- Update to 3.13.3:

* Security
    + Brotli and brotlicffi minimum version is now 1.2. Decompression now has
      a default maximum output size of 32MiB per decompress call
      (bsc#1256017, CVE-2025-69223, GHSA-6mq8-rvhq-8wgg)
    + Check for ASCII in header values
      (bsc#1256018, CVE-2025-69224, GHSA-69f9-5gxw-wvc2)
    + Forbid non-ASCII decimals in the Range header
      (bsc#1256019, CVE-2025-69225, GHSA-mqqc-3gqh-h2x8)
    + Reject static URLs that traverse outside static root
      (bsc#1256020, CVE-2025-69226, GHSA-54jq-c3m8-4m76)
    + Raise exceptions when processing a POST body
      (bsc#1256021, CVE-2025-69227, GHSA-jj3x-wxrx-4x23)
    + Enforce client_max_size over entire multipart form
      (bsc#1256022, CVE-2025-69228, GHSA-6jhg-hg63-jvvf)
    + Pause reading of chunks when it reaches a high water mark
      (bsc#1256023, CVE-2025-69229, GHSA-g84x-mcqj-x9qq)
    + Log only once per Cookie header
      (bsc#1256024, CVE-2025-69230, GHSA-fh55-r93g-j68g)
  * Bug fixes
    + Fixed proxy authorization headers not being passed when reusing a
      connection, which caused 407 (Proxy authentication required) errors
    + Fixed multipart reading failing when encountering an empty body part
    + Fixed a case where the parser wasn't raising an exception for a
      websocket continuation frame when there was no initial frame in context
  * Miscellaneous internal changes
    + Optimized web server performance when access logging is disabled by
      reducing time syscalls
    + Added regression test for cached logging status
- Refreshed patches fix-vendoring.patch
- Add patch remove-freethreading-cython-option.patch:
  * Drop newer Cython command line option.

aiohttp-3.12.15.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:4fc61385e9c98d72fcdf47e6dd81833f47b2f77c114c29cd64a361be57a763a2
-size 7823716

fix-vendoring.patch

@@ -0,0 +1,79 @@
+Index: aiohttp-3.13.3/Makefile
+===================================================================
+--- aiohttp-3.13.3.orig/Makefile
++++ aiohttp-3.13.3/Makefile
+@@ -47,10 +47,8 @@ endif
+ .SECONDARY: $(call to-hash,$(ALLS))
+ 
+ .update-pip:
+-	@python -m pip install --upgrade pip
+ 
+ .install-cython: .update-pip $(call to-hash,requirements/cython.txt)
+-	@python -m pip install -r requirements/cython.in -c requirements/cython.txt
+ 	@touch .install-cython
+ 
+ aiohttp/_find_header.c: $(call to-hash,aiohttp/hdrs.py ./tools/gen.py)
+@@ -85,7 +83,6 @@ cythonize: .install-cython $(PYXS:.pyx=.
+ cythonize-nodeps: $(PYXS:.pyx=.c) aiohttp/_websocket/reader_c.c
+ 
+ .install-deps: .install-cython $(PYXS:.pyx=.c) aiohttp/_websocket/reader_c.c $(call to-hash,$(CYS) $(REQS))
+-	@python -m pip install -r requirements/dev.in -c requirements/dev.txt
+ 	@touch .install-deps
+ 
+ .PHONY: lint
+@@ -100,7 +97,6 @@ mypy:
+ 	mypy
+ 
+ .develop: .install-deps generate-llhttp $(call to-hash,$(PYS) $(CYS) $(CS))
+-	python -m pip install -e . -c requirements/runtime-deps.txt
+ 	@touch .develop
+ 
+ .PHONY: test
+@@ -110,12 +106,12 @@ test: .develop
+ .PHONY: vtest
+ vtest: .develop
+ 	@pytest -s -v
+-	@python -X dev -m pytest -s -v -m dev_mode
++	python3 -X dev -m pytest -s -v -m dev_mode
+ 
+ .PHONY: vvtest
+ vvtest: .develop
+ 	@pytest -vv
+-	@python -X dev -m pytest -s -v -m dev_mode
++	python3 -X dev -m pytest -s -v -m dev_mode
+ 
+ 
+ define run_tests_in_docker
+@@ -151,7 +147,7 @@ clean:
+ 	@rm -rf build
+ 	@rm -rf cover
+ 	@make -C docs clean
+-	@python setup.py clean
++	python3 setup.py clean
+ 	@rm -f aiohttp/*.so
+ 	@rm -f aiohttp/*.pyd
+ 	@rm -f aiohttp/*.html
+@@ -182,7 +178,6 @@ doc-spelling:
+ 
+ .PHONY: install
+ install: .update-pip
+-	@python -m pip install -r requirements/dev.in -c requirements/dev.txt
+ 
+ .PHONY: install-dev
+ install-dev: .develop
+@@ -190,4 +185,4 @@ install-dev: .develop
+ .PHONY: sync-direct-runtime-deps
+ sync-direct-runtime-deps:
+ 	@echo Updating 'requirements/runtime-deps.in' from 'pyproject.toml'... >&2
+-	@python requirements/sync-direct-runtime-deps.py
++	python3 requirements/sync-direct-runtime-deps.py
+Index: aiohttp-3.13.3/tools/gen.py
+===================================================================
+--- aiohttp-3.13.3.orig/tools/gen.py
++++ aiohttp-3.13.3/tools/gen.py
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env python
++#!/usr/bin/python3
+ 
+ import io
+ import pathlib

python-aiohttp.changes

@@ -1,3 +1,109 @@
+-------------------------------------------------------------------
+Wed Jan 28 04:50:29 UTC 2026 - Steve Kowalik <steven.kowalik@suse.com>
+
+- Update to 3.13.3:
+  * Security
+    + Brotli and brotlicffi minimum version is now 1.2. Decompression now has
+      a default maximum output size of 32MiB per decompress call
+      (bsc#1256017, CVE-2025-69223, GHSA-6mq8-rvhq-8wgg)
+    + Check for ASCII in header values
+      (bsc#1256018, CVE-2025-69224, GHSA-69f9-5gxw-wvc2)
+    + Forbid non-ASCII decimals in the Range header
+      (bsc#1256019, CVE-2025-69225, GHSA-mqqc-3gqh-h2x8)
+    + Reject static URLs that traverse outside static root
+      (bsc#1256020, CVE-2025-69226, GHSA-54jq-c3m8-4m76)
+    + Raise exceptions when processing a POST body
+      (bsc#1256021, CVE-2025-69227, GHSA-jj3x-wxrx-4x23)
+    + Enforce client_max_size over entire multipart form
+      (bsc#1256022, CVE-2025-69228, GHSA-6jhg-hg63-jvvf)
+    + Pause reading of chunks when it reaches a high water mark
+      (bsc#1256023, CVE-2025-69229, GHSA-g84x-mcqj-x9qq)
+    + Log only once per Cookie header
+      (bsc#1256024, CVE-2025-69230, GHSA-fh55-r93g-j68g)
+  * Bug fixes
+    + Fixed proxy authorization headers not being passed when reusing a
+      connection, which caused 407 (Proxy authentication required) errors
+    + Fixed multipart reading failing when encountering an empty body part
+    + Fixed a case where the parser wasn't raising an exception for a
+      websocket continuation frame when there was no initial frame in context
+  * Miscellaneous internal changes
+    + Optimized web server performance when access logging is disabled by
+      reducing time syscalls
+    + Added regression test for cached logging status
+- Refreshed patches fix-vendoring.patch
+- Add patch remove-freethreading-cython-option.patch:
+  * Drop newer Cython command line option.
+
+-------------------------------------------------------------------
+Fri Nov 14 03:13:57 UTC 2025 - Steve Kowalik <steven.kowalik@suse.com>
+
+- Skip a test broken by idna 3.11.
+
+-------------------------------------------------------------------
+Mon Nov  3 11:51:55 UTC 2025 - Dirk Müller <dmueller@suse.com>
+
+- update to 3.13.2:
+  * Fixed cookie parser to continue parsing subsequent cookies
+    when encountering a malformed cookie that fails regex
+    validation, such as Google's g_state cookie with unescaped
+    quotes -- by :user:`bdraco`. Related issues and pull requests
+    on GitHub: :issue:`11632`.
+  * Fixed loading netrc credentials from the default
+    :file:`~/.netrc` (:file:`~/_netrc` on Windows) location when
+    the :envvar:`NETRC` environment variable is not set -- by
+    :user:`bdraco`. Related issues and pull requests on GitHub:
+    :issue:`11713`, :issue:`11714`.
+  * Fixed WebSocket compressed sends to be cancellation safe.
+    Tasks are now shielded during compression to prevent
+    compressor state corruption. This ensures that the stateful
+    compressor remains consistent even when send operations are
+    cancelled -- by :user:`bdraco`. Related issues and pull
+    requests on GitHub: :issue:`11725`.
+  * Make configuration options in AppRunner also available in
+    run_app() -- by :user:`Cycloctane`. Related issues and pull
+    requests on GitHub: :issue:`11633`.
+  * Switched to backports.zstd for Python <3.14 and fixed zstd
+    decompression for chunked zstd streams -- by :user:`ZhaoMJ`.
+    Note: Users who installed zstandard for support on Python
+    <3.14 will now need to install backports.zstd instead
+    (installing aiohttp[speedups] will do this automatically).
+    Related issues and pull requests on GitHub: :issue:`11623`.
+  * Updated Content-Type header parsing to return
+    application/octet-stream when header contains invalid syntax.
+    See RFC 9110. -- by :user:`sgaist`. Related issues and pull
+    requests on GitHub: :issue:`10889`.
+  * Fixed Python 3.14 support when built without zstd support --
+    by :user:`JacobHenner`. Related issues and pull requests on
+    GitHub: :issue:`11603`.
+  * Fixed blocking I/O in the event loop when using netrc
+    authentication by moving netrc file lookup to an executor --
+    by :user:`bdraco`. Related issues and pull requests on
+    GitHub: :issue:`11634`.
+  * Fixed routing to a sub-application added via .add_domain()
+    not working if the same path exists on the parent app. -- by
+    :user:`Dreamsorcerer`. Related issues and pull requests on
+    GitHub: :issue:`11673`.
+  * Moved core packaging metadata from :file:`setup.cfg` to
+    :file:`pyproject.toml` per PEP 621 -- by :user:`cdce8p`.
+    Related issues and pull requests on GitHub: :issue:`9951`.
+
+-------------------------------------------------------------------
+Thu Oct 16 21:40:07 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
+
+- Add fix-vendoring.patch
+
+-------------------------------------------------------------------
+Thu Oct 16 14:06:37 UTC 2025 - Adrian Schröter <adrian@suse.de>
+
+- Update to 3.13.0
+  Details: https://github.com/aio-libs/aiohttp/releases/tag/v3.13.0
+  * python 3.14 support
+  * zstd support
+- drop remove-isal-test-dep.patch
+- "make cythonize" is required as poetry is not supporting cython
+- add vendor-llhttp.tar.gz of new git submodule. 
+  added downloaded nodejs modules
+
 -------------------------------------------------------------------
 Thu Aug  7 11:36:47 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
 

python-aiohttp.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package python-aiohttp
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2026 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -19,18 +19,24 @@
 %bcond_with docs
 %{?sle15_python_module_pythons}
 Name:           python-aiohttp
-Version:        3.12.15
+Version:        3.13.3
 Release:        0
 Summary:        Asynchronous HTTP client/server framework
 License:        Apache-2.0
 URL:            https://github.com/aio-libs/aiohttp
 Source:         https://files.pythonhosted.org/packages/source/a/aiohttp/aiohttp-%{version}.tar.gz
+# llhttp vendor tar ball manually created based on git submodule via:
+# - yarn
+# - make generate
+# - tar cfvz vendor-llhttp.tar.gz vendor/
+Source2:        vendor-llhttp.tar.gz
 Patch0:         test_no_warnings_fix.patch
-# PATCH-FIX-OPENSUSE remove-isal-test-dep.patch -- daniel.garcia@suse.com
-# Remove python-isal dependency for testing.
-Patch1:         remove-isal-test-dep.patch
 # PATCH-FIX-OPENSUSE remove-zlib-ng-test-dep.patch
 Patch2:         remove-zlib-ng-test-dep.patch
+# PATCH-FIX-OPENSUSE fix-vendoring.patch
+Patch3:         fix-vendoring.patch
+# PATCH-FIX-SLE Remove incompatible Cython command line argument
+Patch4:         remove-freethreading-cython-option.patch
 Requires:       python-aiohappyeyeballs >= 2.5.0
 Requires:       python-aiosignal >= 1.4
 Requires:       python-attrs >= 17.3.0
@@ -38,7 +44,7 @@ Requires:       python-frozenlist >= 1.1.1
 Requires:       (python-charset-normalizer >= 2.0 with python-charset-normalizer < 4)
 Requires:       (python-multidict >= 4.5 with python-multidict < 7)
 Requires:       (python-yarl >= 1.17.0 with python-yarl < 2)
-Recommends:     python-Brotli
+Recommends:     python-Brotli >= 1.2
 Recommends:     python-aiodns
 Recommends:     python-cChardet
 Suggests:       %{name}-doc
@@ -61,7 +67,7 @@ BuildRequires:  %{python_module multidict >= 4.5 with %python-multidict < 7}
 BuildRequires:  %{python_module yarl >= 1.17.0 with %python-yarl < 2}
 # /SECTION
 # SECTION test requirements
-BuildRequires:  %{python_module Brotli}
+BuildRequires:  %{python_module Brotli >= 1.2}
 BuildRequires:  %{python_module blockbuster}
 BuildRequires:  %{python_module freezegun}
 BuildRequires:  %{python_module gunicorn}
@@ -109,6 +115,11 @@ HTML documentation on the API and examples for %{name}.
 # don't check coverage
 sed -i '/--cov/d' setup.cfg
 
+# vendored llhttp
+tar xfv %{S:2}
+# prepare cython files manually for now
+make cythonize
+
 %build
 export CFLAGS="%{optflags}"
 %pyproject_wheel
@@ -135,6 +146,8 @@ donttest="test_aiohttp_request_coroutine or test_mark_formdata_as_processed or t
 donttest+=" or test_tcp_connector_ssl_shutdown_timeout"
 # most probably https://github.com/cbornet/blockbuster/issues/47
 donttest+=" or (test_cookie_jar and (heap or expire)) or test_treat_as_secure_origin_init"
+# broken with idna 3.11 https://github.com/aio-libs/aiohttp/pull/11638
+donttest+=" or test_invalid_idna"
 
 # requires python-on-whales
 rm -v tests/autobahn/test_autobahn.py

remove-freethreading-cython-option.patch

@@ -0,0 +1,22 @@
+Index: aiohttp-3.13.3/Makefile
+===================================================================
+--- aiohttp-3.13.3.orig/Makefile
++++ aiohttp-3.13.3/Makefile
+@@ -57,14 +57,14 @@ aiohttp/_find_header.c: $(call to-hash,a
+ # Special case for reader since we want to be able to disable
+ # the extension with AIOHTTP_NO_EXTENSIONS
+ aiohttp/_websocket/reader_c.c: aiohttp/_websocket/reader_c.py
+-	cython -3 -X freethreading_compatible=True -o $@ $< -I aiohttp -Werror
++	cython -3 -o $@ $< -I aiohttp -Werror
+ 
+ # _find_headers generator creates _headers.pyi as well
+ aiohttp/%.c: aiohttp/%.pyx $(call to-hash,$(CYS)) aiohttp/_find_header.c
+-	cython -3 -X freethreading_compatible=True -o $@ $< -I aiohttp -Werror
++	cython -3 -o $@ $< -I aiohttp -Werror
+ 
+ aiohttp/_websocket/%.c: aiohttp/_websocket/%.pyx $(call to-hash,$(CYS))
+-	cython -3 -X freethreading_compatible=True -o $@ $< -I aiohttp -Werror
++	cython -3 -o $@ $< -I aiohttp -Werror
+ 
+ vendor/llhttp/node_modules: vendor/llhttp/package.json
+ 	cd vendor/llhttp; npm ci

remove-isal-test-dep.patch

@@ -1,21 +0,0 @@
-Index: aiohttp-3.12.13/tests/conftest.py
-===================================================================
---- aiohttp-3.12.13.orig/tests/conftest.py
-+++ aiohttp-3.12.13/tests/conftest.py
-@@ -12,7 +12,6 @@ from typing import Any, AsyncIterator, G
- from unittest import mock
- from uuid import uuid4
- 
--import isal.isal_zlib
- import pytest
- import zlib_ng.zlib_ng
- from blockbuster import blockbuster_ctx
-@@ -331,7 +330,7 @@ def unused_port_socket() -> Generator[so
-         s.close()
- 
- 
--@pytest.fixture(params=[zlib, zlib_ng.zlib_ng, isal.isal_zlib])
-+@pytest.fixture(params=[zlib, zlib_ng.zlib_ng])
- def parametrize_zlib_backend(
-     request: pytest.FixtureRequest,
- ) -> Generator[None, None, None]:

remove-zlib-ng-test-dep.patch

@@ -1,30 +1,13 @@
-Index: aiohttp-3.12.14/requirements/test.in
+Index: aiohttp-3.13.3/tests/conftest.py
 ===================================================================
---- aiohttp-3.12.14.orig/requirements/test.in
-+++ aiohttp-3.12.14/requirements/test.in
-@@ -17,4 +17,3 @@ re-assert
- setuptools-git
- trustme; platform_machine != "i686"  # no 32-bit wheels
- wait-for-it
--zlib_ng
-Index: aiohttp-3.12.14/tests/conftest.py
-===================================================================
---- aiohttp-3.12.14.orig/tests/conftest.py
-+++ aiohttp-3.12.14/tests/conftest.py
-@@ -13,7 +13,6 @@ from unittest import mock
- from uuid import uuid4
- 
- import pytest
--import zlib_ng.zlib_ng
- from blockbuster import blockbuster_ctx
- 
- from aiohttp import payload
-@@ -330,7 +329,7 @@ def unused_port_socket() -> Generator[so
+--- aiohttp-3.13.3.orig/tests/conftest.py
++++ aiohttp-3.13.3/tests/conftest.py
+@@ -381,7 +381,7 @@ def unused_port_socket() -> Generator[so
          s.close()
  
  
--@pytest.fixture(params=[zlib, zlib_ng.zlib_ng])
-+@pytest.fixture(params=[zlib])
+-@pytest.fixture(params=["zlib", "zlib_ng.zlib_ng", "isal.isal_zlib"])
++@pytest.fixture(params=["zlib"])
  def parametrize_zlib_backend(
      request: pytest.FixtureRequest,
  ) -> Generator[None, None, None]: