
Update dependency aiohttp to v3.13.3 [SECURITY]#798

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/pypi-aiohttp-vulnerability

Conversation

@renovate renovate bot commented Jan 6, 2026

This PR contains the following updates:

Package  Change
aiohttp  ==3.13.2 -> ==3.13.3

GitHub Vulnerability Alerts

CVE-2025-69224

Summary

The Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters.

Impact

If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections.


Patch: aio-libs/aiohttp@32677f2

CVE-2025-69223

Summary

A zip bomb can be used to execute a DoS against the aiohttp server.

Impact

An attacker may be able to send a compressed request that when decompressed by aiohttp could exhaust the host's memory.


Patch: aio-libs/aiohttp@2b920c3

CVE-2025-69225

Summary

The parser allows non-ASCII decimals to be present in the Range header.

Impact

There is no known impact, but there is the possibility that there's a method to exploit a request smuggling vulnerability.


Patch: aio-libs/aiohttp@c7b7a04

CVE-2025-69226

Summary

Path normalization for static files prevents path traversal, but opens up the ability for an attacker to ascertain the existence of absolute path components.

Impact

If an application uses web.static() (not recommended for production deployments), it may be possible for an attacker to ascertain the existence of path components.


Patch: aio-libs/aiohttp@f2a86fd

CVE-2025-69227

Summary

When assert statements are bypassed, an infinite loop can occur, resulting in a DoS attack when processing a POST body.

Impact

If optimisations are enabled (-O or PYTHONOPTIMIZE=1), and the application includes a handler that uses the Request.post() method, then an attacker may be able to execute a DoS attack with a specially crafted message.


Patch: aio-libs/aiohttp@bc1319e

CVE-2025-69228

Summary

A request can be crafted in such a way that an aiohttp server's memory fills up uncontrollably during processing.

Impact

If an application includes a handler that uses the Request.post() method, an attacker may be able to freeze the server by exhausting the memory.


Patch: aio-libs/aiohttp@b7dbd35

CVE-2025-69229

Summary

Handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks.

Impact

If an application makes use of the request.read() method in an endpoint, it may be possible for an attacker to cause the server to spend a moderate amount of blocking CPU time (e.g. 1 second) while processing the request. This could potentially lead to DoS as the server would be unable to handle other requests during that time.


Patch: aio-libs/aiohttp@dc3170b
Patch: aio-libs/aiohttp@4ed97a4

CVE-2025-69230

Summary

Reading multiple invalid cookies can lead to a logging storm.

Impact

If the cookies attribute is accessed in an application, then an attacker may be able to trigger a storm of warning-level logs using a specially crafted Cookie header.


Patch: aio-libs/aiohttp@64629a0


Release Notes

aio-libs/aiohttp (aiohttp)

v3.13.3


This release contains fixes for several vulnerabilities. It is advised to upgrade as soon as possible.

Bug fixes

  • Fixed proxy authorization headers not being passed when reusing a connection, which caused 407 (Proxy authentication required) errors -- by GLeurquin.

    Related issues and pull requests on GitHub: #2596.

  • Fixed multipart reading failing when encountering an empty body part -- by Dreamsorcerer.

    Related issues and pull requests on GitHub: #11857.

  • Fixed a case where the parser wasn't raising an exception for a websocket continuation frame when there was no initial frame in context.

    Related issues and pull requests on GitHub: #11862.

Removals and backward incompatible breaking changes

  • Brotli and brotlicffi minimum version is now 1.2. Decompression now has a default maximum output size of 32MiB per decompress call -- by Dreamsorcerer.

    Related issues and pull requests on GitHub: #11898.

Packaging updates and notes for downstreams

  • Moved dependency metadata from setup.cfg to pyproject.toml per PEP 621 -- by cdce8p.

    Related issues and pull requests on GitHub: #11643.

Contributor-facing changes

  • Removed unused update-pre-commit github action workflow -- by Cycloctane.

    Related issues and pull requests on GitHub: #11689.

Miscellaneous internal changes

  • Optimized web server performance when access logging is disabled by reducing time syscalls -- by bdraco.

    Related issues and pull requests on GitHub: #10713.

  • Added regression test for cached logging status -- by meehand.

    Related issues and pull requests on GitHub: #11778.



Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
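As an added example (not code from this PR, from Renovate, or from aiohttp itself), the block below shows the kind of per-call output cap that the aiohttp 3.13.3 notes describe as the mitigation for the zip-bomb advisory (CVE-2025-69223), applied to a zlib/deflate request body with only Python's standard library. The function and class names are this example's own assumptions, the 32 MiB default is taken from the release notes, and the bomb payload is constructed in place.

```python
"""Bounded decompression of a compressed request body.

Illustration code, not aiohttp's implementation: the names below are
assumptions of this example; the 32 MiB figure is the default named in
the aiohttp 3.13.3 release notes."""
import zlib

DEFAULT_MAX_OUTPUT = 32 * 1024 * 1024   # 32 MiB, as in the release notes


class DecompressionBombError(ValueError):
    """Raised as soon as the inflated output would exceed the configured cap."""


def decompress_bounded(data: bytes, max_output: int = DEFAULT_MAX_OUTPUT,
                       chunk: int = 64 * 1024) -> bytes:
    """Inflate a zlib/deflate body while never holding more than
    max_output + chunk bytes of output in memory.

    zlib.decompressobj.decompress(data, max_length) stops after producing
    max_length bytes and parks the unread input in unconsumed_tail, so the
    cap is enforced during inflation instead of after an unbounded
    zlib.decompress() has already filled the host's memory.
    """
    d = zlib.decompressobj()
    out = bytearray()
    buf = data
    while True:
        piece = d.decompress(buf, chunk)
        out += piece
        if len(out) > max_output:
            consumed = len(data) - len(d.unconsumed_tail)
            raise DecompressionBombError(
                f"inflated body exceeds {max_output} bytes after only "
                f"{consumed} compressed bytes")
        if d.eof:                       # end-of-stream marker seen: done
            break
        buf = d.unconsumed_tail
        if not piece and not buf:       # input exhausted, nothing pending
            raise ValueError("truncated compressed stream")
    return bytes(out)


def make_sample_bomb(size: int = 4 * 1024 * 1024) -> bytes:
    """Constructed test payload: `size` zero bytes compress to a few KiB."""
    return zlib.compress(b"\0" * size, 9)


if __name__ == "__main__":
    bomb = make_sample_bomb()
    print(f"compressed payload is {len(bomb)} bytes")
    try:
        decompress_bounded(bomb, max_output=1024 * 1024)
    except DecompressionBombError as exc:
        print("rejected:", exc)
```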

github-actions bot commented Jan 6, 2026

MegaLinter analysis: Error

Descriptor Linter Files Fixed Errors Warnings Elapsed time
⚠️ ACTION actionlint 4 3 0 0.06s
✅ COPYPASTE jscpd yes no no 1.87s
⚠️ DOCKERFILE hadolint 2 1 0 0.09s
✅ JSON jsonlint 3 0 0 0.32s
✅ JSON prettier 3 0 0 0 0.44s
✅ JSON v8r 3 0 0 2.62s
⚠️ MARKDOWN markdownlint 12 0 17 0 1.1s
✅ MARKDOWN markdown-table-formatter 12 0 0 0 0.25s
✅ PYTHON bandit 7 0 0 1.37s
✅ PYTHON black 7 0 0 0 1.47s
✅ PYTHON flake8 7 0 0 0.78s
✅ PYTHON isort 7 0 0 0 0.27s
⚠️ PYTHON mypy 7 5 0 4.66s
✅ PYTHON pylint 7 0 0 8.09s
⚠️ PYTHON pyright 7 4 0 6.58s
✅ PYTHON ruff 7 0 0 0 0.07s
✅ REPOSITORY checkov yes no no 19.24s
✅ REPOSITORY gitleaks yes no no 16.71s
✅ REPOSITORY git_diff yes no no 0.02s
⚠️ REPOSITORY grype yes 12 no 41.3s
✅ REPOSITORY secretlint yes no no 0.83s
✅ REPOSITORY syft yes no no 2.93s
❌ REPOSITORY trivy yes 1 no 10.68s
✅ REPOSITORY trivy-sbom yes no no 5.52s
✅ REPOSITORY trufflehog yes no no 4.85s
✅ SPELL cspell 49 0 0 3.71s
⚠️ SPELL lychee 30 2 0 1.79s
✅ YAML prettier 15 0 0 0 0.82s
✅ YAML v8r 15 0 0 6.63s
✅ YAML yamllint 15 0 0 0.54s

Detailed Issues

❌ REPOSITORY / trivy - 1 error
│          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-69224                   │
│          ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│          │ CVE-2025-69225 │          │        │                   │               │ aiohttp: aiohttp: Request smuggling vulnerability via        │
│          │                │          │        │                   │               │ non-ASCII decimals in Range header                           │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-69225                   │
│          ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│          │ CVE-2025-69226 │          │        │                   │               │ aiohttp: aiohttp: Information disclosure of path components  │
│          │                │          │        │                   │               │ via static file path normalization...                        │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-69226                   │
│          ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│          │ CVE-2025-69230 │          │        │                   │               │ aiohttp: aiohttp: Denial of Service via specially crafted    │
│          │                │          │        │                   │               │ invalid cookies                                              │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-69230                   │
├──────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ filelock │ CVE-2026-22701 │ MEDIUM   │        │ 3.20.1            │ 3.20.3        │ filelock: filelock Time-of-Check-Time-of-Use (TOCTOU) in     │
│          │                │          │        │                   │               │ SoftFileLock                                                 │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-22701                   │
├──────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ urllib3  │ CVE-2026-21441 │ HIGH     │        │ 2.6.2             │ 2.6.3         │ urllib3: urllib3 vulnerable to decompression-bomb safeguard  │
│          │                │          │        │                   │               │ bypass when following HTTP redirects (streaming...           │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-21441                   │
└──────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

requirements.txt (pip)
======================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)

┌──────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│ Library  │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                            │
├──────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ filelock │ CVE-2026-22701 │ MEDIUM   │ fixed  │ 3.20.1            │ 3.20.3        │ filelock: filelock Time-of-Check-Time-of-Use (TOCTOU) in    │
│          │                │          │        │                   │               │ SoftFileLock                                                │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-22701                  │
├──────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ urllib3  │ CVE-2026-21441 │ HIGH     │        │ 2.6.2             │ 2.6.3         │ urllib3: urllib3 vulnerable to decompression-bomb safeguard │
│          │                │          │        │                   │               │ bypass when following HTTP redirects (streaming...          │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-21441                  │
└──────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

(Truncated to last 5000 characters out of 13238)
⚠️ ACTION / actionlint - 3 errors
.github/workflows/github-dependents-info.yml:53:9: shellcheck reported issue in this script: SC2086:info:1:15: Double quote to prevent globbing and word splitting [shellcheck]
   |
53 |         run: sudo chown -R $USER:$USER .
   |         ^~~~
.github/workflows/github-dependents-info.yml:53:9: shellcheck reported issue in this script: SC2086:info:1:21: Double quote to prevent globbing and word splitting [shellcheck]
   |
53 |         run: sudo chown -R $USER:$USER .
   |         ^~~~
.github/workflows/release.yml:63:9: shellcheck reported issue in this script: SC2086:info:1:55: Double quote to prevent globbing and word splitting [shellcheck]
   |
63 |         run: echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> ${GITHUB_ENV}
   |         ^~~~
⚠️ REPOSITORY / grype - 12 errors
[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal) from=syft
NAME          INSTALLED  FIXED IN  TYPE    VULNERABILITY        SEVERITY  EPSS           RISK   
aiohttp       3.13.2     3.13.3    python  GHSA-6mq8-rvhq-8wgg  High      < 0.1% (18th)  < 0.1  
aiohttp       3.13.2     3.13.3    python  GHSA-6jhg-hg63-jvvf  Medium    < 0.1% (18th)  < 0.1  
aiohttp       3.13.2     3.13.3    python  GHSA-jj3x-wxrx-4x23  Medium    < 0.1% (18th)  < 0.1  
aiohttp       3.13.2     3.13.3    python  GHSA-g84x-mcqj-x9qq  Medium    < 0.1% (15th)  < 0.1  
aiohttp       3.13.2     3.13.3    python  GHSA-54jq-c3m8-4m76  Low       < 0.1% (18th)  < 0.1  
urllib3       2.6.2      2.6.3     python  GHSA-38jv-5279-wg99  High      < 0.1% (4th)   < 0.1  
aiohttp       3.13.2     3.13.3    python  GHSA-mqqc-3gqh-h2x8  Low       < 0.1% (13th)  < 0.1  
aiohttp       3.13.2     3.13.3    python  GHSA-69f9-5gxw-wvc2  Low       < 0.1% (12th)  < 0.1  
aiohttp       3.13.2     3.13.3    python  GHSA-fh55-r93g-j68g  Low       < 0.1% (12th)  < 0.1  
filelock      3.20.1     3.20.3    python  GHSA-qmgc-5h2g-mvrw  Medium    < 0.1% (5th)   < 0.1  
virtualenv    20.35.4    20.36.1   python  GHSA-597g-3phw-6986  Medium    < 0.1% (5th)   < 0.1  
cryptography  46.0.3     46.0.5    python  GHSA-r6ph-v2qm-q3c2  High      < 0.1% (0th)   < 0.1
[0041] ERROR discovered vulnerabilities at or above the severity threshold
⚠️ DOCKERFILE / hadolint - 1 error
Dockerfile:5 DL3013 warning: Pin versions in pip. Instead of `pip install <package>` use `pip install <package>==<version>` or `pip install --requirement <requirements file>`
docker/Dockerfile:7 DL3008 warning: Pin versions in apt get install. Instead of `apt-get install <package>` use `apt-get install <package>=<version>`
docker/Dockerfile:12 DL3045 warning: `COPY` to a relative destination without `WORKDIR` set.
docker/Dockerfile:15 DL3003 warning: Use WORKDIR to switch to a directory
docker/Dockerfile:15 DL4006 warning: Set the SHELL option -o pipefail before RUN with a pipe in it. If you are using /bin/sh in an alpine image or if your shell is symlinked to busybox then consider explicitly setting your SHELL to /bin/ash, or disable this check
docker/Dockerfile:15 SC2226 warning: This ln has no destination. Check the arguments, or specify '.' explicitly.
docker/Dockerfile:24 DL3025 warning: Use arguments JSON notation for CMD and ENTRYPOINT arguments
⚠️ SPELL / lychee - 2 errors
[IGNORED] docker://nvuillam/github-dependents-info:v3.0.0 | Unsupported: Error creating request client: builder error for url (docker://nvuillam/github-dependents-info:v3.0.0)
[404] https://docs.github.com/en/github/administering-a-repository/keeping-your-dependencies-updated-automatically | Network error: Not Found
[404] https://github.com/actions-marketplace-validations/AkhileshNS_heroku-deploy | Network error: Not Found
📝 Summary
---------------------
🔍 Total..........177
✅ Successful.....138
⏳ Timeouts.........0
🔀 Redirected.......0
👻 Excluded........36
❓ Unknown..........0
🚫 Errors...........2

Errors in .github/dependabot.yml
[404] https://docs.github.com/en/github/administering-a-repository/keeping-your-dependencies-updated-automatically | Network error: Not Found

Errors in docs/github-dependents-info.md
[404] https://github.com/actions-marketplace-validations/AkhileshNS_heroku-deploy | Network error: Not Found
⚠️ MARKDOWN / markdownlint - 17 errors
.github/PULL_REQUEST_TEMPLATE.md:1 error MD041/first-line-heading/first-line-h1 First line in a file should be a top-level heading [Context: "## Description"]
docs/github-dependents-info.md:8:401 error MD013/line-length Line length [Expected: 400; Actual: 1092]
README.md:47:2 error MD045/no-alt-text Images should have alternate text (alt text)
README.md:48:2 error MD045/no-alt-text Images should have alternate text (alt text)
README.md:49:2 error MD045/no-alt-text Images should have alternate text (alt text)
README.md:50:2 error MD045/no-alt-text Images should have alternate text (alt text)
README.md:216:3 error MD051/link-fragments Link fragments should be valid [Context: "[Installation](#⚙️-installation)"]
README.md:217:3 error MD051/link-fragments Link fragments should be valid [Context: "[Usage](#🛠️-usage)"]
README.md:218:3 error MD051/link-fragments Link fragments should be valid [Context: "[Examples](#🧪-examples)"]
README.md:276 error MD046/code-block-style Code block style [Expected: fenced; Actual: indented]
README.md:280 error MD046/code-block-style Code block style [Expected: fenced; Actual: indented]
README.md:285 error MD046/code-block-style Code block style [Expected: fenced; Actual: indented]
README.md:289 error MD046/code-block-style Code block style [Expected: fenced; Actual: indented]
README.md:293 error MD046/code-block-style Code block style [Expected: fenced; Actual: indented]
README.md:297 error MD046/code-block-style Code block style [Expected: fenced; Actual: indented]
README.md:301 error MD046/code-block-style Code block style [Expected: fenced; Actual: indented]
README.md:328:1 error MD045/no-alt-text Images should have alternate text (alt text)
⚠️ PYTHON / mypy - 5 errors
github_dependents_info/gh_dependents_info.py:50: error: Need type annotation for "packages" (hint: "packages: list[<type>] = ...")  [var-annotated]
github_dependents_info/gh_dependents_info.py:51: error: Need type annotation for "all_public_dependent_repos" (hint: "all_public_dependent_repos: list[<type>] = ...")  [var-annotated]
github_dependents_info/gh_dependents_info.py:52: error: Need type annotation for "badges" (hint: "badges: dict[<type>, <type>] = ...")  [var-annotated]
github_dependents_info/gh_dependents_info.py:53: error: Need type annotation for "result" (hint: "result: dict[<type>, <type>] = ...")  [var-annotated]
github_dependents_info/gh_dependents_info.py:240: error: Item "None" of "Path | None" has no attribute "mkdir"  [union-attr]
Found 5 errors in 1 file (checked 7 source files)
⚠️ PYTHON / pyright - 4 errors
github_dependents_info/__main__.py
  github_dependents_info/__main__.py:7:6 - error: Import "rich.console" could not be resolved (reportMissingImports)
github_dependents_info/gh_dependents_info.py
  github_dependents_info/gh_dependents_info.py:13:8 - error: Import "pandas" could not be resolved (reportMissingImports)
  github_dependents_info/gh_dependents_info.py:14:6 - error: Import "bs4" could not be resolved (reportMissingImports)
  github_dependents_info/gh_dependents_info.py:240:32 - error: "mkdir" is not a known attribute of "None" (reportOptionalMemberAccess)
4 errors, 0 warnings, 0 informations

See detailed reports in MegaLinter artifacts


@renovate renovate bot changed the title Update dependency aiohttp to v3.13.3 [SECURITY] Update dependency aiohttp to v3.13.3 [SECURITY] - autoclosed Feb 5, 2026
@renovate renovate bot closed this Feb 5, 2026
@renovate renovate bot deleted the renovate/pypi-aiohttp-vulnerability branch February 5, 2026 21:24
@renovate renovate bot changed the title Update dependency aiohttp to v3.13.3 [SECURITY] - autoclosed Update dependency aiohttp to v3.13.3 [SECURITY] Feb 12, 2026
@renovate renovate bot reopened this Feb 12, 2026
@renovate renovate bot force-pushed the renovate/pypi-aiohttp-vulnerability branch from 43dc2be to ac45a42 Compare February 12, 2026 17:48