Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix cookie handling #6638

Merged
merged 4 commits into from
Mar 7, 2022
Merged

Fix cookie handling #6638

merged 4 commits into from
Mar 7, 2022

Conversation

bratao
Copy link
Contributor

@bratao bratao commented Feb 28, 2022

What do these changes do?

There is an error in cookie handling that override the existing cookie even if the path is different. This is a huge bug in aiohttp, as it makes requests to some sites impossible to work.

This is an updated PR as asked by @Dreamsorcerer

The RFC 6265 is clear on this point (https://datatracker.ietf.org/doc/html/rfc6265) , for example:

Finally, to remove a cookie, the server returns a Set-Cookie header
   with an expiration date in the past.  The server will be successful
   in removing the cookie only **if the Path and the Domain attribute** in
   the Set-Cookie header match the values used when the cookie was
   created.

Actually aiohttp only consider domain and name. Pull request #3627 tried to fix this, but the code has been updated vastly since then.

Pay attention to another library, such as requests. It always consider the path as a key to the cookie jar.
https://github.com/psf/requests/blob/79f60274f7e461b8fd2f579e741f748438d7eadb/requests/cookies.py#L189

Are there changes in behavior for the user?

No

Related issue number

Checklist

  • I think the code is well written
  • Unit tests for the changes exist
  • Documentation reflects the changes
  • If you provide code modification, please add yourself to CONTRIBUTORS.txt
    • The format is <Name> <Surname>.
    • Please keep alphabetical order, the file is sorted by names.
  • Add a new news fragment into the CHANGES folder
    • name it <issue_id>.<type> for example (588.bugfix)
    • if you don't have an issue_id change it to the pr id after creating the pr
    • ensure type is one of the following:
      • .feature: Signifying a new feature.
      • .bugfix: Signifying a bug fix.
      • .doc: Signifying a documentation improvement.
      • .removal: Signifying a deprecation or removal of public API.
      • .misc: A ticket has been closed, but it is not of interest to users.
    • Make sure to use full sentences with correct case and punctuation, for example: "Fix issue with non-ascii contents in doctest text files."

@psf-chronographer psf-chronographer bot added the bot:chronographer:provided There is a change note present in this PR label Feb 28, 2022
aiohttp/cookiejar.py Outdated Show resolved Hide resolved
Co-authored-by: Sam Bull <aa6bs0@sambull.org>
@codecov
Copy link

codecov bot commented Mar 1, 2022

Codecov Report

Merging #6638 (58ed64f) into master (b19d559) will increase coverage by 0.00%.
The diff coverage is 100.00%.

Impacted file tree graph

@@           Coverage Diff           @@
##           master    #6638   +/-   ##
=======================================
  Coverage   93.36%   93.36%           
=======================================
  Files         104      104           
  Lines       30624    30637   +13     
  Branches     3080     3080           
=======================================
+ Hits        28592    28605   +13     
  Misses       1859     1859           
  Partials      173      173           
Flag Coverage Δ
unit 93.28% <100.00%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files Coverage Δ
aiohttp/cookiejar.py 98.83% <100.00%> (ø)
tests/test_cookiejar.py 99.09% <100.00%> (+0.03%) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update b19d559...58ed64f. Read the comment docs.

Copy link
Member

@Dreamsorcerer Dreamsorcerer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If no one else reviews, I'll merge it at the weekend.

@Dreamsorcerer Dreamsorcerer merged commit 916b3ee into aio-libs:master Mar 7, 2022
@patchback
Copy link
Contributor

patchback bot commented Mar 7, 2022

Backport to 3.9: 💔 cherry-picking failed — conflicts found

❌ Failed to cleanly apply 916b3ee on top of patchback/backports/3.9/916b3eecda825cd42415b6f8821c035647baf890/pr-6638

Backporting merged PR #6638 into master

  1. Ensure you have a local repo clone of your fork. Unless you cloned it
    from the upstream, this would be your origin remote.
  2. Make sure you have an upstream repo added as a remote too. In these
    instructions you'll refer to it by the name upstream. If you don't
    have it, here's how you can add it:
    $ git remote add upstream https://github.com/aio-libs/aiohttp.git
  3. Ensure you have the latest copy of upstream and prepare a branch
    that will hold the backported code:
    $ git fetch upstream
    $ git checkout -b patchback/backports/3.9/916b3eecda825cd42415b6f8821c035647baf890/pr-6638 upstream/3.9
  4. Now, cherry-pick PR Fix cookie handling #6638 contents into that branch:
    $ git cherry-pick -x 916b3eecda825cd42415b6f8821c035647baf890
    If it'll yell at you with something like fatal: Commit 916b3eecda825cd42415b6f8821c035647baf890 is a merge but no -m option was given., add -m 1 as follows intead:
    $ git cherry-pick -m1 -x 916b3eecda825cd42415b6f8821c035647baf890
  5. At this point, you'll probably encounter some merge conflicts. You must
    resolve them in to preserve the patch from PR Fix cookie handling #6638 as close to the
    original as possible.
  6. Push this branch to your fork on GitHub:
    $ git push origin patchback/backports/3.9/916b3eecda825cd42415b6f8821c035647baf890/pr-6638
  7. Create a PR, ensure that the CI is green. If it's not — update it so that
    the tests and any other checks pass. This is it!
    Now relax and wait for the maintainers to process your pull request
    when they have some cycles to do reviews. Don't worry — they'll tell you if
    any improvements are necessary when the time comes!

🤖 @patchback
I'm built with octomachinery and
my source is open — https://github.com/sanitizers/patchback-github-app.

