0Ry5/Posthorn
2
2
Fork 2
Code Issues 11 Pull requests 3 Projects Releases Packages Wiki Activity Actions

chore(deps): Update Python dependencies #21

Open
renovate-bot wants to merge 1 commit from renovate/python-deps into main
pull from: renovate/python-deps
merge into: 0Ry5:main
Conversation 0 Commits 1 Files changed 1 +5 -5
renovate-bot commented 2025-10-13 15:17:29 +02:00
Collaborator
Copy link

This PR contains the following updates:

Package Change Age Confidence
PyGithub ==2.8.1==2.9.1 age confidence
Requests (changelog) ==2.32.5==2.34.2 age confidence
aiohttp ==3.11.14==3.14.1 age confidence
mastodon_py ==2.1.4==2.2.1 age confidence
python_frontmatter ==1.1.0==1.3.0 age confidence

Release Notes

pygithub/pygithub (PyGithub)

v2.9.1

Compare Source

Bug Fixes

Full Changelog: https://github.com/PyGithub/PyGithub/compare/v2.9.0...v2.9.1

v2.9.0

Compare Source

Notable changes
Lazy PyGithub objects

The notion of lazy objects has been added to some PyGithub classes in version 2.6.0. This release now makes all CompletableGithubObjects optionally lazy (if useful). See PyGithub/PyGithub#3403 for a complete list.

In lazy mode, getting a PyGithub object does not send a request to the GitHub API. Only accessing methods and properties sends the necessary requests to the GitHub API:


# Use lazy mode
g = Github(auth=auth, lazy=True)

# these method calls do not send requests to the GitHub API
user = g.get_user("PyGithub")    # get the user
repo = user.get_repo("PyGithub") # get the user's repo
pull = repo.get_pull(3403)       # get a known pull request
issue = pull.as_issue()          # turn the pull request into an issue

# these method and property calls send requests to Github API
issue.create_reaction("rocket")  # create a reaction
created = repo.created_at        # get property of lazy object repo

# once a lazy object has been fetched, all properties are available (no more requests)
licence = repo.license

All PyGithub classes that implement CompletableGithubObject support lazy mode (if useful). This is only useful for classes that have methods creating, changing, or getting objects.

By default, PyGithub objects are not lazy.

PyGithub objects with a paginated property

The GitHub API has the "feature" of paginated properties. Some objects returned by the API have a property that allows for pagination. Fetching subsequent pages of that property means fetching the entire object (with all other properties) and the specified page of the paginated property. Iterating over the paginated property means fetching all other properties multiple times. Fortunately, the allowed size of each page (per_page is usually 300, in contrast to the "usual" per_page maximum of 100).

Objects with paginated properties:

  • Commit.files
  • Comparison.commits
  • EnterpriseConsumedLicenses.users

This PR makes iterating those paginated properties use the configured per_page setting.

It further allows to specify an individual per_page when either retrieving such objects, or fetching paginated properties.

See Classes with paginated properties for details.

Drop Python 3.8 support due to End-of-Life

Python 3.8 reached its end-of-life September 6, 2024. Support has been removed with this release.

Deprecations
  • Method delete of Reaction is deprecated, use IssueComment.delete_reaction,
    PullRequestComment.delete_reaction, CommitComment.delete_reaction or Issue.delete_reaction instead.
  • Method Issue.assignee and parameter Issue.edit(assignee=…) are deprecated,
    use Issue.assignees and Issue.edit(assignees=…) instead.
  • Method Organization.edit_hook is deprecated, use Organization.get_hook(id).edit(…) instead.
    If you need to avoid Organization.get_hook(id) to fetch the Hook object from Github API,
    use a lazy Github instance:
Github(, lazy=True).get_organization().get_hook(id).edit()
  • Methods Team.add_to_members and Team.remove_from_members are deprecated,
    use Team.add_membership or Team.remove_membership instead.
New Features
Improvements
Bug Fixes
Maintenance

New Contributors

Full Changelog: https://github.com/PyGithub/PyGithub/compare/v2.8.0...v2.9.0

psf/requests (Requests)

v2.34.2

Compare Source

  • Moved headers input type back to Mapping to avoid invariance issues
    with MutableMapping and inferred dict types. Users calling
    Request.headers.update() may need to narrow typing in their code. (#​7441)

v2.34.1

Compare Source

Bugfixes

  • Widened json input type from dict and list to Mapping
    and Sequence. (#​7436)
  • Changed headers input type to MutableMapping and removed None from
    Request.headers typing to improve handling for users. (#​7431)
  • Response.reason moved from str | None to str to improve handling
    for users. (#​7437)
  • Fixed a bug where some bodies with custom __getattr__ implementations
    weren't being properly detected as Iterables. (#​7433)

v2.34.0

Compare Source

Announcements

  • Requests 2.34.0 introduces inline types, replacing those provided by
    typeshed. Public API types should be fully compatible with mypy, pyright,
    and ty. We believe types are comprehensive but if you find issues, please
    report them to the pinned tracking issue.

    Special thanks to @​bastimeyer, @​cthoyt, @​edgarrmondragon, and @​srittau for
    helping review and test the types ahead of the release. (#​7272)

Improvements

  • Digest Auth hashing algorithms have added usedforsecurity=False to clarify
    security considerations. (#​7310)
  • Requests added support for Python 3.15 based on beta1. Downstream projects
    should be able to start testing prior to its release in October. (#​7422)
  • Requests added support for Python 3.14t. (#​7419)

Bugfixes

  • Response.history no longer contains a reference to itself, preventing
    accidental looping when traversing the history list. (#​7328)
  • Requests no longer performs greedy matching on no_proxy domains. The
    proxy_bypass implementation has been updated with CPython's fix from
    bpo-39057. (#​7427)
  • Requests no longer incorrectly strips duplicate leading slashes in
    URI paths. This should address user issues with specific presigned
    URLs. Note the full fix requires urllib3 2.7.0+. (#​7315)

v2.33.1

Compare Source

Bugfixes

  • Fixed test cleanup for CVE-2026-25645 to avoid leaving unnecessary
    files in the tmp directory. (#​7305)
  • Fixed Content-Type header parsing for malformed values. (#​7309)
  • Improved error consistency for malformed header values. (#​7308)

v2.33.0

Compare Source

Announcements

  • 📣 Requests is adding inline types. If you have a typed code base that
    uses Requests, please take a look at #​7271. Give it a try, and report
    any gaps or feedback you may have in the issue. 📣

Security

  • CVE-2026-25645 requests.utils.extract_zipped_paths now extracts
    contents to a non-deterministic location to prevent malicious file
    replacement. This does not affect default usage of Requests, only
    applications calling the utility function directly.

Improvements

  • Migrated to a PEP 517 build system using setuptools. (#​7012)

Bugfixes

  • Fixed an issue where an empty netrc entry could cause
    malformed authentication to be applied to Requests on
    Python 3.11+. (#​7205)

Deprecations

  • Dropped support for Python 3.9 following its end of support. (#​7196)

Documentation

  • Various typo fixes and doc improvements.
aio-libs/aiohttp (aiohttp)

v3.14.1

Compare Source

===================

Bug fixes

  • Fixed a race condition in :py:class:~aiohttp.TCPConnector where closing the connector while a DNS resolution was in-flight could raise :py:exc:AttributeError instead of :py:exc:~aiohttp.ClientConnectionError -- by :user:goingforstudying-ctrl.

    Related issues and pull requests on GitHub:
    :issue:12497.

  • Fixed CancelledError not closing a connection -- by :user:aiolibsbot.

    Related issues and pull requests on GitHub:
    :issue:12795.

  • Tightened up some websocket parser checks -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:12817.

  • Fixed :class:~aiohttp.CookieJar dropping the host-only flag of cookies when persisted with :meth:~aiohttp.CookieJar.save and reloaded with :meth:~aiohttp.CookieJar.load, so a cookie set without a Domain attribute is again scoped to the exact host that set it after a reload; the absolute expiration deadline is now persisted as well, so a reloaded cookie keeps its original lifetime instead of being rescheduled from the load time. :meth:~aiohttp.CookieJar.load now replaces the jar contents rather than merging onto prior state, and loaded cookies pass through the same acceptance rules as :meth:~aiohttp.CookieJar.update_cookies, so a cookie for an IP-address host is dropped when loaded into a jar created without unsafe=True -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12824.

  • Scoped :class:~aiohttp.DigestAuthMiddleware credentials to the origin of the first request it handles, so a redirect to a different origin no longer triggers a digest response computed from the configured credentials; a challenge from another origin is only answered when that origin falls within a protection space advertised by the anchor origin through the RFC 7616 domain directive -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12825.

  • Fixed the C HTTP parser not enforcing max_line_size on a request target or response reason phrase that is split across multiple reads; each fragment was checked on its own, so an accumulated line could exceed the limit without raising LineTooLong. The accumulated length is now checked, matching the pure-Python parser -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12826.

  • Changed :class:~aiohttp.TCPConnector to reject legacy non-canonical numeric IPv4 host forms such as 2130706433, 017700000001 and 127.1 with :exc:~aiohttp.InvalidUrlClientError; only canonical dotted-quad IPv4 literals are now treated as IP address literals, while every other host is sent through the configured resolver -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12827.

  • Fixed :meth:~aiohttp.StreamReader.readany and :meth:~aiohttp.StreamReader.read_nowait joining data fed back into the buffer during the call (when draining below the low water mark resumes reading) into a single unbounded :class:bytes; a call now returns only the chunks that were buffered when it started, keeping the drain of an unread auto-decompressed request body bounded by the read buffer -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12828.

  • Bounded the number of parsed-but-unhandled pipelined HTTP/1 requests buffered per connection on the server; once the queue reaches an internal limit the parser stops emitting and the transport is paused, resuming as the request handler drains the queue, so a client keeping one handler busy can no longer accumulate an unbounded backlog of pipelined requests -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12830.

  • Fixed :meth:aiohttp.web.Response.write_eof skipping Payload.close() when the body write was interrupted by an error or cancellation, for example when a client disconnects mid-response; the payload close hook now runs in a finally so a :class:~aiohttp.payload.Payload body always releases its resources -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12831.

  • Fixed the pure-Python HTTP parser not enforcing max_line_size on a chunk-size line when the whole line arrived in a single read; the limit was only applied to chunk-size metadata split across reads. The complete-line case is now checked too, matching the split-line behavior -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12832.

  • Included the per-request server_hostname override in the :class:~aiohttp.TCPConnector connection pool key, so a pooled TLS connection is no longer reused for a request that sets server_hostname to a different value -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12835.

v3.14.0

Compare Source

===================

We have a new website! https://aio-libs.org
Subscribe to the news feed to find out more about what we're working on in future.

Features

  • Added RequestKey and ResponseKey classes,
    which enable static type checking for request & response
    context storages in the same way that AppKey does for Application
    -- by :user:gsoldatov.

    Related issues and pull requests on GitHub:
    :issue:11766.

  • Added :func:~aiohttp.encode_basic_auth for encoding HTTP Basic
    Authentication credentials. Replaces the now-deprecated
    aiohttp.BasicAuth -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:12499.

  • Started accepting :term:asynchronous context managers <asynchronous context manager> for cleanup contexts.
    Legacy single-yield :term:asynchronous generator cleanup contexts continue to be
    supported; async context managers are adapted internally so they are
    entered at startup and exited during cleanup.

    -- by :user:MannXo.

    Related issues and pull requests on GitHub:
    :issue:11681.

  • Added :py:attr:~aiohttp.CookieJar.cookies and :py:attr:~aiohttp.CookieJar.host_only_cookies read-only properties to :py:class:~aiohttp.CookieJar exposing the stored cookies with their full attributes -- by :user:Br1an67.

    Related issues and pull requests on GitHub:
    :issue:3951.

  • Added :py:attr:~aiohttp.web.TCPSite.port accessor for dynamic port allocations in :class:~aiohttp.web.TCPSite -- by :user:twhittock-disguise and :user:rodrigobnogueira.

    Related issues and pull requests on GitHub:
    :issue:10665.

  • Added decode_text parameter to :meth:~aiohttp.ClientSession.ws_connect and :class:~aiohttp.web.WebSocketResponse to receive WebSocket TEXT messages as raw bytes instead of decoded strings, enabling direct use with high-performance JSON parsers like orjson -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:11763, :issue:11764.

  • Large overhaul of parser/decompression code.

    The zip bomb security fix in 3.13 stopped highly compressed payloads
    from being decompressed, regardless of validity. Now aiohttp will
    decompress such payloads in chunks of 256+ KiB, allowing safe decompression
    of such payloads.

    -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:11966.

  • Added explicit APIs for bytes-returning JSON serializer:
    JSONBytesEncoder type, JsonBytesPayload,
    :func:~aiohttp.web.json_bytes_response,
    :meth:~aiohttp.web.WebSocketResponse.send_json_bytes and
    :meth:~aiohttp.ClientWebSocketResponse.send_json_bytes methods, and
    json_serialize_bytes parameter for :class:~aiohttp.ClientSession
    -- by :user:kevinpark1217.

    Related issues and pull requests on GitHub:
    :issue:11989.

  • Added :attr:~aiohttp.ClientResponse.output_size and
    :attr:~aiohttp.ClientResponse.upload_complete -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:12452.

Bug fixes

  • Fixed ZLibDecompressor silently dropping data past the first
    member when decompressing concatenated gzip/deflate streams. Each subsequent
    member is now handed to a fresh decompressor, matching the behaviour already
    implemented for ZSTD multi-frame streams.

    -- by :user:Ashutosh-177

    Related issues and pull requests on GitHub:
    :issue:7157.

  • Improved the parser error message shown when TLS handshake bytes are received on an HTTP port -- by :user:puneetdixit200.

    Related issues and pull requests on GitHub:
    :issue:10142.

  • Fixed the C parser failing to reject a response with a body when none was expected -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:10587.

  • Fixed http parser not rejecting HTTP/1.1 requests that do not have valid Host header.
    -- by :user:Cycloctane.

    Related issues and pull requests on GitHub:
    :issue:10600.

  • Fixed misleading TLS-in-TLS warning being emitted when sending HTTPS requests through an HTTP proxy. The warning now only fires when the proxy itself uses HTTPS, which is the only case where TLS-in-TLS actually applies -- by :user:wavebyrd.

    Related issues and pull requests on GitHub:
    :issue:10683.

  • Fixed AssertionError when the transport is None during WebSocket
    preparation or file response sending (e.g. when a client disconnects
    immediately after connecting). A ConnectionResetError is now raised
    instead -- by :user:agners.

    Related issues and pull requests on GitHub:
    :issue:11761.

  • Fixed ad-hoc cookies passed to individual requests not being sent when the session's cookie jar has unsafe=True and the target URL uses an IP address, by copying the unsafe setting from the session's cookie jar to the temporary cookie jar -- by :user:Krishnachaitanyakc.

    Related issues and pull requests on GitHub:
    :issue:12011.

  • Reset the WebSocket heartbeat timer on inbound data to avoid false ping/pong timeouts while receiving large frames
    -- by :user:hoffmang9.

    Related issues and pull requests on GitHub:
    :issue:12030.

  • Switched :py:meth:~aiohttp.CookieJar.save to use JSON format and
    :py:meth:~aiohttp.CookieJar.load to try JSON first with a fallback to
    a restricted pickle unpickler -- by :user:YuvalElbar6.

    Related issues and pull requests on GitHub:
    :issue:12091.

  • Fixed redirects with consumed non-rewindable request bodies to raise
    :class:aiohttp.ClientPayloadError instead of silently sending an empty body.

    Related issues and pull requests on GitHub:
    :issue:12195.

  • Fixed zstd decompression failing with ClientPayloadError when the server
    sends a response as multiple zstd frames -- by :user:josu-moreno.

    Related issues and pull requests on GitHub:
    :issue:12234.

  • Fixed spurious Future exception was never retrieved warning on disconnect during back-pressure -- by :user:availov.

    Related issues and pull requests on GitHub:
    :issue:12281.

  • Cookiejar.save() now uses 0x600 permissions to better protect them from being read by other users -- by :user:digiscrypt.

    Related issues and pull requests on GitHub:
    :issue:12312.

  • Fixed a crash (:external+python:exc:~http.cookies.CookieError) in the cookie parser when receiving cookies
    containing ASCII control characters on CPython builds with the :cve:2026-3644
    patch. The parser now gracefully skips cookies whose value contains control
    characters instead of letting the exception propagate -- by :user:rodrigobnogueira.

    Related issues and pull requests on GitHub:
    :issue:12395.

  • Fixed digest authentication failing for requests whose path or query string contains percent-encoded reserved characters; the digest signature now uses the encoded request-target that is sent on the wire instead of the decoded form -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12436.

  • Fixed :func:aiohttp.web.run_app losing inner traceback frames when an
    exception is raised during application startup (e.g. inside
    cleanup_ctx or on_startup). Regression since 3.10.6.

