3.9.0rc0

Features

• Performance: Skipped filtering CookieJar when the jar is empty or all cookies have expired.

  (#7819)

• Performance: Only check origin if insecure scheme and there are origins to treat as secure, in CookieJar.filter_cookies().

  (#7821)

• Performance: Used timestamp instead of datetime to achieve faster cookie expiration in CookieJar.

  (#7824)

Bugfixes

• Fixed an issue where the client could go into an infinite loop. -- by :user:Dreamsorcerer

  (#7815)

• Added HTTP method validation.

  (#6533)

• Fixed arbitrary sequence types being allowed to inject values via version parameter. -- by :user:Dreamsorcerer

  (#7835)

• Performance: Fixed increase in latency with small messages from websocket compression changes.

  (#7797)

---

3.9.0b1

Features

• Added WebSocketResponse.get_extra_info() to access a protocol transport's extra info.

  (#7078)

• Allow link argument to be set to None/empty in HTTP 451 exception.

  (#7689)

• Added shutdown_timeout parameter to BaseRunner, while
  deprecating shutdown_timeout parameter from BaseSite. -- by :user:Dreamsorcerer

  (#7718)

Bugfixes

• Fixed keep-alive connections stopping a graceful shutdown. -- by :user:Dreamsorcerer

  (#7718)

• Fixed ClientWebSocketResponse.close_code being erroneously set to None when there are concurrent async tasks receiving data and closing the connection.

  (#7306)

• Changed AppKey warning to web.NotAppKeyWarning and stop it being displayed by default. -- by :user:Dreamsorcerer

  (#7677)

• Fix issue with insufficient HTTP method and version validation.

  (#7700)

• Add check to validate that absolute URIs have schemes.

  (#7712)

• Fix unhandled exception when Python HTTP parser encounters unpaired Unicode surrogates.

  (#7715)

• Update parser to disallow invalid characters in header field names and stop accepting LF as a request line separator.

  (#7719)

• Fix py http parser not treating 204/304/1xx as an empty body

  (#7755)

• Ensure empty body response for 1xx/204/304 per RFC 9112 sec 6.3

  (#7756)

• Fixed an issue when a client request is closed before completing a chunked payload -- by :user:Dreamsorcerer

  (#7764)

• Edge Case Handling for ResponseParser for missing reason value

  (#7776)

• Fixed a rare RuntimeError: await wasn't used with future exception -- by :user:stalkerg

  (#7785)

Improved Documentation

• Fix, update, and improve client exceptions documentation.

  (#7733)

---

3.9.0b0

Features

• Introduced AppKey for static typing support of Application storage.
  See https://docs.aiohttp.org/en/stable/web_advanced.html#application-s-config

  (#5864)

• Added a graceful shutdown period which allows pending tasks to complete before the application's cleanup is called.
  The period can be adjusted with the shutdown_timeout parameter. -- by :user:Dreamsorcerer.
  See https://docs.aiohttp.org/en/latest/web_advanced.html#graceful-shutdown

  (#7188)

• Added handler_cancellation <https://docs.aiohttp.org/en/stable/web_advanced.html#web-handler-cancellation>_ parameter to cancel web handler on client disconnection. -- by :user:mosquito
  This (optionally) reintroduces a feature removed in a previous release.
  Recommended for those looking for an extra level of protection against denial-of-service attacks.

  (#7056)

• Added support for setting response header parameters max_line_size and max_field_size.

  (#2304)

• Added auto_decompress parameter to ClientSession.request to override ClientSession._auto_decompress. -- by :user:Daste745

  (#3751)

• Changed raise_for_status to allow a coroutine.

  (#3892)

• Added client brotli compression support (optional with runtime check).

  (#5219)

• Added client_max_size to BaseRequest.clone() to allow overriding the request body size -- :user:anesabml.

  (#5704)

• Added a middleware type alias aiohttp.typedefs.Middleware.

  (#5898)

• Exported HTTPMove which can be used to catch any redirection request
  that has a location -- :user:dreamsorcerer.

  (#6594)

• Changed the path parameter in web.run_app() to accept a pathlib.Path object.

