3.9.4rc0

Bug fixes

• The asynchronous internals now set the underlying causes
  when assigning exceptions to the future objects
  -- by :user:webknjaz.

  Related issues and pull requests on GitHub:
  #8089.

• Treated values of Accept-Encoding header as case-insensitive when checking for gzip files -- by :user:steverep.

  Related issues and pull requests on GitHub:
  #8104.

Features

• Upgraded llhttp to 9.2 -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  #8146.

Contributor-facing changes

• The pull request template is now asking the contributors to
  answer a question about the long-term maintenance challenges
  they envision as a result of merging their patches
  -- by :user:webknjaz.

  Related issues and pull requests on GitHub:
  #8099.

• Updated CI and documentation to use NPM clean install and upgrade node to version 18 -- by :user:steverep.

  Related issues and pull requests on GitHub:
  #8116.

• A pytest fixture hello_txt was introduced to aid
  static file serving tests in
  :file:test_web_sendfile_functional.py. It dynamically
  provisions hello.txt file variants shared across the
  tests in the module.

  -- by :user:steverep

  Related issues and pull requests on GitHub:
  #8136.

• Two definitions for "test_invalid_route_name" existed, only one was being run. Refactored them into a single parameterized test. Enabled lint rule to prevent regression. -- by :user:alexmac.

  Related issues and pull requests on GitHub:
  #8139.

---

3.9.3

Bug fixes

• Fixed backwards compatibility breakage (in 3.9.2) of ssl parameter when set outside
  of ClientSession (e.g. directly in TCPConnector) -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  #8097, #8098.

Miscellaneous internal changes

• Improved test suite handling of paths and temp files to consistently use pathlib and pytest fixtures.

  Related issues and pull requests on GitHub:
  #3957.

---

3.9.2

Bug fixes

• Fixed server-side websocket connection leak.

  Related issues and pull requests on GitHub:
  #7978.

• Fixed web.FileResponse doing blocking I/O in the event loop.

  Related issues and pull requests on GitHub:
  #8012.

• Fixed double compress when compression enabled and compressed file exists in server file responses.

  Related issues and pull requests on GitHub:
  #8014.

• Added runtime type check for ClientSession timeout parameter.

  Related issues and pull requests on GitHub:
  #8021.

• Fixed an unhandled exception in the Python HTTP parser on header lines starting with a colon -- by :user:pajod.

  Invalid request lines with anything but a dot between the HTTP major and minor version are now rejected.
  Invalid header field names containing question mark or slash are now rejected.
  Such requests are incompatible with :rfc:9110#section-5.6.2 and are not known to be of any legitimate use.

  Related issues and pull requests on GitHub:
  #8074.

• Improved validation of paths for static resources requests to the server -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #8079.

Features

• Added support for passing :py:data:True to ssl parameter in ClientSession while
  deprecating :py:data:None -- by :user:xiangyan99.

  Related issues and pull requests on GitHub:
  #7698.

Breaking changes

• Fixed an unhandled exception in the Python HTTP parser on header lines starting with a colon -- by :user:pajod.

  Invalid request lines with anything but a dot between the HTTP major and minor version are now rejected.
  Invalid header field names containing question mark or slash are now rejected.
  Such requests are incompatible with :rfc:9110#section-5.6.2 and are not known to be of any legitimate use.

  Related issues and pull requests on GitHub:
  #8074.

Improved documentation

• Fixed examples of fallback_charset_resolver function in the :doc:client_advanced document. -- by :user:henry0312.

  Related issues and pull requests on GitHub:
  #7995.

• The Sphinx setup was updated to avoid showing the empty
  changelog draft section in the tagged release documentation
  builds on Read The Docs -- by :user:webknjaz.

  Related issues and pull requests on GitHub:
  #8067.

Packaging updates and notes for downstreams

• The changelog categorization was made clearer. The
  contributors can now mark their fragment files more
  accurately -- by :user:webknjaz.

  The new category tags are:

  * ``bugfix``
  
  * ``feature``
  
  * ``deprecation``
  
  * ``breaking`` (previously, ``removal``)
  
  * ``doc``
  
  * ``packaging``
  
  * ``contrib``
  
  * ``misc``
  

  Related issues and pull requests on GitHub:
  #8066.

Contributor-facing changes

• Updated :ref:contributing/Tests coverage <aiohttp-contributing> section to show how we use codecov -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  #7916.

• The changelog categorization was made clearer. The
  contributors can now mark their fragment files more
  accurately -- by :user:webknjaz.

  The new category tags are:

  * ``bugfix``
  
  * ``feature``
  
  * ``deprecation``
  
  * ``breaking`` (previously, ``removal``)
  
  * ``doc``
  
  * ``packaging``
  
  * ``contrib``
  
  * ``misc``
  

  Related issues and pull requests on GitHub:
  #8066.

Miscellaneous internal changes

• Replaced all tmpdir fixtures with tmp_path in test suite.

  Related issues and pull requests on GitHub:
  #3551.

---

3.9.1

Bugfixes

• Fixed importing aiohttp under PyPy on Windows.

  (#7848)

• Fixed async concurrency safety in websocket compressor.

  (#7865)

• Fixed ClientResponse.close() releasing the connection instead of closing.

  (#7869)

• Fixed a regression where connection may get closed during upgrade. -- by :user:Dreamsorcerer

  (#7879)

• Fixed messages being reported as upgraded without an Upgrade header in Python parser. -- by :user:Dreamsorcerer

  (#7895)

---

3.9.0

Features

• Introduced AppKey for static typing support of Application storage.
  See https://docs.aiohttp.org/en/stable/web_advanced.html#application-s-config

  (#5864)

• Added a graceful shutdown period which allows pending tasks to complete before the application's cleanup is called.
  The period can be adjusted with the shutdown_timeout parameter. -- by :user:Dreamsorcerer.
  See https://docs.aiohttp.org/en/latest/web_advanced.html#graceful-shutdown

  (#7188)

• Added handler_cancellation <https://docs.aiohttp.org/en/stable/web_advanced.html#web-handler-cancellation>_ parameter to cancel web handler on client disconnection. -- by :user:mosquito
  This (optionally) reintroduces a feature removed in a previous release.
  Recommended for those looking for an extra level of protection against denial-of-service attacks.

  (#7056)

• Added support for setting response header parameters max_line_size and max_field_size.

  (#2304)

• Added auto_decompress parameter to ClientSession.request to override ClientSession._auto_decompress. -- by :user:Daste745

  (#3751)

• Changed raise_for_status to allow a coroutine.

  (#3892)

• Added client brotli compression support (optional with runtime check).

  (#5219)

• Added client_max_size to BaseRequest.clone() to allow overriding the request body size. -- :user:anesabml.

  (#5704)

• Added a middleware type alias aiohttp.typedefs.Middleware.

  (#5898)

• Exported HTTPMove which can be used to catch any redirection request
  that has a location -- :user:dreamsorcerer.

  (#6594)

• Changed the path parameter in web.run_app() to accept a pathlib.Path object.

  (#6839)

• Performance: Skipped filtering CookieJar when the jar is empty or all cookies have expired.

  (#7819)

• Performance: Only check origin if insecure scheme and there are origins to treat as secure, in CookieJar.filter_cookies().

  (#7821)

• Performance: Used timestamp instead of datetime to achieve faster cookie expiration in CookieJar.

  (#7824)

• Added support for passing a custom server name parameter to HTTPS connection.

  (#7114)

• Added support for using Basic Auth credentials from :file:.netrc file when making HTTP requests with the
  :py:class:~aiohttp.ClientSession trust_env argument is set to True. -- by :user:yuvipanda.

  (#7131)

• Turned access log into no-op when the logger is disabled.

  (#7240)

• Added typing information to RawResponseMessage. -- by :user:Gobot1234

  (#7365)

• Removed async-timeout for Python 3.11+ (replaced with asyncio.timeout() on newer releases).

  (#7502)

• Added support for brotlicffi as an alternative to brotli (fixing Brotli support on PyPy).

  (#7611)

• Added WebSocketResponse.get_extra_info() to access a protocol transport's extra info.

  (#7078)

• Allow link argument to be set to None/empty in HTTP 451 exception.

  (#7689)

Bugfixes

• Implemented stripping the trailing dots from fully-qualified domain names in Host headers and TLS context when acting as an HTTP client.
  This allows the client to connect to URLs with FQDN host name like https://example.com./.
  -- by :user:martin-sucha.

  (#3636)

• Fixed client timeout not working when incoming data is always available without waiting. -- by :user:Dreamsorcerer.

  (#5854)

• Fixed readuntil to work with a delimiter of more than one character.

  (#6701)

• Added __repr__ to EmptyStreamReader to avoid AttributeError.

  (#6916)

• Fixed bug when using TCPConnector with ttl_dns_cache=0.

  (#7014)

• Fixed response returned from expect handler being thrown away. -- by :user:Dreamsorcerer

  (#7025)

• Avoided raising UnicodeDecodeError in multipart and in HTTP headers parsing.

  (#7044)

• Changed sock_read timeout to start after writing has finished, avoiding read timeouts caused by an unfinished write. -- by :user:dtrifiro

  (#7149)

• Fixed missing query in tracing method URLs when using yarl 1.9+.

  (#7259)

• Changed max 32-bit timestamp to an aware datetime object, for consistency with the non-32-bit one, and to avoid a DeprecationWarning on Python 3.12.

  (#7302)

• Fixed EmptyStreamReader.iter_chunks() never ending. -- by :user:mind1m

  (#7616)

• Fixed a rare RuntimeError: await wasn't used with future exception. -- by :user:stalkerg

  (#7785)

• Fixed issue with insufficient HTTP method and version validation.

  (#7700)

• Added check to validate that absolute URIs have schemes.

  (#7712)

• Fixed unhandled exception when Python HTTP parser encounters unpaired Unicode surrogates.

  (#7715)

• Updated parser to disallow invalid characters in header field names and stop accepting LF as a request line separator.

  (#7719)

• Fixed Python HTTP parser not treating 204/304/1xx as an empty body.

  (#7755)

• Ensure empty body response for 1xx/204/304 per RFC 9112 sec 6.3.

  (#7756)

• Fixed an issue when a client request is closed before completing a chunked payload. -- by :user:Dreamsorcerer

  (#7764)

• Edge Case Handling for ResponseParser for missing reason value.

  (#7776)

• Fixed ClientWebSocketResponse.close_code being erroneously set to None when there are concurrent async tasks receiving data and closing the connection.

  (#7306)

• Added HTTP method validation.

  (#6533)

• Fixed arbitrary sequence types being allowed to inject values via version parameter. -- by :user:Dreamsorcerer

  (#7835)

• Performance: Fixed increase in latency with small messages from websocket compression changes.

  (#7797)

Improved Documentation

• Fixed the ClientResponse.release's type in the doc. Changed from comethod to method.

  (#5836)

• Added information on behavior of base_url parameter in ClientSession.

  (#6647)

• Fixed ClientResponseError docs.

  (#6700)

• Updated Redis code examples to follow the latest API.

  (#6907)

• Added a note about possibly needing to update headers when using on_response_prepare. -- by :user:Dreamsorcerer

  (#7283)

• Completed trust_env parameter description to honor wss_proxy, ws_proxy or no_proxy env.

  (#7325)

• Expanded SSL documentation with more examples (e.g. how to use certifi). -- by :user:Dreamsorcerer

  (#7334)

• Fix, update, and improve client exceptions documentation.

  (#7733)

Deprecations and Removals

• Added shutdown_timeout parameter to BaseRunner, while
  deprecating shutdown_timeout parameter from BaseSite. -- by :user:Dreamsorcerer

  (#7718)

• Dropped Python 3.6 support.

  (#6378)

• Dropped Python 3.7 support. -- by :user:Dreamsorcerer

  (#7336)

• Removed support for abandoned tokio event loop. -- by :user:Dreamsorcerer

  (#7281)

Misc

• Made print argument in run_app() optional.

  (#3690)

• Improved performance of ceil_timeout in some cases.

  (#6316)

• Changed importing Gunicorn to happen on-demand, decreasing import time by ~53%. -- :user:Dreamsorcerer

  (#6591)

• Improved import time by replacing http.server with http.HTTPStatus.

  (#6903)

• Fixed annotation of ssl parameter to disallow True. -- by :user:Dreamsorcerer.

  (#7335)

---

3.9.0rc0

Features

• Performance: Skipped filtering CookieJar when the jar is empty or all cookies have expired.

  (#7819)

• Performance: Only check origin if insecure scheme and there are origins to treat as secure, in CookieJar.filter_cookies().

  (#7821)

• Performance: Used timestamp instead of datetime to achieve faster cookie expiration in CookieJar.

  (#7824)

Bugfixes

• Fixed an issue where the client could go into an infinite loop. -- by :user:Dreamsorcerer

  (#7815)

• Added HTTP method validation.

  (#6533)

• Fixed arbitrary sequence types being allowed to inject values via version parameter. -- by :user:Dreamsorcerer

  (#7835)

• Performance: Fixed increase in latency with small messages from websocket compression changes.

  (#7797)

---

3.9.0b1

Features

• Added WebSocketResponse.get_extra_info() to access a protocol transport's extra info.

  (#7078)

• Allow link argument to be set to None/empty in HTTP 451 exception.

  (#7689)

• Added shutdown_timeout parameter to BaseRunner, while
  deprecating shutdown_timeout parameter from BaseSite. -- by :user:Dreamsorcerer

  (#7718)

Bugfixes

• Fixed keep-alive connections stopping a graceful shutdown. -- by :user:Dreamsorcerer

  (#7718)

• Fixed ClientWebSocketResponse.close_code being erroneously set to None when there are concurrent async tasks receiving data and closing the connection.

  (#7306)

• Changed AppKey warning to web.NotAppKeyWarning and stop it being displayed by default. -- by :user:Dreamsorcerer

  (#7677)

• Fix issue with insufficient HTTP method and version validation.

  (#7700)

• Add check to validate that absolute URIs have schemes.

  (#7712)

• Fix unhandled exception when Python HTTP parser encounters unpaired Unicode surrogates.

  (#7715)

• Update parser to disallow invalid characters in header field names and stop accepting LF as a request line separator.

  (#7719)

• Fix py http parser not treating 204/304/1xx as an empty body

  (#7755)

• Ensure empty body response for 1xx/204/304 per RFC 9112 sec 6.3

  (#7756)

• Fixed an issue when a client request is closed before completing a chunked payload -- by :user:Dreamsorcerer

  (#7764)

• Edge Case Handling for ResponseParser for missing reason value

  (#7776)

• Fixed a rare RuntimeError: await wasn't used with future exception -- by :user:stalkerg

  (#7785)

Improved Documentation

• Fix, update, and improve client exceptions documentation.

  (#7733)

---

3.9.0b0

Features

• Introduced AppKey for static typing support of Application storage.
  See https://docs.aiohttp.org/en/stable/web_advanced.html#application-s-config

  (#5864)

• Added a graceful shutdown period which allows pending tasks to complete before the application's cleanup is called.
  The period can be adjusted with the shutdown_timeout parameter. -- by :user:Dreamsorcerer.
  See https://docs.aiohttp.org/en/latest/web_advanced.html#graceful-shutdown

  (#7188)

• Added handler_cancellation <https://docs.aiohttp.org/en/stable/web_advanced.html#web-handler-cancellation>_ parameter to cancel web handler on client disconnection. -- by :user:mosquito
  This (optionally) reintroduces a feature removed in a previous release.
  Recommended for those looking for an extra level of protection against denial-of-service attacks.

  (#7056)

• Added support for setting response header parameters max_line_size and max_field_size.

  (#2304)

• Added auto_decompress parameter to ClientSession.request to override ClientSession._auto_decompress. -- by :user:Daste745

  (#3751)

• Changed raise_for_status to allow a coroutine.

  (#3892)

• Added client brotli compression support (optional with runtime check).

  (#5219)

• Added client_max_size to BaseRequest.clone() to allow overriding the request body size -- :user:anesabml.

  (#5704)

• Added a middleware type alias aiohttp.typedefs.Middleware.

  (#5898)

• Exported HTTPMove which can be used to catch any redirection request
  that has a location -- :user:dreamsorcerer.

  (#6594)

• Changed the path parameter in web.run_app() to accept a pathlib.Path object.

  (#6839)

• Added support for passing a custom server name parameter to HTTPS connection.

  (#7114)

• Added support for using Basic Auth credentials from :file:.netrc file when making HTTP requests with the :py:class:~aiohttp.ClientSession trust_env argument is set to True -- by :user:yuvipanda.

  (#7131)

• Turned access log into no-op when the logger is disabled.

  (#7240)

• Added typing information to RawResponseMessage -- by :user:Gobot1234

  (#7365)

• Removed async-timeout for Python 3.11+ (replaced with asyncio.timeout() on newer releases).

  (#7502)

• Added support for brotlicffi as an alternative to brotli (fixing Brotli support on PyPy).

  (#7611)

Bugfixes

• Implemented stripping the trailing dots from fully-qualified domain names in Host headers and TLS context when acting as an HTTP client.
  This allows the client to connect to URLs with FQDN host name like https://example.com./.
  -- by :user:martin-sucha.

  (#3636)

• Fixed client timeout not working when incoming data is always available without waiting -- by :user:Dreamsorcerer.

  (#5854)

• Fixed readuntil to work with a delimiter of more than one character

  (#6701)

• Added __repr__ to EmptyStreamReader to avoid AttributeError.

  (#6916)

• Fixed bug when using TCPConnector with ttl_dns_cache=0.

  (#7014)

• Fixed response returned from expect handler being thrown away. -- by :user:Dreamsorcerer

  (#7025)

• Avoided raising UnicodeDecodeError in multipart and in HTTP headers parsing.

  (#7044)

• Changed sock_read timeout to start after writing has finished, avoiding read timeouts caused by an unfinished write. -- by :user:dtrifiro

  (#7149)

• Fixed missing query in tracing method URLs when using yarl 1.9+.

  (#7259)

• Changed max 32-bit timestamp to an aware datetime object, for consistency with the non-32-bit one, and to avoid a DeprecationWarning on Python 3.12.

  (#7302)

• Fixed EmptyStreamReader.iter_chunks() never ending. -- by :user:mind1m

  (#7616)

Improved Documentation

• Fixed the ClientResponse.release's type in the doc. Changed from comethod to method.

  (#5836)

• Added information on behavior of base_url parameter in ClientSession.

  (#6647)

• Fixed ClientResponseError docs.

  (#6700)

• Updated Redis code examples to follow the latest API.

  (#6907)

• Added a note about possibly needing to update headers when using on_response_prepare. -- by :user:Dreamsorcerer

  (#7283)

• Completed trust_env parameter description to honor wss_proxy, ws_proxy or no_proxy env.

  (#7325)

• Expanded SSL documentation with more examples (e.g. how to use certifi). -- by :user:Dreamsorcerer

  (#7334)

Deprecations and Removals

• Dropped Python 3.6 support.

  (#6378)

• Dropped Python 3.7 support. -- by :user:Dreamsorcerer

  (#7336)

• Removed support for abandoned tokio event loop. -- by :user:Dreamsorcerer

  (#7281)

Misc

• Made print argument in run_app() optional.

  (#3690)

• Improved performance of ceil_timeout in some cases.

  (#6316)

• Changed importing Gunicorn to happen on-demand, decreasing import time by ~53%. -- :user:Dreamsorcerer

  (#6591)

• Improved import time by replacing http.server with http.HTTPStatus.

  (#6903)

• Fixed annotation of ssl parameter to disallow True. -- by :user:Dreamsorcerer

  (#7335)

---

3.8.6

Security bugfixes

• Upgraded the vendored copy of llhttp_ to v9.1.3 -- by :user:Dreamsorcerer

  Thanks to :user:kenballus for reporting this, see
  GHSA-pjjw-qhg8-p2p9.

  .. _llhttp: https://llhttp.org

  (#7647)

• Updated Python parser to comply with RFCs 9110/9112 -- by :user:Dreamorcerer

  Thanks to :user:kenballus for reporting this, see
  GHSA-gfw2-4jvh-wgfg.

  (#7663)

Deprecation

• Added fallback_charset_resolver parameter in ClientSession to allow a user-supplied
  character set detection function.

  Character set detection will no longer be included in 3.9 as a default. If this feature is needed,
  please use fallback_charset_resolver <https://docs.aiohttp.org/en/stable/client_advanced.html#character-set-detection>_.

  (#7561)

Features

• Enabled lenient response parsing for more flexible parsing in the client
  (this should resolve some regressions when dealing with badly formatted HTTP responses). -- by :user:Dreamsorcerer

  (#7490)

Bugfixes

• Fixed PermissionError when .netrc is unreadable due to permissions.

  (#7237)

• Fixed output of parsing errors pointing to a \n. -- by :user:Dreamsorcerer

  (#7468)

• Fixed GunicornWebWorker max_requests_jitter not working.

  (#7518)

• Fixed sorting in filter_cookies to use cookie with longest path. -- by :user:marq24.

  (#7577)

• Fixed display of BadStatusLine messages from llhttp_. -- by :user:Dreamsorcerer

  (#7651)

---

3.8.5

Security bugfixes

• Upgraded the vendored copy of llhttp_ to v8.1.1 -- by :user:webknjaz
  and :user:Dreamsorcerer.

  Thanks to :user:sethmlarson for reporting this and providing us with
  comprehensive reproducer, workarounds and fixing details! For more
  information, see
  GHSA-45c4-8wx5-qw6w.

  .. _llhttp: https://llhttp.org

  (#7346)

Features

• Added information to C parser exceptions to show which character caused the error. -- by :user:Dreamsorcerer

  (#7366)

Bugfixes

• Fixed a transport is :data:None error -- by :user:Dreamsorcerer.

  (#3355)

---