Skip to content

[pull] master from aio-libs:master #426

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
pull merged 95 commits into from
Jan 3, 2026
Merged

[pull] master from aio-libs:master #426

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
95 commits
Select commit Hold shift + click to select a range
3f0a963
Increment version to 3.13.3.dev0
bdraco Oct 28, 2025
881530d
[PR #11643 backport][3.14] Move dependency metadata from `setup.cfg` …
cdce8p Oct 28, 2025
8211220
[PR #11643 backport][3.13] Move dependency metadata from `setup.cfg` …
cdce8p Oct 28, 2025
88a57ae
Bump virtualenv from 20.35.3 to 20.35.4 (#11739)
dependabot[bot] Oct 29, 2025
fdd8a61
[PR #11771/72fadb8f backport][3.14] Bump pypy to supported version (#…
patchback[bot] Nov 21, 2025
1a6abb4
[PR #11689/a091c738 backport][3.14] Remove unused update-pre-commit c…
patchback[bot] Nov 21, 2025
1e65581
[PR #11689/a091c738 backport][3.13] Remove unused update-pre-commit c…
patchback[bot] Nov 21, 2025
3dd962c
Request/Response storage typing (backport to v3.14) (#11775)
gsoldatov Nov 28, 2025
de9d490
Bump pypy to supported version (#11773)
Dreamsorcerer Nov 28, 2025
5464754
Bump regex from 2025.10.23 to 2025.11.3 (#11742)
dependabot[bot] Dec 1, 2025
092e29d
Bump pre-commit from 4.3.0 to 4.4.0 (#11755)
dependabot[bot] Dec 1, 2025
d4e14f5
Bump pytest from 8.4.2 to 9.0.0 (#11754)
dependabot[bot] Dec 1, 2025
3c15317
Bump actions/upload-artifact from 4 to 5 (#11723)
dependabot[bot] Dec 1, 2025
b7244d7
Bump pydantic from 2.12.3 to 2.12.4 (#11747)
dependabot[bot] Dec 1, 2025
4f78079
Bump cython from 3.1.6 to 3.2.0 (#11748)
dependabot[bot] Dec 1, 2025
8116039
Bump brotli from 1.1.0 to 1.2.0 (#11749)
dependabot[bot] Dec 2, 2025
351989c
[PR #11749/81160396 backport][3.13] Bump brotli from 1.1.0 to 1.2.0 (…
patchback[bot] Dec 2, 2025
96060ae
Bump actions/checkout from 5 to 6 (#11768)
dependabot[bot] Dec 2, 2025
1951c23
Bump certifi from 2025.10.5 to 2025.11.12 (#11788)
dependabot[bot] Dec 2, 2025
e7420bf
Bump execnet from 2.1.1 to 2.1.2 (#11789)
dependabot[bot] Dec 2, 2025
ee20538
Bump backports-zstd from 1.0.0 to 1.1.0 (#11790)
dependabot[bot] Dec 2, 2025
1d651d3
Bump sphinxcontrib-spelling from 8.0.1 to 8.0.2 (#11792)
dependabot[bot] Dec 2, 2025
00c5965
Bump pip-tools from 7.5.1 to 7.5.2 (#11793)
dependabot[bot] Dec 2, 2025
7a1dafc
Bump exceptiongroup from 1.3.0 to 1.3.1 (#11791)
dependabot[bot] Dec 2, 2025
149dfa7
Bump pypa/cibuildwheel from 3.2.1 to 3.3.0 (#11760)
dependabot[bot] Dec 2, 2025
b796fce
[PR #11795/d0970585 backport][3.14] Added regression test for cached …
patchback[bot] Dec 3, 2025
ea6c065
[PR #11795/d0970585 backport][3.13] Added regression test for cached …
patchback[bot] Dec 3, 2025
77ab8f3
[PR #11804/bffff8cf backport][3.14] Bump blockbuster to 1.5.26 (#11805)
patchback[bot] Dec 5, 2025
3e4c3be
Bump blockbuster to 1.5.26 (#11804) (#11806)
Dreamsorcerer Dec 5, 2025
14a65ba
Bump cfgv from 3.4.0 to 3.5.0 (#11801)
dependabot[bot] Dec 5, 2025
96c3b46