    Related issues and pull requests on GitHub:
    :issue:12493.

  • Fixed per-request cookies not being dropped on cross-origin redirects -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:12550.

  • Fixed invalid bytes being allowed in multipart/payload headers -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:12719.

  • Fixed :py:meth:~aiohttp.FormData.add_field accepting invalid bytes in name and filename -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:12721.

  • Fixed websocket upgrade occurring when header contained a value like notupgrade -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:12723.

Deprecations (removal in next major release)

  • Deprecated aiohttp.BasicAuth and the auth / proxy_auth
    parameters. They will be removed in aiohttp 4.0. Use the new
    :func:~aiohttp.encode_basic_auth helper together with
    headers={"Authorization": ...} (or
    proxy_headers={"Proxy-Authorization": ...} for proxies) instead.
    Note that encode_basic_auth() defaults to utf-8, not latin1
    -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:12499.

  • Added deprecation warning to aiohttp.pytest_plugin, please switch to pytest-aiohttp -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:10785.

Removals and backward incompatible breaking changes

  • Stopped calling :func:socket.getfqdn as the fallback for
    :attr:aiohttp.web.BaseRequest.host. :func:socket.getfqdn
    performs blocking reverse DNS resolution on the event loop
    thread and can stall a worker for many seconds when the system
    resolver is slow, and could be triggered remotely by an HTTP/1.0
    request that omits the Host header. The fallback when no
    Host header is present is now the local socket address the
    request arrived on (transport sockname), or an empty string
    if no transport information is available. Code that relied on
    the FQDN being returned must now read it from
    :func:socket.getfqdn directly, off the event loop
    -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:9308, :issue:12597.

  • Dropped support for Python 3.9 -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:11601.

  • Tightened outbound header serialization to reject all ASCII control
    characters forbidden by :rfc:9110#section-5.5 and :rfc:9112#section-4
    (0x00-0x08, 0x0A-0x1F, 0x7F) in status lines,
    header field-names, and field-values. Previously only CR, LF and NUL were
    rejected. HTAB (0x09) remains permitted in field values. Applications
    that placed bare control characters in outbound headers will now raise
    :exc:ValueError instead of emitting non-RFC-compliant bytes -- by :user:rodrigobnogueira.

    Related issues and pull requests on GitHub:
    :issue:12689.

Improved documentation

  • Replaced the deprecated ujson library with orjson in the
    client quickstart documentation. ujson has been put into
    maintenance-only mode; orjson is the recommended alternative.
    -- by :user:indoor47

    Related issues and pull requests on GitHub:
    :issue:10795.

  • Added the :doc:threat_model to the Sphinx documentation -- by :user:omkar-334.

    Related issues and pull requests on GitHub:
    :issue:12549.

  • Removed archived and deprecated repositories from third party list -- by :user:Polandia94.

    Related issues and pull requests on GitHub:
    :issue:12726.

  • Added aiointercept to list of third-party libraries -- by :user:Polandia94.

    Related issues and pull requests on GitHub:
    :issue:12727.

Packaging updates and notes for downstreams

  • Added wheels for Android and iOS platforms -- by :user:timrid.

    Related issues and pull requests on GitHub:
    :issue:11750.

  • Parallelized the Cython extension compilation by defaulting
    build_ext.parallel to os.cpu_count(), so each module's
    gcc invocation now runs concurrently instead of one at a time
    -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12576.

  • Submitted vendored llhttp to Github's SBOM -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:12678.

  • Updated llhttp to v9.4.1 -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:12681.

Contributor-facing changes

  • The coverage tool is now configured using the new native
    auto-discovered :file:.coveragerc.toml file
    -- by :user:webknjaz.

    It is also set up to use the ctrace core that works
    around the performance issues in the sysmon tracer
    which is default under Python 3.14.

    Related issues and pull requests on GitHub:
    :issue:11826.

  • Fixed and reworked autobahn tests -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:12173.

  • Added a CI job to measure Cython coverage -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:12349.

  • Disabled coverage and xdist by default to ease local development -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:12364.

  • Avoid installation of backports.zstd on Python 3.14 in linting dependency set
    -- by :user:seifertm.

    Related issues and pull requests on GitHub:
    :issue:12406.

  • Added --durations=30 to the benchmark CI run so the slowest tests are reported when the job hits its timeout -- by :user:aiolibsbot.

    Related issues and pull requests on GitHub:
    :issue:12562.

  • Fixed two flakey test_middleware_uses_session_avoids_recursion_with_* tests
    that hard coded localhost in the inner middleware request; they now target
    the bound server URL so happy eyeballs cannot pick an unbound address on
    Windows runners -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12571.

  • Restricted the isal test dependency to CPython, since
    isal 1.8.0 stopped publishing PyPy wheels and the source
    build requires nasm, which is not available on the CI
    runners. The parametrize_zlib_backend fixture already
    calls pytest.importorskip, so PyPy continues to exercise
    the zlib and zlib_ng backends with no further
    changes -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12589.

  • Fixed a flakey test_tcp_connector_fingerprint_ok by aborting
    the SSL shutdown on the test's TCP connector before returning.
    The graceful TLS close was occasionally outliving the test event
    loop on one of the CI jobs, and the teardown gc.collect()
    then surfaced the still-open transport as a
    PytestUnraisableExceptionWarning -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12592.

  • Switched the cibuildwheel build frontend to build[uv] so
    that uv provisions every build-isolation virtual environment
    in the wheel matrix, replacing the per-ABI pip resolve with a
    roughly sub-second uv resolve
    -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12595.

  • Fixed flaky test_handler_returns_not_response and
    test_handler_returns_none by routing loop.set_debug(True)
    through a new loop_debug_mode fixture that disables debug
    mode before the aiohttp_client fixture finalizes. Leaving
    debug on through teardown let PyPy 3.11's asyncio slow-callback
    logger walk into Task.__repr__ during connector close,
    surfacing a spurious RuntimeWarning: coroutine was never awaited -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12603.

  • Reduced runtime of several of the slowest unit tests
    (decompress size-limit payloads from 64 MiB to 2 MiB,
    test_chunk_splits_after_pause chunk count from 50000
    to 20000, and test_set_cookies_max_age sleep from 2
    seconds to 1.1 seconds) without changing what they
    exercise -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12606.

  • Added a default 120-second per-test timeout via pytest-timeout so a
    hung test surfaces by name in CI output instead of getting hidden behind
    the job-level timeout added in :pr:12619. The autobahn and
    benchmark jobs opt out with --timeout=0 -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12624.

  • Switched the CI test and autobahn jobs from
    actions/setup-python to astral-sh/setup-uv for installing
    interpreters, cutting the Setup Python step from 40-58s to a
    few seconds on macos-latest and windows-latest runners for
    variants not in the hosted tool-cache (notably the free-threaded
    3.14t)
    -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12629.

  • Made the pip command used by the :file:Makefile configurable via a
    PIP variable; downstream consumers can now run, for example,
    make .develop PIP="uv pip" to install via uv without us
    maintaining a parallel target
    -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12641.

  • Allowed re-running the deploy job in .github/workflows/ci-cd.yml
    after a partial release failure: the Make Release step now skips
    when the GitHub Release already exists, and the PyPI publish step uses
    skip-existing so dists that were already uploaded on a prior
    attempt do not break the retry -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12651.

  • Switched the armv7l wheel builds onto GitHub's hosted ARM runners. The
    32-bit ARM build still runs under QEMU, but the host is now aarch64
    rather than x86_64, so the emulation overhead drops sharply
    -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12655.

Miscellaneous internal changes

  • Added win_arm64 to the wheels that gets pushed to PyPI
    -- by :user:AraHaan.

    Related issues and pull requests on GitHub:
    :issue:11937.

  • Added cdef type declarations and inlined the upgrade check in the HTTP parser
    -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12321.

  • Changed zlib_executor_size default so compressed payloads are async by default -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:12358.

  • Added THREAT_MODEL.md detailing our security stance -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:12512.

  • Reduced payload sizes and request counts in the slowest client and URL
    dispatcher benchmarks so they no longer dominate CI runtime
    -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12569.

  • Improved ContentLengthError exception messages to include both expected and received byte counts. This enhancement provides better diagnostics when debugging response body size mismatches
    -- by :user:bdraco and :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:12753.

v3.13.5

Compare Source

===================

Bug fixes

  • Skipped the duplicate singleton header check in lax mode (the default for response
    parsing). In strict mode (request parsing, or -X dev), all RFC 9110 singletons
    are still enforced -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:12302.

v3.13.4

Compare Source

===================

Features

  • Added max_headers parameter to limit the number of headers that should be read from a response -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:11955.

  • Added a dns_cache_max_size parameter to TCPConnector to limit the size of the cache -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:12106.

Bug fixes

  • Fixed server hanging indefinitely when chunked transfer encoding chunk-size
    does not match actual data length. The server now raises
    TransferEncodingError instead of waiting forever for data that will
    never arrive -- by :user:Fridayai700.

    Related issues and pull requests on GitHub:
    :issue:10596.

  • Fixed access log timestamps ignoring daylight saving time (DST) changes. The
    previous implementation used :py:data:time.timezone which is a constant and
    does not reflect DST transitions -- by :user:nightcityblade.

    Related issues and pull requests on GitHub:
    :issue:11283.

  • Fixed RuntimeError: An event loop is running error when using aiohttp.GunicornWebWorker
    or aiohttp.GunicornUVLoopWebWorker on Python >=3.14.
    -- by :user:Tasssadar.

    Related issues and pull requests on GitHub:
    :issue:11701.

  • Fixed :exc:ValueError when creating a TLS connection with ClientTimeout(total=0) by converting 0 to None before passing to ssl_handshake_timeout in :py:meth:asyncio.loop.start_tls -- by :user:veeceey.

    Related issues and pull requests on GitHub:
    :issue:11859.

  • Restored :py:meth:~aiohttp.BodyPartReader.decode as a synchronous method
    for backward compatibility. The method was inadvertently changed to async
    in 3.13.3 as part of the decompression bomb security fix. A new
    :py:meth:~aiohttp.BodyPartReader.decode_iter method is now available
    for non-blocking decompression of large payloads using an async generator.
    Internal aiohttp code uses the async variant to maintain security protections.

    Changed multipart processing chunk sizes from 64 KiB to 256KiB, to better
    match aiohttp internals
    -- by :user:bdraco and :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:11898.

  • Fixed false-positive :py:class:DeprecationWarning for passing enable_cleanup_closed=True to :py:class:~aiohttp.TCPConnector specifically on Python 3.12.7.
    -- by :user:Robsdedude.

    Related issues and pull requests on GitHub:
    :issue:11972.

  • Fixed _sendfile_fallback over-reading beyond requested count -- by :user:bysiber.

    Related issues and pull requests on GitHub:
    :issue:12096.

  • Fixed digest auth dropping challenge fields with empty string values -- by :user:bysiber.

    Related issues and pull requests on GitHub:
    :issue:12097.

  • ClientConnectorCertificateError.os_error no longer raises :exc:AttributeError
    -- by :user:themylogin.

    Related issues and pull requests on GitHub:
    :issue:12136.

  • Adjusted pure-Python request header value validation to align with RFC 9110 control-character handling, while preserving lax response parser behavior, and added regression tests for Host/header control-character cases.
    -- by :user:rodrigobnogueira.

    Related issues and pull requests on GitHub:
    :issue:12231.

  • Rejected duplicate singleton headers (Host, Content-Type,
    Content-Length, etc.) in the C extension HTTP parser to match
    the pure Python parser behaviour, preventing potential host-based
    access control bypasses via parser differentials
    -- by :user:rodrigobnogueira.

    Related issues and pull requests on GitHub:
    :issue:12240.

  • Aligned the pure-Python HTTP request parser with the C parser by splitting
    comma-separated and repeated Connection header values for keep-alive,
    close, and upgrade handling -- by :user:rodrigobnogueira.

    Related issues and pull requests on GitHub:
    :issue:12249.

Improved documentation

  • Documented :exc:asyncio.TimeoutError for WebSocketResponse.receive()
    and related methods -- by :user:veeceey.

    Related issues and pull requests on GitHub:
    :issue:12042.

Packaging updates and notes for downstreams

  • Upgraded llhttp to 3.9.1 -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:12069.

Contributor-facing changes

  • The benchmark CI job now runs only in the upstream repository -- by :user:Cycloctane.

    It used to always fail in forks, which this change fixed.

    Related issues and pull requests on GitHub:
    :issue:11737.

  • Fixed flaky performance tests by using appropriate fixed thresholds that account for CI variability -- by :user:rodrigobnogueira.

    Related issues and pull requests on GitHub:
    :issue:11992.

Miscellaneous internal changes

  • Fixed test_invalid_idna to work with idna 3.11 by using an invalid character (\u0080) that is rejected by yarl during URL construction -- by :user:rodrigobnogueira.

    Related issues and pull requests on GitHub:
    :issue:12027.

  • Fixed race condition in test_data_file on Python 3.14 free-threaded builds -- by :user:rodrigobnogueira.

    Related issues and pull requests on GitHub:
    :issue:12170.

v3.13.3

Compare Source

===================

This release contains fixes for several vulnerabilities. It is advised to
upgrade as soon as possible.

Bug fixes

  • Fixed proxy authorization headers not being passed when reusing a connection, which caused 407 (Proxy authentication required) errors
    -- by :user:GLeurquin.

    Related issues and pull requests on GitHub:
    :issue:2596.

  • Fixed multipart reading failing when encountering an empty body part -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:11857.

  • Fixed a case where the parser wasn't raising an exception for a websocket continuation frame when there was no initial frame in context.

    Related issues and pull requests on GitHub:
    :issue:11862.

Removals and backward incompatible breaking changes

  • Brotli and brotlicffi minimum version is now 1.2.
    Decompression now has a default maximum output size of 32MiB per decompress call -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:11898.

Packaging updates and notes for downstreams

  • Moved dependency metadata from :file:setup.cfg to :file:pyproject.toml per :pep:621
    -- by :user:cdce8p.

    Related issues and pull requests on GitHub:
    :issue:11643.

Contributor-facing changes

  • Removed unused update-pre-commit github action workflow -- by :user:Cycloctane.

    Related issues and pull requests on GitHub:
    :issue:11689.

Miscellaneous internal changes

  • Optimized web server performance when access logging is disabled by reducing time syscalls -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:10713.

  • Added regression test for cached logging status -- by :user:meehand.

    Related issues and pull requests on GitHub:
    :issue:11778.

v3.13.2

Compare Source

===================

Bug fixes

  • Fixed cookie parser to continue parsing subsequent cookies when encountering a malformed cookie that fails regex validation, such as Google's g_state cookie with unescaped quotes -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:11632.

  • Fixed loading netrc credentials from the default :file:~/.netrc (:file:~/_netrc on Windows) location when the :envvar:NETRC environment variable is not set -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:11713, :issue:11714.

  • Fixed WebSocket compressed sends to be cancellation safe. Tasks are now shielded during compression to prevent compressor state corruption. This ensures that the stateful compressor remains consistent even when send operations are cancelled -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:11725.

v3.13.1

Compare Source

===================

Features

  • Make configuration options in AppRunner also available in run_app()
    -- by :user:Cycloctane.

    Related issues and pull requests on GitHub:
    :issue:11633.

Bug fixes

  • Switched to backports.zstd for Python <3.14 and fixed zstd decompression for chunked zstd streams -- by :user:ZhaoMJ.

    Note: Users who installed zstandard for support on Python <3.14 will now need to install
    backports.zstd instead (installing aiohttp[speedups] will do this automatically).

    Related issues and pull requests on GitHub:
    :issue:11623.

  • Updated Content-Type header parsing to return application/octet-stream when header contains invalid syntax.
    See :rfc:9110#section-8.3-5.

    -- by :user:sgaist.

    Related issues and pull requests on GitHub:
    :issue:10889.

  • Fixed Python 3.14 support when built without zstd support -- by :user:JacobHenner.

    Related issues and pull requests on GitHub:
    :issue:11603.

  • Fixed blocking I/O in the event loop when using netrc authentication by moving netrc file lookup to an executor -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:11634.

  • Fixed routing to a sub-application added via .add_domain() not working
    if the same path exists on the parent app. -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:11673.

Packaging updates and notes for downstreams

  • Moved core packaging metadata from :file:setup.cfg to :file:pyproject.toml per :pep:621
    -- by :user:cdce8p.

    Related issues and pull requests on GitHub:
    :issue:9951.

v3.13.0

Compare Source

===================

Features

  • Added support for Python 3.14.

    Related issues and pull requests on GitHub:
    :issue:10851, :issue:10872.

  • Added support for free-threading in Python 3.14+ -- by :user:kumaraditya303.

