* Security
+ Brotli and brotlicffi minimum version is now 1.2. Decompression now has
a default maximum output size of 32MiB per decompress call
(bsc#1256017, CVE-2025-69223, GHSA-6mq8-rvhq-8wgg)
+ Forbid non-ASCII decimals in the Range header
(bsc#1256019, CVE-2025-69225, GHSA-mqqc-3gqh-h2x8)
+ Reject static URLs that traverse outside static root
(bsc#1256020, CVE-2025-69226, GHSA-54jq-c3m8-4m76)
+ Raise exceptions when processing a POST body
(bsc#1256021, CVE-2025-69227, GHSA-jj3x-wxrx-4x23)
+ Enforce client_max_size over entire multipart form
(bsc#1256022, CVE-2025-69228, GHSA-6jhg-hg63-jvvf)
+ Pause reading of chunks when it reaches a high water mark
(bsc#1256023, CVE-2025-69229, GHSA-g84x-mcqj-x9qq)
+ Log only once per Cookie header
(bsc#1256024, CVE-2025-69230, GHSA-fh55-r93g-j68g)
* Bug fixes
+ Fixed proxy authorization headers not being passed when reusing a
connection, which caused 407 (Proxy authentication required) errors
+ Fixed multipart reading failing when encountering an empty body part
+ Fixed a case where the parser wasn't raising an exception for a
websocket continuation frame when there was no initial frame in context
* Miscellaneous internal changes
+ Optimized web server performance when access logging is disabled by
reducing time syscalls
+ Added regression test for cached logging status
- Refreshed patch fix-vendoring.patch
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-aiohttp?expand=0&rev=166
* Fixed cookie parser to continue parsing subsequent cookies
when encountering a malformed cookie that fails regex
validation, such as Google's g_state cookie with unescaped
quotes -- by :user:`bdraco`. Related issues and pull requests
on GitHub: :issue:`11632`.
* Fixed loading netrc credentials from the default
:file:`~/.netrc` (:file:`~/_netrc` on Windows) location when
the :envvar:`NETRC` environment variable is not set -- by
:user:`bdraco`. Related issues and pull requests on GitHub:
:issue:`11713`, :issue:`11714`.
* Fixed WebSocket compressed sends to be cancellation safe.
Tasks are now shielded during compression to prevent
compressor state corruption. This ensures that the stateful
compressor remains consistent even when send operations are
cancelled -- by :user:`bdraco`. Related issues and pull
requests on GitHub: :issue:`11725`.
* Make configuration options in AppRunner also available in
run_app() -- by :user:`Cycloctane`. Related issues and pull
requests on GitHub: :issue:`11633`.
* Switched to backports.zstd for Python <3.14 and fixed zstd
decompression for chunked zstd streams -- by :user:`ZhaoMJ`.
Note: Users who installed zstandard for support on Python
<3.14 will now need to install backports.zstd instead
(installing aiohttp[speedups] will do this automatically).
Related issues and pull requests on GitHub: :issue:`11623`.
* Updated Content-Type header parsing to return
application/octet-stream when header contains invalid syntax.
See RFC 9110. -- by :user:`sgaist`. Related issues and pull
requests on GitHub: :issue:`10889`.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-aiohttp?expand=0&rev=162
- Update to 3.12.15
* Fixed :class:`~aiohttp.DigestAuthMiddleware` to preserve the algorithm case
from the server's challenge in the authorization response. This improves
compatibility with servers that perform case-sensitive algorithm matching
(e.g., servers expecting ``algorithm=MD5-sess`` instead of ``algorithm=MD5-SESS``)
* Remove outdated contents of ``aiohttp-devtools`` and ``aiohttp-swagger``
from Web_advanced docs.
* Started including the ``llhttp`` :file:`LICENSE` file in wheels by adding
``vendor/llhttp/LICENSE`` to ``license-files`` in :file:`setup.cfg`
* Updated a regex in `test_aiohttp_request_coroutine` for Python 3.14.