  (#6839)

• Added support for passing a custom server name parameter to HTTPS connection.

  (#7114)

• Added support for using Basic Auth credentials from :file:.netrc file when making HTTP requests with the :py:class:~aiohttp.ClientSession trust_env argument is set to True -- by :user:yuvipanda.

  (#7131)

• Turned access log into no-op when the logger is disabled.

  (#7240)

• Added typing information to RawResponseMessage -- by :user:Gobot1234

  (#7365)

• Removed async-timeout for Python 3.11+ (replaced with asyncio.timeout() on newer releases).

  (#7502)

• Added support for brotlicffi as an alternative to brotli (fixing Brotli support on PyPy).

  (#7611)

Bugfixes

• Implemented stripping the trailing dots from fully-qualified domain names in Host headers and TLS context when acting as an HTTP client.
  This allows the client to connect to URLs with FQDN host name like https://example.com./.
  -- by :user:martin-sucha.

  (#3636)

• Fixed client timeout not working when incoming data is always available without waiting -- by :user:Dreamsorcerer.

  (#5854)

• Fixed readuntil to work with a delimiter of more than one character

  (#6701)

• Added __repr__ to EmptyStreamReader to avoid AttributeError.

  (#6916)

• Fixed bug when using TCPConnector with ttl_dns_cache=0.

  (#7014)

• Fixed response returned from expect handler being thrown away. -- by :user:Dreamsorcerer

  (#7025)

• Avoided raising UnicodeDecodeError in multipart and in HTTP headers parsing.

  (#7044)

• Changed sock_read timeout to start after writing has finished, avoiding read timeouts caused by an unfinished write. -- by :user:dtrifiro

  (#7149)

• Fixed missing query in tracing method URLs when using yarl 1.9+.

  (#7259)

• Changed max 32-bit timestamp to an aware datetime object, for consistency with the non-32-bit one, and to avoid a DeprecationWarning on Python 3.12.

  (#7302)

• Fixed EmptyStreamReader.iter_chunks() never ending. -- by :user:mind1m

  (#7616)

Improved Documentation

• Fixed the ClientResponse.release's type in the doc. Changed from comethod to method.

  (#5836)

• Added information on behavior of base_url parameter in ClientSession.

  (#6647)

• Fixed ClientResponseError docs.

  (#6700)

• Updated Redis code examples to follow the latest API.

  (#6907)

• Added a note about possibly needing to update headers when using on_response_prepare. -- by :user:Dreamsorcerer

  (#7283)

• Completed trust_env parameter description to honor wss_proxy, ws_proxy or no_proxy env.

  (#7325)

• Expanded SSL documentation with more examples (e.g. how to use certifi). -- by :user:Dreamsorcerer

  (#7334)

Deprecations and Removals

• Dropped Python 3.6 support.

  (#6378)

• Dropped Python 3.7 support. -- by :user:Dreamsorcerer

  (#7336)

• Removed support for abandoned tokio event loop. -- by :user:Dreamsorcerer

  (#7281)

Misc

• Made print argument in run_app() optional.

  (#3690)

• Improved performance of ceil_timeout in some cases.

  (#6316)

• Changed importing Gunicorn to happen on-demand, decreasing import time by ~53%. -- :user:Dreamsorcerer

  (#6591)

• Improved import time by replacing http.server with http.HTTPStatus.

  (#6903)

• Fixed annotation of ssl parameter to disallow True. -- by :user:Dreamsorcerer

  (#7335)

---

3.8.6

Security bugfixes

• Upgraded the vendored copy of llhttp_ to v9.1.3 -- by :user:Dreamsorcerer

  Thanks to :user:kenballus for reporting this, see
  GHSA-pjjw-qhg8-p2p9.

  .. _llhttp: https://llhttp.org

  (#7647)

• Updated Python parser to comply with RFCs 9110/9112 -- by :user:Dreamorcerer

  Thanks to :user:kenballus for reporting this, see
  GHSA-gfw2-4jvh-wgfg.

  (#7663)

Deprecation

• Added fallback_charset_resolver parameter in ClientSession to allow a user-supplied
  character set detection function.