Bump sigstore/gh-action-sigstore-python from 3.1.0 to 3.2.0 (#11798)
dependabot[bot] Dec 5, 2025
8b3bba8
Bump mypy from 1.18.2 to 1.19.0 (#11800)
dependabot[bot] Dec 5, 2025
a76721a
Bump click from 8.3.0 to 8.3.1 (#11799)
dependabot[bot] Dec 5, 2025
d66a69e
Re-backport 10713 - add regression test (#11807)
meehand Dec 7, 2025
5ac4695
[PR #11807/d66a69e6 backport][3.13] Re-backport 10713 - add regressio…
patchback[bot] Dec 7, 2025
668f7ce
Bump urllib3 from 2.5.0 to 2.6.0 (#11815)
dependabot[bot] Dec 8, 2025
f7fab6d
Bump pytest from 9.0.1 to 9.0.2 (#11817)
dependabot[bot] Dec 8, 2025
0578060
Bump platformdirs from 4.5.0 to 4.5.1 (#11820)
dependabot[bot] Dec 8, 2025
d211915
Bump aiodns from 3.5.0 to 3.6.0 (#11819)
dependabot[bot] Dec 8, 2025
8a4e76d
Bump librt from 0.6.3 to 0.7.3 (#11818)
dependabot[bot] Dec 8, 2025
bed4add
Bump coverage from 7.11.0 to 7.13.0 (#11826)
webknjaz Dec 9, 2025
624a38c
[PR #11826/fb722b8b backport][3.14] Bump coverage from 7.11.0 to 7.13…
patchback[bot] Dec 9, 2025
f53122c
Bump actions/cache from 4.3.0 to 5.0.0 (#11835)
dependabot[bot] Dec 12, 2025
3551e98
Bump urllib3 from 2.6.0 to 2.6.2 (#11836)
dependabot[bot] Dec 12, 2025
b769670
Bump aiodns from 3.6.0 to 3.6.1 (#11837)
dependabot[bot] Dec 12, 2025
3346938
Bump cython from 3.2.2 to 3.2.3 (#11850)
dependabot[bot] Dec 15, 2025
ddd708c
Bump actions/upload-artifact from 5 to 6 (#11848)
dependabot[bot] Dec 15, 2025
0d28293
Bump mypy from 1.19.0 to 1.19.1 (#11849)
dependabot[bot] Dec 15, 2025
1d0ea97
Bump filelock from 3.20.0 to 3.20.1 (#11853)
dependabot[bot] Dec 16, 2025
e82db38
Bump librt from 0.7.3 to 0.7.4 (#11854)
dependabot[bot] Dec 16, 2025
fdd9c1d
Bump pre-commit from 4.5.0 to 4.5.1 (#11856)
dependabot[bot] Dec 17, 2025
7c6ae23
Add decode_text parameter to WebSocket for receiving TEXT as bytes (#…
bdraco Dec 20, 2025
564d932
fix(connector): propagate proxy headers on connection reuse (#11777) …
Dreamsorcerer Dec 21, 2025
3664900
Revert "Bump coverage from 7.11.0 to 7.13.0 (#11826)"
Dreamsorcerer Dec 21, 2025
de6de91
fix(connector): propagate proxy headers on connection reuse (#11777) …
Dreamsorcerer Dec 21, 2025
d6885d5
Bump actions/download-artifact from 6 to 7 (#11847)
dependabot[bot] Dec 21, 2025
93c24f7
Bump actions/cache from 5.0.0 to 5.0.1 (#11846)
dependabot[bot] Dec 21, 2025
0ba7d58
Bump nodeenv from 1.9.1 to 1.10.0 (#11864)
dependabot[bot] Dec 22, 2025
c15746e
[PR #11865/963ca767 backport][3.14] Add python-proxy-headers to third…
patchback[bot] Dec 22, 2025
dcc02a8
[PR #11867/c3b08f73 backport][3.14] Fix flaky test (#11869)
patchback[bot] Dec 23, 2025
0d2d1d6
[PR #11867/c3b08f73 backport][3.13] Fix flaky test (#11868)
patchback[bot] Dec 23, 2025
49a4405
Bump librt from 0.7.4 to 0.7.5 (#11872)
dependabot[bot] Dec 25, 2025
0c26d87
Accept async context managers for cleanup contexts (#11681) (#11704)…
Dreamsorcerer Dec 27, 2025
44f619b
Bump coverage from 7.13.0 to 7.13.1 (#11875)
dependabot[bot] Dec 29, 2025
90f7143
Bump backports-zstd from 1.1.0 to 1.3.0 (#11878)
