Merged
2 changes: 1 addition & 1 deletion .tekton/lightspeed-stack-pull-request.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -55,7 +55,7 @@ spec:
],
"requirements_build_files": ["requirements-build.txt"],
"binary": {
"packages": "accelerate,aiohappyeyeballs,aiohttp,aiosignal,aiosqlite,annotated-doc,annotated-types,anyio,asyncpg,attrs,autoevals,cachetools,cffi,charset-normalizer,chevron,click,cryptography,datasets,dill,distro,dnspython,durationpy,einops,faiss-cpu,fire,frozenlist,fsspec,googleapis-common-protos,grpcio,h11,hf-xet,httpcore,httpx,httpx-sse,huggingface-hub,idna,jinja2,jiter,joblib,jsonschema-specifications,llama-stack-client,lxml,markdown-it-py,mdurl,mpmath,multidict,networkx,nltk,numpy,oauthlib,opentelemetry-api,opentelemetry-exporter-otlp,opentelemetry-exporter-otlp-proto-common,opentelemetry-exporter-otlp-proto-grpc,opentelemetry-exporter-otlp-proto-http,opentelemetry-instrumentation,opentelemetry-proto,opentelemetry-sdk,opentelemetry-semantic-conventions,packaging,pandas,pillow,ply,polyleven,prompt-toolkit,propcache,proto-plus,psycopg2-binary,pyaml,pyarrow,pyasn1,pyasn1-modules,pydantic,pydantic-core,pydantic-settings,pygments,pyjwt,python-dateutil,python-dotenv,python-multipart,pytz,pyyaml,referencing,requests,requests-oauthlib,rpds-py,rsa,safetensors,scikit-learn,scipy,sentence-transformers,setuptools,six,sniffio,sqlalchemy,starlette,sympy,threadpoolctl,tiktoken,tokenizers,torch,tqdm,transformers,triton,typing-extensions,typing-inspection,tzdata,websocket-client,wrapt,xxhash,yarl,zipp,uv,pip,maturin",
"packages": "accelerate,aiohappyeyeballs,aiohttp,aiosignal,aiosqlite,annotated-doc,annotated-types,anyio,asyncpg,attrs,autoevals,cachetools,cffi,charset-normalizer,chevron,click,cryptography,datasets,dill,distro,dnspython,durationpy,einops,faiss-cpu,fire,frozenlist,fsspec,googleapis-common-protos,grpcio,h11,hf-xet,httpcore,httpx,httpx-sse,huggingface-hub,idna,jinja2,jiter,joblib,jsonschema-specifications,llama-stack-client,lxml,markdown-it-py,mdurl,mpmath,multidict,networkx,nltk,numpy,oauthlib,opentelemetry-api,opentelemetry-exporter-otlp,opentelemetry-exporter-otlp-proto-common,opentelemetry-exporter-otlp-proto-grpc,opentelemetry-exporter-otlp-proto-http,opentelemetry-instrumentation,opentelemetry-proto,opentelemetry-sdk,opentelemetry-semantic-conventions,packaging,pandas,pillow,ply,polyleven,prompt-toolkit,propcache,proto-plus,psycopg2-binary,pyaml,pyarrow,pyasn1,pyasn1-modules,pydantic,pydantic-core,pydantic-settings,pygments,pyjwt,python-dateutil,python-dotenv,pytz,pyyaml,referencing,requests,requests-oauthlib,rpds-py,rsa,safetensors,scikit-learn,scipy,sentence-transformers,setuptools,six,sniffio,sqlalchemy,starlette,sympy,threadpoolctl,tiktoken,tokenizers,torch,tqdm,transformers,triton,typing-extensions,typing-inspection,tzdata,websocket-client,wrapt,xxhash,yarl,zipp,uv,pip,maturin",
"os": "linux",
"arch": "x86_64,aarch64",
"py_version": "312"
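Review bot: python-multipart is dropped from the `binary.packages` prefetch list in this pipeline (it sat between python-dotenv and pytz in the old value), which only works if the package is now fetched as a source distribution instead. That matches the new entry in requirements.hashes.source.txt and the removal of the wheel pin in requirements.hashes.wheel.txt, but the version pinned there has to be a published release, otherwise the hermetic prefetch fails at build time rather than in this file.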
2 changes: 1 addition & 1 deletion .tekton/lightspeed-stack-push.yaml
Expand Up @@ -47,7 +47,7 @@ spec:
],
"requirements_build_files": ["requirements-build.txt"],
"binary": {
"packages": "accelerate,aiohappyeyeballs,aiohttp,aiosignal,aiosqlite,annotated-doc,annotated-types,anyio,asyncpg,attrs,autoevals,cachetools,cffi,charset-normalizer,chevron,click,cryptography,datasets,dill,distro,dnspython,durationpy,einops,faiss-cpu,fire,frozenlist,fsspec,googleapis-common-protos,grpcio,h11,hf-xet,httpcore,httpx,httpx-sse,huggingface-hub,idna,jinja2,jiter,joblib,jsonschema-specifications,llama-stack-client,lxml,markdown-it-py,mdurl,mpmath,multidict,networkx,nltk,numpy,oauthlib,opentelemetry-api,opentelemetry-exporter-otlp,opentelemetry-exporter-otlp-proto-common,opentelemetry-exporter-otlp-proto-grpc,opentelemetry-exporter-otlp-proto-http,opentelemetry-instrumentation,opentelemetry-proto,opentelemetry-sdk,opentelemetry-semantic-conventions,packaging,pandas,pillow,ply,polyleven,prompt-toolkit,propcache,proto-plus,psycopg2-binary,pyaml,pyarrow,pyasn1,pyasn1-modules,pydantic,pydantic-core,pydantic-settings,pygments,pyjwt,python-dateutil,python-dotenv,python-multipart,pytz,pyyaml,referencing,requests,requests-oauthlib,rpds-py,rsa,safetensors,scikit-learn,scipy,sentence-transformers,setuptools,six,sniffio,sqlalchemy,starlette,sympy,threadpoolctl,tiktoken,tokenizers,torch,tqdm,transformers,triton,typing-extensions,typing-inspection,tzdata,websocket-client,wrapt,xxhash,yarl,zipp,uv,pip,maturin",
"packages": "accelerate,aiohappyeyeballs,aiohttp,aiosignal,aiosqlite,annotated-doc,annotated-types,anyio,asyncpg,attrs,autoevals,cachetools,cffi,charset-normalizer,chevron,click,cryptography,datasets,dill,distro,dnspython,durationpy,einops,faiss-cpu,fire,frozenlist,fsspec,googleapis-common-protos,grpcio,h11,hf-xet,httpcore,httpx,httpx-sse,huggingface-hub,idna,jinja2,jiter,joblib,jsonschema-specifications,llama-stack-client,lxml,markdown-it-py,mdurl,mpmath,multidict,networkx,nltk,numpy,oauthlib,opentelemetry-api,opentelemetry-exporter-otlp,opentelemetry-exporter-otlp-proto-common,opentelemetry-exporter-otlp-proto-grpc,opentelemetry-exporter-otlp-proto-http,opentelemetry-instrumentation,opentelemetry-proto,opentelemetry-sdk,opentelemetry-semantic-conventions,packaging,pandas,pillow,ply,polyleven,prompt-toolkit,propcache,proto-plus,psycopg2-binary,pyaml,pyarrow,pyasn1,pyasn1-modules,pydantic,pydantic-core,pydantic-settings,pygments,pyjwt,python-dateutil,python-dotenv,pytz,pyyaml,referencing,requests,requests-oauthlib,rpds-py,rsa,safetensors,scikit-learn,scipy,sentence-transformers,setuptools,six,sniffio,sqlalchemy,starlette,sympy,threadpoolctl,tiktoken,tokenizers,torch,tqdm,transformers,triton,typing-extensions,typing-inspection,tzdata,websocket-client,wrapt,xxhash,yarl,zipp,uv,pip,maturin",
"os": "linux",
"arch": "x86_64,aarch64",
"py_version": "312"
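Review bot: same removal of python-multipart as in lightspeed-stack-pull-request.yaml, so the two pipeline prefetch lists stay identical. Because this is a single very long line, a one-sentence note in the PR description on why the package moved from the binary list to the source hash file would save the next reader from diffing the two strings by hand.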
2 changes: 2 additions & 0 deletions requirements-build.txt
Expand Up @@ -39,6 +39,7 @@ hatchling==1.28.0
# hatch-vcs
# jsonschema
# mcp
# python-multipart
# termcolor
# urllib3
# uv-dynamic-versioning
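Review bot: the new `# python-multipart` line under hatchling records that python-multipart is now built from source and needs hatchling at build time, which is consistent with its removal from the binary prefetch lists; the build-requirements file is doing its job here, nothing else needed in this hunk.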
Expand All @@ -52,6 +53,7 @@ maturin==1.10.2
# via fastuuid
packaging==26.0
# via
# dunamai
# hatchling
# setuptools-scm
# wheel
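Review bot: `# dunamai` is added as a new dependent of packaging, but dunamai itself is not pinned in the visible part of this hunk; confirm it already has a hashed pin elsewhere in requirements-build.txt so the build-time closure stays fully pinned rather than pulling an unpinned version at build time.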
3 changes: 3 additions & 0 deletions requirements.hashes.source.txt
Expand Up @@ -402,6 +402,9 @@ pycryptodomex==3.23.0 \
pythainlp==5.2.0 \
--hash=sha256:04c6e4bdd806204be742f139b1f2e666411c4509c270dfff1a8b5afa69d36d2b \
--hash=sha256:fd64d6b3d33973782390822e74b8e2c9b867760eeed19d0d218945165b431e35
python-multipart==0.0.22 \
--hash=sha256:2b2cd894c83d21bf49d702499531c7bafd057d730c201782048f7945d82de155 \
--hash=sha256:7340bef99a7e0032613f56dc36027b959fd3b30a787ed62d310e951f7c3a3a58
Comment on lines +405 to +407
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

python-multipart 0.0.22 release notes changelog

💡 Result:

python-multipart 0.0.22 was released on Jan 25, 2026 (PyPI “Latest version”). [1]

The upstream changelog is intended to be in the repo at tag refs/tags/0.0.22 (file CHANGELOG.md). [1][2]

However, I couldn’t retrieve the contents of CHANGELOG.md for 0.0.22 via the available web sources/tools (GitHub returned a load error), so I can’t reliably list the actual 0.0.22 changes here. [2]

Sources: [1] [2]


🌐 Web query:

python-multipart 0.0.21 0.0.22 wheel hash PyPI

💡 Result:

  • python-multipart 0.0.21 wheel (python_multipart-0.0.21-py3-none-any.whl) SHA256: cf7a6713e01c87aa35387f4774e812c4361150938d20d232800f75ffcf266090 [1]
  • python-multipart 0.0.22 wheel hash: No 0.0.22 release/files are currently listed for python-multipart on PyPI (latest shown is 0.0.21, uploaded Dec 17, 2025). [1]

Sources: [1] PyPI project page for python-multipart (includes file details + hashes).


🌐 Web query:

site:pypi.org python-multipart latest version 0.0.22

💡 Result:

The latest released version of python-multipart on PyPI is 0.0.21 (uploaded Dec 17, 2025). There is no 0.0.22 release shown in the PyPI release history. [1][2]


Fix python-multipart version: 0.0.22 does not exist on PyPI.

Version 0.0.22 is not available on PyPI; the latest released version is 0.0.21 (Dec 17, 2025). This pin will cause installation to fail. Either update to 0.0.21 or confirm whether 0.0.22 is a planned/unreleased version.

🤖 Prompt for AI Agents
In `@requirements.hashes.source.txt` around lines 405 - 407, the requirements pin
for python-multipart references a non-existent version
"python-multipart==0.0.22"; update the requirement entry to a valid released
version (e.g., "python-multipart==0.0.21") and replace the accompanying --hash
values with the correct hashes for that version, or if 0.0.22 is intentionally
planned, add a comment and hold the change until it is published; locate the
package line containing "python-multipart==0.0.22" to make this edit and ensure
the two --hash=sha256:... entries are updated to match the chosen version.

regex==2026.1.15 \
--hash=sha256:0057de9eaef45783ff69fa94ae9f0fd906d629d0bd4c3217048f46d1daa32e9b \
--hash=sha256:008b185f235acd1e53787333e5690082e4f156c44c87d894f880056089e9bc7c \
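Review bot: with the wheel pin removed in requirements.hashes.wheel.txt and the package dropped from the binary prefetch lists, the `python-multipart==0.0.22` entry with its two `--hash=sha256` values is now the only route by which the package reaches the build, so an unpublished version or a hash that does not match the published sdist fails the whole install. Verify the release and its sdist hash against PyPI before merging; if 0.0.22 is not yet published, pin 0.0.21 here with its sdist hash and revisit once the release exists.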
12 changes: 5 additions & 7 deletions requirements.hashes.wheel.txt
Expand Up @@ -6,11 +6,11 @@ accelerate==1.12.0 \
--hash=sha256:85289227dfc6b606bd3abee7863744b9c43db45cd335b939d77de0496db7fa8f
aiohappyeyeballs==2.6.1 \
--hash=sha256:e63730c7e8303fe9b9b25dfdf72f49ed74380176609a5d11cf7b634058e986d9
aiohttp==3.13.2 \
--hash=sha256:6156a48c07a314feeb0c89444dfafb6f297c2ae5a502c91fff83209110bb4c47 \
--hash=sha256:a3fe218ef7da354a8e0564dc0b48b07d5d9e6819a03c4c3388bce6041009c3b6 \
--hash=sha256:b253fd276c4be03c6f7e318e9e53dc65fc5827e30f86bfba31e1ff8e07859477 \
--hash=sha256:f4962e2f1cbcabf9d4154ba03bf4ce7b5e6ce16f1c4cfe5b13bc81c6d78e476e
aiohttp==3.13.3 \
--hash=sha256:19f57e62cb4ee5baf6463ea09a386f91fd82d18bbb6f01fd69462ebb7493f1c6 \
--hash=sha256:3ad7241c57279824a2811527054c8c9ee7ed9d4c6d5fbdaba0e3a8ea95d294a4 \
--hash=sha256:94979f5fa2dc9851d95b17e261751c89b015755965c4fc4cfb8f74bc16ab56e9 \
--hash=sha256:f5822387dc614d75cd1b5526b4810e6c6657683fc483de0d83f87a9b0bc46ee5
aiosignal==1.4.0 \
--hash=sha256:3c0c9158993d1dce3bb3dc3f83687bbc7c9bcb2b335b7f31f58ecdbb238ef522
aiosqlite==0.22.0 \
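Review bot: aiohttp moves from 3.13.2 to 3.13.3 with four replacement wheel hashes, matching the four that were removed, and the same bump appears in requirements.overrides.txt. Since the other review comment on this PR identifies 3.13.3 as a security release, this hunk is the one that actually delivers the fix; make sure the override and this lock are regenerated together so they cannot drift apart later.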
Expand Down Expand Up @@ -205,8 +205,6 @@ python-dateutil==2.9.0.post0 \
--hash=sha256:9f85618b077d3ffc8beecb57c9444d7e4a25143764ed73647ea6cdf407fd58c0
python-dotenv==1.2.1 \
--hash=sha256:cea039eb10fd1e872cd774e75e99de4e80533a489a01f1a1d772427997e7b564
python-multipart==0.0.21 \
--hash=sha256:367cf1ac1f7c32221fb23a9b432d66c5d9750dbb1e9997bc641b4adb39200eae
pytz==2025.2 \
--hash=sha256:53b6d53c47751e853a76d9939a64db5be16f4ba3b896bf6f420dfa6e3aafad75
pyyaml==6.0.3 \
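Review bot: removing the `python-multipart==0.0.21` wheel pin while the source file pins 0.0.22 leaves the project depending on the sdist entry alone. If the source pin turns out to be unpublished, as the other review comment suggests, the safer sequencing is to keep this wheel pin until the source entry is confirmed installable, then drop it in a follow-up.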
4 changes: 2 additions & 2 deletions requirements.overrides.txt
Expand Up @@ -3,7 +3,7 @@
transformers==4.57.3
tokenizers==0.22.1
scipy==1.16.3
aiohttp==3.13.2
aiohttp==3.13.3
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

aiohttp 3.13.3 release notes CVE security fixes

💡 Result:

aiohttp 3.13.3 was released on 2026-01-03 and the upstream changelog states it “contains fixes for several vulnerabilities” and recommends upgrading ASAP. It also raises the minimum Brotli/brotlicffi version to 1.2 and sets a default 32 MiB maximum output per decompress call (security-hardening against decompression bombs). [1]

Security issues (CVE) fixed in 3.13.3:

  • CVE-2025-69223: “zip bomb” / memory-exhaustion DoS via compressed request bodies; fixed in 3.13.3. [2]
  • CVE-2025-69227: DoS via an infinite loop when Python assertions are stripped (e.g., -O) during Request.post() processing; fixed in 3.13.3. [3]
  • CVE-2025-69229: DoS risk via excessive blocking CPU when handling chunked messages with many chunks (notably when using request.read()); fixed in 3.13.3. [4]
  • CVE-2025-69230: DoS-style impact via cookie parsing warning log storms when cookies is accessed; fixed in 3.13.3. [5]

Sources: aiohttp changelog + CVE records. [1–5]

References:
[1] (docs.aiohttp.org)
[2] (ubuntu.com)
[3] (nvd.nist.gov)
[4] (nvd.nist.gov)
[5] (nvd.nist.gov)

Citations:


Verify Brotli/brotlicffi version requirement is also updated.

aiohttp 3.13.3 (released 2026-01-03) is confirmed as a security release fixing four CVEs (CVE-2025-69223, CVE-2025-69227, CVE-2025-69229, CVE-2025-69230) and upstream recommends upgrading ASAP. However, this release also raises the minimum Brotli/brotlicffi version to 1.2 as a security hardening measure against decompression bombs. Confirm whether Brotli or brotlicffi should also be pinned in requirements.overrides.txt to match this constraint.

🤖 Prompt for AI Agents
In `@requirements.overrides.txt` at line 6, the requirements override adds
aiohttp==3.13.3 which requires Brotli/brotlicffi >=1.2; update
requirements.overrides.txt to pin the Brotli implementation your project uses
(e.g., add brotlicffi>=1.2 or Brotli>=1.2, or a specific patch pin like
brotlicffi==1.2.*) so the minimum version constraint is satisfied; check whether
your code or dependencies import brotlicffi vs Brotli and choose the matching
package name (brotlicffi or Brotli), add the line next to aiohttp, and
regenerate/update your dependency lock/CI artifacts to ensure the new constraint
is applied.

aiosqlite==0.22.0
anyio==4.12.0
datasets==4.4.1
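Review bot: the `aiohttp==3.13.3` override matches the wheel lock update in requirements.hashes.wheel.txt. On the Brotli point raised in the other comment: neither `brotli` nor `brotlicffi` appears in the `binary.packages` lists of the two .tekton pipelines in this PR, so aiohttp's raised minimum only applies if the Brotli extra is installed at all; state that explicitly in the PR rather than adding a pin for a package the hermetic build does not prefetch.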
Expand All @@ -12,4 +12,4 @@ pyarrow==22.0.0
pillow==12.0.0
faiss-cpu==1.12.0
sqlalchemy==2.0.45
setuptools==80.9
setuptools==80.9
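Review bot: the content of `setuptools==80.9` is unchanged here; this hunk only adds the missing newline at end of file, which is the right fix and avoids a spurious diff the next time the file is regenerated.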