OBS-URL: https://build.opensuse.org/request/show/1298128
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-aiohttp?expand=0&rev=156
* Fixed file uploads failing with HTTP 422 errors when
encountering 307/308 redirects, and 301/302 redirects for
non-POST methods, by preserving the request body when
appropriate per RFC 9110 -- by :user:`bdraco`. Related issues
and pull requests on GitHub: :issue:`11270`.
* Fixed :py:meth:`ClientSession.close()
<aiohttp.ClientSession.close>` hanging indefinitely when
using HTTPS requests through HTTP proxies -- by
:user:`bdraco`. Related issues and pull requests on GitHub:
:issue:`11273`.
* Bumped minimum version of aiosignal to 1.4+ to resolve typing
issues -- by :user:`Dreamsorcerer`. Related issues and pull
requests on GitHub: :issue:`11280`.
* Added initial trailer parsing logic to Python HTTP parser --
by :user:`Dreamsorcerer`. Related issues and pull requests on
GitHub: :issue:`11269`.
* Clarified exceptions raised by WebSocketResponse.send_frame
et al. -- by :user:`DoctorJohn`. Related issues and pull
requests on GitHub: :issue:`11234`.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-aiohttp?expand=0&rev=149
- Update to 3.12.13
* Optimized web server performance when access logging is disabled
by reducing time syscalls
* Improved performance of the WebSocket reader
* Disabled TLS in TLS warning (when using HTTPS proxies) for uvloop
and newer Python versions
* Added a comprehensive HTTP Digest Authentication client middleware
(DigestAuthMiddleware) that implements RFC 7616.
* Fixed pytest plugin to not use deprecated asyncio policy APIs.
* Allow user setting zlib compression backend
* Added host parameter to aiohttp_server fixture
* Added socket_factory to aiohttp.TCPConnector to allow specifying
custom socket options
* Upgraded to LLHTTP 9.3.0
* Optimized small HTTP requests/responses by coalescing headers and
body into a single TCP packet
* Removed non SPDX-license description from setup.cfg
* Added support for building against system llhttp library
* Fixed compatibility issue with Cython 3.1.1
* Added support for reusable request bodies to enable retries,
redirects, and digest authentication
* Improved performance of isinstance checks by using collections.abc
types instead of typing module equivalents
* Added ssl_shutdown_timeout parameter to aiohttp.ClientSession and
aiohttp.TCPConnector to control the grace period for SSL shutdown
handshake on TLS connections.
* Downgraded the logging level for connector close errors from ERROR
to DEBUG, as these are expected behavior with TLS 1.3 connections
* Fixed cookie parsing to be more lenient when handling cookies with
special characters in names or values
OBS-URL: https://build.opensuse.org/request/show/1288672
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-aiohttp?expand=0&rev=146
- Update to 3.11.16
* Replaced deprecated asyncio.iscoroutinefunction with its
counterpart from inspect
* Fixed :class:`multidict.CIMultiDict` being mutated when passed
to :class:`aiohttp.web.Response` -- by :user:`bdraco`.
- from version 3.11.15
* Reverted explicitly closing sockets if an exception is raised
during create_connection
This change originally appeared in aiohttp 3.11.13
* Improved performance of WebSocket buffer handling
* Improved performance of serializing headers
- from version 3.11.14
* Fixed an issue where DNS queries were delayed indefinitely
when an exception occurred in a trace.send_dns_cache_miss
* Fixed DNS resolution on platforms that don't support
socket.AI_ADDRCONFIG
* The connector now raises :exc:`aiohttp.ClientConnectionError`
instead of :exc:`OSError` when failing to explicitly close the
socket after :py:meth:`asyncio.loop.create_connection` fails
* Break cyclic references at connection close when there was
a traceback
* Break cyclic references when there is an exception handling
a request
* Improved logging on non-overlapping WebSocket client protocols
to include the remote address
* Improved performance of parsing content types by adding a cache
in the same manner currently done with mime types
- from version 3.11.13
* Removed a break statement inside the finally block in
:py:class:`~aiohttp.web.RequestHandler`
OBS-URL: https://build.opensuse.org/request/show/1269515
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-aiohttp?expand=0&rev=144
- Bug fixes
- Updated :py:meth:`~aiohttp.ClientSession.request` to reuse
the quote_cookie setting from ClientSession._cookie_jar
when processing cookies parameter.
