From eb7e5a1052860848289a2e4f1d30f5551cb270a2 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 9 Jul 2026 11:16:42 +0000 Subject: [PATCH 1/4] Bump python-discovery from 1.4.3 to 1.4.4 (#13113) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bumps [python-discovery](https://github.com/tox-dev/python-discovery) from 1.4.3 to 1.4.4.
Release notes

Sourced from python-discovery's releases.

v1.4.4

What's Changed

New Contributors

Full Changelog: https://github.com/tox-dev/python-discovery/compare/1.4.3...1.4.4

Changelog

Sourced from python-discovery's changelog.

Bug fixes - 1.4.4


v1.4.3 (2026-07-03)


Commits

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=python-discovery&package-manager=pip&previous-version=1.4.3&new-version=1.4.4)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements/constraints.txt | 2 +- requirements/dev.txt | 2 +- requirements/lint.txt | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/requirements/constraints.txt b/requirements/constraints.txt index 2dedb6e2f42..3c479c982e6 100644 --- a/requirements/constraints.txt +++ b/requirements/constraints.txt @@ -233,7 +233,7 @@ pytest-xdist==3.8.0 # via -r requirements/test-common.in python-dateutil==2.9.0.post0 # via freezegun -python-discovery==1.4.3 +python-discovery==1.4.4 # via virtualenv python-on-whales==0.81.0 # via diff --git a/requirements/dev.txt b/requirements/dev.txt index ca38b7bab11..45fb17490d1 100644 --- a/requirements/dev.txt +++ b/requirements/dev.txt @@ -228,7 +228,7 @@ pytest-xdist==3.8.0 # via -r requirements/test-common.in python-dateutil==2.9.0.post0 # via freezegun -python-discovery==1.4.3 +python-discovery==1.4.4 # via virtualenv python-on-whales==0.81.0 # via diff --git a/requirements/lint.txt b/requirements/lint.txt index 5efdfbf7c37..8e193437d49 100644 --- a/requirements/lint.txt +++ b/requirements/lint.txt @@ -123,7 +123,7 @@ pytest-mock==3.15.1 # via -r requirements/lint.in python-dateutil==2.9.0.post0 # via freezegun -python-discovery==1.4.3 +python-discovery==1.4.4 # via virtualenv python-on-whales==0.81.0 # via -r requirements/lint.in From f3f227a51b3390db2573197ee7973e29543252f0 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 9 Jul 2026 11:23:52 +0000 Subject: [PATCH 2/4] Bump build from 1.5.0 to 1.5.1 (#13114) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bumps [build](https://github.com/pypa/build) from 1.5.0 to 1.5.1.
Release notes

Sourced from build's releases.

1.5.1

What's Changed

... (truncated)

Changelog

Sourced from build's changelog.

#################### 1.5.1 (2026-07-09) ####################


Features


  • Add --report=PATH to write a machine-readable JSON report of built artifacts; --metadata now also accepts .whl files - by :user:gaborbernat (:issue:198)
  • The srcdir argument now accepts .tar.gz source distributions, extracting and building from them - by :user:gaborbernat (:issue:311)
  • The "Unmet dependencies" error from --no-isolation builds now shows the wanted version, found version, and interpreter - by :user:gaborbernat (:issue:504)
  • Add --sdist-extract-dir to extract the intermediate sdist into a persistent directory, enabling compiler cache reuse across rebuilds - by :user:gaborbernat (:issue:614)
  • Add --env-dir to place the isolated build environment at a fixed path, enabling compiler cache reuse across builds - by :user:gaborbernat (:issue:655)
  • Print a summary of resolved dependency versions (name==version) after installing them in isolated builds - by :user:gaborbernat (:issue:959)
  • On build failure, print a tip pointing to --env-dir and --sdist-extract-dir for debugging and link to the "Debug a failed build" how-to - reported by :user:dimpase, implemented by :user:gaborbernat (:issue:966)

Bugfixes


  • Drain verbose subprocess output inline instead of using a ThreadPoolExecutor, which silently swallowed logging errors - by :user:henryiii (:issue:1098)
  • Reject a file passed as --env-dir with a clear error instead of a raw FileExistsError - by :user:henryiii (:issue:1100)
  • Emit CLI warnings to stderr instead of stdout, so they no longer corrupt --metadata JSON output on stdout - by :user:ymyzk (:issue:1111)
  • Fix the Windows symlink support probe always returning False due to a stale object interpolated into the destination path - by :user:henryiii (:issue:1118)
  • Fix metadata_path's build-backend fallback returning a nonexistent dist-info path for wheels with a build tag - by :user:henryiii (:issue:1119)
  • Write pip/uv requirements and constraints files with \n instead of os.linesep, avoiding doubled \r\r\n line endings on Windows - by :user:henryiii (:issue:1120)
  • Batch of small robustness fixes: correct macOS release parsing for the minimum pip version, avoid sharing the mutable default build-system table between builders, keep the original error when isolated-environment setup fails early, and raise BuildException for an invalid wheel - by :user:henryiii (:issue:1121)
  • Decide color support independently for stdout and stderr instead of only checking stdout.isatty(), so redirecting one stream no longer disables or leaks ANSI colors on the other - by :user:henryiii (:issue:1123)

