fix(deps): update dependency aiohttp to v3.10.2 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
aiohttp	3.10.1 -> 3.10.2

GitHub Vulnerability Alerts

CVE-2024-42367

Summary

Static routes which contain files with compressed variants (.gz or .br extension) were vulnerable to path traversal outside the root directory if those variants are symbolic links.

Details

The server protects static routes from path traversal outside the root directory when follow_symlinks=False (default). It does this by resolving the requested URL to an absolute path and then checking that path relative to the root. However, these checks are not performed when looking for compressed variants in the FileResponse class, and symbolic links are then automatically followed when performing Path.stat() and Path.open() to send the file.

Impact

Servers with static routes that contain compressed variants as symbolic links, pointing outside the root directory, or that permit users to upload or create such links, are impacted.

---

Patch: https://github.com/aio-libs/aiohttp/pull/8653/files

---

Release Notes

aio-libs/aiohttp (aiohttp)

v3.10.2: 3.10.2

Compare Source

Bug fixes

• Fixed server checks for circular symbolic links to be compatible with Python 3.13 -- by :user:steverep.

  Related issues and pull requests on GitHub:
  #​8565.

• Fixed request body not being read when ignoring an Upgrade request -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  #​8597.

• Fixed an edge case where shutdown would wait for timeout when the handler was already completed -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  #​8611.

• Fixed connecting to npipe://, tcp://, and unix:// urls -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #​8632.

• Fixed WebSocket ping tasks being prematurely garbage collected -- by :user:bdraco.

  There was a small risk that WebSocket ping tasks would be prematurely garbage collected because the event loop only holds a weak reference to the task. The garbage collection risk has been fixed by holding a strong reference to the task. Additionally, the task is now scheduled eagerly with Python 3.12+ to increase the chance it can be completed immediately and avoid having to hold any references to the task.

  Related issues and pull requests on GitHub:
  #​8641.

• Fixed incorrectly following symlinks for compressed file variants -- by :user:steverep.

  Related issues and pull requests on GitHub:
  #​8652.

Removals and backward incompatible breaking changes

• Removed Request.wait_for_disconnection(), which was mistakenly added briefly in 3.10.0 -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  #​8636.

Contributor-facing changes

• Fixed monkey patches for Path.stat() and Path.is_dir() for Python 3.13 compatibility -- by :user:steverep.

  Related issues and pull requests on GitHub:
  #​8551.

Miscellaneous internal changes

• Improved WebSocket performance when messages are sent or received frequently -- by :user:bdraco.

  The WebSocket heartbeat scheduling algorithm was improved to reduce the asyncio scheduling overhead by decreasing the number of asyncio.TimerHandle creations and cancellations.

  Related issues and pull requests on GitHub:
  #​8608.

• Minor improvements to various type annotations -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  #​8634.

---

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.