Releases: aio-libs/aiohttp
3.9.4rc0
Bug fixes
-
The asynchronous internals now set the underlying causes
when assigning exceptions to the future objects
-- by :user:webknjaz
.Related issues and pull requests on GitHub:
#8089. -
Treated values of
Accept-Encoding
header as case-insensitive when checking for gzip files -- by :user:steverep
.Related issues and pull requests on GitHub:
#8104.
Features
-
Upgraded llhttp to 9.2 -- by :user:
Dreamsorcerer
.Related issues and pull requests on GitHub:
#8146.
Contributor-facing changes
-
The pull request template is now asking the contributors to
answer a question about the long-term maintenance challenges
they envision as a result of merging their patches
-- by :user:webknjaz
.Related issues and pull requests on GitHub:
#8099. -
Updated CI and documentation to use NPM clean install and upgrade node to version 18 -- by :user:
steverep
.Related issues and pull requests on GitHub:
#8116. -
A pytest fixture
hello_txt
was introduced to aid
static file serving tests in
:file:test_web_sendfile_functional.py
. It dynamically
provisionshello.txt
file variants shared across the
tests in the module.-- by :user:
steverep
Related issues and pull requests on GitHub:
#8136. -
Two definitions for "test_invalid_route_name" existed, only one was being run. Refactored them into a single parameterized test. Enabled lint rule to prevent regression. -- by :user:
alexmac
.Related issues and pull requests on GitHub:
#8139.
3.9.3
Bug fixes
-
Fixed backwards compatibility breakage (in 3.9.2) of
ssl
parameter when set outside
ofClientSession
(e.g. directly inTCPConnector
) -- by :user:Dreamsorcerer
.
Miscellaneous internal changes
-
Improved test suite handling of paths and temp files to consistently use pathlib and pytest fixtures.
Related issues and pull requests on GitHub:
#3957.
3.9.2
Bug fixes
-
Fixed server-side websocket connection leak.
Related issues and pull requests on GitHub:
#7978. -
Fixed
web.FileResponse
doing blocking I/O in the event loop.Related issues and pull requests on GitHub:
#8012. -
Fixed double compress when compression enabled and compressed file exists in server file responses.
Related issues and pull requests on GitHub:
#8014. -
Added runtime type check for
ClientSession
timeout
parameter.Related issues and pull requests on GitHub:
#8021. -
Fixed an unhandled exception in the Python HTTP parser on header lines starting with a colon -- by :user:
pajod
.Invalid request lines with anything but a dot between the HTTP major and minor version are now rejected.
Invalid header field names containing question mark or slash are now rejected.
Such requests are incompatible with :rfc:9110#section-5.6.2
and are not known to be of any legitimate use.Related issues and pull requests on GitHub:
#8074. -
Improved validation of paths for static resources requests to the server -- by :user:
bdraco
.Related issues and pull requests on GitHub:
#8079.
Features
-
Added support for passing :py:data:
True
tossl
parameter inClientSession
while
deprecating :py:data:None
-- by :user:xiangyan99
.Related issues and pull requests on GitHub:
#7698.
Breaking changes
-
Fixed an unhandled exception in the Python HTTP parser on header lines starting with a colon -- by :user:
pajod
.Invalid request lines with anything but a dot between the HTTP major and minor version are now rejected.
Invalid header field names containing question mark or slash are now rejected.
Such requests are incompatible with :rfc:9110#section-5.6.2
and are not known to be of any legitimate use.Related issues and pull requests on GitHub:
#8074.
Improved documentation
-
Fixed examples of
fallback_charset_resolver
function in the :doc:client_advanced
document. -- by :user:henry0312
.Related issues and pull requests on GitHub:
#7995. -
The Sphinx setup was updated to avoid showing the empty
changelog draft section in the tagged release documentation
builds on Read The Docs -- by :user:webknjaz
.Related issues and pull requests on GitHub:
#8067.
Packaging updates and notes for downstreams
-
The changelog categorization was made clearer. The
contributors can now mark their fragment files more
accurately -- by :user:webknjaz
.The new category tags are:
* ``bugfix`` * ``feature`` * ``deprecation`` * ``breaking`` (previously, ``removal``) * ``doc`` * ``packaging`` * ``contrib`` * ``misc``
Related issues and pull requests on GitHub:
#8066.
Contributor-facing changes
-
Updated :ref:
contributing/Tests coverage <aiohttp-contributing>
section to show how we usecodecov
-- by :user:Dreamsorcerer
.Related issues and pull requests on GitHub:
#7916. -
The changelog categorization was made clearer. The
contributors can now mark their fragment files more
accurately -- by :user:webknjaz
.The new category tags are:
* ``bugfix`` * ``feature`` * ``deprecation`` * ``breaking`` (previously, ``removal``) * ``doc`` * ``packaging`` * ``contrib`` * ``misc``
Related issues and pull requests on GitHub:
#8066.
Miscellaneous internal changes
-
Replaced all
tmpdir
fixtures withtmp_path
in test suite.Related issues and pull requests on GitHub:
#3551.
3.9.1
Bugfixes
-
Fixed importing aiohttp under PyPy on Windows.
(#7848)
-
Fixed async concurrency safety in websocket compressor.
(#7865)
-
Fixed
ClientResponse.close()
releasing the connection instead of closing.(#7869)
-
Fixed a regression where connection may get closed during upgrade. -- by :user:
Dreamsorcerer
(#7879)
-
Fixed messages being reported as upgraded without an Upgrade header in Python parser. -- by :user:
Dreamsorcerer
(#7895)
3.9.0
Features
-
Introduced
AppKey
for static typing support ofApplication
storage.
See https://docs.aiohttp.org/en/stable/web_advanced.html#application-s-config(#5864)
-
Added a graceful shutdown period which allows pending tasks to complete before the application's cleanup is called.
The period can be adjusted with theshutdown_timeout
parameter. -- by :user:Dreamsorcerer
.
See https://docs.aiohttp.org/en/latest/web_advanced.html#graceful-shutdown(#7188)
-
Added
handler_cancellation <https://docs.aiohttp.org/en/stable/web_advanced.html#web-handler-cancellation>
_ parameter to cancel web handler on client disconnection. -- by :user:mosquito
This (optionally) reintroduces a feature removed in a previous release.
Recommended for those looking for an extra level of protection against denial-of-service attacks.(#7056)
-
Added support for setting response header parameters
max_line_size
andmax_field_size
.(#2304)
-
Added
auto_decompress
parameter toClientSession.request
to overrideClientSession._auto_decompress
. -- by :user:Daste745
(#3751)
-
Changed
raise_for_status
to allow a coroutine.(#3892)
-
Added client brotli compression support (optional with runtime check).
(#5219)
-
Added
client_max_size
toBaseRequest.clone()
to allow overriding the request body size. -- :user:anesabml
.(#5704)
-
Added a middleware type alias
aiohttp.typedefs.Middleware
.(#5898)
-
Exported
HTTPMove
which can be used to catch any redirection request
that has a location -- :user:dreamsorcerer
.(#6594)
-
Changed the
path
parameter inweb.run_app()
to accept apathlib.Path
object.(#6839)
-
Performance: Skipped filtering
CookieJar
when the jar is empty or all cookies have expired.(#7819)
-
Performance: Only check origin if insecure scheme and there are origins to treat as secure, in
CookieJar.filter_cookies()
.(#7821)
-
Performance: Used timestamp instead of
datetime
to achieve faster cookie expiration inCookieJar
.(#7824)
-
Added support for passing a custom server name parameter to HTTPS connection.
(#7114)
-
Added support for using Basic Auth credentials from :file:
.netrc
file when making HTTP requests with the
:py:class:~aiohttp.ClientSession
trust_env
argument is set toTrue
. -- by :user:yuvipanda
.(#7131)
-
Turned access log into no-op when the logger is disabled.
(#7240)
-
Added typing information to
RawResponseMessage
. -- by :user:Gobot1234
(#7365)
-
Removed
async-timeout
for Python 3.11+ (replaced withasyncio.timeout()
on newer releases).(#7502)
-
Added support for
brotlicffi
as an alternative tobrotli
(fixing Brotli support on PyPy).(#7611)
-
Added
WebSocketResponse.get_extra_info()
to access a protocol transport's extra info.(#7078)
-
Allow
link
argument to be set to None/empty in HTTP 451 exception.(#7689)
Bugfixes
-
Implemented stripping the trailing dots from fully-qualified domain names in
Host
headers and TLS context when acting as an HTTP client.
This allows the client to connect to URLs with FQDN host name likehttps://example.com./
.
-- by :user:martin-sucha
.(#3636)
-
Fixed client timeout not working when incoming data is always available without waiting. -- by :user:
Dreamsorcerer
.(#5854)
-
Fixed
readuntil
to work with a delimiter of more than one character.(#6701)
-
Added
__repr__
toEmptyStreamReader
to avoidAttributeError
.(#6916)
-
Fixed bug when using
TCPConnector
withttl_dns_cache=0
.(#7014)
-
Fixed response returned from expect handler being thrown away. -- by :user:
Dreamsorcerer
(#7025)
-
Avoided raising
UnicodeDecodeError
in multipart and in HTTP headers parsing.(#7044)
-
Changed
sock_read
timeout to start after writing has finished, avoiding read timeouts caused by an unfinished write. -- by :user:dtrifiro
(#7149)
-
Fixed missing query in tracing method URLs when using
yarl
1.9+.(#7259)
-
Changed max 32-bit timestamp to an aware datetime object, for consistency with the non-32-bit one, and to avoid a
DeprecationWarning
on Python 3.12.(#7302)
-
Fixed
EmptyStreamReader.iter_chunks()
never ending. -- by :user:mind1m
(#7616)
-
Fixed a rare
RuntimeError: await wasn't used with future
exception. -- by :user:stalkerg
(#7785)
-
Fixed issue with insufficient HTTP method and version validation.
(#7700)
-
Added check to validate that absolute URIs have schemes.
(#7712)
-
Fixed unhandled exception when Python HTTP parser encounters unpaired Unicode surrogates.
(#7715)
-
Updated parser to disallow invalid characters in header field names and stop accepting LF as a request line separator.
(#7719)
-
Fixed Python HTTP parser not treating 204/304/1xx as an empty body.
(#7755)
-
Ensure empty body response for 1xx/204/304 per RFC 9112 sec 6.3.
(#7756)
-
Fixed an issue when a client request is closed before completing a chunked payload. -- by :user:
Dreamsorcerer
(#7764)
-
Edge Case Handling for ResponseParser for missing reason value.
(#7776)
-
Fixed
ClientWebSocketResponse.close_code
being erroneously set toNone
when there are concurrent async tasks receiving data and closing the connection.(#7306)
-
Added HTTP method validation.
(#6533)
-
Fixed arbitrary sequence types being allowed to inject values via version parameter. -- by :user:
Dreamsorcerer
(#7835)
-
Performance: Fixed increase in latency with small messages from websocket compression changes.
(#7797)
Improved Documentation
-
Fixed the
ClientResponse.release
's type in the doc. Changed fromcomethod
tomethod
.(#5836)
-
Added information on behavior of base_url parameter in
ClientSession
.(#6647)
-
Fixed
ClientResponseError
docs.(#6700)
-
Updated Redis code examples to follow the latest API.
(#6907)
-
Added a note about possibly needing to update headers when using
on_response_prepare
. -- by :user:Dreamsorcerer
(#7283)
-
Completed
trust_env
parameter description to honorwss_proxy
,ws_proxy
orno_proxy
env.(#7325)
-
Expanded SSL documentation with more examples (e.g. how to use certifi). -- by :user:
Dreamsorcerer
(#7334)
-
Fix, update, and improve client exceptions documentation.
(#7733)
Deprecations and Removals
-
Added
shutdown_timeout
parameter toBaseRunner
, while
deprecatingshutdown_timeout
parameter fromBaseSite
. -- by :user:Dreamsorcerer
(#7718)
-
Dropped Python 3.6 support.
(#6378)
-
Dropped Python 3.7 support. -- by :user:
Dreamsorcerer
(#7336)
-
Removed support for abandoned
tokio
event loop. -- by :user:Dreamsorcerer
(#7281)
Misc
-
Made
print
argument inrun_app()
optional.(#3690)
-
Improved performance of
ceil_timeout
in some cases.(#6316)
-
Changed importing Gunicorn to happen on-demand, decreasing import time by ~53%. -- :user:
Dreamsorcerer
(#6591)
-
Improved import time by replacing
http.server
withhttp.HTTPStatus
.(#6903)
-
Fixed annotation of
ssl
parameter to disallowTrue
. -- by :user:Dreamsorcerer
.(#7335)
3.9.0rc0
Features
-
Performance: Skipped filtering
CookieJar
when the jar is empty or all cookies have expired.(#7819)
-
Performance: Only check origin if insecure scheme and there are origins to treat as secure, in
CookieJar.filter_cookies()
.(#7821)
-
Performance: Used timestamp instead of
datetime
to achieve faster cookie expiration inCookieJar
.(#7824)
Bugfixes
-
Fixed an issue where the client could go into an infinite loop. -- by :user:
Dreamsorcerer
(#7815)
-
Added HTTP method validation.
(#6533)
-
Fixed arbitrary sequence types being allowed to inject values via version parameter. -- by :user:
Dreamsorcerer
(#7835)
-
Performance: Fixed increase in latency with small messages from websocket compression changes.
(#7797)
3.9.0b1
Features
-
Added
WebSocketResponse.get_extra_info()
to access a protocol transport's extra info.(#7078)
-
Allow
link
argument to be set to None/empty in HTTP 451 exception.(#7689)
-
Added
shutdown_timeout
parameter toBaseRunner
, while
deprecatingshutdown_timeout
parameter fromBaseSite
. -- by :user:Dreamsorcerer
(#7718)
Bugfixes
-
Fixed keep-alive connections stopping a graceful shutdown. -- by :user:
Dreamsorcerer
(#7718)
-
Fixed
ClientWebSocketResponse.close_code
being erroneously set toNone
when there are concurrent async tasks receiving data and closing the connection.(#7306)
-
Changed
AppKey
warning toweb.NotAppKeyWarning
and stop it being displayed by default. -- by :user:Dreamsorcerer
(#7677)
-
Fix issue with insufficient HTTP method and version validation.
(#7700)
-
Add check to validate that absolute URIs have schemes.
(#7712)
-
Fix unhandled exception when Python HTTP parser encounters unpaired Unicode surrogates.
(#7715)
-
Update parser to disallow invalid characters in header field names and stop accepting LF as a request line separator.
(#7719)
-
Fix py http parser not treating 204/304/1xx as an empty body
(#7755)
-
Ensure empty body response for 1xx/204/304 per RFC 9112 sec 6.3
(#7756)
-
Fixed an issue when a client request is closed before completing a chunked payload -- by :user:
Dreamsorcerer
(#7764)
-
Edge Case Handling for ResponseParser for missing reason value
(#7776)
-
Fixed a rare
RuntimeError: await wasn't used with future
exception -- by :user:stalkerg
(#7785)
Improved Documentation
-
Fix, update, and improve client exceptions documentation.
(#7733)
3.9.0b0
Features
-
Introduced
AppKey
for static typing support ofApplication
storage.
See https://docs.aiohttp.org/en/stable/web_advanced.html#application-s-config(#5864)
-
Added a graceful shutdown period which allows pending tasks to complete before the application's cleanup is called.
The period can be adjusted with theshutdown_timeout
parameter. -- by :user:Dreamsorcerer
.
See https://docs.aiohttp.org/en/latest/web_advanced.html#graceful-shutdown(#7188)
-
Added
handler_cancellation <https://docs.aiohttp.org/en/stable/web_advanced.html#web-handler-cancellation>
_ parameter to cancel web handler on client disconnection. -- by :user:mosquito
This (optionally) reintroduces a feature removed in a previous release.
Recommended for those looking for an extra level of protection against denial-of-service attacks.(#7056)
-
Added support for setting response header parameters
max_line_size
andmax_field_size
.(#2304)
-
Added
auto_decompress
parameter toClientSession.request
to overrideClientSession._auto_decompress
. -- by :user:Daste745
(#3751)
-
Changed
raise_for_status
to allow a coroutine.(#3892)
-
Added client brotli compression support (optional with runtime check).
(#5219)
-
Added
client_max_size
toBaseRequest.clone()
to allow overriding the request body size -- :user:anesabml
.(#5704)
-
Added a middleware type alias
aiohttp.typedefs.Middleware
.(#5898)
-
Exported
HTTPMove
which can be used to catch any redirection request
that has a location -- :user:dreamsorcerer
.(#6594)
-
Changed the
path
parameter inweb.run_app()
to accept apathlib.Path
object.(#6839)
-
Added support for passing a custom server name parameter to HTTPS connection.
(#7114)
-
Added support for using Basic Auth credentials from :file:
.netrc
file when making HTTP requests with the :py:class:~aiohttp.ClientSession
trust_env
argument is set toTrue
-- by :user:yuvipanda
.(#7131)
-
Turned access log into no-op when the logger is disabled.
(#7240)
-
Added typing information to
RawResponseMessage
-- by :user:Gobot1234
(#7365)
-
Removed
async-timeout
for Python 3.11+ (replaced withasyncio.timeout()
on newer releases).(#7502)
-
Added support for
brotlicffi
as an alternative tobrotli
(fixing Brotli support on PyPy).(#7611)
Bugfixes
-
Implemented stripping the trailing dots from fully-qualified domain names in
Host
headers and TLS context when acting as an HTTP client.
This allows the client to connect to URLs with FQDN host name likehttps://example.com./
.
-- by :user:martin-sucha
.(#3636)
-
Fixed client timeout not working when incoming data is always available without waiting -- by :user:
Dreamsorcerer
.(#5854)
-
Fixed
readuntil
to work with a delimiter of more than one character(#6701)
-
Added
__repr__
toEmptyStreamReader
to avoidAttributeError
.(#6916)
-
Fixed bug when using
TCPConnector
withttl_dns_cache=0
.(#7014)
-
Fixed response returned from expect handler being thrown away. -- by :user:
Dreamsorcerer
(#7025)
-
Avoided raising
UnicodeDecodeError
in multipart and in HTTP headers parsing.(#7044)
-
Changed
sock_read
timeout to start after writing has finished, avoiding read timeouts caused by an unfinished write. -- by :user:dtrifiro
(#7149)
-
Fixed missing query in tracing method URLs when using
yarl
1.9+.(#7259)
-
Changed max 32-bit timestamp to an aware datetime object, for consistency with the non-32-bit one, and to avoid a
DeprecationWarning
on Python 3.12.(#7302)
-
Fixed
EmptyStreamReader.iter_chunks()
never ending. -- by :user:mind1m
(#7616)
Improved Documentation
-
Fixed the
ClientResponse.release
's type in the doc. Changed fromcomethod
tomethod
.(#5836)
-
Added information on behavior of base_url parameter in
ClientSession
.(#6647)
-
Fixed
ClientResponseError
docs.(#6700)
-
Updated Redis code examples to follow the latest API.
(#6907)
-
Added a note about possibly needing to update headers when using
on_response_prepare
. -- by :user:Dreamsorcerer
(#7283)
-
Completed
trust_env
parameter description to honorwss_proxy
,ws_proxy
orno_proxy
env.(#7325)
-
Expanded SSL documentation with more examples (e.g. how to use certifi). -- by :user:
Dreamsorcerer
(#7334)
Deprecations and Removals
-
Dropped Python 3.6 support.
(#6378)
-
Dropped Python 3.7 support. -- by :user:
Dreamsorcerer
(#7336)
-
Removed support for abandoned
tokio
event loop. -- by :user:Dreamsorcerer
(#7281)
Misc
-
Made
print
argument inrun_app()
optional.(#3690)
-
Improved performance of
ceil_timeout
in some cases.(#6316)
-
Changed importing Gunicorn to happen on-demand, decreasing import time by ~53%. -- :user:
Dreamsorcerer
(#6591)
-
Improved import time by replacing
http.server
withhttp.HTTPStatus
.(#6903)
-
Fixed annotation of
ssl
parameter to disallowTrue
. -- by :user:Dreamsorcerer
(#7335)
3.8.6
Security bugfixes
-
Upgraded the vendored copy of llhttp_ to v9.1.3 -- by :user:
Dreamsorcerer
Thanks to :user:
kenballus
for reporting this, see
GHSA-pjjw-qhg8-p2p9... _llhttp: https://llhttp.org
(#7647)
-
Updated Python parser to comply with RFCs 9110/9112 -- by :user:
Dreamorcerer
Thanks to :user:
kenballus
for reporting this, see
GHSA-gfw2-4jvh-wgfg.(#7663)
Deprecation
-
Added
fallback_charset_resolver
parameter inClientSession
to allow a user-supplied
character set detection function.Character set detection will no longer be included in 3.9 as a default. If this feature is needed,
please usefallback_charset_resolver <https://docs.aiohttp.org/en/stable/client_advanced.html#character-set-detection>
_.(#7561)
Features
-
Enabled lenient response parsing for more flexible parsing in the client
(this should resolve some regressions when dealing with badly formatted HTTP responses). -- by :user:Dreamsorcerer
(#7490)
Bugfixes
-
Fixed
PermissionError
when.netrc
is unreadable due to permissions.(#7237)
-
Fixed output of parsing errors pointing to a
\n
. -- by :user:Dreamsorcerer
(#7468)
-
Fixed
GunicornWebWorker
max_requests_jitter not working.(#7518)
-
Fixed sorting in
filter_cookies
to use cookie with longest path. -- by :user:marq24
.(#7577)
-
Fixed display of
BadStatusLine
messages from llhttp_. -- by :user:Dreamsorcerer
(#7651)
3.8.5
Security bugfixes
-
Upgraded the vendored copy of llhttp_ to v8.1.1 -- by :user:
webknjaz
and :user:Dreamsorcerer
.Thanks to :user:
sethmlarson
for reporting this and providing us with
comprehensive reproducer, workarounds and fixing details! For more
information, see
GHSA-45c4-8wx5-qw6w... _llhttp: https://llhttp.org
(#7346)
Features
-
Added information to C parser exceptions to show which character caused the error. -- by :user:
Dreamsorcerer
(#7366)
Bugfixes
-
Fixed a transport is :data:
None
error -- by :user:Dreamsorcerer
.(#3355)