- Update to 3.13.3:

* Security + Brotli and brotlicffi minimum version is now 1.2. Decompression now has a default maximum output size of 32MiB per decompress call (bsc#1256017, CVE-2025-69223, GHSA-6mq8-rvhq-8wgg) + Check for ASCII in header values (bsc#1256018, CVE-2025-69224, GHSA-69f9-5gxw-wvc2) + Forbid non-ASCII decimals in the Range header (bsc#1256019, CVE-2025-69225, GHSA-mqqc-3gqh-h2x8) + Reject static URLs that traverse outside static root (bsc#1256020, CVE-2025-69226, GHSA-54jq-c3m8-4m76) + Raise exceptions when processing a POST body (bsc#1256021, CVE-2025-69227, GHSA-jj3x-wxrx-4x23) + Enforce client_max_size over entire multipart form (bsc#1256022, CVE-2025-69228, GHSA-6jhg-hg63-jvvf) + Pause reading of chunks when it reaches a high water mark (bsc#1256023, CVE-2025-69229, GHSA-g84x-mcqj-x9qq) + Log only once per Cookie header (bsc#1256024, CVE-2025-69230, GHSA-fh55-r93g-j68g) * Bug fixes + Fixed proxy authorization headers not being passed when reusing a connection, which caused 407 (Proxy authentication required) errors + Fixed multipart reading failing when encountering an empty body part + Fixed a case where the parser wasn't raising an exception for a websocket continuation frame when there was no initial frame in context * Miscellaneous internal changes + Optimized web server performance when access logging is disabled by reducing time syscalls + Added regression test for cached logging status - Refreshed patches fix-vendoring.patch - Add patch remove-freethreading-cython-option.patch: * Drop newer Cython command line option.
2026-01-28 16:02:27 +11:00
8 changed files with 347 additions and 24 deletions
--- a/aiohttp-3.11.16.tar.gz
+++ b/aiohttp-3.11.16.tar.gz
--- a/aiohttp-3.13.3.tar.gz
+++ b/aiohttp-3.13.3.tar.gz
--- a/fix-vendoring.patch
+++ b/fix-vendoring.patch
@@ -0,0 +1,79 @@
+Index: aiohttp-3.13.3/Makefile
+===================================================================
+--- aiohttp-3.13.3.orig/Makefile
+++ aiohttp-3.13.3/Makefile
+@@ -47,10 +47,8 @@ endif
+ .SECONDARY: $(call to-hash,$(ALLS))
+ 
+ .update-pip:
+-	@python -m pip install --upgrade pip
+ 
+ .install-cython: .update-pip $(call to-hash,requirements/cython.txt)
+-	@python -m pip install -r requirements/cython.in -c requirements/cython.txt
+ 	@touch .install-cython
+ 
+ aiohttp/_find_header.c: $(call to-hash,aiohttp/hdrs.py ./tools/gen.py)
+@@ -85,7 +83,6 @@ cythonize: .install-cython $(PYXS:.pyx=.