@Dreamsorcerer
Copy link
Member

Dreamsorcerer commented Mar 7, 2022

If you could handle the backport to 3.9 (as per instructions above), that would be great.

galaxyfeeder pushed a commit to bankfliptech/aiohttp that referenced this pull request Aug 23, 2022
* Fix cookie handling

* Fix cookie handling

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* Update aiohttp/cookiejar.py

Co-authored-by: Sam Bull <aa6bs0@sambull.org>

Co-authored-by: Bruno Cabral <bruno@potelo.com.br>
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Co-authored-by: Sam Bull <aa6bs0@sambull.org>
galaxyfeeder pushed a commit to bankfliptech/aiohttp that referenced this pull request Aug 23, 2022
* Fix cookie handling

* Fix cookie handling

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* Update aiohttp/cookiejar.py

Co-authored-by: Sam Bull <aa6bs0@sambull.org>

Co-authored-by: Bruno Cabral <bruno@potelo.com.br>
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Co-authored-by: Sam Bull <aa6bs0@sambull.org>
(cherry picked from commit 916b3ee)
galaxyfeeder pushed a commit to bankfliptech/aiohttp that referenced this pull request Sep 26, 2022
* Fix cookie handling

* Fix cookie handling

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* Update aiohttp/cookiejar.py

Co-authored-by: Sam Bull <aa6bs0@sambull.org>

Co-authored-by: Bruno Cabral <bruno@potelo.com.br>
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Co-authored-by: Sam Bull <aa6bs0@sambull.org>
(cherry picked from commit 916b3ee)
Dreamsorcerer pushed a commit that referenced this pull request Sep 26, 2022
* Fix cookie handling

* Fix cookie handling

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* Update aiohttp/cookiejar.py

Co-authored-by: Sam Bull <aa6bs0@sambull.org>

Co-authored-by: Bruno Cabral <bruno@potelo.com.br>
Co-authored-by: pre-commit-ci[bot]
<66853113+pre-commit-ci[bot]@users.noreply.github.com>
Co-authored-by: Sam Bull <aa6bs0@sambull.org>
(cherry picked from commit 916b3ee)

<!-- Thank you for your contribution! -->

## What do these changes do?

<!-- Please give a short brief about these changes. -->

## Are there changes in behavior for the user?

<!-- Outline any notable behaviour for the end users. -->

## Related issue number

<!-- Are there any issues opened that will be resolved by merging this
change? -->

## Checklist

- [ ] I think the code is well written
- [ ] Unit tests for the changes exist
- [ ] Documentation reflects the changes
- [ ] If you provide code modification, please add yourself to
`CONTRIBUTORS.txt`
  * The format is &lt;Name&gt; &lt;Surname&gt;.
  * Please keep alphabetical order, the file is sorted by names.
- [ ] Add a new news fragment into the `CHANGES` folder
  * name it `<issue_id>.<type>` for example (588.bugfix)
* if you don't have an `issue_id` change it to the pr id after creating
the pr
  * ensure type is one of the following:
    * `.feature`: Signifying a new feature.
    * `.bugfix`: Signifying a bug fix.
    * `.doc`: Signifying a documentation improvement.
    * `.removal`: Signifying a deprecation or removal of public API.
* `.misc`: A ticket has been closed, but it is not of interest to users.
* Make sure to use full sentences with correct case and punctuation, for
example: "Fix issue with non-ascii contents in doctest text files."

Co-authored-by: Bruno Cabral <brataodream@gmail.com>
Dreamsorcerer pushed a commit that referenced this pull request Sep 27, 2022
* Fix cookie handling

* Fix cookie handling

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* Update aiohttp/cookiejar.py

Co-authored-by: Sam Bull <aa6bs0@sambull.org>

Co-authored-by: Bruno Cabral <bruno@potelo.com.br>
Co-authored-by: pre-commit-ci[bot]
<66853113+pre-commit-ci[bot]@users.noreply.github.com>
Co-authored-by: Sam Bull <aa6bs0@sambull.org>
(cherry picked from commit 916b3ee)

<!-- Thank you for your contribution! -->

## What do these changes do?

<!-- Please give a short brief about these changes. -->

## Are there changes in behavior for the user?

<!-- Outline any notable behaviour for the end users. -->

## Related issue number

<!-- Are there any issues opened that will be resolved by merging this
change? -->

## Checklist

- [ ] I think the code is well written
- [ ] Unit tests for the changes exist
- [ ] Documentation reflects the changes
- [ ] If you provide code modification, please add yourself to
`CONTRIBUTORS.txt`
  * The format is &lt;Name&gt; &lt;Surname&gt;.
  * Please keep alphabetical order, the file is sorted by names.
- [ ] Add a new news fragment into the `CHANGES` folder
  * name it `<issue_id>.<type>` for example (588.bugfix)
* if you don't have an `issue_id` change it to the pr id after creating
the pr
  * ensure type is one of the following:
    * `.feature`: Signifying a new feature.
    * `.bugfix`: Signifying a bug fix.
    * `.doc`: Signifying a documentation improvement.
    * `.removal`: Signifying a deprecation or removal of public API.
* `.misc`: A ticket has been closed, but it is not of interest to users.
* Make sure to use full sentences with correct case and punctuation, for
example: "Fix issue with non-ascii contents in doctest text files."

Co-authored-by: Bruno Cabral <brataodream@gmail.com>
renovate bot referenced this pull request in allenporter/pyrainbird Feb 14, 2023
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [aiohttp](https://togithub.com/aio-libs/aiohttp) | `==3.8.3` ->
`==3.8.4` |
[![age](https://badges.renovateapi.com/packages/pypi/aiohttp/3.8.4/age-slim)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://badges.renovateapi.com/packages/pypi/aiohttp/3.8.4/adoption-slim)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://badges.renovateapi.com/packages/pypi/aiohttp/3.8.4/compatibility-slim/3.8.3)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://badges.renovateapi.com/packages/pypi/aiohttp/3.8.4/confidence-slim/3.8.3)](https://docs.renovatebot.com/merge-confidence/)
|

---

### Release Notes

<details>
<summary>aio-libs/aiohttp</summary>

###
[`v3.8.4`](https://togithub.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#&#8203;384-2023-02-12)

[Compare
Source](https://togithub.com/aio-libs/aiohttp/compare/v3.8.3...v3.8.4)