  Character set detection will no longer be included in 3.9 as a default. If this feature is needed,
  please use fallback_charset_resolver <https://docs.aiohttp.org/en/stable/client_advanced.html#character-set-detection>_.

  (#7561)

Features

• Enabled lenient response parsing for more flexible parsing in the client
  (this should resolve some regressions when dealing with badly formatted HTTP responses). -- by :user:Dreamsorcerer

  (#7490)

Bugfixes

• Fixed PermissionError when .netrc is unreadable due to permissions.

  (#7237)

• Fixed output of parsing errors pointing to a \n. -- by :user:Dreamsorcerer

  (#7468)

• Fixed GunicornWebWorker max_requests_jitter not working.

  (#7518)

• Fixed sorting in filter_cookies to use cookie with longest path. -- by :user:marq24.

  (#7577)

• Fixed display of BadStatusLine messages from llhttp_. -- by :user:Dreamsorcerer

  (#7651)

---

3.8.5

Security bugfixes

• Upgraded the vendored copy of llhttp_ to v8.1.1 -- by :user:webknjaz
  and :user:Dreamsorcerer.

  Thanks to :user:sethmlarson for reporting this and providing us with
  comprehensive reproducer, workarounds and fixing details! For more
  information, see
  GHSA-45c4-8wx5-qw6w.

  .. _llhttp: https://llhttp.org

  (#7346)

Features

• Added information to C parser exceptions to show which character caused the error. -- by :user:Dreamsorcerer

  (#7366)

Bugfixes

• Fixed a transport is :data:None error -- by :user:Dreamsorcerer.

  (#3355)

---

3.8.4

Bugfixes

• Fixed incorrectly overwriting cookies with the same name and domain, but different path.
  (#6638)
• Fixed ConnectionResetError not being raised after client disconnection in SSL environments.
  (#7180)

---

3.8.3

.. attention::

This is the last :doc:aiohttp <index> release tested under
Python 3.6. The 3.9 stream is dropping it from the CI and the
distribution package metadata.

Bugfixes

• Increased the upper boundary of the :doc:multidict:index dependency
  to allow for the version 6 -- by :user:hugovk.

  It used to be limited below version 7 in :doc:aiohttp <index> v3.8.1 but
  was lowered in v3.8.2 via :pr:6550 and never brought back, causing
  problems with dependency pins when upgrading. :doc:aiohttp <index> v3.8.3
  fixes that by recovering the original boundary of < 7.
  (#6950)

---

3.8.2 (2022-09-20, subsequently yanked on 2022-09-21)

.. note::

This release has some compatibility fixes for Python 3.11 but it may
still have some quirks. Some tests are still flaky in the CI.

.. caution::

This release has been yanked from PyPI. Modern pip will not pick it
up automatically. The reason is that is has multidict < 6 set in
the distribution package metadata (see :pr:6950). Please, use
aiohttp ~= 3.8.3, != 3.8.1 instead, if you can.

Bugfixes

• Added support for registering :rfc:OPTIONS <9110#OPTIONS>
  HTTP method handlers via :py:class:~aiohttp.web.RouteTableDef.
  (#4663)

• Started supporting :rfc:authority-form <9112#authority-form> and
  :rfc:absolute-form <9112#absolute-form> URLs on the server-side.
  (#6227)

• Fixed Python 3.11 incompatibilities by using Cython 0.29.25.
  (#6396)

• Extended the sock argument typing declaration of the
  :py:func:~aiohttp.web.run_app function as optionally
  accepting iterables.
  (#6401)

• Fixed a regression where :py:exc:~asyncio.CancelledError
  occurs on client disconnection.
  (#6719)

• Started exporting :py:class:~aiohttp.web.PrefixedSubAppResource
  under :py:mod:aiohttp.web -- by :user:Dreamsorcerer.

