@tisnik tisnik commented Jan 25, 2026

Description

LCORE-1187: bump-up AIOHTTP library for Konflux build

Type of change

  • Refactor
  • New feature
  • Bug fix
  • CVE fix
  • Optimization
  • Documentation Update
  • Configuration Update
  • Bump-up service version
  • Bump-up dependent library
  • Bump-up library or tool used for development (does not change the final image)
  • CI configuration change
  • Konflux configuration change
  • Unit tests improvement
  • Integration tests improvement
  • End to end tests improvement

Tools used to create PR

  • Assisted-by: N/A
  • Generated by: N/A

Related Tickets & Documents

  • Related Issue #LCORE-1187

Summary by CodeRabbit

  • Chores
    • Updated aiohttp dependency to version 3.13.3
    • Added python-multipart dependency
    • Normalized formatting in build configuration files

coderabbitai bot commented Jan 25, 2026

Walkthrough

Changes involve upgrading aiohttp from 3.13.2 to 3.13.3 across multiple dependency manifests, adding python-multipart==0.0.22 to source hashes, removing python-multipart==0.0.21 from wheel hashes, and applying whitespace normalization to Tekton pipeline configuration files.

Changes

  • Tekton Pipeline Configuration (.tekton/lightspeed-stack-pull-request.yaml, .tekton/lightspeed-stack-push.yaml): whitespace normalization and formatting adjustments to the pip prefetch binary packages string; no semantic changes to package content.
  • Python Dependency Manifests (requirements-build.txt): added two commented reference lines for python-multipart and dunamai within existing comment blocks.
  • Hashed Source Dependencies (requirements.hashes.source.txt): inserted a new dependency block for python-multipart==0.0.22 with two sha256 hashes, positioned between the pycryptodomex and regex entries.
  • Hashed Wheel Dependencies (requirements.hashes.wheel.txt): upgraded aiohttp from 3.13.2 to 3.13.3 with updated hashes; removed the python-multipart==0.0.21 entry.
  • Dependency Overrides (requirements.overrides.txt): bumped aiohttp from 3.13.2 to 3.13.3; added the missing newline at end of file.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • radofuchs

🚥 Pre-merge checks: 3 passed

  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately describes the main change: bumping the AIOHTTP library version from 3.13.2 to 3.13.3 for the Konflux build, which is reflected across multiple dependency files.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

Comment on lines +405 to +407
python-multipart==0.0.22 \
--hash=sha256:2b2cd894c83d21bf49d702499531c7bafd057d730c201782048f7945d82de155 \
--hash=sha256:7340bef99a7e0032613f56dc36027b959fd3b30a787ed62d310e951f7c3a3a58
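Review bot: the pin jumps from 0.0.21 (removed from requirements.hashes.wheel.txt per the walkthrough) to 0.0.22 while moving into the source-hash manifest, so both sha256 values must match files actually published for 0.0.22; the web results in the review discussion below disagree on whether that release exists on PyPI (one says released Jan 25, 2026, the others say 0.0.21 is the latest), and pip in --require-hashes mode fails the whole install if either the version or a digest is off. Suggest keeping `python-multipart==0.0.21` with its published wheel hash until 0.0.22 appears in the PyPI file listing, or stating in the adjacent comment block why the sdist of 0.0.22 is required for the Konflux build.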

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

python-multipart 0.0.22 release notes changelog

💡 Result:

python-multipart 0.0.22 was released on Jan 25, 2026 (PyPI “Latest version”). [1]

The upstream changelog is intended to be in the repo at tag refs/tags/0.0.22 (file CHANGELOG.md). [1][2]

However, I couldn’t retrieve the contents of CHANGELOG.md for 0.0.22 via the available web sources/tools (GitHub returned a load error), so I can’t reliably list the actual 0.0.22 changes here. [2]

Sources: [1] [2]


🌐 Web query:

python-multipart 0.0.21 0.0.22 wheel hash PyPI

💡 Result:

  • python-multipart 0.0.21 wheel (python_multipart-0.0.21-py3-none-any.whl) SHA256: cf7a6713e01c87aa35387f4774e812c4361150938d20d232800f75ffcf266090 [1]
  • python-multipart 0.0.22 wheel hash: No 0.0.22 release/files are currently listed for python-multipart on PyPI (latest shown is 0.0.21, uploaded Dec 17, 2025). [1]

Sources: [1] PyPI project page for python-multipart (includes file details + hashes).


🌐 Web query:

site:pypi.org python-multipart latest version 0.0.22

💡 Result:

The latest released version of python-multipart on PyPI is 0.0.21 (uploaded Dec 17, 2025). There is no 0.0.22 release shown in the PyPI release history. [1][2]


Fix python-multipart version: 0.0.22 does not exist on PyPI.

Version 0.0.22 is not available on PyPI; the latest released version is 0.0.21 (Dec 17, 2025). This pin will cause installation to fail. Either update to 0.0.21 or confirm whether 0.0.22 is a planned/unreleased version.

🤖 Prompt for AI Agents
In `@requirements.hashes.source.txt` around lines 405 - 407, The requirements pin
for python-multipart references a non-existent version
"python-multipart==0.0.22"; update the requirement entry to a valid released
version (e.g., "python-multipart==0.0.21") and replace the accompanying --hash
values with the correct hashes for that version, or if 0.0.22 is intentionally
planned, add a comment and hold the change until it is published; locate the
package line containing "python-multipart==0.0.22" to make this edit and ensure
the two --hash=sha256:... entries are updated to match the chosen version.
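
A manifest cross-check of the kind that would catch the drift discussed above, added here as an example and not code from this repository: `parse_pins` reads the `package==version \ --hash=sha256:...` layout of the requirements.hashes.*.txt files and the bare pins of requirements.overrides.txt, and `check_manifests` reports override versions that disagree with the hashed manifests, hashed entries without a digest, and packages pinned at different versions in the wheel and source manifests. The manifest contents and function names are constructed for this example; the digests are placeholders.

```python
import re

# Constructed sample manifests in the layout this PR touches; the digests are
# placeholders, not real sha256 values.
OVERRIDES = "aiohttp==3.13.2\n"
WHEEL_HASHES = ("aiohttp==3.13.3 \\\n"
                "    --hash=sha256:" + "a" * 64 + " \\\n"
                "    --hash=sha256:" + "b" * 64 + "\n")
SOURCE_HASHES = ("# python-multipart is built from its sdist in this manifest\n"
                 "python-multipart==0.0.22 \\\n"
                 "    --hash=sha256:" + "c" * 64 + "\n"
                 "regex==2025.1.1\n")  # no --hash at all: pip --require-hashes rejects it

PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==(\S+)$")


def parse_pins(text):
    """Return {normalised name: (version, [hashes])}; handles backslash continuations,
    '--hash=' options and '#' comments, with names normalised per PEP 503."""
    pins, logical = {}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):            # continuation: keep collecting tokens
            logical += line[:-1] + " "
            continue
        tokens, logical = (logical + line).split(), ""
        if not tokens:
            continue
        m = PIN_RE.match(tokens[0])
        if not m:
            raise ValueError(f"unsupported requirement line: {raw!r}")
        name = re.sub(r"[-_.]+", "-", m.group(1)).lower()
        pins[name] = (m.group(2), [t[7:] for t in tokens[1:] if t.startswith("--hash=")])
    return pins


def check_manifests(overrides, wheel, source):
    """Cross-check override pins against the wheel and source hash manifests."""
    ov, wh, src = (parse_pins(t) for t in (overrides, wheel, source))
    findings = []
    for name, (ver, _) in ov.items():           # version drift like aiohttp 3.13.2 vs 3.13.3
        for label, pinned in (("wheel", wh), ("source", src)):
            if name in pinned and pinned[name][0] != ver:
                findings.append(f"{name}: overrides pin {ver} but {label} manifest pins {pinned[name][0]}")
    for label, pinned in (("wheel", wh), ("source", src)):
        for name, (ver, hashes) in pinned.items():
            if not hashes:                      # --require-hashes mode fails closed on this
                findings.append(f"{name}=={ver}: no --hash in {label} manifest")
    for name in wh.keys() & src.keys():         # same package pinned twice at different versions
        if wh[name][0] != src[name][0]:
            findings.append(f"{name}: wheel pins {wh[name][0]} but source pins {src[name][0]}")
    return findings
```

Running `check_manifests(OVERRIDES, WHEEL_HASHES, SOURCE_HASHES)` on the constructed inputs reports the aiohttp version drift and the hash-less regex pin; an empty list means the three files agree.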

tokenizers==0.22.1
scipy==1.16.3
aiohttp==3.13.2
aiohttp==3.13.3
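Review bot: the override bumps aiohttp alone, but the 3.13.3 changelog quoted in the review below raises the minimum Brotli/brotlicffi version to 1.2, and requirements.overrides.txt carries no pin for either package; confirm that whichever Brotli implementation is present in the hashed manifests already satisfies >=1.2, or add the matching override next to `aiohttp==3.13.3` so the resolver and the Konflux prefetch see a consistent set.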

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

aiohttp 3.13.3 release notes CVE security fixes

💡 Result:

aiohttp 3.13.3 was released on 2026-01-03 and the upstream changelog states it “contains fixes for several vulnerabilities” and recommends upgrading ASAP. It also raises the minimum Brotli/brotlicffi version to 1.2 and sets a default 32 MiB maximum output per decompress call (security-hardening against decompression bombs). [1]

Security issues (CVE) fixed in 3.13.3:

  • CVE-2025-69223: “zip bomb” / memory-exhaustion DoS via compressed request bodies; fixed in 3.13.3. [2]
  • CVE-2025-69227: DoS via an infinite loop when Python assertions are stripped (e.g., -O) during Request.post() processing; fixed in 3.13.3. [3]
  • CVE-2025-69229: DoS risk via excessive blocking CPU when handling chunked messages with many chunks (notably when using request.read()); fixed in 3.13.3. [4]
  • CVE-2025-69230: DoS-style impact via cookie parsing warning log storms when cookies is accessed; fixed in 3.13.3. [5]

Sources: aiohttp changelog + CVE records. [1–5]

References:
[1] docs.aiohttp.org
[2] ubuntu.com
[3] nvd.nist.gov
[4] nvd.nist.gov
[5] nvd.nist.gov

Verify Brotli/brotlicffi version requirement is also updated.

aiohttp 3.13.3 (released 2026-01-03) is confirmed as a security release fixing four CVEs (CVE-2025-69223, CVE-2025-69227, CVE-2025-69229, CVE-2025-69230) and upstream recommends upgrading ASAP. However, this release also raises the minimum Brotli/brotlicffi version to 1.2 as a security hardening measure against decompression bombs. Confirm whether Brotli or brotlicffi should also be pinned in requirements.overrides.txt to match this constraint.

🤖 Prompt for AI Agents
In `@requirements.overrides.txt` at line 6, The requirements override adds
aiohttp==3.13.3 which requires Brotli/brotlicffi >=1.2; update
requirements.overrides.txt to pin the Brotli implementation your project uses
(e.g., add brotlicffi>=1.2 or Brotli>=1.2, or a specific patch pin like
brotlicffi==1.2.*) so the minimum version constraint is satisfied; check whether
your code or dependencies import brotlicffi vs Brotli and choose the matching
package name (brotlicffi or Brotli), add the line next to aiohttp, and
regenerate/update your dependency lock/CI artifacts to ensure the new constraint
is applied.
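
The per-call output cap that the quoted changelog describes for aiohttp 3.13.3 is a general pattern for reading untrusted compressed bodies; the function below is an added illustration of that pattern in plain zlib, not aiohttp's own implementation. The cap constant, the exception classes, `bounded_inflate`, `inflate_status` and the sample inputs are all constructed for this example.

```python
import zlib

# 32 MiB, the default per-call output limit described in the aiohttp 3.13.3
# changelog; this constant is our own, not imported from aiohttp.
MAX_DECOMPRESSED_BYTES = 32 * 1024 * 1024


class DecompressionBombError(ValueError): """Inflated output would exceed the cap."""

class TruncatedStreamError(ValueError): """Input ended before the compressed stream did."""


def bounded_inflate(data, max_out=MAX_DECOMPRESSED_BYTES, wbits=zlib.MAX_WBITS,
                    chunk=64 * 1024):
    """Inflate a zlib/deflate stream without ever producing more than max_out bytes.

    Decompress.decompress(buf, max_length) emits at most max_length bytes and
    parks unprocessed input in .unconsumed_tail, so the size check runs before
    the next piece exists rather than after the whole stream is in memory.
    Pass wbits=16 + zlib.MAX_WBITS for gzip input.
    """
    d = zlib.decompressobj(wbits=wbits)
    out, buf = bytearray(), data
    while True:
        piece = d.decompress(buf, chunk)
        out += piece
        if len(out) > max_out:
            raise DecompressionBombError(
                f"more than {max_out} bytes from {len(data)} compressed bytes")
        if d.eof:                        # end-of-stream seen, all output emitted
            return bytes(out)
        buf = d.unconsumed_tail          # may be empty while a match is still pending
        if not buf and not piece:        # nothing to consume and nothing pending
            raise TruncatedStreamError("compressed stream ended early")


def inflate_status(data, max_out=MAX_DECOMPRESSED_BYTES):
    """Classify an input as 'ok', 'bomb' or 'truncated' without raising."""
    try:
        bounded_inflate(data, max_out)
        return "ok"
    except DecompressionBombError:
        return "bomb"
    except TruncatedStreamError:
        return "truncated"


# Constructed sample inputs: a few KiB of deflate that inflates to 8 MiB of zeros,
# a benign payload, and the benign payload with its last bytes cut off.
BOMB = zlib.compress(b"\0" * (8 * 1024 * 1024))
BENIGN = zlib.compress(b"hello " * 1000)
TRUNCATED = BENIGN[:-6]
```

With the default 32 MiB cap the 8 MiB sample inflates normally; with a 1 MiB cap it is rejected after the first 17 chunks, long before the full output is materialised.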

@tisnik tisnik merged commit 76668f3 into lightspeed-core:main Jan 25, 2026
22 checks passed