\==================

## Bugfixes

- Fixed incorrectly overwriting cookies with the same name and domain,
but different path.
    `#&#8203;6638 <https://github.com/aio-libs/aiohttp/issues/6638>`\_
- Fixed `ConnectionResetError` not being raised after client
disconnection in SSL environments.
    `#&#8203;7180 <https://github.com/aio-libs/aiohttp/issues/7180>`\_

***

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://app.renovatebot.com/dashboard#github/allenporter/pyrainbird).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNC4xMzMuMCIsInVwZGF0ZWRJblZlciI6IjM0LjEzMy4wIn0=-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
marcelveldt pushed a commit to music-assistant/python-hass-client that referenced this pull request Apr 19, 2023
Bumps [aiohttp[speedups]](https://github.com/aio-libs/aiohttp) from
3.7.4 to 3.8.4.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/aio-libs/aiohttp/releases">aiohttp[speedups]'s
releases</a>.</em></p>
<blockquote>
<h2>3.8.4</h2>
<h2>Bugfixes</h2>
<ul>
<li>Fixed incorrectly overwriting cookies with the same name and domain,
but different path.
(<a
href="https://github-redirect.dependabot.com/aio-libs/aiohttp/issues/6638">#6638</a>)</li>
<li>Fixed <code>ConnectionResetError</code> not being raised after
client disconnection in SSL environments.
(<a
href="https://github-redirect.dependabot.com/aio-libs/aiohttp/issues/7180">#7180</a>)</li>
</ul>
<hr />
<h2>3.8.3</h2>
<p>.. attention::</p>
<p>This is the last :doc:<code>aiohttp &lt;index&gt;</code> release
tested under
Python 3.6. The 3.9 stream is dropping it from the CI and the
distribution package metadata.</p>
<h2>Bugfixes</h2>
<ul>
<li>
<p>Increased the upper boundary of the :doc:<code>multidict:index</code>
dependency
to allow for the version 6 -- by :user:<code>hugovk</code>.</p>
<p>It used to be limited below version 7 in :doc:<code>aiohttp
&lt;index&gt;</code> v3.8.1 but
was lowered in v3.8.2 via :pr:<code>6550</code> and never brought back,
causing
problems with dependency pins when upgrading. :doc:<code>aiohttp
&lt;index&gt;</code> v3.8.3
fixes that by recovering the original boundary of <code>&lt; 7</code>.
(<a
href="https://github-redirect.dependabot.com/aio-libs/aiohttp/issues/6950">#6950</a>)</p>
</li>
</ul>
<hr />
<h1>3.8.2 (2022-09-20, subsequently yanked on 2022-09-21)</h1>
<p>.. note::</p>
<p>This release has some compatibility fixes for Python 3.11 but it may
still have some quirks. Some tests are still flaky in the CI.</p>
<p>.. caution::</p>
<p>This release has been yanked from PyPI. Modern pip will not pick it
up automatically. The reason is that is has <code>multidict &lt;
6</code> set in
the distribution package metadata (see :pr:<code>6950</code>). Please,
use
<code>aiohttp ~= 3.8.3, != 3.8.1</code> instead, if you can.</p>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/aio-libs/aiohttp/blob/master/CHANGES.rst">aiohttp[speedups]'s
changelog</a>.</em></p>
<blockquote>
<h1>3.8.4 (2023-02-12)</h1>
<h2>Bugfixes</h2>
<ul>
<li>Fixed incorrectly overwriting cookies with the same name and domain,
but different path.
<code>[#6638](aio-libs/aiohttp#6638)
&lt;https://github.com/aio-libs/aiohttp/issues/6638&gt;</code>_</li>
<li>Fixed <code>ConnectionResetError</code> not being raised after
client disconnection in SSL environments.
<code>[#7180](aio-libs/aiohttp#7180)
&lt;https://github.com/aio-libs/aiohttp/issues/7180&gt;</code>_</li>
</ul>
<hr />
<h1>3.8.3 (2022-09-21)</h1>
<p>.. attention::</p>
<p>This is the last :doc:<code>aiohttp &lt;index&gt;</code> release
tested under
Python 3.6. The 3.9 stream is dropping it from the CI and the
distribution package metadata.</p>
<h2>Bugfixes</h2>
<ul>
<li>
<p>Increased the upper boundary of the :doc:<code>multidict:index</code>
dependency
to allow for the version 6 -- by :user:<code>hugovk</code>.</p>
<p>It used to be limited below version 7 in :doc:<code>aiohttp
&lt;index&gt;</code> v3.8.1 but
was lowered in v3.8.2 via :pr:<code>6550</code> and never brought back,
causing
problems with dependency pins when upgrading. :doc:<code>aiohttp
&lt;index&gt;</code> v3.8.3
fixes that by recovering the original boundary of <code>&lt; 7</code>.
<code>[#6950](aio-libs/aiohttp#6950)
&lt;https://github.com/aio-libs/aiohttp/issues/6950&gt;</code>_</p>
</li>
</ul>
<hr />
<h1>3.8.2 (2022-09-20, subsequently yanked on 2022-09-21)</h1>
<h2>Bugfixes</h2>
<ul>
<li>Support registering OPTIONS HTTP method handlers via RouteTableDef.
<code>[#4663](aio-libs/aiohttp#4663)
&lt;https://github.com/aio-libs/aiohttp/issues/4663&gt;</code>_</li>
<li>Started supporting <code>authority-form</code> and
<code>absolute-form</code> URLs on the server-side.
<code>[#6227](aio-libs/aiohttp#6227)