    Related issues and pull requests on GitHub:
    :issue:11466, :issue:11464.

  • Added support for Zstandard (aka Zstd) compression
    -- by :user:KGuillaume-chaps.

    Related issues and pull requests on GitHub:
    :issue:11161.

  • Added StreamReader.total_raw_bytes to check the number of bytes downloaded
    -- by :user:robpats.

    Related issues and pull requests on GitHub:
    :issue:11483.

Bug fixes

  • Fixed pytest plugin to not use deprecated :py:mod:asyncio policy APIs.

    Related issues and pull requests on GitHub:
    :issue:10851.

  • Updated Content-Disposition header parsing to handle trailing semicolons and empty parts
    -- by :user:PLPeeters.

    Related issues and pull requests on GitHub:
    :issue:11243.

  • Fixed saved CookieJar failing to be loaded if cookies have partitioned flag when
    http.cookie does not have partitioned cookies supports. -- by :user:Cycloctane.

    Related issues and pull requests on GitHub:
    :issue:11523.

Improved documentation

  • Added Wireup to third-party libraries -- by :user:maldoinc.

    Related issues and pull requests on GitHub:
    :issue:11233.

Packaging updates and notes for downstreams

  • The blockbuster test dependency is now optional; the corresponding test fixture is disabled when it is unavailable
    -- by :user:musicinybrain.

    Related issues and pull requests on GitHub:
    :issue:11363.

  • Added riscv64 build to releases -- by :user:eshattow.

    Related issues and pull requests on GitHub:
    :issue:11425.

Contributor-facing changes

  • Fixed test_send_compress_text failing when alternative zlib implementation
    is used. (zlib-ng in python 3.14 windows build) -- by :user:Cycloctane.

    Related issues and pull requests on GitHub:
    :issue:11546.

v3.12.15

Compare Source

====================

Bug fixes

  • Fixed :class:~aiohttp.DigestAuthMiddleware to preserve the algorithm case from the server's challenge in the authorization response. This improves compatibility with servers that perform case-sensitive algorithm matching (e.g., servers expecting algorithm=MD5-sess instead of algorithm=MD5-SESS)
    -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:11352.

Improved documentation

  • Remove outdated contents of aiohttp-devtools and aiohttp-swagger
    from Web_advanced docs.
    -- by :user:Cycloctane

    Related issues and pull requests on GitHub:
    :issue:11347.

Packaging updates and notes for downstreams

  • Started including the llhttp :file:LICENSE file in wheels by adding vendor/llhttp/LICENSE to license-files in :file:setup.cfg -- by :user:threexc.

    Related issues and pull requests on GitHub:
    :issue:11226.

Contributor-facing changes

  • Updated a regex in test_aiohttp_request_coroutine for Python 3.14.

    Related issues and pull requests on GitHub:
    :issue:11271.

v3.12.14

Compare Source

====================

Bug fixes

  • Fixed file uploads failing with HTTP 422 errors when encountering 307/308 redirects, and 301/302 redirects for non-POST methods, by preserving the request body when appropriate per :rfc:9110#section-15.4.3-3.1 -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:11270.

  • Fixed :py:meth:ClientSession.close() <aiohttp.ClientSession.close> hanging indefinitely when using HTTPS requests through HTTP proxies -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:11273.

  • Bumped minimum version of aiosignal to 1.4+ to resolve typing issues -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:11280.

Features

  • Added initial trailer parsing logic to Python HTTP parser -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:11269.

Improved documentation

  • Clarified exceptions raised by WebSocketResponse.send_frame et al.
    -- by :user:DoctorJohn.

    Related issues and pull requests on GitHub:
    :issue:11234.

v3.12.13

Compare Source

====================

Bug fixes

  • Fixed auto-created :py:class:~aiohttp.TCPConnector not using the session's event loop when :py:class:~aiohttp.ClientSession is created without an explicit connector -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:11147.

v3.12.12

Compare Source

====================

Bug fixes

  • Fixed cookie unquoting to properly handle octal escape sequences in cookie values (e.g., \012 for newline) by vendoring the correct _unquote implementation from Python's http.cookies module -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:11173.

  • Fixed Cookie header parsing to treat attribute names as regular cookies per :rfc:6265#section-5.4 -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:11178.

v3.12.11

Compare Source

====================

Features

  • Improved SSL connection handling by changing the default ssl_shutdown_timeout
    from 0.1 to 0 seconds. SSL connections now use Python's default graceful
    shutdown during normal operation but are aborted immediately when the connector
    is closed, providing optimal behavior for both cases. Also added support for
    ssl_shutdown_timeout=0 on all Python versions. Previously, this value was
    rejected on Python 3.11+ and ignored on earlier versions. Non-zero values on
    Python < 3.11 now trigger a RuntimeWarning -- by :user:bdraco.

    The ssl_shutdown_timeout parameter is now deprecated and will be removed in
    aiohttp 4.0 as there is no clear use case for changing the default.

    Related issues and pull requests on GitHub:
    :issue:11148.

Deprecations (removal in next major release)

  • Improved SSL connection handling by changing the default ssl_shutdown_timeout
    from 0.1 to 0 seconds. SSL connections now use Python's default graceful
    shutdown during normal operation but are aborted immediately when the connector
    is closed, providing optimal behavior for both cases. Also added support for
    ssl_shutdown_timeout=0 on all Python versions. Previously, this value was
    rejected on Python 3.11+ and ignored on earlier versions. Non-zero values on
    Python < 3.11 now trigger a RuntimeWarning -- by :user:bdraco.

    The ssl_shutdown_timeout parameter is now deprecated and will be removed in
    aiohttp 4.0 as there is no clear use case for changing the default.

    Related issues and pull requests on GitHub:
    :issue:11148.

v3.12.10

Compare Source

====================

Bug fixes

  • Fixed leak of aiodns.DNSResolver when :py:class:~aiohttp.TCPConnector is closed and no resolver was passed when creating the connector -- by :user:Tasssadar.

    This was a regression introduced in version 3.12.0 (:pr:10897).

    Related issues and pull requests on GitHub:
    :issue:11150.

v3.12.9

Compare Source

===================

Bug fixes

  • Fixed IOBasePayload and TextIOPayload reading entire files into memory when streaming large files -- by :user:bdraco.

    When using file-like objects with the aiohttp client, the entire file would be read into memory if the file size was provided in the Content-Length header. This could cause out-of-memory errors when uploading large files. The payload classes now correctly read data in chunks of READ_SIZE (64KB) regardless of the total content length.

    Related issues and pull requests on GitHub:
    :issue:11138.

v3.12.8

Compare Source

===================

Features

  • Added preemptive digest authentication to :class:~aiohttp.DigestAuthMiddleware -- by :user:bdraco.

    The middleware now reuses authentication credentials for subsequent requests to the same
    protection space, improving efficiency by avoiding extra authentication round trips.
    This behavior matches how web browsers handle digest authentication and follows
    :rfc:7616#section-3.6.

    Preemptive authentication is enabled by default but can be disabled by passing
    preemptive=False to the middleware constructor.

    Related issues and pull requests on GitHub:
    :issue:11128, :issue:11129.

v3.12.7

Compare Source

===================

.. warning::

This release fixes an issue where the quote_cookie parameter was not being properly
respected for shared cookies (domain="", path=""). If your server does not handle quoted
cookies correctly, you may need to disable cookie quoting by setting quote_cookie=False
when creating your :class:~aiohttp.ClientSession or :class:~aiohttp.CookieJar.
See :ref:aiohttp-client-cookie-quoting-routine for details.

Bug fixes

  • Fixed cookie parsing to be more lenient when handling cookies with special characters
    in names or values. Cookies with characters like {, }, and / in names are now
    accepted instead of causing a :exc:~http.cookies.CookieError and 500 errors. Additionally,
    cookies with mismatched quotes in values are now parsed correctly, and quoted cookie
    values are now handled consistently whether or not they include special attributes
    like Domain. Also fixed :class:~aiohttp.CookieJar to ensure shared cookies (domain="", path="")
    respect the quote_cookie parameter, making cookie quoting behavior consistent for
    all cookies -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:2683, :issue:5397, :issue:7993, :issue:11112.

  • Fixed an issue where cookies with duplicate names but different domains or paths
    were lost when updating the cookie jar. The :class:~aiohttp.ClientSession
    cookie jar now correctly stores all cookies even if they have the same name but
    different domain or path, following the :rfc:6265#section-5.3 storage model -- by :user:bdraco.

    Note that :attr:ClientResponse.cookies <aiohttp.ClientResponse.cookies> returns
    a :class:~http.cookies.SimpleCookie which uses the cookie name as a key, so
    only the last cookie with each name is accessible via this interface. All cookies
    can be accessed via :meth:ClientResponse.headers.getall('Set-Cookie') <multidict.MultiDictProxy.getall> if needed.

    Related issues and pull requests on GitHub:
    :issue:4486, :issue:11105, :issue:11106.

Miscellaneous internal changes

  • Avoided creating closed futures in ResponseHandler that will never be awaited -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:11107.

  • Downgraded the logging level for connector close errors from ERROR to DEBUG, as these are expected behavior with TLS 1.3 connections -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:11114.

v3.12.6

Compare Source

===================

Bug fixes

  • Fixed spurious "Future exception was never retrieved" warnings for connection lost errors when the connector is not closed -- by :user:bdraco.

    When connections are lost, the exception is now marked as retrieved since it is always propagated through other means, preventing unnecessary warnings in logs.

    Related issues and pull requests on GitHub:
    :issue:11100.

v3.12.4

Compare Source

===================

Bug fixes

  • Fixed connector not waiting for connections to close before returning from :meth:~aiohttp.BaseConnector.close (partial backport of :pr:3733) -- by :user:atemate and :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:1925, :issue:11074.

v3.12.3

Compare Source

===================

Bug fixes

  • Fixed memory leak in :py:meth:~aiohttp.CookieJar.filter_cookies that caused unbounded memory growth
    when making requests to different URL paths -- by :user:bdraco and :user:Cycloctane.

    Related issues and pull requests on GitHub:
    :issue:11052, :issue:11054.

v3.12.2

Compare Source

===================

Bug fixes

  • Fixed Content-Length header not being set to 0 for non-GET requests with None body -- by :user:bdraco.

    Non-GET requests (POST, PUT, PATCH, DELETE) with None as the body now correctly set the Content-Length header to 0, matching the behavior of requests with empty bytes (b""). This regression was introduced in aiohttp 3.12.1.

    Related issues and pull requests on GitHub:
    :issue:11035.

v3.12.1

Compare Source

====================

Bug fixes

  • Fixed :class:~aiohttp.DigestAuthMiddleware to preserve the algorithm case from the server's challenge in the authorization response. This improves compatibility with servers that perform case-sensitive algorithm matching (e.g., servers expecting algorithm=MD5-sess instead of algorithm=MD5-SESS)
    -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:11352.

Improved documentation

  • Remove outdated contents of aiohttp-devtools and aiohttp-swagger
    from Web_advanced docs.
    -- by :user:Cycloctane

    Related issues and pull requests on GitHub:
    :issue:11347.

Packaging updates and notes for downstreams

  • Started including the llhttp :file:LICENSE file in wheels by adding vendor/llhttp/LICENSE to license-files in :file:setup.cfg -- by :user:threexc.

    Related issues and pull requests on GitHub:
    :issue:11226.

Contributor-facing changes

  • Updated a regex in test_aiohttp_request_coroutine for Python 3.14.

    Related issues and pull requests on GitHub:
    :issue:11271.

v3.12.0

Compare Source

===================

Bug fixes

  • Fixed :py:attr:~aiohttp.web.WebSocketResponse.prepared property to correctly reflect the prepared state, especially during timeout scenarios -- by :user:bdraco

    Related issues and pull requests on GitHub:
    :issue:6009, :issue:10988.

  • Response is now always True, instead of using MutableMapping behaviour (False when map is empty)

    Related issues and pull requests on GitHub:
    :issue:10119.

  • Fixed connection reuse for file-like data payloads by ensuring buffer
    truncation respects content-length boundaries and preventing premature
    connection closure race -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:10325, :issue:10915, :issue:10941, :issue:10943.

  • Fixed pytest plugin to not use deprecated :py:mod:asyncio policy APIs.

    Related issues and pull requests on GitHub:
    :issue:10851.

  • Fixed :py:class:~aiohttp.resolver.AsyncResolver not using the loop argument in versions 3.x where it should still be supported -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:10951.

Features

  • Added a comprehensive HTTP Digest Authentication client middleware (DigestAuthMiddleware)
    that implements RFC 7616. The middleware supports all standard hash algorithms
    (MD5, SHA, SHA-256, SHA-512) with session variants, handles both 'auth' and
    'auth-int' quality of protection options, and automatically manages the
    authentication flow by intercepting 401 responses and retrying with proper
    credentials -- by :user:feus4177, :user:TimMenninger, and :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:2213, :issue:10725.

  • Added client middleware support -- by :user:bdraco and :user:Dreamsorcerer.

    This change allows users to add middleware to the client session and requests, enabling features like
    authentication, logging, and request/response modification without modifying the core
    request logic. Additionally, the session attribute was added to ClientRequest,
    allowing middleware to access the session for making additional requests.

    Related issues and pull requests on GitHub:
    :issue:9732, :issue:10902, :issue:10945, :issue:10952, :issue:10959, :issue:10968.

  • Allow user setting zlib compression backend -- by :user:TimMenninger

    This change allows the user to call :func:aiohttp.set_zlib_backend() with the
    zlib compression module of their choice. Default behavior continues to use
    the builtin zlib library.

    Related issues and pull requests on GitHub:
    :issue:9798.

  • Added support for overriding the base URL with an absolute one in client sessions
    -- by :user:vivodi.

    Related issues and pull requests on GitHub:
    :issue:10074.

  • Added host parameter to aiohttp_server fixture -- by :user:christianwbrock.

    Related issues and pull requests on GitHub:
    :issue:10120.

  • Detect blocking calls in coroutines using BlockBuster -- by :user:cbornet.

    Related issues and pull requests on GitHub:
    :issue:10433.

  • Added socket_factory to :py:class:aiohttp.TCPConnector to allow specifying custom socket options
    -- by :user:TimMenninger.

    Related issues and pull requests on GitHub:
    :issue:10474, :issue:10520, :issue:10961, :issue:10962.

  • Started building armv7l manylinux wheels -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:10797.

  • Implemented shared DNS resolver management to fix excessive resolver object creation
    when using multiple client sessions. The new _DNSResolverManager singleton ensures
    only one DNSResolver object is created for default configurations, significantly
    reducing resource usage and improving performance for applications using multiple
    client sessions simultaneously -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:10847, :issue:10923, :issue:10946.

  • Upgraded to LLHTTP 9.3.0 -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:10972.

  • Optimized small HTTP requests/responses by coalescing headers and body into a single TCP packet -- by :user:bdraco.

    This change enhances network efficiency by reducing the number of packets sent for small HTTP payloads, improving latency and reducing overhead. Most importantly, this fixes compatibility with memory-constrained IoT devices that can only perform a single read operation and expect HTTP requests in one packet. The optimization uses zero-copy writelines when coalescing data and works with both regular and chunked transfer encoding.

    When aiohttp uses client middleware to communicate with an aiohttp server, connection reuse is more likely to occur since complete responses arrive in a single packet for small payloads.

    This aligns aiohttp with other popular HTTP clients that already coalesce small requests.

    Related issues and pull requests on GitHub:
    :issue:10991.

Improved documentation

  • Improved documentation for middleware by adding warnings and examples about
    request body stream consumption. The documentation now clearly explains that
    request body streams can only be read once and provides best practices for
    sharing parsed request data between middleware and handlers -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:2914.

Packaging updates and notes for downstreams

  • Removed non SPDX-license description from setup.cfg -- by :user:devanshu-ziphq.

    Related issues and pull requests on GitHub:
    :issue:10662.

  • Added support for building against system llhttp library -- by :user:mgorny.

    This change adds support for :envvar:AIOHTTP_USE_SYSTEM_DEPS environment variable that
    can be used to build aiohttp against the system install of the llhttp library rather
    than the vendored one.

    Related issues and pull requests on GitHub:
    :issue:10759.

  • aiodns is now installed on Windows with speedups extra -- by :user:bdraco.

    As of aiodns 3.3.0, SelectorEventLoop is no longer required when using pycares 4.7.0 or later.

    Related issues and pull requests on GitHub:
    :issue:10823.

  • Fixed compatibility issue with Cython 3.1.1 -- by :user:bdraco

    Related issues and pull requests on GitHub:
    :issue:10877.

Contributor-facing changes

  • Sped up tests by disabling blockbuster fixture for test_static_file_huge and test_static_file_huge_cancel tests -- by :user:dikos1337.

    Related issues and pull requests on GitHub:
    :issue:9705, :issue:10761.