dependabot[bot] Dec 30, 2025
b0bdefd
[PR #11857/0a915b8f backport][3.14] Fix multipart parsing for empty b…
patchback[bot] Jan 2, 2026
344f6f9
[PR #11857/0a915b8f backport][3.13] Fix multipart parsing for empty b…
patchback[bot] Jan 2, 2026
a5d6456
Fixing test for Continuation frame without intial frame (#11862) (#11…
Dreamsorcerer Jan 2, 2026
fafe1eb
Fixing test for Continuation frame without intial frame (#11862) (#11…
Dreamsorcerer Jan 2, 2026
a969cc5
Bump librt from 0.7.5 to 0.7.7 (#11884)
dependabot[bot] Jan 2, 2026
f7a7043
[PR #11893/fb93442c backport][3.14] Add tests for static route resolu…
patchback[bot] Jan 2, 2026
14d0c81
[PR #11893/fb93442c backport][3.13] Add tests for static route resolu…
patchback[bot] Jan 2, 2026
6dde72e
Improve regex performance (#11885) (#11899)
Dreamsorcerer Jan 2, 2026
ff3f0e2
Reject non-ascii characters in some headers (#11886) (#11901)
Dreamsorcerer Jan 2, 2026
15a367e
Improve regex performance (#11885) (#11900)
Dreamsorcerer Jan 3, 2026
32677f2
Reject non-ascii characters in some headers (#11886) (#11902)
Dreamsorcerer Jan 3, 2026
6d76ac3
[PR #11887/7a067d19 backport][3.14] Reject non-ascii digits in Range …
patchback[bot] Jan 3, 2026
c7b7a04
[PR #11887/7a067d19 backport][3.13] Reject non-ascii digits in Range …
patchback[bot] Jan 3, 2026
f2a86fd
Reject static URLs that traverse outside static root (#11888) (#11906)
Dreamsorcerer Jan 3, 2026
94fb7fc
Reject static URLs that traverse outside static root (#11888) (#11905)
Dreamsorcerer Jan 3, 2026
fae376c
Enforce client_max_size over entire multipart form (#11889) (#11907)
Dreamsorcerer Jan 3, 2026
b7dbd35
Enforce client_max_size over entire multipart form (#11889) (#11908)
Dreamsorcerer Jan 3, 2026
1933571
[PR #11890/384a1730 backport][3.14] Log once per cookie header (#11910)
patchback[bot] Jan 3, 2026
64629a0
[PR #11890/384a1730 backport][3.13] Log once per cookie header (#11909)
patchback[bot] Jan 3, 2026
540053a
[PR #11892/271532ea backport][3.14] Use collections.deque for chunk s…
patchback[bot] Jan 3, 2026
dc3170b
Use collections.deque for chunk splits (#11892) (#11912)
Dreamsorcerer Jan 3, 2026
ed4ab6f
Replace asserts with exceptions (#11897) (#11913)
Dreamsorcerer Jan 3, 2026
bc1319e
Replace asserts with exceptions (#11897) (#11914)
Dreamsorcerer Jan 3, 2026
0d3328e
Limit number of chunks before pausing reading (#11894) (#11915)
Dreamsorcerer Jan 3, 2026
4ed97a4
Limit number of chunks before pausing reading (#11894) (#11916)
Dreamsorcerer Jan 3, 2026
6237b51
Use decompressor max_length parameter (#11898) (#11917)
Dreamsorcerer Jan 3, 2026
2b920c3
Use decompressor max_length parameter (#11898) (#11918)
Dreamsorcerer Jan 3, 2026
41f01ed
Release v3.13.3 (#11919)
Dreamsorcerer Jan 3, 2026
026eced
Merge branch '3.13' into 3.14
Dreamsorcerer Jan 3, 2026
957d5ba
Merge branch '3.14'
Dreamsorcerer Jan 3, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
96 changes: 96 additions & 0 deletions CHANGES.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,102 @@

.. towncrier release notes start

3.13.3 (2026-01-03)
===================

This release contains fixes for several vulnerabilities. It is advised to
upgrade as soon as possible.

Bug fixes
---------

- Fixed proxy authorization headers not being passed when reusing a connection, which caused 407 (Proxy authentication required) errors
-- by :user:`GLeurquin`.


*Related issues and pull requests on GitHub:*
:issue:`2596`.



- Fixed multipart reading failing when encountering an empty body part -- by :user:`Dreamsorcerer`.


*Related issues and pull requests on GitHub:*
:issue:`11857`.



- Fixed a case where the parser wasn't raising an exception for a websocket continuation frame when there was no initial frame in context.


*Related issues and pull requests on GitHub:*
:issue:`11862`.




Removals and backward incompatible breaking changes
---------------------------------------------------

- ``Brotli`` and ``brotlicffi`` minimum version is now 1.2.
Decompression now has a default maximum output size of 32MiB per decompress call -- by :user:`Dreamsorcerer`.


*Related issues and pull requests on GitHub:*
:issue:`11898`.




Packaging updates and notes for downstreams
-------------------------------------------

- Moved dependency metadata from :file:`setup.cfg` to :file:`pyproject.toml` per :pep:`621`
-- by :user:`cdce8p`.


*Related issues and pull requests on GitHub:*
:issue:`11643`.




Contributor-facing changes
--------------------------

- Removed unused ``update-pre-commit`` github action workflow -- by :user:`Cycloctane`.


*Related issues and pull requests on GitHub:*
:issue:`11689`.




Miscellaneous internal changes
------------------------------

- Optimized web server performance when access logging is disabled by reducing time syscalls -- by :user:`bdraco`.


*Related issues and pull requests on GitHub:*
:issue:`10713`.



- Added regression test for cached logging status -- by :user:`meehand`.


*Related issues and pull requests on GitHub:*
:issue:`11778`.




----


3.13.2 (2025-10-28)
===================

Expand Down
2 changes: 0 additions & 2 deletions CHANGES/11643.packaging.rst
View file
Open in desktop

This file was deleted.

1 change: 0 additions & 1 deletion CHANGES/11689.contrib.rst
View file
Open in desktop

This file was deleted.

1 change: 0 additions & 1 deletion CHANGES/11778.misc.rst
View file
Open in desktop

This file was deleted.

1 change: 0 additions & 1 deletion CHANGES/11857.bugfix.rst
View file
Open in desktop

This file was deleted.

1 change: 0 additions & 1 deletion CHANGES/11862.bugfix.rst
View file
Open in desktop

This file was deleted.

2 changes: 0 additions & 2 deletions CHANGES/11898.breaking.rst
View file
Open in desktop

This file was deleted.

2 changes: 0 additions & 2 deletions CHANGES/2596.bugfix.rst
View file
Open in desktop

This file was deleted.

Loading