&lt;https://github.com/aio-libs/aiohttp/issues/6227&gt;</code>_</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/aio-libs/aiohttp/commit/33953f110e97eecc707e1402daa8d543f38a189b"><code>33953f1</code></a>
Release v3.8.4 (<a
href="https://github-redirect.dependabot.com/aio-libs/aiohttp/issues/7207">#7207</a>)</li>
<li><a
href="https://github.com/aio-libs/aiohttp/commit/28854a4743cb367351397bd0a8b38469f28f369a"><code>28854a4</code></a>
Fix ConnectionResetError not being raised when the transport is close…
(<a
href="https://github-redirect.dependabot.com/aio-libs/aiohttp/issues/7199">#7199</a>)</li>
<li><a
href="https://github.com/aio-libs/aiohttp/commit/565cc2132a4c3667e0601f055cff913526226352"><code>565cc21</code></a>
Raise upper bound of charset-normalizer</li>
<li><a
href="https://github.com/aio-libs/aiohttp/commit/ba573e267c0601e97b7caafb7ac9ad4ec7c7d52d"><code>ba573e2</code></a>
[3.8] Fix CI (<a
href="https://github-redirect.dependabot.com/aio-libs/aiohttp/issues/7143">#7143</a>)
(<a
href="https://github-redirect.dependabot.com/aio-libs/aiohttp/issues/7200">#7200</a>)</li>
<li><a
href="https://github.com/aio-libs/aiohttp/commit/9cde3b47e10b04b9db3bf86611d01132d852c0c7"><code>9cde3b4</code></a>
Update .pre-commit-config.yaml</li>
<li><a
href="https://github.com/aio-libs/aiohttp/commit/ed04b4da2e0fbb504728064335fc0cdcd52773c6"><code>ed04b4d</code></a>
[PR <a
href="https://github-redirect.dependabot.com/aio-libs/aiohttp/issues/7154">#7154</a>/283861dd
backport][3.8] fixed error in ContentDisposition doc (<a
href="https://github-redirect.dependabot.com/aio-libs/aiohttp/issues/7155">#7155</a>)</li>
<li><a
href="https://github.com/aio-libs/aiohttp/commit/8cf01adc8c8dbf706e4cd33bf89fd5195f638715"><code>8cf01ad</code></a>
[3.8] Fix cookie handling (<a
href="https://github-redirect.dependabot.com/aio-libs/aiohttp/issues/6638">#6638</a>)
(<a
href="https://github-redirect.dependabot.com/aio-libs/aiohttp/issues/6974">#6974</a>)</li>
<li><a
href="https://github.com/aio-libs/aiohttp/commit/6d4ec02dcbfaa849aa6756dec9f2314bf8665ff5"><code>6d4ec02</code></a>
Merge branch 'release/v3.8.3' into 3.8</li>
<li><a
href="https://github.com/aio-libs/aiohttp/commit/e4bce667f6bef14d34cfc32276cfdaf95de4c033"><code>e4bce66</code></a>
Bump the hardcoded version to v3.8.3.post0.dev0</li>
<li><a
href="https://github.com/aio-libs/aiohttp/commit/0f8d39ff7bacfef6e4dad00e1b20895cd50b8396"><code>0f8d39f</code></a>
Revert &quot;Stop including an empty changelog draft in
Sphinx&quot;</li>
<li>Additional commits viewable in <a
href="https://github.com/aio-libs/aiohttp/compare/v3.7.4...v3.8.4">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=aiohttp[speedups]&package-manager=pip&previous-version=3.7.4&new-version=3.8.4)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
marcelveldt pushed a commit to music-assistant/python-hass-client that referenced this pull request Apr 19, 2023
Bumps [aiohttp](https://github.com/aio-libs/aiohttp) from 3.7.4 to
3.8.4.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/aio-libs/aiohttp/releases">aiohttp's
releases</a>.</em></p>
<blockquote>
<h2>3.8.4</h2>
<h2>Bugfixes</h2>
<ul>
<li>Fixed incorrectly overwriting cookies with the same name and domain,
but different path.
(<a
href="https://github-redirect.dependabot.com/aio-libs/aiohttp/issues/6638">#6638</a>)</li>
<li>Fixed <code>ConnectionResetError</code> not being raised after
client disconnection in SSL environments.
(<a
href="https://github-redirect.dependabot.com/aio-libs/aiohttp/issues/7180">#7180</a>)</li>
</ul>
<hr />
<h2>3.8.3</h2>
<p>.. attention::</p>
<p>This is the last :doc:<code>aiohttp &lt;index&gt;</code> release
tested under
Python 3.6. The 3.9 stream is dropping it from the CI and the
distribution package metadata.</p>
<h2>Bugfixes</h2>
<ul>
<li>
<p>Increased the upper boundary of the :doc:<code>multidict:index</code>
dependency
to allow for the version 6 -- by :user:<code>hugovk</code>.</p>
<p>It used to be limited below version 7 in :doc:<code>aiohttp
&lt;index&gt;</code> v3.8.1 but
was lowered in v3.8.2 via :pr:<code>6550</code> and never brought back,
causing
problems with dependency pins when upgrading. :doc:<code>aiohttp
&lt;index&gt;</code> v3.8.3
fixes that by recovering the original boundary of <code>&lt; 7</code>.
(<a
href="https://github-redirect.dependabot.com/aio-libs/aiohttp/issues/6950">#6950</a>)</p>
</li>
</ul>
<hr />
<h1>3.8.2 (2022-09-20, subsequently yanked on 2022-09-21)</h1>
<p>.. note::</p>
<p>This release has some compatibility fixes for Python 3.11 but it may
still have some quirks. Some tests are still flaky in the CI.</p>
<p>.. caution::</p>
<p>This release has been yanked from PyPI. Modern pip will not pick it
up automatically. The reason is that is has <code>multidict &lt;
6</code> set in
the distribution package metadata (see :pr:<code>6950</code>). Please,