  • Updated tests to avoid using deprecated :py:mod:asyncio policy APIs and
    make it compatible with Python 3.14.

    Related issues and pull requests on GitHub:
    :issue:10851.

  • Added Winloop to test suite to support in the future -- by :user:Vizonex.

    Related issues and pull requests on GitHub:
    :issue:10922.

Miscellaneous internal changes

  • Added support for the partitioned attribute in the set_cookie method.

    Related issues and pull requests on GitHub:
    :issue:9870.

  • Setting :attr:aiohttp.web.StreamResponse.last_modified to an unsupported type will now raise :exc:TypeError instead of silently failing -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:10146.

v3.11.18

Compare Source

====================

Bug fixes

  • Disabled TLS in TLS warning (when using HTTPS proxies) for uvloop and newer Python versions -- by :user:lezgomatt.

    Related issues and pull requests on GitHub:
    :issue:7686.

  • Fixed reading fragmented WebSocket messages when the payload was masked -- by :user:bdraco.

    The problem first appeared in 3.11.17

    Related issues and pull requests on GitHub:
    :issue:10764.

v3.11.17

Compare Source

====================

Miscellaneous internal changes

  • Optimized web server performance when access logging is disabled by reducing time syscalls -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:10713.

  • Improved web server performance when connection can be reused -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:10714.

  • Improved performance of the WebSocket reader -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:10740.

  • Improved performance of the WebSocket reader with large messages -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:10744.

v3.11.16

Compare Source

====================

Bug fixes

  • Replaced deprecated asyncio.iscoroutinefunction with its counterpart from inspect
    -- by :user:layday.

    Related issues and pull requests on GitHub:
    :issue:10634.

  • Fixed :class:multidict.CIMultiDict being mutated when passed to :class:aiohttp.web.Response -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:10672.

v3.11.15

Compare Source

====================

Bug fixes

  • Reverted explicitly closing sockets if an exception is raised during create_connection -- by :user:bdraco.

    This change originally appeared in aiohttp 3.11.13

    Related issues and pull requests on GitHub:
    :issue:10464, :issue:10617, :issue:10656.

Miscellaneous internal changes

  • Improved performance of WebSocket buffer handling -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:10601.

  • Improved performance of serializing headers -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:10625.

halcy/Mastodon.py (mastodon_py)

v2.2.1

Compare Source

v2.2.0

Compare Source

  • Bumped support level to 4.5.0
  • Switch from grapheme to graphemeu package, which is more maintained (thanks @​CyberTailor for the report).
  • Fix a crash due to unbound local in stream_public (Thanks @​elnikkis for the report and fix)
  • Fix invalid event error in heartbeats (Thanks @​tribela for the report and fix)
  • Add several missing parameters to account_update_credentials
  • Add quote support (Several new endpoints and entities)
  • Fix a bug in push subscriptions for status push subscriptions
  • Fix a bug in Pleroma ID parsing
  • Samples: Make samples work on Windows (Thanks @​AllynH for the report and fix)
  • Add support for async refreshes
  • Fix various other bugs and documentation issues
eyeseast/python-frontmatter (python_frontmatter)

v1.3.0: - Now using uv

Compare Source

What's Changed

Full Changelog: https://github.com/eyeseast/python-frontmatter/compare/v1.2.0...v1.3.0

v1.2.0: - Fix type issues and support newer Python versions

Compare Source

What's Changed

New Contributors

This version drops support for Python 3.9.

Full Changelog: https://github.com/eyeseast/python-frontmatter/compare/v1.1.0...v1.2.0

Configuration

📅 Schedule: (in timezone UTC)