  This fixes a regression introduced by :pr:3469.
  (#6889)

• Dropped the :class:object type possibility from
  the :py:attr:aiohttp.ClientSession.timeout
  property return type declaration.
  (#6917),
  (#6923)

Improved Documentation

• Added clarification on configuring the app object with
  settings such as a database connection.
  (#4137)
• Extended the sock argument typing declaration of the
  :py:func:~aiohttp.web.run_app function as optionally
  accepting iterables.
  (#6401)
• Dropped the :class:object type possibility from
  the :py:attr:aiohttp.ClientSession.timeout
  property return type declaration.
  (#6917),
  (#6923)

Deprecations and Removals

• Dropped Python 3.5 support, :doc:aiohttp <index> only works
  under Python 3.6 and higher from now on.
  (#4046)

Misc

• Removed a deprecated usage of :py:func:pytest.warns(None) <pytest.warns> in tests.
  (#6663)
• (#6369), (#6399), (#6550), (#6708), (#6757), (#6857), (#6872).

---

3.8.2

.. note::

This release has some compatibility fixes for Python 3.11 but it may
still have some quirks. Some tests are still flaky in the CI.

.. attention::

This is the last :doc:aiohttp <index> release tested under
Python 3.6. The 3.9 stream is dropping it from the CI and the
distribution package metadata.

Bugfixes

• Added support for registering :rfc:OPTIONS <9110#OPTIONS>
  HTTP method handlers via :py:class:~aiohttp.web.RouteTableDef.
  (#4663)

• Started supporting :rfc:authority-form <9112#authority-form> and
  :rfc:absolute-form <9112#absolute-form> URLs on the server-side.
  (#6227)

• Fixed Python 3.11 incompatibilities by using Cython 0.29.25.
  (#6396)

• Extended the sock argument typing declaration of the
  :py:func:~aiohttp.web.run_app function as optionally
  accepting iterables.
  (#6401)

• Fixed a regression where :py:exc:~asyncio.CancelledError
  occurs on client disconnection.
  (#6719)

• Started exporting :py:class:~aiohttp.web.PrefixedSubAppResource
  under :py:mod:aiohttp.web -- by :user:Dreamsorcerer.

  This fixes a regression introduced by :pr:3469.
  (#6889)

• Dropped the :class:object type possibility from
  the :py:attr:aiohttp.ClientSession.timeout
  property return type declaration.
  (#6917),
  (#6923)

Improved Documentation

• Added clarification on configuring the app object with
  settings such as a database connection.
  (#4137)
• Extended the sock argument typing declaration of the
  :py:func:~aiohttp.web.run_app function as optionally
  accepting iterables.
  (#6401)
• Dropped the :class:object type possibility from
  the :py:attr:aiohttp.ClientSession.timeout
  property return type declaration.
  (#6917),
  (#6923)

Deprecations and Removals

• Dropped Python 3.5 support, :doc:aiohttp <index> only works
  under Python 3.6 and higher from now on.
  (#4046)

Misc

• Removed a deprecated usage of :py:func:pytest.warns(None) <pytest.warns> in tests.
  (#6663)
• (#6369), (#6399), (#6550), (#6708), (#6757), (#6857), (#6872).

---

v3.8.1

Bugfixes

• Fix the error in handling the return value of getaddrinfo.
  getaddrinfo will return an (int, bytes) tuple, if CPython could not handle the address family.
  It will cause a index out of range error in aiohttp. For example, if user compile CPython with
  --disable-ipv6 option but his system enable the ipv6.
  (#5901)
• Do not install "examples" as a top-level package.
  (#6189)
• Restored ability to connect IPv6-only host.
  (#6195)
• Remove Signal from __all__, replace aiohttp.Signal with aiosignal.Signal in docs
  (#6201)
• Made chunked encoding HTTP header check stricter.
  (#6305)

Improved Documentation

• update quick starter demo codes.
  (#6240)
• Added an explanation of how tiny timeouts affect performance to the client reference document.
  (#6274)
• Add flake8-docstrings to flake8 configuration, enable subset of checks.
  (#6276)
• Added information on running complex applications with additional tasks/processes -- :user:Dreamsorcerer.
  (#6278)

Misc

• (#6205)