+ cythonize-nodeps: $(PYXS:.pyx=.c) aiohttp/_websocket/reader_c.c
+ 
+ .install-deps: .install-cython $(PYXS:.pyx=.c) aiohttp/_websocket/reader_c.c $(call to-hash,$(CYS) $(REQS))
+-	@python -m pip install -r requirements/dev.in -c requirements/dev.txt
+ 	@touch .install-deps
+ 
+ .PHONY: lint
+@@ -100,7 +97,6 @@ mypy:
+ 	mypy
+ 
+ .develop: .install-deps generate-llhttp $(call to-hash,$(PYS) $(CYS) $(CS))
+-	python -m pip install -e . -c requirements/runtime-deps.txt
+ 	@touch .develop
+ 
+ .PHONY: test
+@@ -110,12 +106,12 @@ test: .develop
+ .PHONY: vtest
+ vtest: .develop
+ 	@pytest -s -v
+-	@python -X dev -m pytest -s -v -m dev_mode
+	python3 -X dev -m pytest -s -v -m dev_mode
+ 
+ .PHONY: vvtest
+ vvtest: .develop
+ 	@pytest -vv
+-	@python -X dev -m pytest -s -v -m dev_mode
+	python3 -X dev -m pytest -s -v -m dev_mode
+ 
+ 
+ define run_tests_in_docker
+@@ -151,7 +147,7 @@ clean:
+ 	@rm -rf build
+ 	@rm -rf cover
+ 	@make -C docs clean
+-	@python setup.py clean
+	python3 setup.py clean
+ 	@rm -f aiohttp/*.so
+ 	@rm -f aiohttp/*.pyd
+ 	@rm -f aiohttp/*.html
+@@ -182,7 +178,6 @@ doc-spelling:
+ 
+ .PHONY: install
+ install: .update-pip
+-	@python -m pip install -r requirements/dev.in -c requirements/dev.txt
+ 
+ .PHONY: install-dev
+ install-dev: .develop
+@@ -190,4 +185,4 @@ install-dev: .develop
+ .PHONY: sync-direct-runtime-deps
+ sync-direct-runtime-deps:
+ 	@echo Updating 'requirements/runtime-deps.in' from 'pyproject.toml'... >&2
+-	@python requirements/sync-direct-runtime-deps.py
+	python3 requirements/sync-direct-runtime-deps.py
+Index: aiohttp-3.13.3/tools/gen.py
+===================================================================
+--- aiohttp-3.13.3.orig/tools/gen.py
+++ aiohttp-3.13.3/tools/gen.py
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env python
+#!/usr/bin/python3
+ 
+ import io
+ import pathlib
--- a/python-aiohttp.changes
+++ b/python-aiohttp.changes
@@ -1,3 +1,198 @@
+-------------------------------------------------------------------
+Wed Jan 28 04:50:29 UTC 2026 - Steve Kowalik <steven.kowalik@suse.com>
+
+- Update to 3.13.3:
+  * Security
+    + Brotli and brotlicffi minimum version is now 1.2. Decompression now has
+      a default maximum output size of 32MiB per decompress call
+      (bsc#1256017, CVE-2025-69223, GHSA-6mq8-rvhq-8wgg)
+    + Check for ASCII in header values
+      (bsc#1256018, CVE-2025-69224, GHSA-69f9-5gxw-wvc2)
+    + Forbid non-ASCII decimals in the Range header
+      (bsc#1256019, CVE-2025-69225, GHSA-mqqc-3gqh-h2x8)
+    + Reject static URLs that traverse outside static root
+      (bsc#1256020, CVE-2025-69226, GHSA-54jq-c3m8-4m76)
+    + Raise exceptions when processing a POST body
+      (bsc#1256021, CVE-2025-69227, GHSA-jj3x-wxrx-4x23)
+    + Enforce client_max_size over entire multipart form
+      (bsc#1256022, CVE-2025-69228, GHSA-6jhg-hg63-jvvf)
+    + Pause reading of chunks when it reaches a high water mark
+      (bsc#1256023, CVE-2025-69229, GHSA-g84x-mcqj-x9qq)
+    + Log only once per Cookie header
+      (bsc#1256024, CVE-2025-69230, GHSA-fh55-r93g-j68g)
+  * Bug fixes
+    + Fixed proxy authorization headers not being passed when reusing a
+      connection, which caused 407 (Proxy authentication required) errors
+    + Fixed multipart reading failing when encountering an empty body part
+    + Fixed a case where the parser wasn't raising an exception for a
+      websocket continuation frame when there was no initial frame in context
+  * Miscellaneous internal changes
+    + Optimized web server performance when access logging is disabled by
+      reducing time syscalls
+    + Added regression test for cached logging status
+- Refreshed patches fix-vendoring.patch
+- Add patch remove-freethreading-cython-option.patch:
+  * Drop newer Cython command line option.
+
+-------------------------------------------------------------------
+Fri Nov 14 03:13:57 UTC 2025 - Steve Kowalik <steven.kowalik@suse.com>
+
+- Skip a test broken by idna 3.11.