  • Branch creation
    • "after 9am on monday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [PyGithub](https://github.com/pygithub/pygithub) | `==2.8.1` → `==2.9.1` | ![age](https://developer.mend.io/api/mc/badges/age/pypi/pygithub/2.9.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/pygithub/2.8.1/2.9.1?slim=true) | | [Requests](https://github.com/psf/requests) ([changelog](https://github.com/psf/requests/blob/master/HISTORY.md)) | `==2.32.5` → `==2.34.2` | ![age](https://developer.mend.io/api/mc/badges/age/pypi/requests/2.34.2?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/requests/2.32.5/2.34.2?slim=true) | | [aiohttp](https://github.com/aio-libs/aiohttp) | `==3.11.14` → `==3.14.1` | ![age](https://developer.mend.io/api/mc/badges/age/pypi/aiohttp/3.14.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/aiohttp/3.11.14/3.14.1?slim=true) | | [mastodon_py](https://github.com/halcy/Mastodon.py) | `==2.1.4` → `==2.2.1` | ![age](https://developer.mend.io/api/mc/badges/age/pypi/mastodon-py/2.2.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/mastodon-py/2.1.4/2.2.1?slim=true) | | [python_frontmatter](https://github.com/eyeseast/python-frontmatter) | `==1.1.0` → `==1.3.0` | ![age](https://developer.mend.io/api/mc/badges/age/pypi/python-frontmatter/1.3.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/python-frontmatter/1.1.0/1.3.0?slim=true) | --- ### Release Notes <details> <summary>pygithub/pygithub (PyGithub)</summary> ### [`v2.9.1`](https://github.com/PyGithub/PyGithub/releases/tag/v2.9.1) [Compare Source](https://github.com/pygithub/pygithub/compare/v2.9.0...v2.9.1) ##### Bug Fixes - Fix getting release by tag in lazy mode by [@&#8203;EnricoMi](https://github.com/EnricoMi) in [PyGithub/PyGithub#3469](https://github.com/PyGithub/PyGithub/pull/3469) **Full Changelog**: <https://github.com/PyGithub/PyGithub/compare/v2.9.0...v2.9.1> ### [`v2.9.0`](https://github.com/PyGithub/PyGithub/releases/tag/v2.9.0) [Compare Source](https://github.com/pygithub/pygithub/compare/v2.8.1...v2.9.0) ##### Notable changes ##### Lazy PyGithub objects The notion of lazy objects has been added to some PyGithub classes in version 2.6.0. This release now makes all `CompletableGithubObject`s optionally lazy (if useful). See [PyGithub/PyGithub#3403](https://github.com/PyGithub/PyGithub/pull/3403) for a complete list. In lazy mode, getting a PyGithub object does not send a request to the GitHub API. Only accessing methods and properties sends the necessary requests to the GitHub API: ```python # Use lazy mode g = Github(auth=auth, lazy=True) # these method calls do not send requests to the GitHub API user = g.get_user("PyGithub") # get the user repo = user.get_repo("PyGithub") # get the user's repo pull = repo.get_pull(3403) # get a known pull request issue = pull.as_issue() # turn the pull request into an issue # these method and property calls send requests to Github API issue.create_reaction("rocket") # create a reaction created = repo.created_at # get property of lazy object repo # once a lazy object has been fetched, all properties are available (no more requests) licence = repo.license ``` All PyGithub classes that implement `CompletableGithubObject` support lazy mode (if useful). This is only useful for classes that have methods creating, changing, or getting objects. By default, PyGithub objects are not lazy. ##### PyGithub objects with a paginated property The GitHub API has the "feature" of paginated properties. Some objects returned by the API have a property that allows for pagination. Fetching subsequent pages of that property means fetching the entire object (with all other properties) and the specified page of the paginated property. Iterating over the paginated property means fetching all other properties multiple times. Fortunately, the allowed size of each page (`per_page` is usually 300, in contrast to the "usual" `per_page` maximum of 100). Objects with paginated properties: - Commit.files - Comparison.commits - EnterpriseConsumedLicenses.users This PR makes iterating those paginated properties use the configured `per_page` setting. It further allows to specify an individual `per_page` when either retrieving such objects, or fetching paginated properties. See [Classes with paginated properties](https://pygithub.readthedocs.io/en/stable/utilities.html#utilities-classes-with-paginated-properties) for details. ##### Drop Python 3.8 support due to End-of-Life Python 3.8 reached its end-of-life September 6, 2024. Support has been removed with this release. ##### Deprecations - Method `delete` of `Reaction` is deprecated, use `IssueComment.delete_reaction`, `PullRequestComment.delete_reaction`, `CommitComment.delete_reaction` or `Issue.delete_reaction` instead. - Method `Issue.assignee` and parameter `Issue.edit(assignee=…)` are deprecated, use `Issue.assignees` and `Issue.edit(assignees=…)` instead. - Method `Organization.edit_hook` is deprecated, use `Organization.get_hook(id).edit(…)` instead. If you need to avoid `Organization.get_hook(id)` to fetch the `Hook` object from Github API, use a lazy Github instance: ```python Github(…, lazy=True).get_organization(…).get_hook(id).edit(…) ``` - Methods `Team.add_to_members` and `Team.remove_from_members` are deprecated, use `Team.add_membership` or `Team.remove_membership` instead. ##### New Features - Consider per-page settings when iterating paginated properties by [@&#8203;EnricoMi](https://github.com/EnricoMi) in [PyGithub/PyGithub#3377](https://github.com/PyGithub/PyGithub/pull/3377) - Add Secret Scanning Alerts and Improve Code Scan Alerts by [@&#8203;matt-davis27](https://github.com/matt-davis27) in [PyGithub/PyGithub#3307](https://github.com/PyGithub/PyGithub/pull/3307) ##### Improvements - More lazy objects by [@&#8203;EnricoMi](https://github.com/EnricoMi) in [PyGithub/PyGithub#3403](https://github.com/PyGithub/PyGithub/pull/3403) - Allow for enterprise base url prefixed with `api.` by [@&#8203;EnricoMi](https://github.com/EnricoMi) in [PyGithub/PyGithub#3419](https://github.com/PyGithub/PyGithub/pull/3419) - Add `throw` option to `Workflow.create_dispatch` to raise exceptions by [@&#8203;dblanchette](https://github.com/dblanchette) in [PyGithub/PyGithub#2966](https://github.com/PyGithub/PyGithub/pull/2966) - Use `GET` url or `_links.self` as object url by [@&#8203;EnricoMi](https://github.com/EnricoMi) in [PyGithub/PyGithub#3421](https://github.com/PyGithub/PyGithub/pull/3421) - Add support for `type` parameter to get\_issues by [@&#8203;nrysk](https://github.com/nrysk) in [PyGithub/PyGithub#3381](https://github.com/PyGithub/PyGithub/pull/3381) - Align implemented paths with OpenAPI spec by [@&#8203;EnricoMi](https://github.com/EnricoMi) in [PyGithub/PyGithub#3413](https://github.com/PyGithub/PyGithub/pull/3413) - Add suggested OpenAPI schemas by [@&#8203;EnricoMi](https://github.com/EnricoMi) in [PyGithub/PyGithub#3411](https://github.com/PyGithub/PyGithub/pull/3411) - Apply OpenAPI schemas by [@&#8203;EnricoMi](https://github.com/EnricoMi) in [PyGithub/PyGithub#3412](https://github.com/PyGithub/PyGithub/pull/3412) ##### Bug Fixes - Fix `PaginatedList.totalCount` returning 0 with GitHub deprecation notices by [@&#8203;odedperezcodes](https://github.com/odedperezcodes) in [PyGithub/PyGithub#3382](https://github.com/PyGithub/PyGithub/pull/3382) - Use default type if known type is not supported by [@&#8203;EnricoMi](https://github.com/EnricoMi) in [PyGithub/PyGithub#3365](https://github.com/PyGithub/PyGithub/pull/3365) ##### Maintenance - Deprecate `Reaction.delete` by [@&#8203;iarspider](https://github.com/iarspider) in [PyGithub/PyGithub#3435](https://github.com/PyGithub/PyGithub/pull/3435) - Deprecate `Issue.assignee` by [@&#8203;EnricoMi](https://github.com/EnricoMi) in [PyGithub/PyGithub#3366](https://github.com/PyGithub/PyGithub/pull/3366) - Deprecate `Orginization.edit_hook` by [@&#8203;EnricoMi](https://github.com/EnricoMi) in [PyGithub/PyGithub#3404](https://github.com/PyGithub/PyGithub/pull/3404) - Deprecate `Team.add_to_members` and `Team.remove_from_members` by [@&#8203;EnricoMi](https://github.com/EnricoMi) in [PyGithub/PyGithub#3368](https://github.com/PyGithub/PyGithub/pull/3368) - Various minor OpenAPI fixes by [@&#8203;EnricoMi](https://github.com/EnricoMi) in [PyGithub/PyGithub#3375](https://github.com/PyGithub/PyGithub/pull/3375) - Update test key pair by [@&#8203;EnricoMi](https://github.com/EnricoMi) in [PyGithub/PyGithub#3453](https://github.com/PyGithub/PyGithub/pull/3453) - Pin CI lint Python version to 3.13 by [@&#8203;EnricoMi](https://github.com/EnricoMi) in [PyGithub/PyGithub#3406](https://github.com/PyGithub/PyGithub/pull/3406) - Improve error message on replay data mismatch by [@&#8203;EnricoMi](https://github.com/EnricoMi) in [PyGithub/PyGithub#3385](https://github.com/PyGithub/PyGithub/pull/3385) and [PyGithub/PyGithub#3386](https://github.com/PyGithub/PyGithub/pull/3386) - Disable sleeps in tests by [@&#8203;EnricoMi](https://github.com/EnricoMi) in [PyGithub/PyGithub#3383](https://github.com/PyGithub/PyGithub/pull/3383) - Update autodoc defaults by [@&#8203;Aidan-McNay](https://github.com/Aidan-McNay) in [PyGithub/PyGithub#3369](https://github.com/PyGithub/PyGithub/pull/3369) - Add Python 3.14 to CI and tox by [@&#8203;EnricoMi](https://github.com/EnricoMi) in [PyGithub/PyGithub#3429](https://github.com/PyGithub/PyGithub/pull/3429) - Restrict PyPi release workflow permissions by [@&#8203;JLLeitschuh](https://github.com/JLLeitschuh) in [PyGithub/PyGithub#3418](https://github.com/PyGithub/PyGithub/pull/3418) - Fix OpenApi workflow by [@&#8203;EnricoMi](https://github.com/EnricoMi) in [PyGithub/PyGithub#3389](https://github.com/PyGithub/PyGithub/pull/3389) - Bump codecov/codecov-action from 3 to 5 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [PyGithub/PyGithub#3284](https://github.com/PyGithub/PyGithub/pull/3284) - Bump actions/setup-python from 5 to 6 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [PyGithub/PyGithub#3370](https://github.com/PyGithub/PyGithub/pull/3370) - Bump dawidd6/action-download-artifact from 3.0.0 to 3.1.4 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [PyGithub/PyGithub#3282](https://github.com/PyGithub/PyGithub/pull/3282) - Bump github/codeql-action from 3 to 4 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [PyGithub/PyGithub#3391](https://github.com/PyGithub/PyGithub/pull/3391) - Bump actions/upload-artifact from 4 to 5 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [PyGithub/PyGithub#3394](https://github.com/PyGithub/PyGithub/pull/3394) - Bump actions/download-artifact from 5 to 6 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [PyGithub/PyGithub#3393](https://github.com/PyGithub/PyGithub/pull/3393) - Drop Python 3.8 support due to EOL by [@&#8203;hugovk](https://github.com/hugovk) in [PyGithub/PyGithub#3191](https://github.com/PyGithub/PyGithub/pull/3191) - Merge changelog updates from v2.8 release branch by [@&#8203;EnricoMi](https://github.com/EnricoMi) in [PyGithub/PyGithub#3367](https://github.com/PyGithub/PyGithub/pull/3367) #### New Contributors - [@&#8203;odedperezcodes](https://github.com/odedperezcodes) made their first contribution in [PyGithub/PyGithub#3382](https://github.com/PyGithub/PyGithub/pull/3382) - [@&#8203;Aidan-McNay](https://github.com/Aidan-McNay) made their first contribution in [PyGithub/PyGithub#3369](https://github.com/PyGithub/PyGithub/pull/3369) - [@&#8203;nrysk](https://github.com/nrysk) made their first contribution in [PyGithub/PyGithub#3381](https://github.com/PyGithub/PyGithub/pull/3381) - [@&#8203;matt-davis27](https://github.com/matt-davis27) made their first contribution in [PyGithub/PyGithub#3307](https://github.com/PyGithub/PyGithub/pull/3307) **Full Changelog**: <https://github.com/PyGithub/PyGithub/compare/v2.8.0...v2.9.0> </details> <details> <summary>psf/requests (Requests)</summary> ### [`v2.34.2`](https://github.com/psf/requests/blob/HEAD/HISTORY.md#2342-2026-05-14) [Compare Source](https://github.com/psf/requests/compare/v2.34.1...v2.34.2) - Moved `headers` input type back to `Mapping` to avoid invariance issues with `MutableMapping` and inferred dict types. Users calling `Request.headers.update()` may need to narrow typing in their code. ([#&#8203;7441](https://github.com/psf/requests/issues/7441)) ### [`v2.34.1`](https://github.com/psf/requests/blob/HEAD/HISTORY.md#2341-2026-05-13) [Compare Source](https://github.com/psf/requests/compare/v2.34.0...v2.34.1) **Bugfixes** - Widened `json` input type from `dict` and `list` to `Mapping` and `Sequence`. ([#&#8203;7436](https://github.com/psf/requests/issues/7436)) - Changed `headers` input type to MutableMapping and removed `None` from `Request.headers` typing to improve handling for users. ([#&#8203;7431](https://github.com/psf/requests/issues/7431)) - `Response.reason` moved from `str | None` to `str` to improve handling for users. ([#&#8203;7437](https://github.com/psf/requests/issues/7437)) - Fixed a bug where some bodies with custom `__getattr__` implementations weren't being properly detected as Iterables. ([#&#8203;7433](https://github.com/psf/requests/issues/7433)) ### [`v2.34.0`](https://github.com/psf/requests/blob/HEAD/HISTORY.md#2340-2026-05-11) [Compare Source](https://github.com/psf/requests/compare/v2.33.1...v2.34.0) **Announcements** - Requests 2.34.0 introduces inline types, replacing those provided by typeshed. Public API types should be fully compatible with mypy, pyright, and ty. We believe types are comprehensive but if you find issues, please report them to the pinned tracking issue. Special thanks to [@&#8203;bastimeyer](https://github.com/bastimeyer), [@&#8203;cthoyt](https://github.com/cthoyt), [@&#8203;edgarrmondragon](https://github.com/edgarrmondragon), and [@&#8203;srittau](https://github.com/srittau) for helping review and test the types ahead of the release. ([#&#8203;7272](https://github.com/psf/requests/issues/7272)) **Improvements** - Digest Auth hashing algorithms have added `usedforsecurity=False` to clarify security considerations. ([#&#8203;7310](https://github.com/psf/requests/issues/7310)) - Requests added support for Python 3.15 based on beta1. Downstream projects should be able to start testing prior to its release in October. ([#&#8203;7422](https://github.com/psf/requests/issues/7422)) - Requests added support for Python 3.14t. ([#&#8203;7419](https://github.com/psf/requests/issues/7419)) **Bugfixes** - `Response.history` no longer contains a reference to itself, preventing accidental looping when traversing the history list. ([#&#8203;7328](https://github.com/psf/requests/issues/7328)) - Requests no longer performs greedy matching on no\_proxy domains. The proxy\_bypass implementation has been updated with CPython's fix from bpo-39057. ([#&#8203;7427](https://github.com/psf/requests/issues/7427)) - Requests no longer incorrectly strips duplicate leading slashes in URI paths. This should address user issues with specific presigned URLs. Note the full fix requires urllib3 2.7.0+. ([#&#8203;7315](https://github.com/psf/requests/issues/7315)) ### [`v2.33.1`](https://github.com/psf/requests/blob/HEAD/HISTORY.md#2331-2026-03-30) [Compare Source](https://github.com/psf/requests/compare/v2.33.0...v2.33.1) **Bugfixes** - Fixed test cleanup for CVE-2026-25645 to avoid leaving unnecessary files in the tmp directory. ([#&#8203;7305](https://github.com/psf/requests/issues/7305)) - Fixed Content-Type header parsing for malformed values. ([#&#8203;7309](https://github.com/psf/requests/issues/7309)) - Improved error consistency for malformed header values. ([#&#8203;7308](https://github.com/psf/requests/issues/7308)) ### [`v2.33.0`](https://github.com/psf/requests/blob/HEAD/HISTORY.md#2330-2026-03-25) [Compare Source](https://github.com/psf/requests/compare/v2.32.5...v2.33.0) **Announcements** - 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at [#&#8203;7271](https://github.com/psf/requests/issues/7271). Give it a try, and report any gaps or feedback you may have in the issue. 📣 **Security** - CVE-2026-25645 `requests.utils.extract_zipped_paths` now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly. **Improvements** - Migrated to a PEP 517 build system using setuptools. ([#&#8203;7012](https://github.com/psf/requests/issues/7012)) **Bugfixes** - Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. ([#&#8203;7205](https://github.com/psf/requests/issues/7205)) **Deprecations** - Dropped support for Python 3.9 following its end of support. ([#&#8203;7196](https://github.com/psf/requests/issues/7196)) **Documentation** - Various typo fixes and doc improvements. </details> <details> <summary>aio-libs/aiohttp (aiohttp)</summary> ### [`v3.14.1`](https://github.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#3141-2026-06-07) [Compare Source](https://github.com/aio-libs/aiohttp/compare/v3.14.0...v3.14.1) \=================== ## Bug fixes - Fixed a race condition in :py:class:`~aiohttp.TCPConnector` where closing the connector while a DNS resolution was in-flight could raise :py:exc:`AttributeError` instead of :py:exc:`~aiohttp.ClientConnectionError` -- by :user:`goingforstudying-ctrl`. *Related issues and pull requests on GitHub:* :issue:`12497`. - Fixed `CancelledError` not closing a connection -- by :user:`aiolibsbot`. *Related issues and pull requests on GitHub:* :issue:`12795`. - Tightened up some websocket parser checks -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`12817`. - Fixed :class:`~aiohttp.CookieJar` dropping the host-only flag of cookies when persisted with :meth:`~aiohttp.CookieJar.save` and reloaded with :meth:`~aiohttp.CookieJar.load`, so a cookie set without a `Domain` attribute is again scoped to the exact host that set it after a reload; the absolute expiration deadline is now persisted as well, so a reloaded cookie keeps its original lifetime instead of being rescheduled from the load time. :meth:`~aiohttp.CookieJar.load` now replaces the jar contents rather than merging onto prior state, and loaded cookies pass through the same acceptance rules as :meth:`~aiohttp.CookieJar.update_cookies`, so a cookie for an IP-address host is dropped when loaded into a jar created without `unsafe=True` -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12824`. - Scoped :class:`~aiohttp.DigestAuthMiddleware` credentials to the origin of the first request it handles, so a redirect to a different origin no longer triggers a digest response computed from the configured credentials; a challenge from another origin is only answered when that origin falls within a protection space advertised by the anchor origin through the RFC 7616 `domain` directive -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12825`. - Fixed the C HTTP parser not enforcing `max_line_size` on a request target or response reason phrase that is split across multiple reads; each fragment was checked on its own, so an accumulated line could exceed the limit without raising `LineTooLong`. The accumulated length is now checked, matching the pure-Python parser -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12826`. - Changed :class:`~aiohttp.TCPConnector` to reject legacy non-canonical numeric IPv4 host forms such as `2130706433`, `017700000001` and `127.1` with :exc:`~aiohttp.InvalidUrlClientError`; only canonical dotted-quad IPv4 literals are now treated as IP address literals, while every other host is sent through the configured resolver -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12827`. - Fixed :meth:`~aiohttp.StreamReader.readany` and :meth:`~aiohttp.StreamReader.read_nowait` joining data fed back into the buffer during the call (when draining below the low water mark resumes reading) into a single unbounded :class:`bytes`; a call now returns only the chunks that were buffered when it started, keeping the drain of an unread auto-decompressed request body bounded by the read buffer -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12828`. - Bounded the number of parsed-but-unhandled pipelined HTTP/1 requests buffered per connection on the server; once the queue reaches an internal limit the parser stops emitting and the transport is paused, resuming as the request handler drains the queue, so a client keeping one handler busy can no longer accumulate an unbounded backlog of pipelined requests -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12830`. - Fixed :meth:`aiohttp.web.Response.write_eof` skipping `Payload.close()` when the body write was interrupted by an error or cancellation, for example when a client disconnects mid-response; the payload close hook now runs in a `finally` so a :class:`~aiohttp.payload.Payload` body always releases its resources -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12831`. - Fixed the pure-Python HTTP parser not enforcing `max_line_size` on a chunk-size line when the whole line arrived in a single read; the limit was only applied to chunk-size metadata split across reads. The complete-line case is now checked too, matching the split-line behavior -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12832`. - Included the per-request `server_hostname` override in the :class:`~aiohttp.TCPConnector` connection pool key, so a pooled TLS connection is no longer reused for a request that sets `server_hostname` to a different value -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12835`. *** ### [`v3.14.0`](https://github.