aio-libs/aiohttp

Recent updates

• v3.14.0

  Yesterday

  aiohttp 3.14.0 focuses on new typed keys for request and response context storage, additional WebSocket and JSON byte-oriented APIs, and a major parser and decompression overhaul (including zip bomb hardening). It also includes several documented behavioral fixes, plus contributor and CI tooling updates.

  BreakingSecurityFeatures

• v3.13.5

  2 months ago

  Release 3.13.5 includes a bug fix related to how duplicate RFC 9110 singleton headers are handled during HTTP parsing. Specifically, it skips the duplicate singleton header check in lax mode (the default used by the response parser), while strict mode (request parsing, or -X dev) still enforces the singleton rule.

• v3.13.4

  2 months ago

  aiohttp 3.13.4 adds a new max_headers option (for limiting response headers read) and introduces TCPConnector.dns_cache_max_size. It also includes multiple parsing and robustness fixes around header handling and request/response processing, plus documentation and llhttp upgrade notes.

  SecurityFeatures

• v3.13.3

  5 months ago

  v3.13.3 is primarily a security and bugfix release. The documented items focus on proxy authorization handling, multipart parsing, and a websocket continuation validation case, plus a decompression safety limit and Brotli version floor.

  BreakingSecurity

• v3.13.2

  7 months ago

  Release 3.13.2 contains three bug fixes focused on cookie parsing robustness, netrc credential loading, and cancellation safety for WebSocket compressed sends. The code changes also include broader internal refactors around WebSocket compression and compressor locking, plus a CI timeout tweak.

• v3.13.1

  7 months ago

  aiohttp 3.13.1 adds support for passing AppRunner configuration options through run_app(), along with multiple HTTP correctness and performance-related bug fixes. The patch also updates zstd handling for older Python versions, improves Content-Type parsing to default to application/octet-stream on invalid syntax, and fixes sub-application routing priority.

  Features

• v3.13.0

  7 months ago

  aiohttp 3.13.0 adds Python 3.14 support, including free-threading related build/test coverage. It also introduces Zstandard (zstd) compression support, plus several HTTP-related bug fixes (Content-Disposition parsing, cookie jar loading, and pytest asyncio deprecation handling).

  Features

• v3.12.15

  10 months ago

  Release v3.12.15 is primarily a bug-fix release. The documented functional change is in DigestAuthMiddleware, preserving the exact case of the server-provided Digest algorithm parameter when constructing the Authorization header, improving compatibility with case-sensitive servers.

• v3.12.14

  10 months ago

  This release (v3.12.14) focuses on bug fixes around HTTP redirect upload behavior, and preventing a hang in ClientSession.close when using HTTPS through HTTP proxies. It also introduces initial trailer parsing support in the HTTP parser. Release notes document these items, plus an aiosignal minimum version bump and a small documentation clarification.

  Features

• v3.12.13

  11 months ago

  Release 3.12.13 is a small patch release focused on a bug fix in aiohttp ClientSession behavior when no explicit connector is provided. The main code change ensures that auto-created TCPConnector instances use the same event loop as the creating ClientSession.

• v3.12.12

  11 months ago

  aiohttp v3.12.12 contains two cookie-related bug fixes: improved unquoting of cookie values (including octal escape sequences), and RFC 6265 compliant parsing of Cookie headers where attribute-like names are treated as regular cookies. The implementation changes also refactor internal cookie parsing helpers and swap which helpers are used by request and client cookie handling.