Bump aiohttp from 3.12.15 to 3.13.4 #301

Open: dependabot[bot] wants to merge 1 commit into main from dependabot/uv/aiohttp-3.13.4

Conversation


@dependabot dependabot bot commented on behalf of github Apr 1, 2026

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Greptile Summary

Dependabot PR to bump aiohttp from 3.12.15 to 3.13.4. However, the version specifier in pyproject.toml was changed to the invalid "aiohttp*" (not valid PEP 508 syntax), replacing the previous correct "aiohttp>=3.10.10,<4". This will cause build/install failures with standard Python packaging tools.

  • Critical: "aiohttp*" on line 29 of pyproject.toml is not a valid PEP 508 dependency specifier and must be corrected (e.g. "aiohttp>=3.13.4,<4")
  • The uv.lock file was updated with correct hashes for aiohttp 3.13.4, but the requires-dist metadata still references the old >=3.10.10,<4 specifier, creating an inconsistency with pyproject.toml
  • The lock file should be regenerated after fixing the specifier in pyproject.toml

Confidence Score: 1/5

  • This PR introduces an invalid dependency specifier that will break package builds and should not be merged as-is.
  • The aiohttp* specifier in pyproject.toml is not valid PEP 508 syntax (confirmed via the packaging library). This is a critical issue that will cause build failures for any consumer of the package using standard Python tooling. The lock file also has an inconsistency in its requires-dist metadata.
  • pyproject.toml requires immediate attention to fix the invalid dependency specifier on line 29.

Important Files Changed

| Filename | Overview |
| --- | --- |
| pyproject.toml | The aiohttp dependency specifier was changed from a valid `>=3.10.10,<4` to an invalid `aiohttp*`, which is not valid PEP 508 syntax and will break builds. |
| uv.lock | Lock file updated aiohttp from 3.12.15 to 3.13.4 with new wheel hashes. The requires-dist metadata still references the old `>=3.10.10,<4` specifier, which is inconsistent with the pyproject.toml change. |

Flowchart

```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["pyproject.toml\naiohttp dependency"] -->|"Changed to invalid\naiohttp*"| B["PEP 508 Parse Error"]
    A -->|"Should be\naiohttp>=3.13.4,<4"| C["Valid Specifier"]
    C --> D["uv lock regeneration"]
    D --> E["uv.lock\naiohttp 3.13.4 hashes"]
    B -->|"Breaks"| F["pip install / hatch build"]
```
Review comment on pyproject.toml, line 29:
**Invalid PEP 508 version specifier**

`"aiohttp*"` is not a valid PEP 508 dependency specifier. The `*` wildcard is not part of the PEP 440/508 version specification syntax. I confirmed this locally — Python's `packaging` library raises `InvalidRequirement: Expected semicolon (after name with no version specifier) or end` when parsing `aiohttp*`.

The previous specifier was `"aiohttp>=3.10.10,<4"`, which correctly constrained the version to the 3.x range. This should be restored with the lower bound bumped if desired, e.g.:

```suggestion
    "aiohttp>=3.13.4,<4",
```

This will pin to `>=3.13.4` (the target version of this bump) while still preventing a future breaking `4.x` upgrade. Without this fix, builds using standard PEP 508 tooling (pip, hatch, etc.) may fail to parse the dependency.

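A pre-merge check that reproduces the validation the review comment describes, as an added example that is not part of the Dependabot PR or the Greptile review. It uses the `packaging` library when it is installed (the check the reviewer ran); otherwise it falls back to a deliberately small parser that understands only plain release versions with the six comparison operators, which is an assumption sufficient for the specifiers quoted on this page and not a full PEP 508 implementation. The three requirement strings are the ones the review quotes; the dependency list they are fed into is constructed.

```python
"""Validate pyproject.toml dependency specifiers and check which versions they admit.

Added example, not code from the PR or the review. Prefers the `packaging`
library; the fallback parser is an intentional subset of PEP 440/508
(release versions X.Y.Z with <, <=, >, >=, ==, != only; no extras, markers,
URLs, epochs, pre/post/dev segments or wildcards).
"""
import re

# Requirement strings quoted in the review: the broken one, the previous one,
# and the one the reviewer proposes.
BROKEN = "aiohttp*"
OLD = "aiohttp>=3.10.10,<4"
PROPOSED = "aiohttp>=3.13.4,<4"

try:
    from packaging.requirements import InvalidRequirement, Requirement
    HAVE_PACKAGING = True
except ImportError:  # fall back to the subset parser below
    HAVE_PACKAGING = False

# PEP 508 project name followed by whatever remains (specifiers, or garbage such as "*").
_NAME_RE = re.compile(r"^([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)(.*)$")
# One comparison operator plus a dotted release version, e.g. ">=3.13.4" or "<4".
_SPEC_RE = re.compile(r"^(<=|>=|==|!=|<|>)\s*(\d+(?:\.\d+)*)$")

_OPS = {
    "<": lambda c: c < 0, "<=": lambda c: c <= 0, ">": lambda c: c > 0,
    ">=": lambda c: c >= 0, "==": lambda c: c == 0, "!=": lambda c: c != 0,
}


def _fallback_parse(req):
    """Return (name, [(op, version_tuple), ...]) or raise ValueError."""
    m = _NAME_RE.match(req.strip())
    if not m:
        raise ValueError(f"no valid project name in {req!r}")
    name, rest = m.group(1), m.group(2).strip()
    specs = []
    if rest:
        for part in rest.split(","):
            sm = _SPEC_RE.match(part.strip())
            if not sm:
                raise ValueError(f"invalid version specifier {part.strip()!r}")
            specs.append((sm.group(1), tuple(int(x) for x in sm.group(2).split("."))))
    return name, specs


def _cmp(a, b):
    """Compare two release tuples PEP 440 style: 4 == 4.0.0, so pad with zeros."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def check_requirement(req):
    """Return (is_valid, detail); detail carries the parser's error text when invalid."""
    if HAVE_PACKAGING:
        try:
            Requirement(req)
            return True, ""
        except InvalidRequirement as exc:
            return False, str(exc)
    try:
        _fallback_parse(req)
        return True, ""
    except ValueError as exc:
        return False, str(exc)


def version_allowed(req, version):
    """True if `version` satisfies every specifier in `req`; ValueError if `req` is invalid."""
    if HAVE_PACKAGING:
        try:
            parsed = Requirement(req)
        except InvalidRequirement as exc:
            raise ValueError(str(exc)) from exc
        return bool(parsed.specifier.contains(version, prereleases=False))
    _, specs = _fallback_parse(req)
    v = tuple(int(x) for x in version.split("."))
    return all(_OPS[op](_cmp(v, target)) for op, target in specs)


def audit_dependencies(deps):
    """Return {requirement: reason} for every entry in a dependency list that does not parse."""
    problems = {}
    for dep in deps:
        ok, detail = check_requirement(dep)
        if not ok:
            problems[dep] = detail
    return problems


if __name__ == "__main__":
    # Constructed dependency list standing in for pyproject.toml's [project].dependencies.
    for dep, why in audit_dependencies([BROKEN, PROPOSED]).items():
        print(f"INVALID {dep!r}: {why}")
    for ver in ("3.12.15", "3.13.4", "4.0.0"):
        print(f"{PROPOSED} admits {ver}: {version_allowed(PROPOSED, ver)}")
```

Wired into CI against the `dependencies` list of pyproject.toml, `audit_dependencies` fails the build on a specifier that no longer parses, and `version_allowed` confirms that the bumped version (3.13.4) falls inside the proposed range while the old version (3.12.15) and any 4.x release fall outside it.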

Reviews (1): Last reviewed commit: "Bump aiohttp from 3.12.15 to 3.13.4"

---
updated-dependencies:
- dependency-name: aiohttp
  dependency-version: 3.13.4
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels Apr 1, 2026