- Fixed type of SSLContext for some static type checkers
(e.g. pyright).
- Updated :meth:`aiohttp.web.StreamResponse.write` annotation
to also allow :class:`bytearray` and :class:`memoryview` as
inputs
- Fixed a hang where a connection previously used for a
streaming download could be returned to the pool in a
paused state.
- Features
- Enabled ALPN on default SSL contexts. This improves
compatibility with some proxies which don't work without
this extension.
- Miscellaneous internal changes
- Fixed an infinite loop that can occur when using aiohttp in
combination with async-solipsism
- Update to 3.11.10:
- Fixed race condition in :class:`aiohttp.web.FileResponse`
that could have resulted in an incorrect response if the
file was replaced on the file system during prepare
- Replaced deprecated call to :func:`mimetypes.guess_type` with
:func:`mimetypes.guess_file_type` when using Python 3.13+
- Disabled zero copy writes in the StreamWriter
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-aiohttp?expand=0&rev=142
- Update to 3.11.9:
* Fixed invalid method logging unexpected being logged at exception
level on subsequent connections -- by :user:`bdraco`.
* Improved performance of parsing headers when using the C parser --
by :user:`bdraco`.
- 3.11.8:
* Improved performance of creating :class:`aiohttp.ClientResponse`
objects when there are no cookies -- by :user:`bdraco`.
* Improved performance of creating :class:`aiohttp.ClientResponse`
objects -- by :user:`bdraco`.
* Improved performance of creating objects during the HTTP request
lifecycle -- by :user:`bdraco`.
* Improved performance of constructing :class:`aiohttp.web.Response`
with headers -- by :user:`bdraco`.
* Improved performance of making requests when there are no auto
headers to skip -- by :user:`bdraco`.
* Downgraded logging of invalid HTTP method exceptions on the first
request to debug level -- by :user:`bdraco`.
OBS-URL: https://build.opensuse.org/request/show/1228520
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-aiohttp?expand=0&rev=140
* Fixed the HTTP client not considering the connector's
force_close value when setting the Connection header -- by
:user:`bdraco`. Related issues and pull requests on GitHub:
:issue:`10003`.
* Improved performance of serializing HTTP headers -- by
:user:`bdraco`. Related issues and pull requests on GitHub:
:issue:`10014`.
* Restored the force_close method to the ResponseHandler -- by
:user:`bdraco`. Related issues and pull requests on GitHub:
:issue:`9997`.
* Fixed the ANY method not appearing in
:meth:`~aiohttp.web.UrlDispatcher.routes` -- by
:user:`bdraco`. Related issues and pull requests on GitHub:
:issue:`9899`, :issue:`9987`.
* Fixed StaticResource not allowing the OPTIONS method after
calling set_options_route -- by :user:`bdraco`. Related
issues and pull requests on GitHub: :issue:`9972`,
:issue:`9975`, :issue:`9976`.
* Improved performance of creating web responses when there are
no cookies -- by :user:`bdraco`. Related issues and pull
requests on GitHub: :issue:`9895`.
* Removed non-existing __author__ from dir(aiohttp) -- by
:user:`Dreamsorcerer`. Related issues and pull requests on
GitHub: :issue:`9918`.
* Restored the FlowControlDataQueue class -- by :user:`bdraco`.
This class is no longer used internally, and will be
permanently removed in the next major version. Related issues
and pull requests on GitHub: :issue:`9963`.