+
+-------------------------------------------------------------------
+Mon Nov  3 11:51:55 UTC 2025 - Dirk Müller <dmueller@suse.com>
+
+- update to 3.13.2:
+  * Fixed cookie parser to continue parsing subsequent cookies
+    when encountering a malformed cookie that fails regex
+    validation, such as Google's g_state cookie with unescaped
+    quotes -- by :user:`bdraco`. Related issues and pull requests
+    on GitHub: :issue:`11632`.
+  * Fixed loading netrc credentials from the default
+    :file:`~/.netrc` (:file:`~/_netrc` on Windows) location when
+    the :envvar:`NETRC` environment variable is not set -- by
+    :user:`bdraco`. Related issues and pull requests on GitHub:
+    :issue:`11713`, :issue:`11714`.
+  * Fixed WebSocket compressed sends to be cancellation safe.
+    Tasks are now shielded during compression to prevent
+    compressor state corruption. This ensures that the stateful
+    compressor remains consistent even when send operations are
+    cancelled -- by :user:`bdraco`. Related issues and pull
+    requests on GitHub: :issue:`11725`.
+  * Make configuration options in AppRunner also available in
+    run_app() -- by :user:`Cycloctane`. Related issues and pull
+    requests on GitHub: :issue:`11633`.
+  * Switched to backports.zstd for Python <3.14 and fixed zstd
+    decompression for chunked zstd streams -- by :user:`ZhaoMJ`.
+    Note: Users who installed zstandard for support on Python
+    <3.14 will now need to install backports.zstd instead
+    (installing aiohttp[speedups] will do this automatically).
+    Related issues and pull requests on GitHub: :issue:`11623`.
+  * Updated Content-Type header parsing to return
+    application/octet-stream when header contains invalid syntax.
+    See RFC 9110. -- by :user:`sgaist`. Related issues and pull
+    requests on GitHub: :issue:`10889`.
+  * Fixed Python 3.14 support when built without zstd support --
+    by :user:`JacobHenner`. Related issues and pull requests on
+    GitHub: :issue:`11603`.
+  * Fixed blocking I/O in the event loop when using netrc
+    authentication by moving netrc file lookup to an executor --
+    by :user:`bdraco`. Related issues and pull requests on
+    GitHub: :issue:`11634`.
+  * Fixed routing to a sub-application added via .add_domain()
+    not working if the same path exists on the parent app. -- by
+    :user:`Dreamsorcerer`. Related issues and pull requests on
+    GitHub: :issue:`11673`.
+  * Moved core packaging metadata from :file:`setup.cfg` to
+    :file:`pyproject.toml` per PEP 621 -- by :user:`cdce8p`.
+    Related issues and pull requests on GitHub: :issue:`9951`.
+
+-------------------------------------------------------------------
+Thu Oct 16 21:40:07 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
+
+- Add fix-vendoring.patch
+
+-------------------------------------------------------------------
+Thu Oct 16 14:06:37 UTC 2025 - Adrian Schröter <adrian@suse.de>
+
+- Update to 3.13.0
+  Details: https://github.com/aio-libs/aiohttp/releases/tag/v3.13.0
+  * python 3.14 support
+  * zstd support
+- drop remove-isal-test-dep.patch
+- "make cythonize" is required as poetry is not supporting cython
+- add vendor-llhttp.tar.gz of new git submodule. 
+  added downloaded nodejs modules
+
+-------------------------------------------------------------------
+Thu Aug  7 11:36:47 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Update to 3.12.15
+  * Fixed :class:`~aiohttp.DigestAuthMiddleware` to preserve the algorithm case
+    from the server's challenge in the authorization response. This improves
+    compatibility with servers that perform case-sensitive algorithm matching
+    (e.g., servers expecting ``algorithm=MD5-sess`` instead of ``algorithm=MD5-SESS``)
+  * Remove outdated contents of ``aiohttp-devtools`` and ``aiohttp-swagger``
+    from Web_advanced docs.
+  * Started including the ``llhttp`` :file:`LICENSE` file in wheels by adding
+    ``vendor/llhttp/LICENSE`` to ``license-files`` in :file:`setup.cfg`
+  * Updated a regex in `test_aiohttp_request_coroutine` for Python 3.14.
+
+-------------------------------------------------------------------
+Mon Jul 28 08:16:17 UTC 2025 - Nico Krapp <nico.krapp@suse.com>
+
+- Add remove-zlib-ng-test-dep.patch to remove python-zlib-ng test
+  dependency
+- enable test_leaks again, works with limited threads
+
+-------------------------------------------------------------------
+Mon Jul 14 15:17:06 UTC 2025 - Dirk Müller <dmueller@suse.com>
+
+- update to 3.12.14:
+  * Fixed file uploads failing with HTTP 422 errors when
+    encountering 307/308 redirects, and 301/302 redirects for
+    non-POST methods, by preserving the request body when
+    appropriate per RFC 9110 -- by :user:`bdraco`. Related issues
+    and pull requests on GitHub: :issue:`11270`.
+  * Fixed :py:meth:`ClientSession.close()
+    <aiohttp.ClientSession.close>` hanging indefinitely when
+    using HTTPS requests through HTTP proxies -- by
+    :user:`bdraco`. Related issues and pull requests on GitHub:
+    :issue:`11273`.
+  * Bumped minimum version of aiosignal to 1.4+ to resolve typing
+    issues -- by :user:`Dreamsorcerer`. Related issues and pull
+    requests on GitHub: :issue:`11280`.
+  * Added initial trailer parsing logic to Python HTTP parser --
+    by :user:`Dreamsorcerer`. Related issues and pull requests on
+    GitHub: :issue:`11269`.
+  * Clarified exceptions raised by WebSocketResponse.send_frame
+    et al. -- by :user:`DoctorJohn`. Related issues and pull
+    requests on GitHub: :issue:`11234`.
+
+-------------------------------------------------------------------
+Mon Jun 30 06:00:18 UTC 2025 - Daniel Garcia <daniel.garcia@suse.com>
+
+- Add remove-isal-test-dep.patch to remove python-isal test
+  dependency, that's not part of Factory yet.
+
+-------------------------------------------------------------------
+Fri Jun 20 05:53:30 UTC 2025 - Markéta Machová <mmachova@suse.com>
+
+- Update to 3.12.13
+  * Optimized web server performance when access logging is disabled
+    by reducing time syscalls
+  * Improved performance of the WebSocket reader
+  * Disabled TLS in TLS warning (when using HTTPS proxies) for uvloop
+    and newer Python versions
+  * Added a comprehensive HTTP Digest Authentication client middleware
+    (DigestAuthMiddleware) that implements RFC 7616.
+  * Fixed pytest plugin to not use deprecated asyncio policy APIs.
+  * Allow user setting zlib compression backend
+  * Added host parameter to aiohttp_server fixture
+  * Added socket_factory to aiohttp.TCPConnector to allow specifying
+    custom socket options
+  * Upgraded to LLHTTP 9.3.0
+  * Optimized small HTTP requests/responses by coalescing headers and
+    body into a single TCP packet
+  * Removed non SPDX-license description from setup.cfg
+  * Added support for building against system llhttp library
+  * Fixed compatibility issue with Cython 3.1.1
+  * Added support for reusable request bodies to enable retries,
+    redirects, and digest authentication
+  * Improved performance of isinstance checks by using collections.abc
+    types instead of typing module equivalents
+  * Added ssl_shutdown_timeout parameter to aiohttp.ClientSession and
+    aiohttp.TCPConnector to control the grace period for SSL shutdown
+    handshake on TLS connections.