use
<code>aiohttp ~= 3.8.3, != 3.8.1</code> instead, if you can.</p>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/aio-libs/aiohttp/blob/master/CHANGES.rst">aiohttp's
changelog</a>.</em></p>
<blockquote>
<h1>3.8.4 (2023-02-12)</h1>
<h2>Bugfixes</h2>
<ul>
<li>Fixed incorrectly overwriting cookies with the same name and domain,
but different path.
<code>[#6638](aio-libs/aiohttp#6638)
&lt;https://github.com/aio-libs/aiohttp/issues/6638&gt;</code>_</li>
<li>Fixed <code>ConnectionResetError</code> not being raised after
client disconnection in SSL environments.
<code>[#7180](aio-libs/aiohttp#7180)
&lt;https://github.com/aio-libs/aiohttp/issues/7180&gt;</code>_</li>
</ul>
<hr />
<h1>3.8.3 (2022-09-21)</h1>
<p>.. attention::</p>
<p>This is the last :doc:<code>aiohttp &lt;index&gt;</code> release
tested under
Python 3.6. The 3.9 stream is dropping it from the CI and the
distribution package metadata.</p>
<h2>Bugfixes</h2>
<ul>
<li>
<p>Increased the upper boundary of the :doc:<code>multidict:index</code>
dependency
to allow for the version 6 -- by :user:<code>hugovk</code>.</p>
<p>It used to be limited below version 7 in :doc:<code>aiohttp
&lt;index&gt;</code> v3.8.1 but
was lowered in v3.8.2 via :pr:<code>6550</code> and never brought back,
causing
problems with dependency pins when upgrading. :doc:<code>aiohttp
&lt;index&gt;</code> v3.8.3
fixes that by recovering the original boundary of <code>&lt; 7</code>.
<code>[#6950](aio-libs/aiohttp#6950)
&lt;https://github.com/aio-libs/aiohttp/issues/6950&gt;</code>_</p>
</li>
</ul>
<hr />
<h1>3.8.2 (2022-09-20, subsequently yanked on 2022-09-21)</h1>
<h2>Bugfixes</h2>
<ul>
<li>Support registering OPTIONS HTTP method handlers via RouteTableDef.
<code>[#4663](aio-libs/aiohttp#4663)
&lt;https://github.com/aio-libs/aiohttp/issues/4663&gt;</code>_</li>
<li>Started supporting <code>authority-form</code> and
<code>absolute-form</code> URLs on the server-side.
<code>[#6227](aio-libs/aiohttp#6227)
&lt;https://github.com/aio-libs/aiohttp/issues/6227&gt;</code>_</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/aio-libs/aiohttp/commit/33953f110e97eecc707e1402daa8d543f38a189b"><code>33953f1</code></a>
Release v3.8.4 (<a
href="https://github-redirect.dependabot.com/aio-libs/aiohttp/issues/7207">#7207</a>)</li>
<li><a
href="https://github.com/aio-libs/aiohttp/commit/28854a4743cb367351397bd0a8b38469f28f369a"><code>28854a4</code></a>
Fix ConnectionResetError not being raised when the transport is close…
(<a
href="https://github-redirect.dependabot.com/aio-libs/aiohttp/issues/7199">#7199</a>)</li>
<li><a
href="https://github.com/aio-libs/aiohttp/commit/565cc2132a4c3667e0601f055cff913526226352"><code>565cc21</code></a>
Raise upper bound of charset-normalizer</li>
<li><a
href="https://github.com/aio-libs/aiohttp/commit/ba573e267c0601e97b7caafb7ac9ad4ec7c7d52d"><code>ba573e2</code></a>
[3.8] Fix CI (<a
href="https://github-redirect.dependabot.com/aio-libs/aiohttp/issues/7143">#7143</a>)
(<a
href="https://github-redirect.dependabot.com/aio-libs/aiohttp/issues/7200">#7200</a>)</li>
<li><a
href="https://github.com/aio-libs/aiohttp/commit/9cde3b47e10b04b9db3bf86611d01132d852c0c7"><code>9cde3b4</code></a>
Update .pre-commit-config.yaml</li>
<li><a
href="https://github.com/aio-libs/aiohttp/commit/ed04b4da2e0fbb504728064335fc0cdcd52773c6"><code>ed04b4d</code></a>
[PR <a
href="https://github-redirect.dependabot.com/aio-libs/aiohttp/issues/7154">#7154</a>/283861dd
backport][3.8] fixed error in ContentDisposition doc (<a
href="https://github-redirect.dependabot.com/aio-libs/aiohttp/issues/7155">#7155</a>)</li>
<li><a
href="https://github.com/aio-libs/aiohttp/commit/8cf01adc8c8dbf706e4cd33bf89fd5195f638715"><code>8cf01ad</code></a>
[3.8] Fix cookie handling (<a
href="https://github-redirect.dependabot.com/aio-libs/aiohttp/issues/6638">#6638</a>)
(<a
href="https://github-redirect.dependabot.com/aio-libs/aiohttp/issues/6974">#6974</a>)</li>
<li><a
href="https://github.com/aio-libs/aiohttp/commit/6d4ec02dcbfaa849aa6756dec9f2314bf8665ff5"><code>6d4ec02</code></a>
Merge branch 'release/v3.8.3' into 3.8</li>
<li><a
href="https://github.com/aio-libs/aiohttp/commit/e4bce667f6bef14d34cfc32276cfdaf95de4c033"><code>e4bce66</code></a>
Bump the hardcoded version to v3.8.3.post0.dev0</li>
<li><a
href="https://github.com/aio-libs/aiohttp/commit/0f8d39ff7bacfef6e4dad00e1b20895cd50b8396"><code>0f8d39f</code></a>
Revert &quot;Stop including an empty changelog draft in
Sphinx&quot;</li>
<li>Additional commits viewable in <a
href="https://github.com/aio-libs/aiohttp/compare/v3.7.4...v3.8.4">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=aiohttp&package-manager=pip&previous-version=3.7.4&new-version=3.8.4)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

