :issue:11233.

Packaging updates and notes for downstreams

• The blockbuster test dependency is now optional; the corresponding test fixture is disabled when it is unavailable
  -- by :user:musicinybrain.

  Related issues and pull requests on GitHub:
  :issue:11363.

• Added riscv64 build to releases -- by :user:eshattow.

  Related issues and pull requests on GitHub:
  :issue:11425.

Contributor-facing changes

• Fixed test_send_compress_text failing when alternative zlib implementation
  is used. (zlib-ng in python 3.14 windows build) -- by :user:Cycloctane.

  Related issues and pull requests on GitHub:
  :issue:11546.

---

v3.12.15

Compare Source

====================

Bug fixes

• Fixed :class:~aiohttp.DigestAuthMiddleware to preserve the algorithm case from the server's challenge in the authorization response. This improves compatibility with servers that perform case-sensitive algorithm matching (e.g., servers expecting algorithm=MD5-sess instead of algorithm=MD5-SESS)
  -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:11352.

Improved documentation

• Remove outdated contents of aiohttp-devtools and aiohttp-swagger
  from Web_advanced docs.
  -- by :user:Cycloctane

  Related issues and pull requests on GitHub:
  :issue:11347.

Packaging updates and notes for downstreams

• Started including the llhttp :file:LICENSE file in wheels by adding vendor/llhttp/LICENSE to license-files in :file:setup.cfg -- by :user:threexc.

  Related issues and pull requests on GitHub:
  :issue:11226.

Contributor-facing changes

• Updated a regex in test_aiohttp_request_coroutine for Python 3.14.

  Related issues and pull requests on GitHub:
  :issue:11271.

---

v3.12.14

Compare Source

====================

Bug fixes

• Fixed file uploads failing with HTTP 422 errors when encountering 307/308 redirects, and 301/302 redirects for non-POST methods, by preserving the request body when appropriate per :rfc:9110#section-15.4.3-3.1 -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:11270.

• Fixed :py:meth:ClientSession.close() <aiohttp.ClientSession.close> hanging indefinitely when using HTTPS requests through HTTP proxies -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:11273.

• Bumped minimum version of aiosignal to 1.4+ to resolve typing issues -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  :issue:11280.

Features

• Added initial trailer parsing logic to Python HTTP parser -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  :issue:11269.

Improved documentation

• Clarified exceptions raised by WebSocketResponse.send_frame et al.
  -- by :user:DoctorJohn.

  Related issues and pull requests on GitHub:
  :issue:11234.

---

v3.12.13

Compare Source

====================

Bug fixes

• Fixed auto-created :py:class:~aiohttp.TCPConnector not using the session's event loop when :py:class:~aiohttp.ClientSession is created without an explicit connector -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:11147.

---

v3.12.12

Compare Source

====================

Bug fixes

• Fixed cookie unquoting to properly handle octal escape sequences in cookie values (e.g., \012 for newline) by vendoring the correct _unquote implementation from Python's http.cookies module -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:11173.

• Fixed Cookie header parsing to treat attribute names as regular cookies per :rfc:6265#section-5.4 -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:11178.

---

v3.12.11

Compare Source

====================

Features

• Improved SSL connection handling by changing the default ssl_shutdown_timeout
  from 0.1 to 0 seconds. SSL connections now use Python's default graceful
  shutdown during normal operation but are aborted immediately when the connector
  is closed, providing optimal behavior for both cases. Also added support for
  ssl_shutdown_timeout=0 on all Python versions. Previously, this value was
  rejected on Python 3.11+ and ignored on earlier versions. Non-zero values on
  Python < 3.11 now trigger a RuntimeWarning -- by :user:bdraco.

  The ssl_shutdown_timeout parameter is now deprecated and will be removed in
  aiohttp 4.0 as there is no clear use case for changing the default.

  Related issues and pull requests on GitHub:
  :issue:11148.

Deprecations (removal in next major release)

• Improved SSL connection handling by changing the default ssl_shutdown_timeout
  from 0.1 to 0 seconds. SSL connections now use Python's default graceful
  shutdown during normal operation but are aborted immediately when the connector
  is closed, providing optimal behavior for both cases. Also added support for
  ssl_shutdown_timeout=0 on all Python versions. Previously, this value was
  rejected on Python 3.11+ and ignored on earlier versions. Non-zero values on
  Python < 3.11 now trigger a RuntimeWarning -- by :user:bdraco.

  The ssl_shutdown_timeout parameter is now deprecated and will be removed in
  aiohttp 4.0 as there is no clear use case for changing the default.

  Related issues and pull requests on GitHub:
  :issue:11148.

---

v3.12.10

Compare Source

====================

Bug fixes

• Fixed leak of aiodns.DNSResolver when :py:class:~aiohttp.TCPConnector is closed and no resolver was passed when creating the connector -- by :user:Tasssadar.

  This was a regression introduced in version 3.12.0 (:pr:10897).

  Related issues and pull requests on GitHub:
  :issue:11150.

---

v3.12.9

Compare Source

===================

Bug fixes

• Fixed IOBasePayload and TextIOPayload reading entire files into memory when streaming large files -- by :user:bdraco.

  When using file-like objects with the aiohttp client, the entire file would be read into memory if the file size was provided in the Content-Length header. This could cause out-of-memory errors when uploading large files. The payload classes now correctly read data in chunks of READ_SIZE (64KB) regardless of the total content length.

  Related issues and pull requests on GitHub:
  :issue:11138.

---

v3.12.8

Compare Source

===================

Features

• Added preemptive digest authentication to :class:~aiohttp.DigestAuthMiddleware -- by :user:bdraco.

  The middleware now reuses authentication credentials for subsequent requests to the same
  protection space, improving efficiency by avoiding extra authentication round trips.
  This behavior matches how web browsers handle digest authentication and follows
  :rfc:7616#section-3.6.

  Preemptive authentication is enabled by default but can be disabled by passing
  preemptive=False to the middleware constructor.

  Related issues and pull requests on GitHub:
  :issue:11128, :issue:11129.

---

v3.12.7

Compare Source

===================

.. warning::

This release fixes an issue where the quote_cookie parameter was not being properly
respected for shared cookies (domain="", path=""). If your server does not handle quoted
cookies correctly, you may need to disable cookie quoting by setting quote_cookie=False
when creating your :class:~aiohttp.ClientSession or :class:~aiohttp.CookieJar.
See :ref:aiohttp-client-cookie-quoting-routine for details.

Bug fixes

• Fixed cookie parsing to be more lenient when handling cookies with special characters
  in names or values. Cookies with characters like {, }, and / in names are now
  accepted instead of causing a :exc:~http.cookies.CookieError and 500 errors. Additionally,
  cookies with mismatched quotes in values are now parsed correctly, and quoted cookie
  values are now handled consistently whether or not they include special attributes
  like Domain. Also fixed :class:~aiohttp.CookieJar to ensure shared cookies (domain="", path="")
  respect the quote_cookie parameter, making cookie quoting behavior consistent for
  all cookies -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:2683, :issue:5397, :issue:7993, :issue:11112.

• Fixed an issue where cookies with duplicate names but different domains or paths
  were lost when updating the cookie jar. The :class:~aiohttp.ClientSession
  cookie jar now correctly stores all cookies even if they have the same name but
  different domain or path, following the :rfc:6265#section-5.3 storage model -- by :user:bdraco.

  Note that :attr:ClientResponse.cookies <aiohttp.ClientResponse.cookies> returns
  a :class:~http.cookies.SimpleCookie which uses the cookie name as a key, so
  only the last cookie with each name is accessible via this interface. All cookies
  can be accessed via :meth:ClientResponse.headers.getall('Set-Cookie') <multidict.MultiDictProxy.getall> if needed.

  Related issues and pull requests on GitHub:
  :issue:4486, :issue:11105, :issue:11106.

Miscellaneous internal changes

• Avoided creating closed futures in ResponseHandler that will never be awaited -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:11107.

• Downgraded the logging level for connector close errors from ERROR to DEBUG, as these are expected behavior with TLS 1.3 connections -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:11114.

---

v3.12.6

Compare Source

===================

Bug fixes

• Fixed spurious "Future exception was never retrieved" warnings for connection lost errors when the connector is not closed -- by :user:bdraco.

  When connections are lost, the exception is now marked as retrieved since it is always propagated through other means, preventing unnecessary warnings in logs.

  Related issues and pull requests on GitHub:
  :issue:11100.

---

v3.12.4

Compare Source

===================

Bug fixes

• Fixed connector not waiting for connections to close before returning from :meth:~aiohttp.BaseConnector.close (partial backport of :pr:3733) -- by :user:atemate and :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:1925, :issue:11074.

---

v3.12.3

Compare Source

===================

Bug fixes

• Fixed memory leak in :py:meth:~aiohttp.CookieJar.filter_cookies that caused unbounded memory growth
  when making requests to different URL paths -- by :user:bdraco and :user:Cycloctane.

  Related issues and pull requests on GitHub:
  :issue:11052, :issue:11054.

---

v3.12.2

Compare Source

===================

Bug fixes

• Fixed Content-Length header not being set to 0 for non-GET requests with None body -- by :user:bdraco.

  Non-GET requests (POST, PUT, PATCH, DELETE) with None as the body now correctly set the Content-Length header to 0, matching the behavior of requests with empty bytes (b""). This regression was introduced in aiohttp 3.12.1.

  Related issues and pull requests on GitHub:
  :issue:11035.

---

v3.12.1

Compare Source

====================

Bug fixes

• Fixed :class:~aiohttp.DigestAuthMiddleware to preserve the algorithm case from the server's challenge in the authorization response. This improves compatibility with servers that perform case-sensitive algorithm matching (e.g., servers expecting algorithm=MD5-sess instead of algorithm=MD5-SESS)
  -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:11352.

Improved documentation

• Remove outdated contents of aiohttp-devtools and aiohttp-swagger
  from Web_advanced docs.
  -- by :user:Cycloctane

  Related issues and pull requests on GitHub:
  :issue:11347.

Packaging updates and notes for downstreams

• Started including the llhttp :file:LICENSE file in wheels by adding vendor/llhttp/LICENSE to license-files in :file:setup.cfg -- by :user:threexc.

  Related issues and pull requests on GitHub:
  :issue:11226.

Contributor-facing changes

• Updated a regex in test_aiohttp_request_coroutine for Python 3.14.

  Related issues and pull requests on GitHub:
  :issue:11271.

---

v3.12.0

Compare Source

===================

Bug fixes

• Fixed :py:attr:~aiohttp.web.WebSocketResponse.prepared property to correctly reflect the prepared state, especially during timeout scenarios -- by :user:bdraco

  Related issues and pull requests on GitHub:
  :issue:6009, :issue:10988.

• Response is now always True, instead of using MutableMapping behaviour (False when map is empty)

  Related issues and pull requests on GitHub:
  :issue:10119.

• Fixed connection reuse for file-like data payloads

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}