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#3140-2026-06-01) [Compare Source](https://github.com/aio-libs/aiohttp/compare/v3.13.5...v3.14.0) \=================== We have a new website! <https://aio-libs.org> Subscribe to the news feed to find out more about what we're working on in future. ## Features - Added `RequestKey` and `ResponseKey` classes, which enable static type checking for request & response context storages in the same way that `AppKey` does for `Application` \-- by :user:`gsoldatov`. *Related issues and pull requests on GitHub:* :issue:`11766`. - Added :func:`~aiohttp.encode_basic_auth` for encoding HTTP Basic Authentication credentials. Replaces the now-deprecated `aiohttp.BasicAuth` -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`12499`. - Started accepting :term:`asynchronous context managers <asynchronous context manager>` for cleanup contexts. Legacy single-yield :term:`asynchronous generator` cleanup contexts continue to be supported; async context managers are adapted internally so they are entered at startup and exited during cleanup. \-- by :user:`MannXo`. *Related issues and pull requests on GitHub:* :issue:`11681`. - Added :py:attr:`~aiohttp.CookieJar.cookies` and :py:attr:`~aiohttp.CookieJar.host_only_cookies` read-only properties to :py:class:`~aiohttp.CookieJar` exposing the stored cookies with their full attributes -- by :user:`Br1an67`. *Related issues and pull requests on GitHub:* :issue:`3951`. - Added :py:attr:`~aiohttp.web.TCPSite.port` accessor for dynamic port allocations in :class:`~aiohttp.web.TCPSite` -- by :user:`twhittock-disguise` and :user:`rodrigobnogueira`. *Related issues and pull requests on GitHub:* :issue:`10665`. - Added `decode_text` parameter to :meth:`~aiohttp.ClientSession.ws_connect` and :class:`~aiohttp.web.WebSocketResponse` to receive WebSocket TEXT messages as raw bytes instead of decoded strings, enabling direct use with high-performance JSON parsers like `orjson` -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`11763`, :issue:`11764`. - Large overhaul of parser/decompression code. The zip bomb security fix in 3.13 stopped highly compressed payloads from being decompressed, regardless of validity. Now aiohttp will decompress such payloads in chunks of 256+ KiB, allowing safe decompression of such payloads. \-- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`11966`. - Added explicit APIs for bytes-returning JSON serializer: `JSONBytesEncoder` type, `JsonBytesPayload`, :func:`~aiohttp.web.json_bytes_response`, :meth:`~aiohttp.web.WebSocketResponse.send_json_bytes` and :meth:`~aiohttp.ClientWebSocketResponse.send_json_bytes` methods, and `json_serialize_bytes` parameter for :class:`~aiohttp.ClientSession` \-- by :user:`kevinpark1217`. *Related issues and pull requests on GitHub:* :issue:`11989`. - Added :attr:`~aiohttp.ClientResponse.output_size` and :attr:`~aiohttp.ClientResponse.upload_complete` -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`12452`. ## Bug fixes - Fixed `ZLibDecompressor` silently dropping data past the first member when decompressing concatenated gzip/deflate streams. Each subsequent member is now handed to a fresh decompressor, matching the behaviour already implemented for ZSTD multi-frame streams. \-- by :user:`Ashutosh-177` *Related issues and pull requests on GitHub:* :issue:`7157`. - Improved the parser error message shown when TLS handshake bytes are received on an HTTP port -- by :user:`puneetdixit200`. *Related issues and pull requests on GitHub:* :issue:`10142`. - Fixed the C parser failing to reject a response with a body when none was expected -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`10587`. - Fixed http parser not rejecting HTTP/1.1 requests that do not have valid Host header. \-- by :user:`Cycloctane`. *Related issues and pull requests on GitHub:* :issue:`10600`. - Fixed misleading TLS-in-TLS warning being emitted when sending HTTPS requests through an HTTP proxy. The warning now only fires when the proxy itself uses HTTPS, which is the only case where TLS-in-TLS actually applies -- by :user:`wavebyrd`. *Related issues and pull requests on GitHub:* :issue:`10683`. - Fixed `AssertionError` when the transport is `None` during WebSocket preparation or file response sending (e.g. when a client disconnects immediately after connecting). A `ConnectionResetError` is now raised instead -- by :user:`agners`. *Related issues and pull requests on GitHub:* :issue:`11761`. - Fixed ad-hoc cookies passed to individual requests not being sent when the session's cookie jar has `unsafe=True` and the target URL uses an IP address, by copying the `unsafe` setting from the session's cookie jar to the temporary cookie jar -- by :user:`Krishnachaitanyakc`. *Related issues and pull requests on GitHub:* :issue:`12011`. - Reset the WebSocket heartbeat timer on inbound data to avoid false ping/pong timeouts while receiving large frames \-- by :user:`hoffmang9`. *Related issues and pull requests on GitHub:* :issue:`12030`. - Switched :py:meth:`~aiohttp.CookieJar.save` to use JSON format and :py:meth:`~aiohttp.CookieJar.load` to try JSON first with a fallback to a restricted pickle unpickler -- by :user:`YuvalElbar6`. *Related issues and pull requests on GitHub:* :issue:`12091`. - Fixed redirects with consumed non-rewindable request bodies to raise :class:`aiohttp.ClientPayloadError` instead of silently sending an empty body. *Related issues and pull requests on GitHub:* :issue:`12195`. - Fixed zstd decompression failing with `ClientPayloadError` when the server sends a response as multiple zstd frames -- by :user:`josu-moreno`. *Related issues and pull requests on GitHub:* :issue:`12234`. - Fixed spurious `Future exception was never retrieved` warning on disconnect during back-pressure -- by :user:`availov`. *Related issues and pull requests on GitHub:* :issue:`12281`. - `Cookiejar.save()` now uses `0x600` permissions to better protect them from being read by other users -- by :user:`digiscrypt`. *Related issues and pull requests on GitHub:* :issue:`12312`. - Fixed a crash (:external+python:exc:`~http.cookies.CookieError`) in the cookie parser when receiving cookies containing ASCII control characters on CPython builds with the :cve:`2026-3644` patch. The parser now gracefully skips cookies whose value contains control characters instead of letting the exception propagate -- by :user:`rodrigobnogueira`. *Related issues and pull requests on GitHub:* :issue:`12395`. - Fixed digest authentication failing for requests whose path or query string contains percent-encoded reserved characters; the digest signature now uses the encoded request-target that is sent on the wire instead of the decoded form -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12436`. - Fixed :func:`aiohttp.web.run_app` losing inner traceback frames when an exception is raised during application startup (e.g. inside `cleanup_ctx` or `on_startup`). Regression since 3.10.6. *Related issues and pull requests on GitHub:* :issue:`12493`. - Fixed per-request `cookies` not being dropped on cross-origin redirects -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`12550`. - Fixed invalid bytes being allowed in multipart/payload headers -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`12719`. - Fixed :py:meth:`~aiohttp.FormData.add_field` accepting invalid bytes in `name` and `filename` -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`12721`. - Fixed websocket upgrade occurring when header contained a value like `notupgrade` -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`12723`. ## Deprecations (removal in next major release) - Deprecated `aiohttp.BasicAuth` and the `auth` / `proxy_auth` parameters. They will be removed in aiohttp 4.0. Use the new :func:`~aiohttp.encode_basic_auth` helper together with `headers={"Authorization": ...}` (or `proxy_headers={"Proxy-Authorization": ...}` for proxies) instead. Note that `encode_basic_auth()` defaults to `utf-8`, not `latin1` \-- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`12499`. - Added deprecation warning to `aiohttp.pytest_plugin`, please switch to `pytest-aiohttp` -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`10785`. ## Removals and backward incompatible breaking changes - Stopped calling :func:`socket.getfqdn` as the fallback for :attr:`aiohttp.web.BaseRequest.host`. :func:`socket.getfqdn` performs blocking reverse DNS resolution on the event loop thread and can stall a worker for many seconds when the system resolver is slow, and could be triggered remotely by an HTTP/1.0 request that omits the `Host` header. The fallback when no `Host` header is present is now the local socket address the request arrived on (transport `sockname`), or an empty string if no transport information is available. Code that relied on the FQDN being returned must now read it from :func:`socket.getfqdn` directly, off the event loop \-- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`9308`, :issue:`12597`. - Dropped support for Python 3.9 -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`11601`. - Tightened outbound header serialization to reject all ASCII control characters forbidden by :rfc:`9110#section-5.5` and :rfc:`9112#section-4` (`0x00`-`0x08`, `0x0A`-`0x1F`, `0x7F`) in status lines, header field-names, and field-values. Previously only CR, LF and NUL were rejected. HTAB (`0x09`) remains permitted in field values. Applications that placed bare control characters in outbound headers will now raise :exc:`ValueError` instead of emitting non-RFC-compliant bytes -- by :user:`rodrigobnogueira`. *Related issues and pull requests on GitHub:* :issue:`12689`. ## Improved documentation - Replaced the deprecated `ujson` library with `orjson` in the client quickstart documentation. `ujson` has been put into maintenance-only mode; `orjson` is the recommended alternative. \-- by :user:`indoor47` *Related issues and pull requests on GitHub:* :issue:`10795`. - Added the :doc:`threat_model` to the Sphinx documentation -- by :user:`omkar-334`. *Related issues and pull requests on GitHub:* :issue:`12549`. - Removed archived and deprecated repositories from third party list -- by :user:`Polandia94`. *Related issues and pull requests on GitHub:* :issue:`12726`. - Added `aiointercept` to list of third-party libraries -- by :user:`Polandia94`. *Related issues and pull requests on GitHub:* :issue:`12727`. ## Packaging updates and notes for downstreams - Added wheels for Android and iOS platforms -- by :user:`timrid`. *Related issues and pull requests on GitHub:* :issue:`11750`. - Parallelized the Cython extension compilation by defaulting `build_ext.parallel` to `os.cpu_count()`, so each module's `gcc` invocation now runs concurrently instead of one at a time \-- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12576`. - Submitted vendored `llhttp` to Github's SBOM -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`12678`. - Updated `llhttp` to v9.4.1 -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`12681`. ## Contributor-facing changes - The coverage tool is now configured using the new native auto-discovered :file:`.coveragerc.toml` file \-- by :user:`webknjaz`. It is also set up to use the `ctrace` core that works around the performance issues in the `sysmon` tracer which is default under Python 3.14. *Related issues and pull requests on GitHub:* :issue:`11826`. - Fixed and reworked `autobahn` tests -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`12173`. - Added a CI job to measure Cython coverage -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`12349`. - Disabled `coverage` and `xdist` by default to ease local development -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`12364`. - Avoid installation of backports.zstd on Python 3.14 in linting dependency set \-- by :user:`seifertm`. *Related issues and pull requests on GitHub:* :issue:`12406`. - Added `--durations=30` to the benchmark CI run so the slowest tests are reported when the job hits its timeout -- by :user:`aiolibsbot`. *Related issues and pull requests on GitHub:* :issue:`12562`. - Fixed two flakey `test_middleware_uses_session_avoids_recursion_with_*` tests that hard coded `localhost` in the inner middleware request; they now target the bound server URL so happy eyeballs cannot pick an unbound address on Windows runners -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12571`. - Restricted the `isal` test dependency to CPython, since `isal` 1.8.0 stopped publishing PyPy wheels and the source build requires `nasm`, which is not available on the CI runners. The `parametrize_zlib_backend` fixture already calls `pytest.importorskip`, so PyPy continues to exercise the `zlib` and `zlib_ng` backends with no further changes -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12589`. - Fixed a flakey `test_tcp_connector_fingerprint_ok` by aborting the SSL shutdown on the test's TCP connector before returning. The graceful TLS close was occasionally outliving the test event loop on one of the CI jobs, and the teardown `gc.collect()` then surfaced the still-open transport as a `PytestUnraisableExceptionWarning` -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12592`. - Switched the `cibuildwheel` build frontend to `build[uv]` so that `uv` provisions every build-isolation virtual environment in the wheel matrix, replacing the per-ABI `pip` resolve with a roughly sub-second `uv` resolve \-- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12595`. - Fixed flaky `test_handler_returns_not_response` and `test_handler_returns_none` by routing `loop.set_debug(True)` through a new `loop_debug_mode` fixture that disables debug mode before the `aiohttp_client` fixture finalizes. Leaving debug on through teardown let PyPy 3.11's asyncio slow-callback logger walk into `Task.__repr__` during connector close, surfacing a spurious `RuntimeWarning: coroutine was never awaited` -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12603`. - Reduced runtime of several of the slowest unit tests (decompress size-limit payloads from 64 MiB to 2 MiB, `test_chunk_splits_after_pause` chunk count from 50000 to 20000, and `test_set_cookies_max_age` sleep from 2 seconds to 1.1 seconds) without changing what they exercise -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12606`. - Added a default 120-second per-test timeout via `pytest-timeout` so a hung test surfaces by name in CI output instead of getting hidden behind the job-level timeout added in :pr:`12619`. The `autobahn` and benchmark jobs opt out with `--timeout=0` -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12624`. - Switched the CI `test` and `autobahn` jobs from `actions/setup-python` to `astral-sh/setup-uv` for installing interpreters, cutting the `Setup Python` step from 40-58s to a few seconds on `macos-latest` and `windows-latest` runners for variants not in the hosted tool-cache (notably the free-threaded `3.14t`) \-- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12629`. - Made the `pip` command used by the :file:`Makefile` configurable via a `PIP` variable; downstream consumers can now run, for example, `make .develop PIP="uv pip"` to install via `uv` without us maintaining a parallel target \-- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12641`. - Allowed re-running the `deploy` job in `.github/workflows/ci-cd.yml` after a partial release failure: the `Make Release` step now skips when the GitHub Release already exists, and the PyPI publish step uses `skip-existing` so dists that were already uploaded on a prior attempt do not break the retry -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12651`. - Switched the armv7l wheel builds onto GitHub's hosted ARM runners. The 32-bit ARM build still runs under QEMU, but the host is now aarch64 rather than x86\_64, so the emulation overhead drops sharply \-- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12655`. ## Miscellaneous internal changes - Added win\_arm64 to the wheels that gets pushed to PyPI \-- by :user:`AraHaan`. *Related issues and pull requests on GitHub:* :issue:`11937`. - Added `cdef` type declarations and inlined the upgrade check in the HTTP parser \-- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12321`. - Changed `zlib_executor_size` default so compressed payloads are async by default -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`12358`. - Added `THREAT_MODEL.md` detailing our security stance -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`12512`. - Reduced payload sizes and request counts in the slowest client and URL dispatcher benchmarks so they no longer dominate CI runtime \-- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12569`. - Improved `ContentLengthError` exception messages to include both expected and received byte counts. This enhancement provides better diagnostics when debugging response body size mismatches \-- by :user:`bdraco` and :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`12753`. *** ### [`v3.13.5`](https://github.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#3135-2026-03-31) [Compare Source](https://github.com/aio-libs/aiohttp/compare/v3.13.4...v3.13.5) \=================== ## Bug fixes - Skipped the duplicate singleton header check in lax mode (the default for response parsing). In strict mode (request parsing, or `-X dev`), all RFC 9110 singletons are still enforced -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`12302`. *** ### [`v3.13.4`](https://github.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#3134-2026-03-28) [Compare Source](https://github.com/aio-libs/aiohttp/compare/v3.13.3...v3.13.4) \=================== ## Features - Added `max_headers` parameter to limit the number of headers that should be read from a response -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`11955`. - Added a `dns_cache_max_size` parameter to `TCPConnector` to limit the size of the cache -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`12106`. ## Bug fixes - Fixed server hanging indefinitely when chunked transfer encoding chunk-size does not match actual data length. The server now raises `TransferEncodingError` instead of waiting forever for data that will never arrive -- by :user:`Fridayai700`. *Related issues and pull requests on GitHub:* :issue:`10596`. - Fixed access log timestamps ignoring daylight saving time (DST) changes. The previous implementation used :py:data:`time.timezone` which is a constant and does not reflect DST transitions -- by :user:`nightcityblade`. *Related issues and pull requests on GitHub:* :issue:`11283`. - Fixed `RuntimeError: An event loop is running` error when using `aiohttp.GunicornWebWorker` or `aiohttp.GunicornUVLoopWebWorker` on Python >=3.14. \-- by :user:`Tasssadar`. *Related issues and pull requests on GitHub:* :issue:`11701`. - Fixed :exc:`ValueError` when creating a TLS connection with `ClientTimeout(total=0)` by converting `0` to `None` before passing to `ssl_handshake_timeout` in :py:meth:`asyncio.loop.start_tls` -- by :user:`veeceey`. *Related issues and pull requests on GitHub:* :issue:`11859`. - Restored :py:meth:`~aiohttp.BodyPartReader.decode` as a synchronous method for backward compatibility. The method was inadvertently changed to async in 3.13.3 as part of the decompression bomb security fix. A new :py:meth:`~aiohttp.BodyPartReader.decode_iter` method is now available for non-blocking decompression of large payloads using an async generator. Internal aiohttp code uses the async variant to maintain security protections. Changed multipart processing chunk sizes from 64 KiB to 256KiB, to better match aiohttp internals \-- by :user:`bdraco` and :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`11898`. - Fixed false-positive :py:class:`DeprecationWarning` for passing `enable_cleanup_closed=True` to :py:class:`~aiohttp.TCPConnector` specifically on Python 3.12.7. \-- by :user:`Robsdedude`. *Related issues and pull requests on GitHub:* :issue:`11972`. - Fixed \_sendfile\_fallback over-reading beyond requested count -- by :user:`bysiber`. *Related issues and pull requests on GitHub:* :issue:`12096`. - Fixed digest auth dropping challenge fields with empty string values -- by :user:`bysiber`. *Related issues and pull requests on GitHub:* :issue:`12097`. - `ClientConnectorCertificateError.os_error` no longer raises :exc:`AttributeError` \-- by :user:`themylogin`. *Related issues and pull requests on GitHub:* :issue:`12136`. - Adjusted pure-Python request header value validation to align with RFC 9110 control-character handling, while preserving lax response parser behavior, and added regression tests for Host/header control-character cases. \-- by :user:`rodrigobnogueira`. *Related issues and pull requests on GitHub:* :issue:`12231`. - Rejected duplicate singleton headers (`Host`, `Content-Type`, `Content-Length`, etc.) in the C extension HTTP parser to match the pure Python parser behaviour, preventing potential host-based access control bypasses via parser differentials \-- by :user:`rodrigobnogueira`. *Related issues and pull requests on GitHub:* :issue:`12240`. - Aligned the pure-Python HTTP request parser with the C parser by splitting comma-separated and repeated `Connection` header values for keep-alive, close, and upgrade handling -- by :user:`rodrigobnogueira`. *Related issues and pull requests on GitHub:* :issue:`12249`. ## Improved documentation - Documented :exc:`asyncio.TimeoutError` for `WebSocketResponse.receive()` and related methods -- by :user:`veeceey`. *Related issues and pull requests on GitHub:* :issue:`12042`. ## Packaging updates and notes for downstreams - Upgraded llhttp to 3.9.1 -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`12069`. ## Contributor-facing changes - The benchmark CI job now runs only in the upstream repository -- by :user:`Cycloctane`. It used to always fail in forks, which this change fixed. *Related issues and pull requests on GitHub:* :issue:`11737`. - Fixed flaky performance tests by using appropriate fixed thresholds that account for CI variability -- by :user:`rodrigobnogueira`. *Related issues and pull requests on GitHub:* :issue:`11992`. ## Miscellaneous internal changes - Fixed `test_invalid_idna` to work with `idna` 3.11 by using an invalid character (`\u0080`) that is rejected by `yarl` during URL construction -- by :user:`rodrigobnogueira`. *Related issues and pull requests on GitHub:* :issue:`12027`. - Fixed race condition in `test_data_file` on Python 3.14 free-threaded builds -- by :user:`rodrigobnogueira`. *Related issues and pull requests on GitHub:* :issue:`12170`. *** ### [`v3.13.3`](https://github.