You can trigger a rebase of this PR by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>> **Note**
> Automatic rebases have been disabled on this pull request as it has
been open for over 30 days.

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
joeyorlando pushed a commit to grafana/oncall that referenced this pull request Jul 21, 2023
…2602)

Bumps [aiohttp](https://github.com/aio-libs/aiohttp) from 3.8.3 to
3.8.5.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/aio-libs/aiohttp/releases">aiohttp's
releases</a>.</em></p>
<blockquote>
<h2>3.8.5</h2>
<h2>Security bugfixes</h2>
<ul>
<li>
<p>Upgraded the vendored copy of llhttp_ to v8.1.1 -- by
:user:<code>webknjaz</code>
and :user:<code>Dreamsorcerer</code>.</p>
<p>Thanks to :user:<code>sethmlarson</code> for reporting this and
providing us with
comprehensive reproducer, workarounds and fixing details! For more
information, see
<a
href="https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w">https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w</a>.</p>
<p>.. _llhttp: <a href="https://llhttp.org">https://llhttp.org</a></p>
<p>(<a
href="https://redirect.github.com/aio-libs/aiohttp/issues/7346">#7346</a>)</p>
</li>
</ul>
<h2>Features</h2>
<ul>
<li>
<p>Added information to C parser exceptions to show which character
caused the error. -- by :user:<code>Dreamsorcerer</code></p>
<p>(<a
href="https://redirect.github.com/aio-libs/aiohttp/issues/7366">#7366</a>)</p>
</li>
</ul>
<h2>Bugfixes</h2>
<ul>
<li>
<p>Fixed a transport is :data:<code>None</code> error -- by
:user:<code>Dreamsorcerer</code>.</p>
<p>(<a
href="https://redirect.github.com/aio-libs/aiohttp/issues/3355">#3355</a>)</p>
</li>
</ul>
<hr />
<h2>3.8.4</h2>
<h2>Bugfixes</h2>
<ul>
<li>Fixed incorrectly overwriting cookies with the same name and domain,
but different path.
(<a
href="https://redirect.github.com/aio-libs/aiohttp/issues/6638">#6638</a>)</li>
<li>Fixed <code>ConnectionResetError</code> not being raised after
client disconnection in SSL environments.
(<a
href="https://redirect.github.com/aio-libs/aiohttp/issues/7180">#7180</a>)</li>
</ul>
<hr />
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/aio-libs/aiohttp/blob/v3.8.5/CHANGES.rst">aiohttp's
changelog</a>.</em></p>
<blockquote>
<h1>3.8.5 (2023-07-19)</h1>
<h2>Security bugfixes</h2>
<ul>
<li>
<p>Upgraded the vendored copy of llhttp_ to v8.1.1 -- by
:user:<code>webknjaz</code>
and :user:<code>Dreamsorcerer</code>.</p>
<p>Thanks to :user:<code>sethmlarson</code> for reporting this and
providing us with
comprehensive reproducer, workarounds and fixing details! For more
information, see
<a
href="https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w">https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w</a>.</p>
<p>.. _llhttp: <a href="https://llhttp.org">https://llhttp.org</a></p>
<p><code>[#7346](aio-libs/aiohttp#7346)
&lt;https://github.com/aio-libs/aiohttp/issues/7346&gt;</code>_</p>
</li>
</ul>
<h2>Features</h2>
<ul>
<li>
<p>Added information to C parser exceptions to show which character
caused the error. -- by :user:<code>Dreamsorcerer</code></p>
<p><code>[#7366](aio-libs/aiohttp#7366)
&lt;https://github.com/aio-libs/aiohttp/issues/7366&gt;</code>_</p>
</li>
</ul>
<h2>Bugfixes</h2>
<ul>
<li>
<p>Fixed a transport is :data:<code>None</code> error -- by
:user:<code>Dreamsorcerer</code>.</p>
<p><code>[#3355](aio-libs/aiohttp#3355)
&lt;https://github.com/aio-libs/aiohttp/issues/3355&gt;</code>_</p>
</li>
</ul>
<hr />
<h1>3.8.4 (2023-02-12)</h1>
<h2>Bugfixes</h2>
<ul>
<li>Fixed incorrectly overwriting cookies with the same name and domain,
but different path.
<code>[#6638](aio-libs/aiohttp#6638)
&lt;https://github.com/aio-libs/aiohttp/issues/6638&gt;</code>_</li>
