CVS commit: pkgsrc/www/py-aiohttp

["Adam Ciarcinski" <adam%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   adam
Date:           Mon Jun  8 09:57:50 UTC 2026

Modified Files:
        pkgsrc/www/py-aiohttp: Makefile distinfo

Log Message:
py-aiohttp: updated to 3.14.1

3.14.1 (2026-06-07)

Bug fixes

- Fixed a race condition in :py:class:`~aiohttp.TCPConnector` where closing the connector while a DNS resolution was in-flight could raise :py:exc:`AttributeError` instead of 
:py:exc:`~aiohttp.ClientConnectionError` -- by :user:`goingforstudying-ctrl`.

- Fixed ``CancelledError`` not closing a connection -- by :user:`aiolibsbot`.

- Tightened up some websocket parser checks -- by :user:`Dreamsorcerer`.

- Fixed :class:`~aiohttp.CookieJar` dropping the host-only flag of cookies when persisted with :meth:`~aiohttp.CookieJar.save` and reloaded with :meth:`~aiohttp.CookieJar.load`, so a cookie set 
without a ``Domain`` attribute is again scoped to the exact host that set it after a reload; the absolute expiration deadline is now persisted as well, so a reloaded cookie keeps its original 
lifetime instead of being rescheduled from the load time. :meth:`~aiohttp.CookieJar.load` now replaces the jar contents rather than merging onto prior state, and loaded cookies pass through the same 
acceptance rules as :meth:`~aiohttp.CookieJar.update_cookies`, so a cookie for an IP-address host is dropped when loaded into a jar created without ``unsafe=True`` -- by :user:`bdraco`.

- Scoped :class:`~aiohttp.DigestAuthMiddleware` credentials to the origin of the first request it handles, so a redirect to a different origin no longer triggers a digest response computed from the 
configured credentials; a challenge from another origin is only answered when that origin falls within a protection space advertised by the anchor origin through the RFC 7616 ``domain`` directive -- 
by :user:`bdraco`.

- Fixed the C HTTP parser not enforcing ``max_line_size`` on a request target or response reason phrase that is split across multiple reads; each fragment was checked on its own, so an accumulated 
line could exceed the limit without raising ``LineTooLong``. The accumulated length is now checked, matching the pure-Python parser -- by :user:`bdraco`.

- Changed :class:`~aiohttp.TCPConnector` to reject legacy non-canonical numeric IPv4 host forms such as ``2130706433``, ``017700000001`` and ``127.1`` with :exc:`~aiohttp.InvalidUrlClientError`; only 
canonical dotted-quad IPv4 literals are now treated as IP address literals, while every other host is sent through the configured resolver -- by :user:`bdraco`.

- Fixed :meth:`~aiohttp.StreamReader.readany` and :meth:`~aiohttp.StreamReader.read_nowait` joining data fed back into the buffer during the call (when draining below the low water mark resumes 
reading) into a single unbounded :class:`bytes`; a call now returns only the chunks that were buffered when it started, keeping the drain of an unread auto-decompressed request body bounded by the 
read buffer -- by :user:`bdraco`.

- Bounded the number of parsed-but-unhandled pipelined HTTP/1 requests buffered per connection on the server; once the queue reaches an internal limit the parser stops emitting and the transport is 
paused, resuming as the request handler drains the queue, so a client keeping one handler busy can no longer accumulate an unbounded backlog of pipelined requests -- by :user:`bdraco`.

- Fixed :meth:`aiohttp.web.Response.write_eof` skipping ``Payload.close()`` when the body write was interrupted by an error or cancellation, for example when a client disconnects mid-response; the 
payload close hook now runs in a ``finally`` so a :class:`~aiohttp.payload.Payload` body always releases its resources -- by :user:`bdraco`.

- Fixed the pure-Python HTTP parser not enforcing ``max_line_size`` on a chunk-size line when the whole line arrived in a single read; the limit was only applied to chunk-size metadata split across 
reads. The complete-line case is now checked too, matching the split-line behavior -- by :user:`bdraco`.

- Included the per-request ``server_hostname`` override in the :class:`~aiohttp.TCPConnector` connection pool key, so a pooled TLS connection is no longer reused for a request that sets 
``server_hostname`` to a different value -- by :user:`bdraco`.


To generate a diff of this commit:
cvs rdiff -u -r1.106 -r1.107 pkgsrc/www/py-aiohttp/Makefile
cvs rdiff -u -r1.98 -r1.99 pkgsrc/www/py-aiohttp/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/www/py-aiohttp/Makefile
diff -u pkgsrc/www/py-aiohttp/Makefile:1.106 pkgsrc/www/py-aiohttp/Makefile:1.107
--- pkgsrc/www/py-aiohttp/Makefile:1.106        Tue Jun  2 05:11:04 2026
+++ pkgsrc/www/py-aiohttp/Makefile      Mon Jun  8 09:57:50 2026
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.106 2026/06/02 05:11:04 adam Exp $
+# $NetBSD: Makefile,v 1.107 2026/06/08 09:57:50 adam Exp $
 
-DISTNAME=      aiohttp-3.14.0
+DISTNAME=      aiohttp-3.14.1
 PKGNAME=       ${PYPKGPREFIX}-${DISTNAME}
 CATEGORIES=    www python
 MASTER_SITES=  ${MASTER_SITE_PYPI:=a/aiohttp/}

Index: pkgsrc/www/py-aiohttp/distinfo
diff -u pkgsrc/www/py-aiohttp/distinfo:1.98 pkgsrc/www/py-aiohttp/distinfo:1.99
--- pkgsrc/www/py-aiohttp/distinfo:1.98 Tue Jun  2 05:11:04 2026
+++ pkgsrc/www/py-aiohttp/distinfo      Mon Jun  8 09:57:50 2026
@@ -1,5 +1,5 @@
-$NetBSD: distinfo,v 1.98 2026/06/02 05:11:04 adam Exp $
+$NetBSD: distinfo,v 1.99 2026/06/08 09:57:50 adam Exp $
 
-BLAKE2s (aiohttp-3.14.0.tar.gz) = a61b19d5275a8e0936d0ad1d918c66abb7e4ff2926d4a2397a62fe72ade3a725
-SHA512 (aiohttp-3.14.0.tar.gz) = 7888be5d7c285efb84e38cebd3b4dcd8dd199ba654df5faac87d254f9a423d7b5300d195e2d99b196c3d1d53fd8f0cadbcf368ce985e2269ec9c31400e40c036
-Size (aiohttp-3.14.0.tar.gz) = 7940674 bytes
+BLAKE2s (aiohttp-3.14.1.tar.gz) = 31766abd96aaa57a24a0218bdcb06b0c008622f57a3292f54a83c463843229f8
+SHA512 (aiohttp-3.14.1.tar.gz) = 8cba5eff6e62f29fc2f600b30c840febc2a6b947134d6e194a2dcd873972ada2d48cbdaa01216b53cc3127b973b0f30ef1ac69713081b5e1ed2efbfd654fdebc
+Size (aiohttp-3.14.1.tar.gz) = 7955794 bytes