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#3133-2026-01-03) [Compare Source](https://github.com/aio-libs/aiohttp/compare/v3.13.2...v3.13.3) \=================== This release contains fixes for several vulnerabilities. It is advised to upgrade as soon as possible. ## Bug fixes - Fixed proxy authorization headers not being passed when reusing a connection, which caused 407 (Proxy authentication required) errors \-- by :user:`GLeurquin`. *Related issues and pull requests on GitHub:* :issue:`2596`. - Fixed multipart reading failing when encountering an empty body part -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`11857`. - Fixed a case where the parser wasn't raising an exception for a websocket continuation frame when there was no initial frame in context. *Related issues and pull requests on GitHub:* :issue:`11862`. ## Removals and backward incompatible breaking changes - `Brotli` and `brotlicffi` minimum version is now 1.2. Decompression now has a default maximum output size of 32MiB per decompress call -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`11898`. ## Packaging updates and notes for downstreams - Moved dependency metadata from :file:`setup.cfg` to :file:`pyproject.toml` per :pep:`621` \-- by :user:`cdce8p`. *Related issues and pull requests on GitHub:* :issue:`11643`. ## Contributor-facing changes - Removed unused `update-pre-commit` github action workflow -- by :user:`Cycloctane`. *Related issues and pull requests on GitHub:* :issue:`11689`. ## Miscellaneous internal changes - Optimized web server performance when access logging is disabled by reducing time syscalls -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`10713`. - Added regression test for cached logging status -- by :user:`meehand`. *Related issues and pull requests on GitHub:* :issue:`11778`. *** ### [`v3.13.2`](https://github.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#3132-2025-10-28) [Compare Source](https://github.com/aio-libs/aiohttp/compare/v3.13.1...v3.13.2) \=================== ## Bug fixes - Fixed cookie parser to continue parsing subsequent cookies when encountering a malformed cookie that fails regex validation, such as Google's `g_state` cookie with unescaped quotes -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`11632`. - Fixed loading netrc credentials from the default :file:`~/.netrc` (:file:`~/_netrc` on Windows) location when the :envvar:`NETRC` environment variable is not set -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`11713`, :issue:`11714`. - Fixed WebSocket compressed sends to be cancellation safe. Tasks are now shielded during compression to prevent compressor state corruption. This ensures that the stateful compressor remains consistent even when send operations are cancelled -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`11725`. *** ### [`v3.13.1`](https://github.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#3131-2025-10-17) [Compare Source](https://github.com/aio-libs/aiohttp/compare/v3.13.0...v3.13.1) \=================== ## Features - Make configuration options in `AppRunner` also available in `run_app()` \-- by :user:`Cycloctane`. *Related issues and pull requests on GitHub:* :issue:`11633`. ## Bug fixes - Switched to `backports.zstd` for Python <3.14 and fixed zstd decompression for chunked zstd streams -- by :user:`ZhaoMJ`. Note: Users who installed `zstandard` for support on Python <3.14 will now need to install `backports.zstd` instead (installing `aiohttp[speedups]` will do this automatically). *Related issues and pull requests on GitHub:* :issue:`11623`. - Updated `Content-Type` header parsing to return `application/octet-stream` when header contains invalid syntax. See :rfc:`9110#section-8.3-5`. \-- by :user:`sgaist`. *Related issues and pull requests on GitHub:* :issue:`10889`. - Fixed Python 3.14 support when built without `zstd` support -- by :user:`JacobHenner`. *Related issues and pull requests on GitHub:* :issue:`11603`. - Fixed blocking I/O in the event loop when using netrc authentication by moving netrc file lookup to an executor -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`11634`. - Fixed routing to a sub-application added via `.add_domain()` not working if the same path exists on the parent app. -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`11673`. ## Packaging updates and notes for downstreams - Moved core packaging metadata from :file:`setup.cfg` to :file:`pyproject.toml` per :pep:`621` \-- by :user:`cdce8p`. *Related issues and pull requests on GitHub:* :issue:`9951`. *** ### [`v3.13.0`](https://github.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#3130-2025-10-06) [Compare Source](https://github.com/aio-libs/aiohttp/compare/v3.12.15...v3.13.0) \=================== ## Features - Added support for Python 3.14. *Related issues and pull requests on GitHub:* :issue:`10851`, :issue:`10872`. - Added support for free-threading in Python 3.14+ -- by :user:`kumaraditya303`. *Related issues and pull requests on GitHub:* :issue:`11466`, :issue:`11464`. - Added support for Zstandard (aka Zstd) compression \-- by :user:`KGuillaume-chaps`. *Related issues and pull requests on GitHub:* :issue:`11161`. - Added `StreamReader.total_raw_bytes` to check the number of bytes downloaded \-- by :user:`robpats`. *Related issues and pull requests on GitHub:* :issue:`11483`. ## Bug fixes - Fixed pytest plugin to not use deprecated :py:mod:`asyncio` policy APIs. *Related issues and pull requests on GitHub:* :issue:`10851`. - Updated `Content-Disposition` header parsing to handle trailing semicolons and empty parts \-- by :user:`PLPeeters`. *Related issues and pull requests on GitHub:* :issue:`11243`. - Fixed saved `CookieJar` failing to be loaded if cookies have `partitioned` flag when `http.cookie` does not have partitioned cookies supports. -- by :user:`Cycloctane`. *Related issues and pull requests on GitHub:* :issue:`11523`. ## Improved documentation - Added `Wireup` to third-party libraries -- by :user:`maldoinc`. *Related issues and pull requests on GitHub:* :issue:`11233`. ## Packaging updates and notes for downstreams - The `blockbuster` test dependency is now optional; the corresponding test fixture is disabled when it is unavailable \-- by :user:`musicinybrain`. *Related issues and pull requests on GitHub:* :issue:`11363`. - Added `riscv64` build to releases -- by :user:`eshattow`. *Related issues and pull requests on GitHub:* :issue:`11425`. ## Contributor-facing changes - Fixed `test_send_compress_text` failing when alternative zlib implementation is used. (`zlib-ng` in python 3.14 windows build) -- by :user:`Cycloctane`. *Related issues and pull requests on GitHub:* :issue:`11546`. *** ### [`v3.12.15`](https://github.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#31215-2025-07-28) [Compare Source](https://github.com/aio-libs/aiohttp/compare/v3.12.14...v3.12.15) \==================== ## Bug fixes - Fixed :class:`~aiohttp.DigestAuthMiddleware` to preserve the algorithm case from the server's challenge in the authorization response. This improves compatibility with servers that perform case-sensitive algorithm matching (e.g., servers expecting `algorithm=MD5-sess` instead of `algorithm=MD5-SESS`) \-- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`11352`. ## Improved documentation - Remove outdated contents of `aiohttp-devtools` and `aiohttp-swagger` from Web\_advanced docs. \-- by :user:`Cycloctane` *Related issues and pull requests on GitHub:* :issue:`11347`. ## Packaging updates and notes for downstreams - Started including the `llhttp` :file:`LICENSE` file in wheels by adding `vendor/llhttp/LICENSE` to `license-files` in :file:`setup.cfg` -- by :user:`threexc`. *Related issues and pull requests on GitHub:* :issue:`11226`. ## Contributor-facing changes - Updated a regex in `test_aiohttp_request_coroutine` for Python 3.14. *Related issues and pull requests on GitHub:* :issue:`11271`. *** ### [`v3.12.14`](https://github.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#31214-2025-07-10) [Compare Source](https://github.com/aio-libs/aiohttp/compare/v3.12.13...v3.12.14) \==================== ## Bug fixes - Fixed file uploads failing with HTTP 422 errors when encountering 307/308 redirects, and 301/302 redirects for non-POST methods, by preserving the request body when appropriate per :rfc:`9110#section-15.4.3-3.1` -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`11270`. - Fixed :py:meth:`ClientSession.close() <aiohttp.ClientSession.close>` hanging indefinitely when using HTTPS requests through HTTP proxies -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`11273`. - Bumped minimum version of aiosignal to 1.4+ to resolve typing issues -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`11280`. ## Features - Added initial trailer parsing logic to Python HTTP parser -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`11269`. ## Improved documentation - Clarified exceptions raised by `WebSocketResponse.send_frame` et al. \-- by :user:`DoctorJohn`. *Related issues and pull requests on GitHub:* :issue:`11234`. *** ### [`v3.12.13`](https://github.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#31213-2025-06-14) [Compare Source](https://github.com/aio-libs/aiohttp/compare/v3.12.12...v3.12.13) \==================== ## Bug fixes - Fixed auto-created :py:class:`~aiohttp.TCPConnector` not using the session's event loop when :py:class:`~aiohttp.ClientSession` is created without an explicit connector -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`11147`. *** ### [`v3.12.12`](https://github.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#31212-2025-06-09) [Compare Source](https://github.com/aio-libs/aiohttp/compare/v3.12.11...v3.12.12) \==================== ## Bug fixes - Fixed cookie unquoting to properly handle octal escape sequences in cookie values (e.g., `\012` for newline) by vendoring the correct `_unquote` implementation from Python's `http.cookies` module -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`11173`. - Fixed `Cookie` header parsing to treat attribute names as regular cookies per :rfc:`6265#section-5.4` -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`11178`. *** ### [`v3.12.11`](https://github.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#31211-2025-06-07) [Compare Source](https://github.com/aio-libs/aiohttp/compare/v3.12.10...v3.12.11) \==================== ## Features - Improved SSL connection handling by changing the default `ssl_shutdown_timeout` from `0.1` to `0` seconds. SSL connections now use Python's default graceful shutdown during normal operation but are aborted immediately when the connector is closed, providing optimal behavior for both cases. Also added support for `ssl_shutdown_timeout=0` on all Python versions. Previously, this value was rejected on Python 3.11+ and ignored on earlier versions. Non-zero values on Python < 3.11 now trigger a `RuntimeWarning` -- by :user:`bdraco`. The `ssl_shutdown_timeout` parameter is now deprecated and will be removed in aiohttp 4.0 as there is no clear use case for changing the default. *Related issues and pull requests on GitHub:* :issue:`11148`. ## Deprecations (removal in next major release) - Improved SSL connection handling by changing the default `ssl_shutdown_timeout` from `0.1` to `0` seconds. SSL connections now use Python's default graceful shutdown during normal operation but are aborted immediately when the connector is closed, providing optimal behavior for both cases. Also added support for `ssl_shutdown_timeout=0` on all Python versions. Previously, this value was rejected on Python 3.11+ and ignored on earlier versions. Non-zero values on Python < 3.11 now trigger a `RuntimeWarning` -- by :user:`bdraco`. The `ssl_shutdown_timeout` parameter is now deprecated and will be removed in aiohttp 4.0 as there is no clear use case for changing the default. *Related issues and pull requests on GitHub:* :issue:`11148`. *** ### [`v3.12.10`](https://github.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#31210-2025-06-07) [Compare Source](https://github.com/aio-libs/aiohttp/compare/v3.12.9...v3.12.10) \==================== ## Bug fixes - Fixed leak of `aiodns.DNSResolver` when :py:class:`~aiohttp.TCPConnector` is closed and no resolver was passed when creating the connector -- by :user:`Tasssadar`. This was a regression introduced in version 3.12.0 (:pr:`10897`). *Related issues and pull requests on GitHub:* :issue:`11150`. *** ### [`v3.12.9`](https://github.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#3129-2025-06-04) [Compare Source](https://github.com/aio-libs/aiohttp/compare/v3.12.8...v3.12.9) \=================== ## Bug fixes - Fixed `IOBasePayload` and `TextIOPayload` reading entire files into memory when streaming large files -- by :user:`bdraco`. When using file-like objects with the aiohttp client, the entire file would be read into memory if the file size was provided in the `Content-Length` header. This could cause out-of-memory errors when uploading large files. The payload classes now correctly read data in chunks of `READ_SIZE` (64KB) regardless of the total content length. *Related issues and pull requests on GitHub:* :issue:`11138`. *** ### [`v3.12.8`](https://github.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#3128-2025-06-04) [Compare Source](https://github.com/aio-libs/aiohttp/compare/v3.12.7...v3.12.8) \=================== ## Features - Added preemptive digest authentication to :class:`~aiohttp.DigestAuthMiddleware` -- by :user:`bdraco`. The middleware now reuses authentication credentials for subsequent requests to the same protection space, improving efficiency by avoiding extra authentication round trips. This behavior matches how web browsers handle digest authentication and follows :rfc:`7616#section-3.6`. Preemptive authentication is enabled by default but can be disabled by passing `preemptive=False` to the middleware constructor. *Related issues and pull requests on GitHub:* :issue:`11128`, :issue:`11129`. *** ### [`v3.12.7`](https://github.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#3127-2025-06-02) [Compare Source](https://github.com/aio-libs/aiohttp/compare/v3.12.6...v3.12.7) \=================== .. warning:: This release fixes an issue where the `quote_cookie` parameter was not being properly respected for shared cookies (domain="", path=""). If your server does not handle quoted cookies correctly, you may need to disable cookie quoting by setting `quote_cookie=False` when creating your :class:`~aiohttp.ClientSession` or :class:`~aiohttp.CookieJar`. See :ref:`aiohttp-client-cookie-quoting-routine` for details. ## Bug fixes - Fixed cookie parsing to be more lenient when handling cookies with special characters in names or values. Cookies with characters like `{`, `}`, and `/` in names are now accepted instead of causing a :exc:`~http.cookies.CookieError` and 500 errors. Additionally, cookies with mismatched quotes in values are now parsed correctly, and quoted cookie values are now handled consistently whether or not they include special attributes like `Domain`. Also fixed :class:`~aiohttp.CookieJar` to ensure shared cookies (domain="", path="") respect the `quote_cookie` parameter, making cookie quoting behavior consistent for all cookies -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`2683`, :issue:`5397`, :issue:`7993`, :issue:`11112`. - Fixed an issue where cookies with duplicate names but different domains or paths were lost when updating the cookie jar. The :class:`~aiohttp.ClientSession` cookie jar now correctly stores all cookies even if they have the same name but different domain or path, following the :rfc:`6265#section-5.3` storage model -- by :user:`bdraco`. Note that :attr:`ClientResponse.cookies <aiohttp.ClientResponse.cookies>` returns a :class:`~http.cookies.SimpleCookie` which uses the cookie name as a key, so only the last cookie with each name is accessible via this interface. All cookies can be accessed via :meth:`ClientResponse.headers.getall('Set-Cookie') <multidict.MultiDictProxy.getall>` if needed. *Related issues and pull requests on GitHub:* :issue:`4486`, :issue:`11105`, :issue:`11106`. ## Miscellaneous internal changes - Avoided creating closed futures in `ResponseHandler` that will never be awaited -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`11107`. - Downgraded the logging level for connector close errors from ERROR to DEBUG, as these are expected behavior with TLS 1.3 connections -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`11114`. *** ### [`v3.12.6`](https://github.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#3126-2025-05-31) [Compare Source](https://github.com/aio-libs/aiohttp/compare/v3.12.4...v3.12.6) \=================== ## Bug fixes - Fixed spurious "Future exception was never retrieved" warnings for connection lost errors when the connector is not closed -- by :user:`bdraco`. When connections are lost, the exception is now marked as retrieved since it is always propagated through other means, preventing unnecessary warnings in logs. *Related issues and pull requests on GitHub:* :issue:`11100`. *** ### [`v3.12.4`](https://github.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#3124-2025-05-28) [Compare Source](https://github.com/aio-libs/aiohttp/compare/v3.12.3...v3.12.4) \=================== ## Bug fixes - Fixed connector not waiting for connections to close before returning from :meth:`~aiohttp.BaseConnector.close` (partial backport of :pr:`3733`) -- by :user:`atemate` and :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`1925`, :issue:`11074`. *** ### [`v3.12.3`](https://github.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#3123-2025-05-28) [Compare Source](https://github.com/aio-libs/aiohttp/compare/v3.12.2...v3.12.3) \=================== ## Bug fixes - Fixed memory leak in :py:meth:`~aiohttp.CookieJar.filter_cookies` that caused unbounded memory growth when making requests to different URL paths -- by :user:`bdraco` and :user:`Cycloctane`. *Related issues and pull requests on GitHub:* :issue:`11052`, :issue:`11054`. *** ### [`v3.12.2`](https://github.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#3122-2025-05-26) [Compare Source](https://github.com/aio-libs/aiohttp/compare/v3.12.1...v3.12.2) \=================== ## Bug fixes - Fixed `Content-Length` header not being set to `0` for non-GET requests with `None` body -- by :user:`bdraco`. Non-GET requests (`POST`, `PUT`, `PATCH`, `DELETE`) with `None` as the body now correctly set the `Content-Length` header to `0`, matching the behavior of requests with empty bytes (`b""`). This regression was introduced in aiohttp 3.12.1. *Related issues and pull requests on GitHub:* :issue:`11035`. *** ### [`v3.12.1`](https://github.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#31215-2025-07-28) [Compare Source](https://github.com/aio-libs/aiohttp/compare/v3.12.0...v3.12.1) \==================== ## Bug fixes - Fixed :class:`~aiohttp.DigestAuthMiddleware` to preserve the algorithm case from the server's challenge in the authorization response. This improves compatibility with servers that perform case-sensitive algorithm matching (e.g., servers expecting `algorithm=MD5-sess` instead of `algorithm=MD5-SESS`) \-- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`11352`. ## Improved documentation - Remove outdated contents of `aiohttp-devtools` and `aiohttp-swagger` from Web\_advanced docs. \-- by :user:`Cycloctane` *Related issues and pull requests on GitHub:* :issue:`11347`. ## Packaging updates and notes for downstreams - Started including the `llhttp` :file:`LICENSE` file in wheels by adding `vendor/llhttp/LICENSE` to `license-files` in :file:`setup.cfg` -- by :user:`threexc`. *Related issues and pull requests on GitHub:* :issue:`11226`. ## Contributor-facing changes - Updated a regex in `test_aiohttp_request_coroutine` for Python 3.14. *Related issues and pull requests on GitHub:* :issue:`11271`. *** ### [`v3.12.0`](https://github.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#3120-2025-05-24) [Compare Source](https://github.com/aio-libs/aiohttp/compare/v3.11.18...v3.12.0) \=================== ## Bug fixes - Fixed :py:attr:`~aiohttp.web.WebSocketResponse.prepared` property to correctly reflect the prepared state, especially during timeout scenarios -- by :user:`bdraco` *Related issues and pull requests on GitHub:* :issue:`6009`, :issue:`10988`. - Response is now always True, instead of using MutableMapping behaviour (False when map is empty) *Related issues and pull requests on GitHub:* :issue:`10119`. - Fixed connection reuse for file-like data payloads by ensuring buffer truncation respects content-length boundaries and preventing premature connection closure race -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`10325`, :issue:`10915`, :issue:`10941`, :issue:`10943`. - Fixed pytest plugin to not use deprecated :py:mod:`asyncio` policy APIs. *Related issues and pull requests on GitHub:* :issue:`10851`. - Fixed :py:class:`~aiohttp.resolver.AsyncResolver` not using the `loop` argument in versions 3.x where it should still be supported -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`10951`. ## Features - Added a comprehensive HTTP Digest Authentication client middleware (DigestAuthMiddleware) that implements RFC 7616. The middleware supports all standard hash algorithms (MD5, SHA, SHA-256, SHA-512) with session variants, handles both 'auth' and 'auth-int' quality of protection options, and automatically manages the authentication flow by intercepting 401 responses and retrying with proper credentials -- by :user:`feus4177`, :user:`TimMenninger`, and :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`2213`, :issue:`10725`. - Added client middleware support -- by :user:`bdraco` and :user:`Dreamsorcerer`. This change allows users to add middleware to the client session and requests, enabling features like authentication, logging, and request/response modification without modifying the core request logic. Additionally, the `session` attribute was added to `ClientRequest`, allowing middleware to access the session for making additional requests. *Related issues and pull requests on GitHub:* :issue:`9732`, :issue:`10902`, :issue:`10945`, :issue:`10952`, :issue:`10959`, :issue:`10968`. - Allow user setting zlib compression backend -- by :user:`TimMenninger` This change allows the user to call :func:`aiohttp.set_zlib_backend()` with the zlib compression module of their choice. Default behavior continues to use the builtin `zlib` library. *Related issues and pull requests on GitHub:* :issue:`9798`. - Added support for overriding the base URL with an absolute one in client sessions \-- by :user:`vivodi`. *Related issues and pull requests on GitHub:* :issue:`10074`. - Added `host` parameter to `aiohttp_server` fixture -- by :user:`christianwbrock`. *Related issues and pull requests on GitHub:* :issue:`10120`. - Detect blocking calls in coroutines using BlockBuster -- by :user:`cbornet`. *Related issues and pull requests on GitHub:* :issue:`10433`. - Added `socket_factory` to :py:class:`aiohttp.TCPConnector` to allow specifying custom socket options \-- by :user:`TimMenninger`. *Related issues and pull requests on GitHub:* :issue:`10474`, :issue:`10520`, :issue:`10961`, :issue:`10962`. - Started building armv7l manylinux wheels -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`10797`. - Implemented shared DNS resolver management to fix excessive resolver object creation when using multiple client sessions. The new `_DNSResolverManager` singleton ensures only one `DNSResolver` object is created for default configurations, significantly reducing resource usage and improving performance for applications using multiple client sessions simultaneously -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`10847`, :issue:`10923`, :issue:`10946`. - Upgraded to LLHTTP 9.3.0 -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`10972`. - Optimized small HTTP requests/responses by coalescing headers and body into a single TCP packet -- by :user:`bdraco`. This change enhances network efficiency by reducing the number of packets sent for small HTTP payloads, improving latency and reducing overhead. Most importantly, this fixes compatibility with memory-constrained IoT devices that can only perform a single read operation and expect HTTP requests in one packet. The optimization uses zero-copy `writelines` when coalescing data and works with both regular and chunked transfer encoding. When `aiohttp` uses client middleware to communicate with an `aiohttp` server, connection reuse is more likely to occur since complete responses arrive in a single packet for small payloads. This aligns `aiohttp` with other popular HTTP clients that already coalesce small requests. *Related issues and pull requests on GitHub:* :issue:`10991`. ## Improved documentation - Improved documentation for middleware by adding warnings and examples about request body stream consumption. The documentation now clearly explains that request body streams can only be read once and provides best practices for sharing parsed request data between middleware and handlers -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`2914`. ## Packaging updates and notes for downstreams - Removed non SPDX-license description from `setup.cfg` -- by :user:`devanshu-ziphq`. *Related issues and pull requests on GitHub:* :issue:`10662`. - Added support for building against system `llhttp` library -- by :user:`mgorny`. This change adds support for :envvar:`AIOHTTP_USE_SYSTEM_DEPS` environment variable that can be used to build aiohttp against the system install of the `llhttp` library rather than the vendored one. *Related issues and pull requests on GitHub:* :issue:`10759`. - `aiodns` is now installed on Windows with speedups extra -- by :user:`bdraco`. As of `aiodns` 3.3.0, `SelectorEventLoop` is no longer required when using `pycares` 4.7.0 or later. *Related issues and pull requests on GitHub:* :issue:`10823`. - Fixed compatibility issue with Cython 3.1.1 -- by :user:`bdraco` *Related issues and pull requests on GitHub:* :issue:`10877`. ## Contributor-facing changes - Sped up tests by disabling `blockbuster` fixture for `test_static_file_huge` and `test_static_file_huge_cancel` tests -- by :user:`dikos1337`. *Related issues and pull requests on GitHub:* :issue:`9705`, :issue:`10761`. - Updated tests to avoid using deprecated :py:mod:`asyncio` policy APIs and make it compatible with Python 3.14. *Related issues and pull requests on GitHub:* :issue:`10851`. - Added Winloop to test suite to support in the future -- by :user:`Vizonex`. *Related issues and pull requests on GitHub:* :issue:`10922`. ## Miscellaneous internal changes - Added support for the `partitioned` attribute in the `set_cookie` method. *Related issues and pull requests on GitHub:* :issue:`9870`. - Setting :attr:`aiohttp.web.StreamResponse.last_modified` to an unsupported type will now raise :exc:`TypeError` instead of silently failing -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`10146`. *** ### [`v3.11.18`](https://github.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#31118-2025-04-20) [Compare Source](https://github.com/aio-libs/aiohttp/compare/v3.11.17...v3.11.18) \==================== ## Bug fixes - Disabled TLS in TLS warning (when using HTTPS proxies) for uvloop and newer Python versions -- by :user:`lezgomatt`. *Related issues and pull requests on GitHub:* :issue:`7686`. - Fixed reading fragmented WebSocket messages when the payload was masked -- by :user:`bdraco`. The problem first appeared in 3.11.17 *Related issues and pull requests on GitHub:* :issue:`10764`. *** ### [`v3.11.17`](https://github.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#31117-2025-04-19) [Compare Source](https://github.com/aio-libs/aiohttp/compare/v3.11.16...v3.11.17) \==================== ## Miscellaneous internal changes - Optimized web server performance when access logging is disabled by reducing time syscalls -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`10713`. - Improved web server performance when connection can be reused -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`10714`. - Improved performance of the WebSocket reader -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`10740`. - Improved performance of the WebSocket reader with large messages -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`10744`. *** ### [`v3.11.16`](https://github.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#31116-2025-04-01) [Compare Source](https://github.com/aio-libs/aiohttp/compare/v3.11.15...v3.11.16) \==================== ## Bug fixes - Replaced deprecated `asyncio.iscoroutinefunction` with its counterpart from `inspect` \-- by :user:`layday`. *Related issues and pull requests on GitHub:* :issue:`10634`. - Fixed :class:`multidict.CIMultiDict` being mutated when passed to :class:`aiohttp.web.Response` -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`10672`. *** ### [`v3.11.15`](https://github.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#31115-2025-03-31) [Compare Source](https://github.com/aio-libs/aiohttp/compare/v3.11.14...v3.11.15) \==================== ## Bug fixes - Reverted explicitly closing sockets if an exception is raised during `create_connection` -- by :user:`bdraco`. This change originally appeared in aiohttp 3.11.13 *Related issues and pull requests on GitHub:* :issue:`10464`, :issue:`10617`, :issue:`10656`. ## Miscellaneous internal changes - Improved performance of WebSocket buffer handling -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`10601`. - Improved performance of serializing headers -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`10625`. *** </details> <details> <summary>halcy/Mastodon.py (mastodon_py)</summary> ### [`v2.2.1`](https://github.com/halcy/Mastodon.py/blob/HEAD/CHANGELOG.rst#v221) [Compare Source](https://github.com/halcy/Mastodon.py/compare/v2.2.0...v2.2.1) - Updated citation information to match the new JOSS publication (Thanks [@&#8203;dataspider](https://github.com/dataspider) and [@&#8203;professornaite](https://github.com/professornaite) for reviewing and [@&#8203;danielskatz](https://github.com/danielskatz) for editing) ### [`v2.2.0`](https://github.com/halcy/Mastodon.py/blob/HEAD/CHANGELOG.rst#v220) [Compare Source](https://github.com/halcy/Mastodon.py/compare/v2.1.4...v2.2.0) - Bumped support level to 4.5.0 - Switch from `grapheme` to `graphemeu` package, which is more maintained (thanks [@&#8203;CyberTailor](https://github.com/CyberTailor) for the report). - Fix a crash due to unbound local in stream\_public (Thanks [@&#8203;elnikkis](https://github.com/elnikkis) for the report and fix) - Fix invalid event error in heartbeats (Thanks [@&#8203;tribela](https://github.com/tribela) for the report and fix) - Add several missing parameters to `account_update_credentials` - Add quote support (Several new endpoints and entities) - Fix a bug in push subscriptions for status push subscriptions - Fix a bug in Pleroma ID parsing - Samples: Make samples work on Windows (Thanks [@&#8203;AllynH](https://github.com/AllynH) for the report and fix) - Add support for async refreshes - Fix various other bugs and documentation issues </details> <details> <summary>eyeseast/python-frontmatter (python_frontmatter)</summary> ### [`v1.3.0`](https://github.com/eyeseast/python-frontmatter/releases/tag/v1.3.0): - Now using uv [Compare Source](https://github.com/eyeseast/python-frontmatter/compare/v1.2.0...v1.3.0) #### What's Changed - Test on Python 3.14 and upgrade actions by [@&#8203;eyeseast](https://github.com/eyeseast) in [#&#8203;128](https://github.com/eyeseast/python-frontmatter/pull/128) - Remove codecs from tests by [@&#8203;eyeseast](https://github.com/eyeseast) in [#&#8203;129](https://github.com/eyeseast/python-frontmatter/pull/129) - Migrate to uv and pyproject.toml by [@&#8203;eyeseast](https://github.com/eyeseast) in [#&#8203;131](https://github.com/eyeseast/python-frontmatter/pull/131) **Full Changelog**: <https://github.com/eyeseast/python-frontmatter/compare/v1.2.0...v1.3.0> ### [`v1.2.0`](https://github.com/eyeseast/python-frontmatter/releases/tag/v1.2.0): - Fix type issues and support newer Python versions [Compare Source](https://github.com/eyeseast/python-frontmatter/compare/v1.1.0...v1.2.0) #### What's Changed - Solve all the type issues by [@&#8203;eyeseast](https://github.com/eyeseast) in [#&#8203;120](https://github.com/eyeseast/python-frontmatter/pull/120) - Include py.typed marker in package distribution by [@&#8203;giuse-boccia](https://github.com/giuse-boccia) in [#&#8203;125](https://github.com/eyeseast/python-frontmatter/pull/125) #### New Contributors - [@&#8203;giuse-boccia](https://github.com/giuse-boccia) made their first contribution in [#&#8203;125](https://github.com/eyeseast/python-frontmatter/pull/125) This version drops support for Python 3.9. **Full Changelog**: <https://github.com/eyeseast/python-frontmatter/compare/v1.1.0...v1.2.0> </details> --- ### Configuration 📅 **Schedule**: (in timezone UTC) - Branch creation - "after 9am on monday" - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xNDQuMSIsInVwZGF0ZWRJblZlciI6IjQzLjE2MC40IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiLCJweXRob24iXX0=-->
renovate-bot force-pushed renovate/python-deps from 54a99b43f8 to 6bb13ad370 2025-10-14 07:17:24 +02:00 Compare
renovate-bot force-pushed renovate/python-deps from 6bb13ad370 to 50f5c2c8aa 2025-10-16 01:17:24 +02:00 Compare
renovate-bot force-pushed renovate/python-deps from 50f5c2c8aa to 7c1d8cc157 2025-10-17 16:17:23 +02:00 Compare
renovate-bot force-pushed renovate/python-deps from 7c1d8cc157 to 352bb2c6ad 2025-10-20 02:17:27 +02:00 Compare
renovate-bot force-pushed renovate/python-deps from 352bb2c6ad to bf32eb7fe6 2025-10-26 15:17:23 +01:00 Compare
renovate-bot force-pushed renovate/python-deps from bf32eb7fe6 to b6a3ec7707 2025-10-26 16:17:24 +01:00 Compare
renovate-bot force-pushed renovate/python-deps from b6a3ec7707 to 88e9f56eea 2025-10-28 22:17:26 +01:00 Compare
renovate-bot force-pushed renovate/python-deps from 88e9f56eea to a1509d2cd4 2025-10-29 17:17:25 +01:00 Compare
renovate-bot force-pushed renovate/python-deps from a1509d2cd4 to 9d255fea09 2025-10-30 10:17:25 +01:00 Compare
renovate-bot force-pushed renovate/python-deps from 9d255fea09 to 7699f69532 2025-11-07 02:17:25 +01:00 Compare
renovate-bot force-pushed renovate/python-deps from 7699f69532 to 512a9beb9b 2025-11-10 17:17:24 +01:00 Compare
renovate-bot force-pushed renovate/python-deps from 512a9beb9b to ec27e34cb9 2025-11-12 04:17:25 +01:00 Compare
renovate-bot force-pushed renovate/python-deps from ec27e34cb9 to 43397a454f 2025-12-05 16:17:26 +01:00 Compare
renovate-bot force-pushed renovate/python-deps from 43397a454f to 0c05a88d47 2025-12-08 17:17:28 +01:00 Compare
renovate-bot force-pushed renovate/python-deps from 0c05a88d47 to 5238e20221 2025-12-11 17:17:29 +01:00 Compare
renovate-bot force-pushed renovate/python-deps from 5238e20221 to 9c4a7ca4ff 2026-01-01 19:17:25 +01:00 Compare
renovate-bot force-pushed renovate/python-deps from 9c4a7ca4ff to 3b3b7cbae5 2026-01-03 19:17:26 +01:00 Compare
renovate-bot force-pushed renovate/python-deps from 3b3b7cbae5 to a562a60d20 2026-01-04 04:17:26 +01:00 Compare
renovate-bot force-pushed renovate/python-deps from a562a60d20 to 0252433f55 2026-01-07 18:17:25 +01:00 Compare
renovate-bot force-pushed renovate/python-deps from 0252433f55 to cf8e874066 2026-01-21 16:17:25 +01:00 Compare
renovate-bot force-pushed renovate/python-deps from cf8e874066 to bdc4af7387 2026-01-26 04:17:28 +01:00 Compare
renovate-bot force-pushed renovate/python-deps from bdc4af7387 to 7e69c7e113 2026-01-28 02:17:26 +01:00 Compare
renovate-bot force-pushed renovate/python-deps from 7e69c7e113 to f8b3dffc65 2026-01-30 21:17:24 +01:00 Compare
renovate-bot force-pushed renovate/python-deps from f8b3dffc65 to 08944b9a91 2026-02-01 01:17:24 +01:00 Compare
renovate-bot force-pushed renovate/python-deps from 08944b9a91 to 76eeaa8811 2026-02-03 03:17:25 +01:00 Compare
renovate-bot force-pushed renovate/python-deps from 76eeaa8811 to 131b95ef0a 2026-02-10 20:17:27 +01:00 Compare
renovate-bot force-pushed renovate/python-deps from 131b95ef0a to 938f283c96 2026-02-25 04:17:26 +01:00 Compare
renovate-bot force-pushed renovate/python-deps from 938f283c96 to eb0bc2f846 2026-02-27 20:17:27 +01:00 Compare
renovate-bot force-pushed renovate/python-deps from eb0bc2f846 to 2579be3fac 2026-03-01 17:17:26 +01:00 Compare
renovate-bot force-pushed renovate/python-deps from 2579be3fac to ebc64ca0ce 2026-03-01 23:17:27 +01:00 Compare
renovate-bot force-pushed renovate/python-deps from ebc64ca0ce to e51450935b 2026-03-03 20:17:27 +01:00 Compare
renovate-bot force-pushed renovate/python-deps from e51450935b to c80045b62d 2026-03-06 04:17:26 +01:00 Compare
renovate-bot force-pushed renovate/python-deps from c80045b62d to 32961c351c 2026-03-06 07:17:27 +01:00 Compare
renovate-bot force-pushed renovate/python-deps from 32961c351c to 5554c41307 2026-03-12 18:17:27 +01:00 Compare
renovate-bot force-pushed renovate/python-deps from 5554c41307 to b1c3901e91 2026-03-13 21:17:25 +01:00 Compare
renovate-bot force-pushed renovate/python-deps from b1c3901e91 to e1002ac451 2026-03-15 20:17:31 +01:00 Compare
renovate-bot force-pushed renovate/python-deps from e1002ac451 to 0499712ad5 2026-03-17 23:17:21 +01:00 Compare
renovate-bot changed title from chore(deps): Update Python dependencies to chore(deps): Update dependency aiohttp to v3.13.3 2026-03-17 23:17:26 +01:00
renovate-bot force-pushed renovate/python-deps from 0499712ad5 to ae4c006335 2026-03-20 16:17:22 +01:00 Compare
renovate-bot force-pushed renovate/python-deps from ae4c006335 to 35eab669bd 2026-03-22 22:17:19 +01:00 Compare
renovate-bot changed title from chore(deps): Update dependency aiohttp to v3.13.3 to chore(deps): Update Python dependencies 2026-03-22 22:17:26 +01:00
renovate-bot force-pushed renovate/python-deps from 35eab669bd to fd25ebbc08 2026-03-25 16:17:20 +01:00 Compare
renovate-bot force-pushed renovate/python-deps from fd25ebbc08 to a054ec6080 2026-03-28 18:17:20 +01:00 Compare
renovate-bot force-pushed renovate/python-deps from a054ec6080 to 53fdcac109 2026-03-30 18:17:23 +02:00 Compare
renovate-bot force-pushed renovate/python-deps from 53fdcac109 to 766de27075 2026-04-01 00:17:20 +02:00 Compare
renovate-bot force-pushed renovate/python-deps from 766de27075 to a9c3fa6700 2026-04-12 12:17:22 +02:00 Compare
renovate-bot force-pushed renovate/python-deps from a9c3fa6700 to cf4471e3c5 2026-04-12 15:17:20 +02:00 Compare
renovate-bot force-pushed renovate/python-deps from cf4471e3c5 to 5148055758 2026-04-14 10:17:20 +02:00 Compare
renovate-bot force-pushed renovate/python-deps from 5148055758 to 31f15047c1 2026-05-05 10:17:22 +02:00 Compare
renovate-bot force-pushed renovate/python-deps from 31f15047c1 to c67f1f0deb 2026-05-11 22:17:21 +02:00 Compare
renovate-bot force-pushed renovate/python-deps from c67f1f0deb to e59848c5db 2026-05-13 22:17:23 +02:00 Compare
renovate-bot force-pushed renovate/python-deps from e59848c5db to 4763c6b6ee 2026-05-14 22:17:20 +02:00 Compare
renovate-bot force-pushed renovate/python-deps from 4763c6b6ee to ec68acf6a3 2026-05-18 02:17:23 +02:00 Compare
renovate-bot force-pushed renovate/python-deps from ec68acf6a3 to 38a5fccc09 2026-05-20 22:17:22 +02:00 Compare
renovate-bot force-pushed renovate/python-deps from 38a5fccc09 to 2f9c36bc81 2026-06-01 22:17:23 +02:00 Compare
renovate-bot force-pushed renovate/python-deps from 2f9c36bc81 to 5b001966fe 2026-06-07 23:17:21 +02:00 Compare
This pull request can be merged automatically.
You are not authorized to merge this pull request.
View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.
git fetch -u origin renovate/python-deps:renovate/python-deps
git switch renovate/python-deps
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels   
bug
Something is not working

  
duplicate
This issue or pull request already exists

  
enhancement
New feature

  
help wanted
Need some help

  
invalid
Something is wrong

  
question
More information is needed

  
refactor

   
wontfix
This won't be fixed

No labels
bug
duplicate
enhancement
help wanted
invalid
question
refactor
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
0Ry5/Posthorn!21
No description provided.