Update dependency aiohttp to v3.9.0 (main)

[mend-for-github-com]

This PR contains the following updates:

Package	Update	Change
aiohttp	minor	==3.8.5 -> ==3.9.0

By merging this PR, the issue #3 will be automatically resolved and closed:

Severity	CVSS Score	CVE
High	7.5	CVE-2023-47627
Medium	5.3	CVE-2023-49081
Medium	5.3	CVE-2023-49082

---

Release Notes

aio-libs/aiohttp (aiohttp)

v3.9.0

Compare Source

==================

Features

• Introduced AppKey for static typing support of Application storage.
  See https://docs.aiohttp.org/en/stable/web_advanced.html#application-s-config

  #&#8203;5864 <https://github.com/aio-libs/aiohttp/issues/5864>_

• Added a graceful shutdown period which allows pending tasks to complete before the application's cleanup is called.
  The period can be adjusted with the shutdown_timeout parameter. -- by :user:Dreamsorcerer.
  See https://docs.aiohttp.org/en/latest/web_advanced.html#graceful-shutdown

  #&#8203;7188 <https://github.com/aio-libs/aiohttp/issues/7188>_

• Added handler_cancellation <https://docs.aiohttp.org/en/stable/web_advanced.html#web-handler-cancellation>_ parameter to cancel web handler on client disconnection. -- by :user:mosquito
  This (optionally) reintroduces a feature removed in a previous release.
  Recommended for those looking for an extra level of protection against denial-of-service attacks.

  #&#8203;7056 <https://github.com/aio-libs/aiohttp/issues/7056>_

• Added support for setting response header parameters max_line_size and max_field_size.

  #&#8203;2304 <https://github.com/aio-libs/aiohttp/issues/2304>_

• Added auto_decompress parameter to ClientSession.request to override ClientSession._auto_decompress. -- by :user:Daste745

  #&#8203;3751 <https://github.com/aio-libs/aiohttp/issues/3751>_

• Changed raise_for_status to allow a coroutine.

  #&#8203;3892 <https://github.com/aio-libs/aiohttp/issues/3892>_

• Added client brotli compression support (optional with runtime check).

  #&#8203;5219 <https://github.com/aio-libs/aiohttp/issues/5219>_

• Added client_max_size to BaseRequest.clone() to allow overriding the request body size. -- :user:anesabml.

  #&#8203;5704 <https://github.com/aio-libs/aiohttp/issues/5704>_

• Added a middleware type alias aiohttp.typedefs.Middleware.

  #&#8203;5898 <https://github.com/aio-libs/aiohttp/issues/5898>_

• Exported HTTPMove which can be used to catch any redirection request
  that has a location -- :user:dreamsorcerer.

  #&#8203;6594 <https://github.com/aio-libs/aiohttp/issues/6594>_

• Changed the path parameter in web.run_app() to accept a pathlib.Path object.

  #&#8203;6839 <https://github.com/aio-libs/aiohttp/issues/6839>_

• Performance: Skipped filtering CookieJar when the jar is empty or all cookies have expired.

  #&#8203;7819 <https://github.com/aio-libs/aiohttp/issues/7819>_

• Performance: Only check origin if insecure scheme and there are origins to treat as secure, in CookieJar.filter_cookies().

  #&#8203;7821 <https://github.com/aio-libs/aiohttp/issues/7821>_

• Performance: Used timestamp instead of datetime to achieve faster cookie expiration in CookieJar.

  #&#8203;7824 <https://github.com/aio-libs/aiohttp/issues/7824>_

• Added support for passing a custom server name parameter to HTTPS connection.

  #&#8203;7114 <https://github.com/aio-libs/aiohttp/issues/7114>_

• Added support for using Basic Auth credentials from :file:.netrc file when making HTTP requests with the
  :py:class:~aiohttp.ClientSession trust_env argument is set to True. -- by :user:yuvipanda.

  #&#8203;7131 <https://github.com/aio-libs/aiohttp/issues/7131>_

• Turned access log into no-op when the logger is disabled.

  #&#8203;7240 <https://github.com/aio-libs/aiohttp/issues/7240>_

• Added typing information to RawResponseMessage. -- by :user:Gobot1234

  #&#8203;7365 <https://github.com/aio-libs/aiohttp/issues/7365>_

• Removed async-timeout for Python 3.11+ (replaced with asyncio.timeout() on newer releases).

  #&#8203;7502 <https://github.com/aio-libs/aiohttp/issues/7502>_

• Added support for brotlicffi as an alternative to brotli (fixing Brotli support on PyPy).

  #&#8203;7611 <https://github.com/aio-libs/aiohttp/issues/7611>_

• Added WebSocketResponse.get_extra_info() to access a protocol transport's extra info.

  #&#8203;7078 <https://github.com/aio-libs/aiohttp/issues/7078>_

• Allow link argument to be set to None/empty in HTTP 451 exception.

  #&#8203;7689 <https://github.com/aio-libs/aiohttp/issues/7689>_

Bugfixes

• Implemented stripping the trailing dots from fully-qualified domain names in Host headers and TLS context when acting as an HTTP client.
  This allows the client to connect to URLs with FQDN host name like https://example.com./.
  -- by :user:martin-sucha.

  #&#8203;3636 <https://github.com/aio-libs/aiohttp/issues/3636>_

• Fixed client timeout not working when incoming data is always available without waiting. -- by :user:Dreamsorcerer.

  #&#8203;5854 <https://github.com/aio-libs/aiohttp/issues/5854>_

• Fixed readuntil to work with a delimiter of more than one character.

  #&#8203;6701 <https://github.com/aio-libs/aiohttp/issues/6701>_

• Added __repr__ to EmptyStreamReader to avoid AttributeError.

  #&#8203;6916 <https://github.com/aio-libs/aiohttp/issues/6916>_

• Fixed bug when using TCPConnector with ttl_dns_cache=0.

  #&#8203;7014 <https://github.com/aio-libs/aiohttp/issues/7014>_

• Fixed response returned from expect handler being thrown away. -- by :user:Dreamsorcerer

  #&#8203;7025 <https://github.com/aio-libs/aiohttp/issues/7025>_

• Avoided raising UnicodeDecodeError in multipart and in HTTP headers parsing.

  #&#8203;7044 <https://github.com/aio-libs/aiohttp/issues/7044>_

• Changed sock_read timeout to start after writing has finished, avoiding read timeouts caused by an unfinished write. -- by :user:dtrifiro

  #&#8203;7149 <https://github.com/aio-libs/aiohttp/issues/7149>_

• Fixed missing query in tracing method URLs when using yarl 1.9+.

  #&#8203;7259 <https://github.com/aio-libs/aiohttp/issues/7259>_

• Changed max 32-bit timestamp to an aware datetime object, for consistency with the non-32-bit one, and to avoid a DeprecationWarning on Python 3.12.

  #&#8203;7302 <https://github.com/aio-libs/aiohttp/issues/7302>_

• Fixed EmptyStreamReader.iter_chunks() never ending. -- by :user:mind1m

  #&#8203;7616 <https://github.com/aio-libs/aiohttp/issues/7616>_

• Fixed a rare RuntimeError: await wasn't used with future exception. -- by :user:stalkerg

  #&#8203;7785 <https://github.com/aio-libs/aiohttp/issues/7785>_

• Fixed issue with insufficient HTTP method and version validation.

  #&#8203;7700 <https://github.com/aio-libs/aiohttp/issues/7700>_

• Added check to validate that absolute URIs have schemes.

  #&#8203;7712 <https://github.com/aio-libs/aiohttp/issues/7712>_

• Fixed unhandled exception when Python HTTP parser encounters unpaired Unicode surrogates.

  #&#8203;7715 <https://github.com/aio-libs/aiohttp/issues/7715>_

• Updated parser to disallow invalid characters in header field names and stop accepting LF as a request line separator.

  #&#8203;7719 <https://github.com/aio-libs/aiohttp/issues/7719>_

• Fixed Python HTTP parser not treating 204/304/1xx as an empty body.

  #&#8203;7755 <https://github.com/aio-libs/aiohttp/issues/7755>_

• Ensure empty body response for 1xx/204/304 per RFC 9112 sec 6.3.

  #&#8203;7756 <https://github.com/aio-libs/aiohttp/issues/7756>_

• Fixed an issue when a client request is closed before completing a chunked payload. -- by :user:Dreamsorcerer

  #&#8203;7764 <https://github.com/aio-libs/aiohttp/issues/7764>_

• Edge Case Handling for ResponseParser for missing reason value.

  #&#8203;7776 <https://github.com/aio-libs/aiohttp/issues/7776>_

• Fixed ClientWebSocketResponse.close_code being erroneously set to None when there are concurrent async tasks receiving data and closing the connection.

  #&#8203;7306 <https://github.com/aio-libs/aiohttp/issues/7306>_

• Added HTTP method validation.

  #&#8203;6533 <https://github.com/aio-libs/aiohttp/issues/6533>_

• Fixed arbitrary sequence types being allowed to inject values via version parameter. -- by :user:Dreamsorcerer

  #&#8203;7835 <https://github.com/aio-libs/aiohttp/issues/7835>_

• Performance: Fixed increase in latency with small messages from websocket compression changes.

  #&#8203;7797 <https://github.com/aio-libs/aiohttp/issues/7797>_

Improved Documentation

• Fixed the ClientResponse.release's type in the doc. Changed from comethod to method.

  #&#8203;5836 <https://github.com/aio-libs/aiohttp/issues/5836>_

• Added information on behavior of base_url parameter in ClientSession.

  #&#8203;6647 <https://github.com/aio-libs/aiohttp/issues/6647>_

• Fixed ClientResponseError docs.

  #&#8203;6700 <https://github.com/aio-libs/aiohttp/issues/6700>_

• Updated Redis code examples to follow the latest API.

  #&#8203;6907 <https://github.com/aio-libs/aiohttp/issues/6907>_

• Added a note about possibly needing to update headers when using on_response_prepare. -- by :user:Dreamsorcerer

  #&#8203;7283 <https://github.com/aio-libs/aiohttp/issues/7283>_

• Completed trust_env parameter description to honor wss_proxy, ws_proxy or no_proxy env.

  #&#8203;7325 <https://github.com/aio-libs/aiohttp/issues/7325>_

• Expanded SSL documentation with more examples (e.g. how to use certifi). -- by :user:Dreamsorcerer

  #&#8203;7334 <https://github.com/aio-libs/aiohttp/issues/7334>_

• Fix, update, and improve client exceptions documentation.

  #&#8203;7733 <https://github.com/aio-libs/aiohttp/issues/7733>_

Deprecations and Removals

• Added shutdown_timeout parameter to BaseRunner, while
  deprecating shutdown_timeout parameter from BaseSite. -- by :user:Dreamsorcerer

  #&#8203;7718 <https://github.com/aio-libs/aiohttp/issues/7718>_

• Dropped Python 3.6 support.

  #&#8203;6378 <https://github.com/aio-libs/aiohttp/issues/6378>_

• Dropped Python 3.7 support. -- by :user:Dreamsorcerer

  #&#8203;7336 <https://github.com/aio-libs/aiohttp/issues/7336>_

• Removed support for abandoned tokio event loop. -- by :user:Dreamsorcerer

  #&#8203;7281 <https://github.com/aio-libs/aiohttp/issues/7281>_

Misc

• Made print argument in run_app() optional.

  #&#8203;3690 <https://github.com/aio-libs/aiohttp/issues/3690>_

• Improved performance of ceil_timeout in some cases.

  #&#8203;6316 <https://github.com/aio-libs/aiohttp/issues/6316>_

• Changed importing Gunicorn to happen on-demand, decreasing import time by ~53%. -- :user:Dreamsorcerer

  #&#8203;6591 <https://github.com/aio-libs/aiohttp/issues/6591>_

• Improved import time by replacing http.server with http.HTTPStatus.

  #&#8203;6903 <https://github.com/aio-libs/aiohttp/issues/6903>_

• Fixed annotation of ssl parameter to disallow True. -- by :user:Dreamsorcerer.

  #&#8203;7335 <https://github.com/aio-libs/aiohttp/issues/7335>_

---

v3.8.6

Compare Source

==================

Security bugfixes

• Upgraded the vendored copy of llhttp_ to v9.1.3 -- by :user:Dreamsorcerer

  Thanks to :user:kenballus for reporting this, see
  GHSA-pjjw-qhg8-p2p9.

  .. _llhttp: https://llhttp.org

  #&#8203;7647 <https://github.com/aio-libs/aiohttp/issues/7647>_

• Updated Python parser to comply with RFCs 9110/9112 -- by :user:Dreamorcerer

  Thanks to :user:kenballus for reporting this, see
  GHSA-gfw2-4jvh-wgfg.

  #&#8203;7663 <https://github.com/aio-libs/aiohttp/issues/7663>_

Deprecation

• Added fallback_charset_resolver parameter in ClientSession to allow a user-supplied
  character set detection function.

  Character set detection will no longer be included in 3.9 as a default. If this feature is needed,
  please use fallback_charset_resolver <https://docs.aiohttp.org/en/stable/client_advanced.html#character-set-detection>_.

  #&#8203;7561 <https://github.com/aio-libs/aiohttp/issues/7561>_

Features

• Enabled lenient response parsing for more flexible parsing in the client
  (this should resolve some regressions when dealing with badly formatted HTTP responses). -- by :user:Dreamsorcerer

  #&#8203;7490 <https://github.com/aio-libs/aiohttp/issues/7490>_

Bugfixes

• Fixed PermissionError when .netrc is unreadable due to permissions.

  #&#8203;7237 <https://github.com/aio-libs/aiohttp/issues/7237>_

• Fixed output of parsing errors pointing to a \n. -- by :user:Dreamsorcerer

  #&#8203;7468 <https://github.com/aio-libs/aiohttp/issues/7468>_

• Fixed GunicornWebWorker max_requests_jitter not working.

  #&#8203;7518 <https://github.com/aio-libs/aiohttp/issues/7518>_

• Fixed sorting in filter_cookies to use cookie with longest path. -- by :user:marq24.

  #&#8203;7577 <https://github.com/aio-libs/aiohttp/issues/7577>_

• Fixed display of BadStatusLine messages from llhttp_. -- by :user:Dreamsorcerer

  #&#8203;7651 <https://github.com/aio-libs/aiohttp/issues/7651>_

---

---

• If you want to rebase/retry this PR, check this box