* Improved performance of resolving resources when multiple
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-aiohttp?expand=0&rev=139
(bsc#1233446, CVE-2024-52303, bsc#1233447, CVE-2024-52304)
- Authentication provided by a redirect now takes precedence over
provided auth when making requests with the client -- by
:user:`PLPeeters`.
- Fixed :py:meth:`WebSocketResponse.close()
<aiohttp.web.WebSocketResponse.close>` to discard non-close
messages within its timeout window after sending close -- by
:user:`lenard-mosys`.
- Fixed a deadlock that could occur while attempting to get a new
connection slot after a timeout -- by :user:`bdraco`.
- Fixed the WebSocket flow control calculation undercounting with
multi-byte data -- by :user:`bdraco`.
- Fixed incorrect parsing of chunk extensions with the pure Python
parser -- by :user:`bdraco`.
- Fixed system routes polluting the middleware cache -- by
:user:`bdraco`.
- Improved performance of the connector when a connection can be
reused -- by :user:`bdraco`.
- Improved performance of the client request lifecycle when there
are no cookies -- by :user:`bdraco`.
- Improved performance of sending client requests when the writer
can finish synchronously -- by :user:`bdraco`.
- Improved performance of serializing HTTP headers -- by
:user:`bdraco`.
- Passing enable_cleanup_closed to :py:class:`aiohttp.TCPConnector`
is now ignored on Python 3.12.7+ and 3.13.1+ since the underlying
bug that caused asyncio to leak SSL connections has been fixed
upstream -- by :user:`bdraco`.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-aiohttp?expand=0&rev=138
* Fixed error messages from
:py:class:`~aiohttp.resolver.AsyncResolver` being swallowed
-- by :user:`bdraco`. Related issues and pull requests on
GitHub: :issue:`9451`, :issue:`9455`.
* Added :exc:`aiohttp.ClientConnectorDNSError` for
differentiating DNS resolution errors from other connector
errors -- by :user:`mstojcevich`. Related issues and pull
requests on GitHub: :issue:`8455`.
* Simplified DNS resolution throttling code to reduce chance of
race conditions -- by :user:`bdraco`. Related issues and pull
requests on GitHub: :issue:`9454`.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-aiohttp?expand=0&rev=136
- Update to 3.10.9
* Fixed proxy headers being used in the ``ConnectionKey`` hash
when a proxy was not being used
* Widened the type of the ``trace_request_ctx`` parameter of
:meth:`ClientSession.request() <aiohttp.ClientSession.request>`
and friends
* Fixed failure to try next host after single-host connection timeout
* Improved performance of resolving hosts with Python 3.12+
* Reduced memory required for timer objects
created during the client request lifecycle
- from version 3.10.8
* Fixed cancellation leaking upwards on timeout
- from version 3.10.7
* Fixed assembling the :class:`~yarl.URL` for web requests when
the host contains a non-default port or IPv6 address
* Improved performance of determining if a URL is absolute
* Replaced code that can now be handled by ``yarl``
- Add patch to increase timeout for import time test
* test_relax_import_time.patch
- Update BuildRequires and Requires from setup.py
OBS-URL: https://build.opensuse.org/request/show/1206475
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-aiohttp?expand=0&rev=134
* Fixed aiohttp.ClientResponse.json() not setting status when
aiohttp.ContentTypeError is raised
* Improved performance of the WebSocket reader
* Fixed decoding base64 chunk in BodyPartReader
* Fixed a race closing the server-side WebSocket where the close code would
not reach the client
* Fixed unconsumed exceptions raised by the WebSocket heartbeat
* Fixed an edge case in the Python parser when chunk separators happen to
align with network chunks
* Fixed multipart reading when stream buffer splits the boundary over
several read() calls
* Fixed aiohttp.TCPConnector doing blocking I/O in the event loop to create
the SSLContext
* Improved performance of aiohttp.ClientWebSocketResponse.receive and
aiohttp.web.WebSocketResponse.receive when there is no timeout.
* Improved performance of starting request handlers with Python 3.12+
* Improved performance of HTTP keep-alive checks
* Fixed server checks for circular symbolic links to be compatible with
Python 3.13
* Fixed request body not being read when ignoring an Upgrade request
* Fixed an edge case where shutdown would wait for timeout when the handler
was already completed
* Fixed connecting to npipe://, tcp://, and unix:// urls
* Fixed WebSocket ping tasks being prematurely garbage collected
* Fixed incorrectly following symlinks for compressed file variants
(bsc#1229226, CVE-2024-42367)
* Fixed monkey patches for Path.stat() and Path.is_dir() for Python 3.13
compatibility
* Fixed url dispatcher index not matching when a variable is preceded by a
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-aiohttp?expand=0&rev=129
* Fixed "Unclosed client session" when initialization of
:py:class:`~aiohttp.ClientSession` fails
* Fixed regression (from :pr:`8280`) with adding
Content-Disposition to the form-data part after appending to writer
* Added default Content-Disposition in multipart/form-data
responses to avoid broken form-data responses
* The asynchronous internals now set the underlying causes when
assigning exceptions to the future objects
* Treated values of Accept-Encoding header as case-insensitive
when checking for gzip files
* Improved the DNS resolution performance on cache hit
* Changed the type annotations to allow dict on
:meth:`aiohttp.MultipartWriter.append`,
:meth:`aiohttp.MultipartWriter.append_json` and
:meth:`aiohttp.MultipartWriter.append_form` -- by
:user:`cakemanny`. Related issues and pull requests on GitHub:
:issue:`7741`.
* Ensure websocket transport is closed when client does not
close it
* Leave websocket transport open if receive times out or is
cancelled
* Fixed content not being read when an upgrade request was not
supported with the pure Python implementation.
* Fixed a race condition with incoming connections during
server shutdown
* Fixed multipart/form-data compliance with RFC 7578
* Fixed blocking I/O in the event loop while processing files
in a POST request
* Escaped filenames in static view
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-aiohttp?expand=0&rev=123
- Update to version 3.9.3
* Fixed backwards compatibility breakage (in 3.9.2) of ``ssl`` parameter
when set outside of ``ClientSession`` (e.g. directly in ``TCPConnector``)
* Improved test suite handling of paths and temp files to consistently
use pathlib and pytest fixtures.
- from version 3.9.2 (bsc#1219341, CVE-2024-23334, bsc#1219342, CVE-2024-23829)
* Fixed server-side websocket connection leak.
* Fixed ``web.FileResponse`` doing blocking I/O in the event loop.
* Fixed double compress when compression enabled and compressed file
exists in server file responses.
* Added runtime type check for ``ClientSession`` ``timeout`` parameter.
* Fixed an unhandled exception in the Python HTTP parser on header lines
starting with a colon.
* Improved validation of paths for static resources requests to the server.
* Added support for passing :py:data:`True` to ``ssl`` parameter in
``ClientSession`` while deprecating :py:data:`None`.
* Fixed examples of ``fallback_charset_resolver`` function in the
:doc:`client_advanced` document.
* The Sphinx setup was updated to avoid showing the empty
changelog draft section in the tagged release documentation
builds on Read The Docs.
* The changelog categorization was made clearer. The contributors can
now mark their fragment files more accurately.
* Updated :ref:`contributing/Tests coverage <aiohttp-contributing>`
section to show how we use ``codecov``.
* Replaced all ``tmpdir`` fixtures with ``tmp_path`` in test suite.
- Refresh patches for new version
* remove-re-assert.patch
OBS-URL: https://build.opensuse.org/request/show/1142747
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-aiohttp?expand=0&rev=116
* Fixed importing aiohttp under PyPy on Windows.
* Fixed async concurrency safety in websocket compressor.
* Fixed ``ClientResponse.close()`` releasing the connection
instead of closing.
* Fixed a regression where connection may get closed during
upgrade. -- by :user:`Dreamsorcerer`
* Fixed messages being reported as upgraded without an Upgrade
header in Python parser. -- by :user:`Dreamsorcerer`
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-aiohttp?expand=0&rev=109
* Introduced ``AppKey`` for static typing support of
``Application`` storage.
* Added a graceful shutdown period which allows pending tasks
to complete before the application's cleanup is called.
* Added `handler_cancellation`_ parameter to cancel web handler on
client disconnection.
* This (optionally) reintroduces a feature removed in a
previous release.
* Recommended for those looking for an extra level of
protection against denial-of-service attacks.
* Added support for setting response header parameters
``max_line_size`` and ``max_field_size``.
* Added ``auto_decompress`` parameter to
``ClientSession.request`` to override
``ClientSession._auto_decompress``.
* Changed ``raise_for_status`` to allow a coroutine.
* Added client brotli compression support (optional with
runtime check).
* Added ``client_max_size`` to ``BaseRequest.clone()`` to allow
overriding the request body size. -- :user:`anesabml`.
* Added a middleware type alias
``aiohttp.typedefs.Middleware``.
* Exported ``HTTPMove`` which can be used to catch any
redirection request that has a location -- :user:`dreamsorcerer`.
* Changed the ``path`` parameter in ``web.run_app()`` to accept
a ``pathlib.Path`` object.
* Performance: Skipped filtering ``CookieJar`` when the jar is
empty or all cookies have expired.
* Performance: Only check origin if insecure scheme and there
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-aiohttp?expand=0&rev=106
* Security bugfixes
* Upgraded the vendored copy of llhttp_ to v9.1.3
* https://github.com/aio-libs/aiohttp/security/advisories/GHSA-pjjw-qhg8-p2p9.
* Updated Python parser to comply with RFCs 9110/9112
* https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg.
* Added ``fallback_charset_resolver`` parameter in
``ClientSession`` to allow a user-supplied
character set detection function.
Character set detection will no longer be included in 3.9 as
a default. If this feature is needed,
please use `fallback_charset_resolver
* Enabled lenient response parsing for more flexible parsing in
the client
* Fixed ``PermissionError`` when ``.netrc`` is unreadable due
to permissions.
* Fixed output of parsing errors
* Fixed ``GunicornWebWorker`` max_requests_jitter not working.
* Fixed sorting in ``filter_cookies`` to use cookie with
longest path.
* Fixed display of ``BadStatusLine`` messages from llhttp_.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-aiohttp?expand=0&rev=104
- skip more tests
- Drop python39-failures.patch, no longer required.
- Update python39-failures.patch to only fire with Python 3.9.7.
* Made exceptions pickleable. Also changed the repr of
some exceptions. #4077
* Raise a ClientResponseError instead of an AssertionError for a
* Fix web_middlewares.normalize_path_middleware behavior for
* Fix overshadowing of overlapped sub-applications prefixes.
* Make BaseConnector.close() a coroutine and wait until the
client closes all connections. Drop deprecated "with
* Reset the sock_read timeout each time data is received for a
* Fixed type annotation for add_view method of UrlDispatcher to
* Fixed querying the address families from DNS that the current
* Change return type of MultipartReader.__aiter__() and
- Fix python 3.6 build
* Response headers are now prepared prior to running
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-aiohttp?expand=0&rev=100
problems with latest python-yarl
- Delete aiohttp-pr7057-bump-charset-normalizer.patch not needed
anymore
- Update to 3.8.4:
* Fixed incorrectly overwriting cookies with the same name and
domain, but different path. (#6638)
* Fixed ConnectionResetError not being raised after client
disconnection in SSL environments. (#7180)
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-aiohttp?expand=0&rev=90