+  * Downgraded the logging level for connector close errors from ERROR
+    to DEBUG, as these are expected behavior with TLS 1.3 connections
+  * Fixed cookie parsing to be more lenient when handling cookies with
+    special characters in names or values
+  * Improved SSL connection handling by changing the default ssl_shutdown_timeout
+    from 0.1 to 0 seconds. The ssl_shutdown_timeout parameter is now deprecated
+    and will be removed in aiohttp 4.0
+- Review tests
+
 -------------------------------------------------------------------
 Tue Apr 15 09:18:21 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>

--- a/python-aiohttp.spec
+++ b/python-aiohttp.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package python-aiohttp
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2026 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -19,24 +19,32 @@
 %bcond_with docs
 %{?sle15_python_module_pythons}
 Name:           python-aiohttp
-Version:        3.11.16
+Version:        3.13.3
 Release:        0
 Summary:        Asynchronous HTTP client/server framework
 License:        Apache-2.0
 URL:            https://github.com/aio-libs/aiohttp
 Source:         https://files.pythonhosted.org/packages/source/a/aiohttp/aiohttp-%{version}.tar.gz
+# llhttp vendor tar ball manually created based on git submodule via:
+# - yarn
+# - make generate
+# - tar cfvz vendor-llhttp.tar.gz vendor/
+Source2:        vendor-llhttp.tar.gz
 Patch0:         test_no_warnings_fix.patch
-Requires:       python-aiohappyeyeballs >= 2.3.0
-Requires:       python-aiosignal >= 1.1.2
+# PATCH-FIX-OPENSUSE remove-zlib-ng-test-dep.patch
+Patch2:         remove-zlib-ng-test-dep.patch
+# PATCH-FIX-OPENSUSE fix-vendoring.patch
+Patch3:         fix-vendoring.patch
+# PATCH-FIX-SLE Remove incompatible Cython command line argument
+Patch4:         remove-freethreading-cython-option.patch
+Requires:       python-aiohappyeyeballs >= 2.5.0
+Requires:       python-aiosignal >= 1.4
 Requires:       python-attrs >= 17.3.0
 Requires:       python-frozenlist >= 1.1.1
-%if 0%{?python_version_nodots} < 311
-Requires:       (python-async_timeout >= 4.0 with python-async_timeout < 5)
-%endif
 Requires:       (python-charset-normalizer >= 2.0 with python-charset-normalizer < 4)
 Requires:       (python-multidict >= 4.5 with python-multidict < 7)
 Requires:       (python-yarl >= 1.17.0 with python-yarl < 2)
-Recommends:     python-Brotli
+Recommends:     python-Brotli >= 1.2
 Recommends:     python-aiodns
 Recommends:     python-cChardet
 Suggests:       %{name}-doc
@@ -50,9 +58,8 @@ BuildRequires:  fdupes
 BuildRequires:  python-rpm-macros
 # /SECTION
 # SECTION install requirements
-BuildRequires:  %{python_module aiohappyeyeballs >= 2.3.0}
-BuildRequires:  %{python_module aiosignal >= 1.1.2}
-BuildRequires:  %{python_module async_timeout >= 4.0 with %python-async_timeout < 5}
+BuildRequires:  %{python_module aiohappyeyeballs >= 2.5.0}
+BuildRequires:  %{python_module aiosignal >= 1.4}
 BuildRequires:  %{python_module attrs >= 17.3.0}
 BuildRequires:  %{python_module charset-normalizer >= 2.0 with %python-charset-normalizer < 4}
 BuildRequires:  %{python_module frozenlist >= 1.1.1}
@@ -60,8 +67,8 @@ BuildRequires:  %{python_module multidict >= 4.5 with %python-multidict < 7}
 BuildRequires:  %{python_module yarl >= 1.17.0 with %python-yarl < 2}
 # /SECTION
 # SECTION test requirements
-BuildRequires:  %{python_module aiodns}
-BuildRequires:  %{python_module Brotli}
+BuildRequires:  %{python_module Brotli >= 1.2}
+BuildRequires:  %{python_module blockbuster}
 BuildRequires:  %{python_module freezegun}
 BuildRequires:  %{python_module gunicorn}
 BuildRequires:  %{python_module pluggy}
@@ -108,6 +115,11 @@ HTML documentation on the API and examples for %{name}.
 # don't check coverage
 sed -i '/--cov/d' setup.cfg

+# vendored llhttp
+tar xfv %{S:2}
+# prepare cython files manually for now
+make cythonize
+
 %build
 export CFLAGS="%{optflags}"
 %pyproject_wheel
@@ -127,15 +139,15 @@ rm -r %{buildroot}%{$python_sitearch}/aiohttp/.hash

 %check
 donttest="test_aiohttp_request_coroutine or test_mark_formdata_as_processed or test_aiohttp_plugin_async or test_secure_https_proxy_absolute_path"
-# # no name resolution
-# donttest+=" or test_client_session_timeout_zero"
 # # flaky
 # donttest+=" or test_https_proxy_unsupported_tls_in_tls"
 # donttest+=" or test_shutdown_handler_cancellation_suppressed"
-# raises not expected "ConnectionResetError" with openssl 3.2 and python < 3.11
-donttest+=" or test_tcp_connector_raise_connector_ssl_error[pyloop]"
-# # fails with pytest 8 https://github.com/aio-libs/aiohttp/issues/8234
-# donttest+=" or (test_pytest_plugin and test_aiohttp_plugin)"
+# https://github.com/aio-libs/aiohttp/issues/11113
+donttest+=" or test_tcp_connector_ssl_shutdown_timeout"
+# most probably https://github.com/cbornet/blockbuster/issues/47
+donttest+=" or (test_cookie_jar and (heap or expire)) or test_treat_as_secure_origin_init"
+# broken with idna 3.11 https://github.com/aio-libs/aiohttp/pull/11638
+donttest+=" or test_invalid_idna"

 # requires python-on-whales
 rm -v tests/autobahn/test_autobahn.py
@@ -149,8 +161,7 @@ single_runs="(test_run_app or test_web_runner)"
 # breaks without threading
 single_runs+=" and not test_shutdown_handler_cancellation_suppressed"
 test -d aiohttp && mv aiohttp aiohttp.bkp
-%pytest_arch %{?jobs: -n %jobs} tests -k "not ($donttest or ${single_runs})"
-%pytest_arch tests -k "${single_runs}"
+%pytest_arch tests -n 4 -k "not ($donttest or skip_blockbuster)"

 %files %{python_files}
 %license LICENSE.txt
--- a/remove-freethreading-cython-option.patch
+++ b/remove-freethreading-cython-option.patch
@@ -0,0 +1,22 @@
+Index: aiohttp-3.13.3/Makefile
+===================================================================
+--- aiohttp-3.13.3.orig/Makefile
+++ aiohttp-3.13.3/Makefile
+@@ -57,14 +57,14 @@ aiohttp/_find_header.c: $(call to-hash,a
+ # Special case for reader since we want to be able to disable
+ # the extension with AIOHTTP_NO_EXTENSIONS
+ aiohttp/_websocket/reader_c.c: aiohttp/_websocket/reader_c.py
+-	cython -3 -X freethreading_compatible=True -o $@ $< -I aiohttp -Werror
+	cython -3 -o $@ $< -I aiohttp -Werror
+ 
+ # _find_headers generator creates _headers.pyi as well
+ aiohttp/%.c: aiohttp/%.pyx $(call to-hash,$(CYS)) aiohttp/_find_header.c
+-	cython -3 -X freethreading_compatible=True -o $@ $< -I aiohttp -Werror
+	cython -3 -o $@ $< -I aiohttp -Werror
+ 
+ aiohttp/_websocket/%.c: aiohttp/_websocket/%.pyx $(call to-hash,$(CYS))
+-	cython -3 -X freethreading_compatible=True -o $@ $< -I aiohttp -Werror
+	cython -3 -o $@ $< -I aiohttp -Werror
+ 
+ vendor/llhttp/node_modules: vendor/llhttp/package.json
+ 	cd vendor/llhttp; npm ci
--- a/remove-zlib-ng-test-dep.patch
+++ b/remove-zlib-ng-test-dep.patch
@@ -0,0 +1,13 @@
+Index: aiohttp-3.13.3/tests/conftest.py
+===================================================================
+--- aiohttp-3.13.3.orig/tests/conftest.py
+++ aiohttp-3.13.3/tests/conftest.py
+@@ -381,7 +381,7 @@ def unused_port_socket() -> Generator[so
+         s.close()
+ 
+ 
+-@pytest.fixture(params=["zlib", "zlib_ng.zlib_ng", "isal.isal_zlib"])
+@pytest.fixture(params=["zlib"])
+ def parametrize_zlib_backend(
+     request: pytest.FixtureRequest,
+ ) -> Generator[None, None, None]:
--- a/vendor-llhttp.tar.gz
+++ b/vendor-llhttp.tar.gz