fix(deps): bump aiohttp lower bound to >=3.14.0 to fix CVE-2026-47265, CVE-2026-47266#16230
ec6dea8 to 91fd9e2
Claude Code Review
This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.
| # accordingly so SDKs that still support older Python fall back to not | ||
| # installing the extra rather than pinning to a vulnerable aiohttp. | ||
| project.add_dependency( | ||
| dependency=AST.Dependency(name="httpx-aiohttp", version="0.1.8", optional=True, python=">=3.9") |
🔴 httpx-aiohttp Python marker not tightened to >=3.10, creating inconsistency with aiohttp marker
The PR tightens the aiohttp Python marker from >=3.9 to >=3.10 but leaves httpx-aiohttp at >=3.9. The prior change (generators/python/sdk/changes/5.5.5/add-aiohttp-python39-marker.yml) deliberately set both markers to the same value. With this inconsistency, on Python 3.9, pip install sdk[aiohttp] will install httpx-aiohttp (marker matches) but skip our aiohttp>=3.14.0,<4 constraint (marker doesn't match). Since httpx-aiohttp transitively depends on aiohttp, pip will resolve whatever older aiohttp version is compatible with Python 3.9 — likely a version vulnerable to the CVEs this PR is meant to address.
| dependency=AST.Dependency(name="httpx-aiohttp", version="0.1.8", optional=True, python=">=3.9") | |
| dependency=AST.Dependency(name="httpx-aiohttp", version="0.1.8", optional=True, python=">=3.10") |
Good catch — fixed in 166501c. Both httpx-aiohttp and aiohttp now use python=">=3.10".
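To make the marker mismatch described above concrete, here is an added example (not code from the PR or from the generator) that models how pip evaluates per-dependency Python markers for an extra and lints an extra whose dependencies carry different markers. The OptionalDep records are constructed from the two dependencies named in the review; "0.1.8" is carried over as written in the AST.Dependency call.

```python
# Added example (not part of the PR): models the marker evaluation pip applies
# to optional dependencies so the 3.9 vs 3.10 inconsistency is visible.
from dataclasses import dataclass


@dataclass(frozen=True)
class OptionalDep:
    name: str
    spec: str    # version constraint as it would appear in pyproject
    extra: str   # the extra that enables it, e.g. "aiohttp"
    python: str  # minimal Python marker, e.g. ">=3.10"


def python_marker_matches(python: str, version: tuple[int, int]) -> bool:
    """Evaluate a '>=X.Y' marker against an interpreter version."""
    assert python.startswith(">="), "only >= markers are modelled here"
    major, minor = (int(p) for p in python[2:].split("."))
    return version >= (major, minor)


def applicable_constraints(deps, version, extras):
    """Direct constraints pip will honour for this interpreter and extras."""
    return {d.name: d.spec for d in deps
            if d.extra in extras and python_marker_matches(d.python, version)}


def extras_with_mismatched_markers(deps):
    """Lint: every dependency enabled by one extra should share a marker."""
    by_extra = {}
    for d in deps:
        by_extra.setdefault(d.extra, set()).add(d.python)
    return sorted(e for e, markers in by_extra.items() if len(markers) > 1)


# Constructed from the review: the state it flagged, and the fixed state.
INCONSISTENT = [
    OptionalDep("httpx-aiohttp", "0.1.8", "aiohttp", ">=3.9"),
    OptionalDep("aiohttp", ">=3.14.0,<4", "aiohttp", ">=3.10"),
]
CONSISTENT = [
    OptionalDep("httpx-aiohttp", "0.1.8", "aiohttp", ">=3.10"),
    OptionalDep("aiohttp", ">=3.14.0,<4", "aiohttp", ">=3.10"),
]

if __name__ == "__main__":
    # On 3.9 the inconsistent markers keep httpx-aiohttp but drop the aiohttp
    # floor, so only httpx-aiohttp's own transitive requirement bounds aiohttp.
    print(applicable_constraints(INCONSISTENT, (3, 9), {"aiohttp"}))
    print(applicable_constraints(CONSISTENT, (3, 9), {"aiohttp"}))
    print(extras_with_mismatched_markers(INCONSISTENT))
```

The lint in extras_with_mismatched_markers is the check a CI step could run over the generator's dependency list to catch this class of drift before it ships.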
SDK Generation Benchmark Results
Comparing PR branch against median of 5 nightly run(s) on main (generator): generator-only time via --skip-scripts (includes Docker image build, container startup, IR parsing, and code generation; this is the same Docker-based flow customers use). Full benchmark table not captured.
#16235 chore(deps): remove orphaned seed files for basic-auth-pw-omitted
The seed.yml config for basic-auth-pw-omitted only generates output into the with-wire-tests/ subfolder. These root-level files were orphaned from a previous configuration and still referenced aiohttp 3.13.5, keeping Dependabot alerts #2080 and #2081 open despite the generator fix in #16230.
Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
…E-2026-47266
Both Dependabot alerts #2081 (CVE-2026-47265, cross-origin redirect with per-request cookies) and #2080 (CVE-2026-47266, deserialization of untrusted data) reference seed/python-sdk/basic-auth-pw-omitted/poetry.lock which no longer exists in the repository. The aiohttp lower bound was already bumped to >=3.14.0 in PR #16230 and all remaining seed poetry.lock files contain aiohttp 3.14.0 (the patched version). The orphaned manifest file was removed in PR #16235.
Description
Addresses Dependabot alerts #2081 (CVE-2026-47265 — cross-origin redirect with per-request cookies) and #2080 (CVE-2026-47266 — deserialization of untrusted data).
Changes Made
- Bumped the aiohttp lower bound from >=3.13.4,<4 to >=3.14.0,<4 in the Python SDK generator source (sdk_generator.py)
- Tightened the Python marker from >=3.9 to >=3.10 (aiohttp 3.14.0 requires Python 3.10+)
- Dependabot alert record: .github/dependabot-alerts/alert-2081.md
Next Step
The Update Seed workflow needs to be triggered on this branch with language=python to regenerate the seed/python-sdk/**/poetry.lock files.
Testing
Link to Devin session: https://app.devin.ai/sessions/89af7d2e63e64a8c834cb8e8cf03969d