---

v3.8.0b0

Features

• Added a GunicornWebWorker feature for extending the aiohttp server configuration by allowing the 'wsgi' coroutine to return web.AppRunner object.
  (#2988)_

• Switch from http-parser to llhttp
  (#3561)_

• Use Brotli instead of brotlipy
  (#3803)_

• Disable implicit switch-back to pure python mode. The build fails loudly if aiohttp
  cannot be compiled with C Accelerators. Use AIOHTTP_NO_EXTENSIONS=1 to explicitly
  disable C Extensions complication and switch to Pure-Python mode. Note that Pure-Python
  mode is significantly slower than compiled one.
  (#3828)_

• Make access log use local time with timezone
  (#3853)_

• Implemented readuntil in StreamResponse
  (#4054)_

• FileResponse now supports ETag.
  (#4594)_

• Add a request handler type alias aiohttp.typedefs.Handler.
  (#4686)_

• AioHTTPTestCase is more async friendly now.

  For people who use unittest and are used to use :py:exc:~unittest.TestCase
  it will be easier to write new test cases like the sync version of the :py:exc:~unittest.TestCase class,
  without using the decorator @unittest_run_loop, just async def test_*.
  The only difference is that for the people using python3.7 and below a new dependency is needed, it is asynctestcase.
  (#4700)_

• Add validation of HTTP header keys and values to prevent header injection.
  (#4818)_

• Add predicate to AbstractCookieJar.clear.
  Add AbstractCookieJar.clear_domain to clean all domain and subdomains cookies only.
  (#4942)_

• Add keepalive_timeout parameter to web.run_app.
  (#5094)_

• Tracing for client sent headers
  (#5105)_

• Make type hints for http parser stricter
  (#5267)_

• Add final declarations for constants.
  (#5275)_

• Switch to external frozenlist and aiosignal libraries.
  (#5293)_

• Don't send secure cookies by insecure transports.

  By default, the transport is secure if https or wss scheme is used.
  Use CookieJar(treat_as_secure_origin="http://127.0.0.1") to override the default security checker.
  (#5571)_

• Always create a new event loop in aiohttp.web.run_app().
  This adds better compatibility with asyncio.run() or if trying to run multiple apps in sequence.
  (#5572)_

• Add aiohttp.pytest_plugin.AiohttpClient for static typing of pytest plugin.
  (#5585)_

• Added a socket_factory argument to BaseTestServer.
  (#5844)_

• Add compression strategy parameter to enable_compression method.
  (#5909)_

• Added support for Python 3.10 to Github Actions CI/CD workflows and fix the related deprecation warnings -- :user:Hanaasagi.
  (#5927)_

• Switched chardet to charset-normalizer for guessing the HTTP payload body encoding -- :user:Ousret.
  (#5930)_

• Added optional auto_decompress argument for HttpRequestParser
  (#5957)_

• Added support for HTTPS proxies to the extent CPython's
  :py:mod:asyncio supports it -- by :user:bmbouter,
  :user:jborean93 and :user:webknjaz.
  (#5992)_

• Added base_url parameter to the initializer of :class:~aiohttp.ClientSession.
  (#6013)_

• Add Trove classifier and create binary wheels for 3.10. -- :user:hugovk.
  (#6079)_

• Started shipping platform-specific wheels with the musl tag targeting typical Alpine Linux runtimes — :user:asvetlov.
  (#6139)_

• Started shipping platform-specific arm64 wheels for Apple Silicon — :user:asvetlov.
  (#6139)_

Bugfixes

• Modify drain_helper() to handle concurrent await resp.write(...) or ws.send_json(...) calls without race-condition.
  (#2934)
• Started using MultiLoopChildWatcher when it's available under POSIX while setting up the test I/O loop.
  (#3450)_
• Only encode content-disposition filename parameter using percent-encoding.
  Other parameters are encoded to quoted-string or RFC2231 extended parameter
  value.
  (#4012)_
• Fixed HTTP client requests to honor no_proxy environment variables.
  (#4431)_
• Change return type on URLDispatcher to UrlMappingMatchInfo to improve type annotations.
  (#4748)_
• Ensure a cleanup context is cleaned up even when an exception occurs during startup.
  (#4799)_
• Added a new exception type for Unix socket client errors which provides a more useful error message.
  (#4984)_
• Remove Transfer-Encoding and Content-Type headers for 204 in StreamResponse
  (#5106)_
• Only depend on typing_extensions for Python <3.8
  (#5107)_
• Add ABNORMAL_CLOSURE and BAD_GATEWAY to WSCloseCode
  (#5192)_
• Fix cookies disappearing from HTTPExceptions.
  (#5233)_
• StaticResource prefixes no longer match URLs with a non-folder prefix. For example routes.static('/foo', '/foo') no longer matches the URL /foobar. Previously, this would attempt to load the file /foo/ar.
  (#5250)_
• Acquire the connection before running traces to prevent race condition.
  (#5259)_
• Add missing slots to ```_RequestContextManagerandWSRequestContextManager``
  (#5329)
• Ensure sending a zero byte file does not throw an exception (round 2)
  (#5380)_
• Set "text/plain" when data is an empty string in client requests.
  (#5392)_
• Stop automatically releasing the ClientResponse object on calls to the ok property for the failed requests.
  (#5403)_
• Include query parameters from params keyword argument in tracing URL.
  (#5432)_
• Fix annotations
  (#5466)_
• Fixed the multipart POST requests processing to always release file
  descriptors for the tempfile.Temporaryfile-created
  _io.BufferedRandom instances of files sent within multipart request
  bodies via HTTP POST requests -- by :user:webknjaz.
  (#5494)_
• Fix 0 being incorrectly treated as an immediate timeout.
  (#5527)_
• Replace deprecated app handler design in tests/autobahn/server.py with call to web.run_app; replace deprecated aiohttp.ws_connect calls in tests/autobahn/client.py with aiohttp.ClienSession.ws_connect.
  (#5606)_
• Fixed test for HTTPUnauthorized that access the text argument. This is not used in any part of the code, so it's removed now.
  (#5657)_
• Remove incorrect default from docs
  (#5727)_
• Remove external test dependency to http://httpbin.org
  (#5840)_
• Don't cancel current task when entering a cancelled timer.
  (#5853)_
• Added params keyword argument to ClientSession.ws_connect. -- :user:hoh.
  (#5868)_
• Uses :py:class:~asyncio.ThreadedChildWatcher under POSIX to allow setting up test loop in non-main thread.
  (#5877)_
• Fix the error in handling the return value of getaddrinfo.
  getaddrinfo will return an (int, bytes) tuple, if CPython could not handle the address family.
  It will cause a index out of range error in aiohttp. For example, if user compile CPython with
  --disable-ipv6 option but his system enable the ipv6.
  (#5901)_
• Removed the deprecated loop argument from the asyncio.sleep/gather calls
  (#5905)_
• Return None from request.if_modified_since, request.if_unmodified_since, request.if_range and response.last_modified when corresponding http date headers are invalid.
  (#5925)_
• Fix resetting SIGCHLD signals in Gunicorn aiohttp Worker to fix subprocesses that capture output having an incorrect returncode.
  (#6130)_
• Raise 400: Content-Length can't be present with Transfer-Encoding if both Content-Length and Transfer-Encoding are sent by peer by both C and Python implementations
  (#6182)_

Improved Documentation

• Refactored OpenAPI/Swagger aiohttp addons, added aio-openapi
  (#5326)_
• Fixed docs on request cookies type, so it matches what is actually used in the code (a
  read-only dictionary-like object).
  (#5725)_
• Documented that the HTTP client Authorization header is removed
  on redirects to a different host or protocol.
  (#5850)_

Misc

• (#3927), (#4247), (#4247), (#5389), (#5457), (#5486), (#5494), (#5515), (#5625), (#5635), (#5648), (#5657), (#5890), (#5914), (#5932), (#6002), (#6045), (#6131), (#6156), (#6165), (#6166)_

---

3.7.4.post0 (2021-03-06)

Misc

• Bumped upper bound of the chardet runtime dependency
  to allow their v4.0 version stream.
  (#5366)_

---