Deprecations and Removals


  • Deprecate :func:build.util.project_wheel_metadata; use python -m build --metadata instead - by :user:gaborbernat (:issue:557)
  • Warn on config settings without a value (e.g. -C--my-flag); use -C--my-flag= instead for compatibility with pip

... (truncated)

Commits

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=build&package-manager=pip&previous-version=1.5.0&new-version=1.5.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements/constraints.txt | 2 +- requirements/dev.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements/constraints.txt b/requirements/constraints.txt index 3c479c982e6..50823f3d953 100644 --- a/requirements/constraints.txt +++ b/requirements/constraints.txt @@ -45,7 +45,7 @@ blockbuster==1.5.26 # -r requirements/test-common.in brotli==1.2.0 ; platform_python_implementation == "CPython" and sys_platform != "android" and sys_platform != "ios" # via -r requirements/runtime-deps.in -build==1.5.0 +build==1.5.1 # via pip-tools certifi==2026.6.17 # via requests diff --git a/requirements/dev.txt b/requirements/dev.txt index 45fb17490d1..2c851493df9 100644 --- a/requirements/dev.txt +++ b/requirements/dev.txt @@ -45,7 +45,7 @@ blockbuster==1.5.26 # -r requirements/test-common.in brotli==1.2.0 ; platform_python_implementation == "CPython" and sys_platform != "android" and sys_platform != "ios" # via -r requirements/runtime-deps.in -build==1.5.0 +build==1.5.1 # via pip-tools certifi==2026.6.17 # via requests From b74150784809712fe718971d05b49b6707c87dc2 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 9 Jul 2026 11:29:08 +0000 Subject: [PATCH 3/4] Bump librt from 0.12.0 to 0.13.0 (#13117) Bumps [librt](https://github.com/mypyc/librt) from 0.12.0 to 0.13.0.
Commits

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=librt&package-manager=pip&previous-version=0.12.0&new-version=0.13.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements/constraints.txt | 2 +- requirements/dev.txt | 2 +- requirements/lint.txt | 2 +- requirements/test-common.txt | 2 +- requirements/test-ft.txt | 2 +- requirements/test.txt | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/requirements/constraints.txt b/requirements/constraints.txt index 50823f3d953..c9fee14512e 100644 --- a/requirements/constraints.txt +++ b/requirements/constraints.txt @@ -118,7 +118,7 @@ jinja2==3.1.6 # sphinx # sphinxcontrib-mermaid # towncrier -librt==0.12.0 +librt==0.13.0 # via mypy markdown-it-py==3.0.0 # via diff --git a/requirements/dev.txt b/requirements/dev.txt index 2c851493df9..49dd89869b4 100644 --- a/requirements/dev.txt +++ b/requirements/dev.txt @@ -116,7 +116,7 @@ jinja2==3.1.6 # sphinx # sphinxcontrib-mermaid # towncrier -librt==0.12.0 +librt==0.13.0 # via mypy markdown-it-py==3.0.0 # via diff --git a/requirements/lint.txt b/requirements/lint.txt index 8e193437d49..63507975fb1 100644 --- a/requirements/lint.txt +++ b/requirements/lint.txt @@ -60,7 +60,7 @@ iniconfig==2.3.0 # via pytest isal==1.8.0 # via -r requirements/lint.in -librt==0.12.0 +librt==0.13.0 # via mypy markdown-it-py==4.2.0 # via rich diff --git a/requirements/test-common.txt b/requirements/test-common.txt index 9bf331379d8..d90f13720e2 100644 --- a/requirements/test-common.txt +++ b/requirements/test-common.txt @@ -50,7 +50,7 @@ iniconfig==2.3.0 # via pytest isal==1.8.0 ; python_version < "3.14" and implementation_name == "cpython" # via -r requirements/test-common.in -librt==0.12.0 +librt==0.13.0 # via mypy markdown-it-py==4.2.0 # via rich diff --git a/requirements/test-ft.txt b/requirements/test-ft.txt index 280b9266273..e820e63109d 100644 --- a/requirements/test-ft.txt +++ b/requirements/test-ft.txt @@ -67,7 +67,7 @@ iniconfig==2.3.0 # via pytest isal==1.8.0 ; python_version < "3.14" and implementation_name == "cpython" # via -r requirements/test-common.in -librt==0.12.0 +librt==0.13.0 # via mypy markdown-it-py==4.2.0 # via rich diff --git a/requirements/test.txt b/requirements/test.txt index 30722b73010..e1c3cce7aca 100644 --- a/requirements/test.txt +++ b/requirements/test.txt @@ -67,7 +67,7 @@ iniconfig==2.3.0 # via pytest isal==1.8.0 ; python_version < "3.14" and implementation_name == "cpython" # via -r requirements/test-common.in -librt==0.12.0 +librt==0.13.0 # via mypy markdown-it-py==4.2.0 # via rich From 64313cfc5024a316d85f34e7e77c9995a683e35f Mon Sep 17 00:00:00 2001 From: Javid Khan Date: Thu, 9 Jul 2026 19:51:23 +0530 Subject: [PATCH 4/4] reject websocket close codes above the valid range (#12895) --- CHANGES/12895.bugfix.rst | 4 ++++ CONTRIBUTORS.txt | 1 + aiohttp/_websocket/reader_py.py | 5 ++++- tests/test_websocket_parser.py | 16 ++++++++++++++-- 4 files changed, 23 insertions(+), 3 deletions(-) create mode 100644 CHANGES/12895.bugfix.rst diff --git a/CHANGES/12895.bugfix.rst b/CHANGES/12895.bugfix.rst new file mode 100644 index 00000000000..af206e7f443 --- /dev/null +++ b/CHANGES/12895.bugfix.rst @@ -0,0 +1,4 @@ +Rejected WebSocket ``CLOSE`` frames carrying a status code above the +valid range (greater than ``4999``) with a protocol error, matching the +existing handling of out-of-range low codes, per :rfc:`6455#section-7.4.1` +-- by :user:`dxbjavid`. diff --git a/CONTRIBUTORS.txt b/CONTRIBUTORS.txt index 88875d58397..66015395713 100644 --- a/CONTRIBUTORS.txt +++ b/CONTRIBUTORS.txt @@ -123,6 +123,7 @@ Dmitry Trofimov Dmytro Bohomiakov Dmytro Kuznetsov Dustin J. Mitchell +dxbjavid Earle Lowe Eduard Iskandarov Eli Ribble diff --git a/aiohttp/_websocket/reader_py.py b/aiohttp/_websocket/reader_py.py index 82b5b65af60..9fd1e334896 100644 --- a/aiohttp/_websocket/reader_py.py +++ b/aiohttp/_websocket/reader_py.py @@ -293,7 +293,10 @@ def _handle_frame( payload_len = len(payload) if payload_len >= 2: close_code = UNPACK_CLOSE_CODE(payload[:2])[0] - if close_code < 3000 and close_code not in ALLOWED_CLOSE_CODES: + # https://datatracker.ietf.org/doc/html/rfc6455#section-7.4.2 + if close_code > 4999 or ( + close_code < 3000 and close_code not in ALLOWED_CLOSE_CODES + ): raise WebSocketError( WSCloseCode.PROTOCOL_ERROR, f"Invalid close code: {close_code}", diff --git a/tests/test_websocket_parser.py b/tests/test_websocket_parser.py index b703232fd71..a89a2210f31 100644 --- a/tests/test_websocket_parser.py +++ b/tests/test_websocket_parser.py @@ -287,9 +287,9 @@ def test_close_frame(out: WebSocketDataQueue, parser: PatchableWebSocketReader) def test_close_frame_info( out: WebSocketDataQueue, parser: PatchableWebSocketReader ) -> None: - parser._handle_frame(True, WSMsgType.CLOSE, b"0112345", 0) + parser._handle_frame(True, WSMsgType.CLOSE, b"\x03\xe912345", 0) res = out._buffer[0] - assert res == WSMessageClose(data=12337, size=7, extra="12345") + assert res == WSMessageClose(data=1001, size=7, extra="12345") def test_close_frame_invalid( @@ -311,6 +311,18 @@ def test_close_frame_invalid_2( assert ctx.value.code == WSCloseCode.PROTOCOL_ERROR +@pytest.mark.parametrize("code", (5000, 9999, 65535)) +def test_close_frame_invalid_code_above_range( + parser: PatchableWebSocketReader, code: int +) -> None: + data = build_close_frame(code=code) + + with pytest.raises(WebSocketError) as ctx: + parser._feed_data(data) + + assert ctx.value.code == WSCloseCode.PROTOCOL_ERROR + + def test_close_frame_unicode_err(parser: PatchableWebSocketReader) -> None: data = build_close_frame(code=1000, message=b"\xf4\x90\x80\x80")