<li>Fixed <code>ConnectionResetError</code> not being raised after
client disconnection in SSL environments.
<code>[#7180](aio-libs/aiohttp#7180)
&lt;https://github.com/aio-libs/aiohttp/issues/7180&gt;</code>_</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/aio-libs/aiohttp/commit/9c13a52c21c23dfdb49ed89418d28a5b116d0681"><code>9c13a52</code></a>
Bump aiohttp to v3.8.5 a security release</li>
<li><a
href="https://github.com/aio-libs/aiohttp/commit/7c02129567bc4ec59be467b70fc937c82920948c"><code>7c02129</code></a>
 Bump pypa/cibuildwheel to v2.14.1</li>
<li><a
href="https://github.com/aio-libs/aiohttp/commit/135a45e9d655d56e4ebad78abe84f1cb7b5c62dc"><code>135a45e</code></a>
Improve error messages from C parser (<a
href="https://redirect.github.com/aio-libs/aiohttp/issues/7366">#7366</a>)
(<a
href="https://redirect.github.com/aio-libs/aiohttp/issues/7380">#7380</a>)</li>
<li><a
href="https://github.com/aio-libs/aiohttp/commit/9337fb3f2ab2b5f38d7e98a194bde6f7e3d16c40"><code>9337fb3</code></a>
Fix bump llhttp to v8.1.1 (<a
href="https://redirect.github.com/aio-libs/aiohttp/issues/7367">#7367</a>)
(<a
href="https://redirect.github.com/aio-libs/aiohttp/issues/7377">#7377</a>)</li>
<li><a
href="https://github.com/aio-libs/aiohttp/commit/f07e9b44b5cb909054a697c8dd447b30dbf8073e"><code>f07e9b4</code></a>
[PR <a
href="https://redirect.github.com/aio-libs/aiohttp/issues/7373">#7373</a>/66e261a5
backport][3.8] Drop azure mention (<a
href="https://redirect.github.com/aio-libs/aiohttp/issues/7374">#7374</a>)</li>
<li><a
href="https://github.com/aio-libs/aiohttp/commit/01d9b70e5477cd746561b52225992d8a2ebde953"><code>01d9b70</code></a>
[PR <a
href="https://redirect.github.com/aio-libs/aiohttp/issues/7370">#7370</a>/22c264ce
backport][3.8] fix: Spelling error fixed (<a
href="https://redirect.github.com/aio-libs/aiohttp/issues/7371">#7371</a>)</li>
<li><a
href="https://github.com/aio-libs/aiohttp/commit/3577b1e3719d4648fa973dbdec927f78f9df34dd"><code>3577b1e</code></a>
[PR <a
href="https://redirect.github.com/aio-libs/aiohttp/issues/7359">#7359</a>/7911f1e9
backport][3.8]  Set up secretless publishing to PyPI (<a
href="https://redirect.github.com/aio-libs/aiohttp/issues/7360">#7360</a>)</li>
<li><a
href="https://github.com/aio-libs/aiohttp/commit/8d45f9c99511cd80140d6658bd9c11002c697f1c"><code>8d45f9c</code></a>
[PR <a
href="https://redirect.github.com/aio-libs/aiohttp/issues/7333">#7333</a>/3a54d378
backport][3.8] Fix TLS transport is <code>None</code> error (<a
href="https://redirect.github.com/aio-libs/aiohttp/issues/7357">#7357</a>)</li>
<li><a
href="https://github.com/aio-libs/aiohttp/commit/dd8e24e77351df9c0f029be49d3c6d7862706e79"><code>dd8e24e</code></a>
[PR <a
href="https://redirect.github.com/aio-libs/aiohttp/issues/7343">#7343</a>/18057581
backport][3.8] Mention encoding in <code>yarl.URL</code> (<a
href="https://redirect.github.com/aio-libs/aiohttp/issues/7355">#7355</a>)</li>
<li><a
href="https://github.com/aio-libs/aiohttp/commit/40874103ebfaa1007d47c25ecc4288af873a07cf"><code>4087410</code></a>
[PR <a
href="https://redirect.github.com/aio-libs/aiohttp/issues/7346">#7346</a>/346fd202
backport][3.8]  Bump vendored llhttp to v8.1.1 (<a
href="https://redirect.github.com/aio-libs/aiohttp/issues/7352">#7352</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/aio-libs/aiohttp/compare/v3.8.3...v3.8.5">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=aiohttp&package-manager=pip&previous-version=3.8.3&new-version=3.8.5)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/grafana/oncall/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
keinsell pushed a commit to keinsell/neuronek that referenced this pull request Apr 28, 2024
…sources/psychonautwiki-tripsit (#402)

