
LCORE-1692: Fixed CVE in AIOHTTP package#1455

Merged: tisnik merged 1 commit into lightspeed-core:main from tisnik:lcore-1692-fixed-cve-in-aiohhtp-package on Apr 5, 2026

Conversation


@tisnik tisnik commented Apr 5, 2026

Description

LCORE-1692: Fixed CVE in AIOHTTP package

Type of change

  • Refactor
  • New feature
  • Bug fix
  • CVE fix
  • Optimization
  • Documentation Update
  • Configuration Update
  • Bump-up service version
  • Bump-up dependent library
  • Bump-up library or tool used for development (does not change the final image)
  • CI configuration change
  • Konflux configuration change
  • Unit tests improvement
  • Integration tests improvement
  • End to end tests improvement
  • Benchmarks improvement

Tools used to create PR

  • Assisted-by: N/A
  • Generated by: N/A

Related Tickets & Documents

  • Related Issue #LCORE-1692

Summary by CodeRabbit

  • Chores
    • Updated build system dependencies for improved compatibility
    • Modified pipeline configurations to optimize dependency management
    • Updated dependency integrity verification and requirements pinning


coderabbitai Bot commented Apr 5, 2026

Walkthrough

These changes update the aiohttp dependency from version 3.13.3 to 3.13.5 across build requirements and CI/CD pipeline configurations, while removing aiohttp from Tekton prefetch binary package lists and updating related dependency metadata.

Changes

  • Tekton Pipeline Configuration (.tekton/lightspeed-stack-pull-request.yaml, .tekton/lightspeed-stack-push.yaml): Removed aiohttp from prefetch-input pip binary package lists in both pull-request and push pipeline definitions.
  • Dependency Lock and Requirement Files (requirements.hashes.source.txt, requirements.hashes.wheel.txt, requirements.overrides.txt, requirements-build.txt): Updated aiohttp version from 3.13.3 to 3.13.5 with corresponding SHA256 hash updates; added pkgconfig==1.6.0 and updated related dependency provenance comments.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks: 3 passed
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately describes the main change: fixing a CVE in the AIOHTTP package, which is reflected across multiple dependency and configuration files.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@requirements.overrides.txt`:
- Line 6: Update the stale comment that currently reads "# aiohttp==3.13.3" to
reflect the fixed version by changing it to "# aiohttp==3.13.5"; ensure the
comment text exactly matches the pinned version in
requirements.hashes.source.txt so it cannot be mistaken for an older vulnerable
version.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 98e114ed-2c51-42ac-b610-f0969bbdc8c7

📥 Commits

Reviewing files that changed from the base of the PR and between f247e21 and 57be9f5.

📒 Files selected for processing (6)
  • .tekton/lightspeed-stack-pull-request.yaml
  • .tekton/lightspeed-stack-push.yaml
  • requirements-build.txt
  • requirements.hashes.source.txt
  • requirements.hashes.wheel.txt
  • requirements.overrides.txt
💤 Files with no reviewable changes (1)
  • requirements.hashes.wheel.txt
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)
  • GitHub Check: Konflux kflux-prd-rh02 / lightspeed-stack-on-pull-request
  • GitHub Check: E2E Tests for Lightspeed Evaluation job
  • GitHub Check: build-pr
  • GitHub Check: E2E: server mode / ci
  • GitHub Check: E2E: library mode / ci
🔇 Additional comments (4)
requirements.hashes.source.txt (1)

11-131: Pinned aiohttp source requirement and hash set look consistent.

The update to aiohttp==3.13.5 with explicit hashes is coherent with the dependency-locking approach used in this file.

requirements-build.txt (1)

77-78: Build dependency provenance updates are consistent.

The pkgconfig and aiohttp provenance annotations align with the generated build dependency metadata and look correct.

Also applies to: 85-85, 125-125

.tekton/lightspeed-stack-pull-request.yaml (1)

61-61: Prefetch binary package list update is coherent for PR pipeline.

Removing aiohttp from binary.packages here is consistent with the dependency remediation flow and keeps the JSON payload valid.

.tekton/lightspeed-stack-push.yaml (1)

53-53: Push pipeline prefetch change is consistent with PR pipeline.

The binary.packages update mirrors the PR pipeline adjustment, which avoids configuration drift between CI entry points.

tokenizers==0.22.2
scipy==1.17.0
aiohttp==3.13.3
# aiohttp==3.13.3
coderabbitai Bot commented on requirements.overrides.txt:
⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Confirm stale pin references are gone (expected: no matches after fix)
rg -nP '\baiohttp==3\.13\.3\b' || true

# Confirm fixed pin references exist
rg -nP '\baiohttp==3\.13\.5\b' || true

Repository: lightspeed-core/lightspeed-stack

Length of output: 174


Update the stale aiohttp==3.13.3 comment to match the fixed version.

Line 6 still references the old vulnerable version in a comment. Update it to # aiohttp==3.13.5 to align with the actual pinned version in requirements.hashes.source.txt and eliminate rollback risk.

Proposed fix
-# aiohttp==3.13.3
+# aiohttp==3.13.5
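Review bot: this hunk changes only a comment, so nothing in it is enforced at install time; the effective pin is in requirements.hashes.source.txt (as the comment above says), which leaves the commented-out `# aiohttp==3.13.5` line as a second copy of the version string that can go stale again. Consider dropping the commented-out line from requirements.overrides.txt, or replacing it with a note that points to requirements.hashes.source.txt, rather than maintaining the version in two places.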
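As an added example (not code from the lightspeed-stack repository or from CodeRabbit), the check the review asks for in reusable form: parse pip requirement files, find every pin of a package, and report active pins below the fixed version as errors and commented-out pins as warnings, so a stale `# aiohttp==3.13.3` in requirements.overrides.txt is reported separately from the effective `aiohttp==3.13.5` pin in requirements.hashes.source.txt. The sample file contents and the `--hash` value are constructed placeholders.

```python
import re

# Added example, not code from the lightspeed-stack repo: matches "pkg==1.2.3",
# optionally prefixed by "#"; "--hash=sha256:..." lines have a single "=" and never match.
PIN_RE = re.compile(
    r"^(?P<comment>#\s*)?(?P<name>[A-Za-z0-9_.-]+)==(?P<version>[0-9][0-9A-Za-z.]*)"
)

def parse_version(v):
    """Turn '3.13.5' into (3, 13, 5); a non-numeric segment compares as 0."""
    parts = []
    for seg in v.split("."):
        num = re.match(r"\d+", seg)
        parts.append(int(num.group()) if num else 0)
    return tuple(parts)

def find_pins(text, package):
    """Return (line_no, version, is_comment) for every pin of `package` in `text`."""
    pins = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        m = PIN_RE.match(raw.strip())
        if m and m.group("name").lower() == package.lower():
            pins.append((line_no, m.group("version"), m.group("comment") is not None))
    return pins

def check_requirements(files, package, fixed_version):
    """Report pins of `package` below `fixed_version` in {path: contents}:
    active pins are 'error' (would install the vulnerable version), commented-out
    pins are 'warning' (stale text that misleads or may be uncommented later)."""
    floor = parse_version(fixed_version)
    findings = []
    for path, text in files.items():
        for line_no, version, is_comment in find_pins(text, package):
            if parse_version(version) < floor:
                severity = "warning" if is_comment else "error"
                findings.append((severity, path, line_no, version))
    return findings

# Constructed sample files mirroring the PR's layout; the hash is a placeholder.
SAMPLE_FILES = {
    "requirements.overrides.txt": "tokenizers==0.22.2\nscipy==1.17.0\n# aiohttp==3.13.3\n",
    "requirements.hashes.source.txt": "aiohttp==3.13.5 \\\n    --hash=sha256:PLACEHOLDER_NOT_A_REAL_HASH\n",
}

if __name__ == "__main__":
    for severity, path, line_no, version in check_requirements(SAMPLE_FILES, "aiohttp", "3.13.5"):
        print(f"{severity}: {path}:{line_no} pins aiohttp=={version} (fixed in 3.13.5)")
```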

@tisnik tisnik merged commit 3c6e79d into lightspeed-core:main Apr 5, 2026
25 of 26 checks passed