pkgsrc-Changes archive


CVS commit: pkgsrc/www/py-aiohttp



Module Name:    pkgsrc
Committed By:   adam
Date:           Tue Jun  2 05:11:04 UTC 2026

Modified Files:
        pkgsrc/www/py-aiohttp: Makefile distinfo

Log Message:
py-aiohttp: updated to 3.14.0

3.14.0 (2026-06-01)

Features

- Added ``RequestKey`` and ``ResponseKey`` classes,
  which enable static type checking for request & response
  context storages in the same way that ``AppKey`` does for ``Application``
- Added :func:`~aiohttp.encode_basic_auth` for encoding HTTP Basic
  Authentication credentials. Replaces the now-deprecated
  :class:`~aiohttp.BasicAuth`
- Started accepting :term:`asynchronous context managers <asynchronous context manager>` for cleanup contexts.
  Legacy single-yield :term:`asynchronous generator` cleanup contexts continue to be
  supported; async context managers are adapted internally so they are
  entered at startup and exited during cleanup.
- Added :py:attr:`~aiohttp.CookieJar.cookies` and
  :py:attr:`~aiohttp.CookieJar.host_only_cookies` read-only properties to
  :py:class:`~aiohttp.CookieJar` exposing the stored cookies with their full
  attributes
- Added :py:attr:`~aiohttp.web.TCPSite.port` accessor for dynamic port allocations in :class:`~aiohttp.web.TCPSite`
- Added ``decode_text`` parameter to :meth:`~aiohttp.ClientSession.ws_connect`
  and :class:`~aiohttp.web.WebSocketResponse` to receive WebSocket TEXT messages
  as raw bytes instead of decoded strings, enabling direct use with
  high-performance JSON parsers like ``orjson``
- Large overhaul of parser/decompression code.

  The zip bomb security fix in 3.13 stopped highly compressed payloads
  from being decompressed, regardless of validity. Now aiohttp will
  decompress such payloads in chunks of 256+ KiB, allowing safe decompression
  of such payloads.

- Added explicit APIs for bytes-returning JSON serializer:
  ``JSONBytesEncoder`` type, ``JsonBytesPayload``,
  :func:`~aiohttp.web.json_bytes_response`,
  :meth:`~aiohttp.web.WebSocketResponse.send_json_bytes` and
  :meth:`~aiohttp.ClientWebSocketResponse.send_json_bytes` methods, and
  ``json_serialize_bytes`` parameter for :class:`~aiohttp.ClientSession`
- Added :attr:`~aiohttp.ClientResponse.output_size` and
  :attr:`~aiohttp.ClientResponse.upload_complete`

Bug fixes

- Fixed ``ZLibDecompressor`` silently dropping data past the first
  member when decompressing concatenated gzip/deflate streams. Each subsequent
  member is now handed to a fresh decompressor, matching the behaviour already
  implemented for ZSTD multi-frame streams.
- Improved the parser error message shown when TLS handshake bytes are received on an HTTP port
- Fixed the C parser failing to reject a response with a body when none was expected
- Fixed HTTP parser not rejecting HTTP/1.1 requests that do not have a valid Host header.
- Fixed misleading TLS-in-TLS warning being emitted when sending HTTPS requests
  through an HTTP proxy. The warning now only fires when the proxy itself uses
  HTTPS, which is the only case where TLS-in-TLS actually applies
- Fixed ``AssertionError`` when the transport is ``None`` during WebSocket
  preparation or file response sending (e.g. when a client disconnects
  immediately after connecting). A ``ConnectionResetError`` is now raised
  instead
- Fixed ad-hoc cookies passed to individual requests not being sent when the
  session's cookie jar has ``unsafe=True`` and the target URL uses an IP
  address, by copying the ``unsafe`` setting from the session's cookie jar to
  the temporary cookie jar
- Reset the WebSocket heartbeat timer on inbound data to avoid false ping/pong timeouts while receiving large frames
- Switched :py:meth:`~aiohttp.CookieJar.save` to use JSON format and
  :py:meth:`~aiohttp.CookieJar.load` to try JSON first with a fallback to
  a restricted pickle unpickler
- Fixed redirects with consumed non-rewindable request bodies to raise
  :class:`aiohttp.ClientPayloadError` instead of silently sending an empty body.
- Fixed zstd decompression failing with ``ClientPayloadError`` when the server
  sends a response as multiple zstd frames
- Fixed spurious ``Future exception was never retrieved`` warning on disconnect during back-pressure
- ``Cookiejar.save()`` now uses ``0x600`` permissions to better protect them from being read by other users
- Fixed a crash (:external+python:exc:`~http.cookies.CookieError`) in the cookie parser when receiving cookies
  containing ASCII control characters on CPython builds with the :cve:`2026-3644`
  patch. The parser now gracefully skips cookies whose value contains control
  characters instead of letting the exception propagate
- Fixed digest authentication failing for requests whose path or query string
  contains percent-encoded reserved characters; the digest signature now uses
  the encoded request-target that is sent on the wire instead of the decoded
  form
- Fixed :func:`aiohttp.web.run_app` losing inner traceback frames when an
  exception is raised during application startup (e.g. inside
  ``cleanup_ctx`` or ``on_startup``). Regression since 3.10.6.
- Fixed per-request ``cookies`` not being dropped on cross-origin redirects
- Fixed invalid bytes being allowed in multipart/payload headers
- Fixed :py:meth:`~aiohttp.FormData.add_field` accepting invalid bytes in ``name`` and ``filename``
- Fixed websocket upgrade occurring when header contained a value like `notupgrade`

Deprecations (removal in next major release)

- Deprecated :class:`~aiohttp.BasicAuth` and the ``auth`` / ``proxy_auth``
  parameters. They will be removed in aiohttp 4.0. Use the new
  :func:`~aiohttp.encode_basic_auth` helper together with
  ``headers={"Authorization": ...}`` (or
  ``proxy_headers={"Proxy-Authorization": ...}`` for proxies) instead.
  Note that ``encode_basic_auth()`` defaults to `utf-8`, not `latin1`

- Added deprecation warning to ``aiohttp.pytest_plugin``, please switch to ``pytest-aiohttp``
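
The two decompression items in the log message above (bounded, chunked decompression of highly compressed payloads, and a fresh decompressor for each concatenated gzip member), shown with the standard library's zlib. This is an added example, not aiohttp's code and not part of the commit; the function names, the default chunk size and the sample payloads are constructed for illustration.

```python
import gzip
import zlib

CHUNK = 256 * 1024  # assumed per-call output cap, echoing the "256+ KiB" above


def first_member_only(data):
    """The failure mode: a single decompressor stops at the end of the first
    gzip member and leaves everything after it in unused_data."""
    return zlib.decompressobj(wbits=31).decompress(data)


def iter_decompressed(data, chunk=CHUNK, limit=None):
    """Yield decompressed chunks of at most `chunk` bytes from one or more
    concatenated gzip members; raise ValueError once the running total
    passes `limit` or when a member is truncated."""
    total = 0
    while data:
        d = zlib.decompressobj(wbits=31)  # fresh decompressor per member
        buf = data
        while not d.eof:
            # max_length bounds memory per call, whatever the compression ratio
            out = d.decompress(buf, chunk)
            buf = d.unconsumed_tail  # input held back because of max_length
            if not out and not buf and not d.eof:
                raise ValueError("truncated gzip member")
            total += len(out)
            if limit is not None and total > limit:
                raise ValueError("decompressed size exceeds limit")
            if out:
                yield out
        data = d.unused_data  # bytes after this member start the next one


if __name__ == "__main__":
    # Constructed samples: two concatenated members, and 1 MiB of zeros.
    two = gzip.compress(b"first,") + gzip.compress(b"second")
    print(first_member_only(two), b"".join(iter_decompressed(two)))
    bomb = gzip.compress(b"\0" * (1 << 20))
    sizes = [len(c) for c in iter_decompressed(bomb, chunk=64 * 1024)]
    print(len(bomb), "compressed bytes ->", sum(sizes), "in", len(sizes), "chunks")
```
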


To generate a diff of this commit:
cvs rdiff -u -r1.105 -r1.106 pkgsrc/www/py-aiohttp/Makefile
cvs rdiff -u -r1.97 -r1.98 pkgsrc/www/py-aiohttp/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/www/py-aiohttp/Makefile
diff -u pkgsrc/www/py-aiohttp/Makefile:1.105 pkgsrc/www/py-aiohttp/Makefile:1.106
--- pkgsrc/www/py-aiohttp/Makefile:1.105        Wed Apr  1 05:57:17 2026
+++ pkgsrc/www/py-aiohttp/Makefile      Tue Jun  2 05:11:04 2026
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.105 2026/04/01 05:57:17 adam Exp $
+# $NetBSD: Makefile,v 1.106 2026/06/02 05:11:04 adam Exp $
 
-DISTNAME=      aiohttp-3.13.5
+DISTNAME=      aiohttp-3.14.0
 PKGNAME=       ${PYPKGPREFIX}-${DISTNAME}
 CATEGORIES=    www python
 MASTER_SITES=  ${MASTER_SITE_PYPI:=a/aiohttp/}
@@ -10,9 +10,8 @@ HOMEPAGE=     https://github.com/aio-libs/ai
 COMMENT=       Async http client/server framework
 LICENSE=       apache-2.0
 
-TOOL_DEPENDS+= ${PYPKGPREFIX}-cython-[0-9]*:../../devel/py-cython
+TOOL_DEPENDS+= ${PYPKGPREFIX}-pkgconfig>=0:../../devel/py-pkgconfig
 TOOL_DEPENDS+= ${PYPKGPREFIX}-setuptools>=78:../../devel/py-setuptools
-DEPENDS+=      ${PYPKGPREFIX}-aiodns>=3.2.0:../../net/py-aiodns
 DEPENDS+=      ${PYPKGPREFIX}-aiohappyeyeballs>=2.5.0:../../net/py-aiohappyeyeballs
 DEPENDS+=      ${PYPKGPREFIX}-aiosignal>=1.4.0:../../devel/py-aiosignal
 DEPENDS+=      ${PYPKGPREFIX}-attrs>=17.3.0:../../devel/py-attrs
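
Review bot: no reason is given for replacing py-cython with py-pkgconfig in TOOL_DEPENDS at the top of this hunk. The log message is only the upstream changelog, which still refers to a C parser, so a sentence in the log or a comment above the line saying why Cython is no longer needed at build time would help. The new entry also uses `>=0` where the removed line and the TEST_DEPENDS entries use the `-[0-9]*` pattern; `${PYPKGPREFIX}-pkgconfig-[0-9]*` would be consistent with them.
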
@@ -20,11 +19,14 @@ DEPENDS+=   ${PYPKGPREFIX}-frozenlist>=1.1
 DEPENDS+=      ${PYPKGPREFIX}-multidict>=4.5:../../databases/py-multidict
 DEPENDS+=      ${PYPKGPREFIX}-propcache>=0.2.0:../../devel/py-propcache
 DEPENDS+=      ${PYPKGPREFIX}-yarl>=1.17.0:../../www/py-yarl
+# speedups
+DEPENDS+=      ${PYPKGPREFIX}-aiodns>=3.3.0:../../net/py-aiodns
 TEST_DEPENDS+= ${PYPKGPREFIX}-brotli-[0-9]*:../../archivers/py-brotli
 TEST_DEPENDS+= ${PYPKGPREFIX}-freezegun-[0-9]*:../../devel/py-freezegun
 TEST_DEPENDS+= ${PYPKGPREFIX}-gunicorn-[0-9]*:../../www/py-gunicorn
 TEST_DEPENDS+= ${PYPKGPREFIX}-re-assert-[0-9]*:../../devel/py-re-assert
 TEST_DEPENDS+= ${PYPKGPREFIX}-test-cov-[0-9]*:../../devel/py-test-cov
+TEST_DEPENDS+= ${PYPKGPREFIX}-test-mock-[0-9]*:../../devel/py-test-mock
 TEST_DEPENDS+= ${PYPKGPREFIX}-test-timeout-[0-9]*:../../devel/py-test-timeout
 TEST_DEPENDS+= ${PYPKGPREFIX}-test-xdist-[0-9]*:../../devel/py-test-xdist
 #TEST_DEPENDS+=        ${PYPKGPREFIX}-isal-[0-9]*:../../wip/py-isal
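
Review bot: the `# speedups` comment reads as if py-aiodns were optional, but the line under it is a plain `DEPENDS+=`, so it remains a hard run-time dependency, now at >=3.3.0 instead of >=3.2.0. Either say in the comment that it is still required, or mention the minimum-version bump in the log message. Moving it after py-yarl also breaks the alphabetical order the other DEPENDS lines follow.
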

Index: pkgsrc/www/py-aiohttp/distinfo
diff -u pkgsrc/www/py-aiohttp/distinfo:1.97 pkgsrc/www/py-aiohttp/distinfo:1.98
--- pkgsrc/www/py-aiohttp/distinfo:1.97 Wed Apr  1 05:57:17 2026
+++ pkgsrc/www/py-aiohttp/distinfo      Tue Jun  2 05:11:04 2026
@@ -1,5 +1,5 @@
-$NetBSD: distinfo,v 1.97 2026/04/01 05:57:17 adam Exp $
+$NetBSD: distinfo,v 1.98 2026/06/02 05:11:04 adam Exp $
 
-BLAKE2s (aiohttp-3.13.5.tar.gz) = 4ef1446fd13e5016c1495ed777b2c4d89b8042819d589ee48fe0dea5cd6a5db2
-SHA512 (aiohttp-3.13.5.tar.gz) = 42aafde39a7e0d270a43733293be1450ca7d72be9658403218f4c338fba7f942bd362637676146cc77579a0946303a44b012b070a25027d3b87abfb6bc0f9fb9
-Size (aiohttp-3.13.5.tar.gz) = 7858271 bytes
+BLAKE2s (aiohttp-3.14.0.tar.gz) = a61b19d5275a8e0936d0ad1d918c66abb7e4ff2926d4a2397a62fe72ade3a725
+SHA512 (aiohttp-3.14.0.tar.gz) = 7888be5d7c285efb84e38cebd3b4dcd8dd199ba654df5faac87d254f9a423d7b5300d195e2d99b196c3d1d53fd8f0cadbcf368ce985e2269ec9c31400e40c036
+Size (aiohttp-3.14.0.tar.gz) = 7940674 bytes