Bumps [aiohttp](https://github.com/aio-libs/aiohttp) from 3.7.4.post0 to
3.8.5.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/aio-libs/aiohttp/releases">aiohttp's
releases</a>.</em></p>
<blockquote>
<h2>3.8.5</h2>
<h2>Security bugfixes</h2>
<ul>
<li>
<p>Upgraded the vendored copy of llhttp_ to v8.1.1 -- by
:user:<code>webknjaz</code>
and :user:<code>Dreamsorcerer</code>.</p>
<p>Thanks to :user:<code>sethmlarson</code> for reporting this and
providing us with
comprehensive reproducer, workarounds and fixing details! For more
information, see
<a
href="https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w">https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w</a>.</p>
<p>.. _llhttp: <a href="https://llhttp.org">https://llhttp.org</a></p>
<p>(<a
href="https://redirect.github.com/aio-libs/aiohttp/issues/7346">#7346</a>)</p>
</li>
</ul>
<h2>Features</h2>
<ul>
<li>
<p>Added information to C parser exceptions to show which character
caused the error. -- by :user:<code>Dreamsorcerer</code></p>
<p>(<a
href="https://redirect.github.com/aio-libs/aiohttp/issues/7366">#7366</a>)</p>
</li>
</ul>
<h2>Bugfixes</h2>
<ul>
<li>
<p>Fixed a transport is :data:<code>None</code> error -- by
:user:<code>Dreamsorcerer</code>.</p>
<p>(<a
href="https://redirect.github.com/aio-libs/aiohttp/issues/3355">#3355</a>)</p>
</li>
</ul>
<hr />
<h2>3.8.4</h2>
<h2>Bugfixes</h2>
<ul>
<li>Fixed incorrectly overwriting cookies with the same name and domain,
but different path.
(<a
href="https://redirect.github.com/aio-libs/aiohttp/issues/6638">#6638</a>)</li>
<li>Fixed <code>ConnectionResetError</code> not being raised after
client disconnection in SSL environments.
(<a
href="https://redirect.github.com/aio-libs/aiohttp/issues/7180">#7180</a>)</li>
</ul>
<hr />
<h2>3.8.3</h2>
<p>.. attention::</p>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/aio-libs/aiohttp/blob/v3.8.5/CHANGES.rst">aiohttp's
changelog</a>.</em></p>
<blockquote>
<h1>3.8.5 (2023-07-19)</h1>
<h2>Security bugfixes</h2>
<ul>
<li>
<p>Upgraded the vendored copy of llhttp_ to v8.1.1 -- by
:user:<code>webknjaz</code>
and :user:<code>Dreamsorcerer</code>.</p>
<p>Thanks to :user:<code>sethmlarson</code> for reporting this and
providing us with
comprehensive reproducer, workarounds and fixing details! For more
information, see
<a
href="https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w">https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w</a>.</p>
<p>.. _llhttp: <a href="https://llhttp.org">https://llhttp.org</a></p>
<p><code>[#7346](aio-libs/aiohttp#7346)
&lt;https://github.com/aio-libs/aiohttp/issues/7346&gt;</code>_</p>
</li>
</ul>
<h2>Features</h2>
<ul>
<li>
<p>Added information to C parser exceptions to show which character
caused the error. -- by :user:<code>Dreamsorcerer</code></p>
<p><code>[#7366](aio-libs/aiohttp#7366)
&lt;https://github.com/aio-libs/aiohttp/issues/7366&gt;</code>_</p>
</li>
</ul>
<h2>Bugfixes</h2>
<ul>
<li>
<p>Fixed a transport is :data:<code>None</code> error -- by
:user:<code>Dreamsorcerer</code>.</p>
<p><code>[#3355](aio-libs/aiohttp#3355)
&lt;https://github.com/aio-libs/aiohttp/issues/3355&gt;</code>_</p>
</li>
</ul>
<hr />
<h1>3.8.4 (2023-02-12)</h1>
<h2>Bugfixes</h2>
<ul>
<li>Fixed incorrectly overwriting cookies with the same name and domain,
but different path.
<code>[#6638](aio-libs/aiohttp#6638)
&lt;https://github.com/aio-libs/aiohttp/issues/6638&gt;</code>_</li>
<li>Fixed <code>ConnectionResetError</code> not being raised after
client disconnection in SSL environments.
<code>[#7180](aio-libs/aiohttp#7180)
&lt;https://github.com/aio-libs/aiohttp/issues/7180&gt;</code>_</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/aio-libs/aiohttp/commit/9c13a52c21c23dfdb49ed89418d28a5b116d0681"><code>9c13a52</code></a>
Bump aiohttp to v3.8.5 a security release</li>
<li><a
href="https://github.com/aio-libs/aiohttp/commit/7c02129567bc4ec59be467b70fc937c82920948c"><code>7c02129</code></a>
 Bump pypa/cibuildwheel to v2.14.1</li>
<li><a
href="https://github.com/aio-libs/aiohttp/commit/135a45e9d655d56e4ebad78abe84f1cb7b5c62dc"><code>135a45e</code></a>
Improve error messages from C parser (<a
href="https://redirect.github.com/aio-libs/aiohttp/issues/7366">#7366</a>)
(<a
href="https://redirect.github.com/aio-libs/aiohttp/issues/7380">#7380</a>)</li>
<li><a
href="https://github.com/aio-libs/aiohttp/commit/9337fb3f2ab2b5f38d7e98a194bde6f7e3d16c40"><code>9337fb3</code></a>
Fix bump llhttp to v8.1.1 (<a
href="https://redirect.github.com/aio-libs/aiohttp/issues/7367">#7367</a>)
(<a
href="https://redirect.github.com/aio-libs/aiohttp/issues/7377">#7377</a>)</li>
<li><a
href="https://github.com/aio-libs/aiohttp/commit/f07e9b44b5cb909054a697c8dd447b30dbf8073e"><code>f07e9b4</code></a>
[PR <a
href="https://redirect.github.com/aio-libs/aiohttp/issues/7373">#7373</a>/66e261a5
backport][3.8] Drop azure mention (<a
href="https://redirect.github.com/aio-libs/aiohttp/issues/7374">#7374</a>)</li>
<li><a
href="https://github.com/aio-libs/aiohttp/commit/01d9b70e5477cd746561b52225992d8a2ebde953"><code>01d9b70</code></a>
[PR <a
href="https://redirect.github.com/aio-libs/aiohttp/issues/7370">#7370</a>/22c264ce
backport][3.8] fix: Spelling error fixed (<a
href="https://redirect.github.com/aio-libs/aiohttp/issues/7371">#7371</a>)</li>
<li><a
href="https://github.com/aio-libs/aiohttp/commit/3577b1e3719d4648fa973dbdec927f78f9df34dd"><code>3577b1e</code></a>
[PR <a
href="https://redirect.github.com/aio-libs/aiohttp/issues/7359">#7359</a>/7911f1e9
backport][3.8]  Set up secretless publishing to PyPI (<a
href="https://redirect.github.com/aio-libs/aiohttp/issues/7360">#7360</a>)</li>
<li><a
href="https://github.com/aio-libs/aiohttp/commit/8d45f9c99511cd80140d6658bd9c11002c697f1c"><code>8d45f9c</code></a>
[PR <a
href="https://redirect.github.com/aio-libs/aiohttp/issues/7333">#7333</a>/3a54d378
backport][3.8] Fix TLS transport is <code>None</code> error (<a
href="https://redirect.github.com/aio-libs/aiohttp/issues/7357">#7357</a>)</li>
<li><a
href="https://github.com/aio-libs/aiohttp/commit/dd8e24e77351df9c0f029be49d3c6d7862706e79"><code>dd8e24e</code></a>
[PR <a
href="https://redirect.github.com/aio-libs/aiohttp/issues/7343">#7343</a>/18057581
backport][3.8] Mention encoding in <code>yarl.URL</code> (<a
href="https://redirect.github.com/aio-libs/aiohttp/issues/7355">#7355</a>)</li>
<li><a
href="https://github.com/aio-libs/aiohttp/commit/40874103ebfaa1007d47c25ecc4288af873a07cf"><code>4087410</code></a>
[PR <a
href="https://redirect.github.com/aio-libs/aiohttp/issues/7346">#7346</a>/346fd202
backport][3.8]  Bump vendored llhttp to v8.1.1 (<a
href="https://redirect.github.com/aio-libs/aiohttp/issues/7352">#7352</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/aio-libs/aiohttp/compare/v3.7.4.post0...v3.8.5">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=aiohttp&package-manager=pip&previous-version=3.7.4.post0&new-version=3.8.5)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

You can trigger a rebase of this PR by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/keinsell/neuronek/network/alerts).

</details>

> **Note**
> Automatic rebases have been disabled on this pull request as it has
been open for over 30 days.

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bot:chronographer:provided There is a change note present in this PR
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants