From a8bb617f7d9944ed6a4cd0c961fdcc5c615a8b86 Mon Sep 17 00:00:00 2001
From: Isaac Schepp
Date: Thu, 11 Jun 2026 19:05:47 -0500
Subject: [PATCH] chore(general): allow aiohttp 3.14 by widening the version range

aiohttp 3.13.x has two known vulnerabilities (CVE-2026-34993, CVE-2026-47265) that are only fixed in 3.14.0, but the <3.14.0 cap prevents any consumer from resolving the fixed version alongside checkov. Widen the range to >=3.8.0,<4.0.0 instead of requiring >=3.14.0 because aiohttp 3.14 needs Python >=3.10 while checkov still supports 3.9 - environments on 3.10+ can now resolve 3.14.x, while 3.9 keeps 3.13.x. Pipfile.lock is untouched: it still pins 3.13.5 (installable everywhere) and its _meta hash already corresponds to the <4.0.0 range that was in the Pipfile before the cap was added. The only 3.14 incompatibility is in tests: aioresponses cannot build a mocked response for aiohttp>=3.14 (pnuckowski/aioresponses#289), so the one test that mocks a successful aiohttp response is skipped on that combination until aioresponses ships a fix. checkov's own aiohttp usage is unaffected (verified: full test_http_utils pass on 3.13.5, 15 pass/1 skip on 3.14.0, end-to-end scan works on 3.14.0). Fixes #7577
---
 Pipfile | 2 +-
 setup.py | 2 +-
 tests/common/utils/test_http_utils.py | 16 ++++++++++++++++
 3 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/Pipfile b/Pipfile
index 613b535f8a..e7c2edff8c 100644
--- a/Pipfile
+++ b/Pipfile
@@ -68,7 +68,7 @@ cachetools = ">=5.2.0,<6.0.0"
 cyclonedx-python-lib = ">=6.0.0,<8.0.0"
 packageurl-python = ">=0.11.1,<0.14.0"
 click = ">=8.1.0,<9.0.0"
-aiohttp = ">=3.8.0,<3.14.0"
+aiohttp = ">=3.8.0,<4.0.0"
 aiodns = ">=3.0.0,<4.0.0"
 aiomultiprocess = ">=0.9.0,<0.10.0"
 schema = "<=0.7.5"
diff --git a/setup.py b/setup.py
index 74693ec215..f96b3ceb6f 100644
--- a/setup.py
+++ b/setup.py
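Review bot: The widened range `>=3.8.0,<4.0.0` still lets a Python 3.10+ environment resolve aiohttp 3.13.x or older whenever another constraint or an existing lockfile prefers it, so the two advisories the commit message cites (CVE-2026-34993, CVE-2026-47265) remain installable there; the change removes the cap but nothing steers resolution toward the fixed line. PEP 508 environment markers express the intended split without dropping 3.9: in the setup.py hunk, replace the single `"aiohttp<4.0.0,>=3.8.0",` entry with `"aiohttp>=3.8.0,<3.14.0; python_version < '3.10'",` and `"aiohttp>=3.14.0,<4.0.0; python_version >= '3.10'",`. The same split is possible in this Pipfile hunk (a `markers` key on the package entry), although that would alter the `_meta` hash the message says is deliberately left alone, so the setup.py side is the one downstream consumers actually need. If the looser range is intentional, the commit message should say that 3.10+ consumers are expected to pin aiohttp>=3.14.0 themselves.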
@@ -92,7 +92,7 @@ def run(self) -> None:
 "cyclonedx-python-lib<8.0.0,>=6.0.0",
 "packageurl-python<0.14.0,>=0.11.1",
 "click<9.0.0,>=8.1.0",
-"aiohttp<3.14.0,>=3.8.0",
+"aiohttp<4.0.0,>=3.8.0",
 "aiodns<4.0.0,>=3.0.0",
 "aiomultiprocess>=0.9.0,<0.10.0",
 "schema<=0.7.5",
diff --git a/tests/common/utils/test_http_utils.py b/tests/common/utils/test_http_utils.py
index ac6abf14bf..3bfed50475 100644
--- a/tests/common/utils/test_http_utils.py
+++ b/tests/common/utils/test_http_utils.py
@@ -5,10 +5,22 @@
 import pytest
 from pytest_mock import MockerFixture
 from aioresponses import aioresponses
+from aioresponses import __version__ as aioresponses_version
 import aiohttp
+from packaging import version
+
 from checkov.common.util.http_utils import request_wrapper, aiohttp_client_session_wrapper, valid_url
+# aioresponses can't build a mock response for aiohttp>=3.14 yet (its mocked
+# ClientResponse is missing the new required 'stream_writer' argument), see
+# https://github.com/pnuckowski/aioresponses/issues/289. Tests that only mock
+# exceptions are unaffected. Remove once aioresponses releases a fix.
+AIORESPONSES_LACKS_AIOHTTP_314_SUPPORT = (
+ version.parse(aiohttp.__version__) >= version.parse("3.14.0")
+ and version.parse(aioresponses_version) <= version.parse("0.7.8")
+)
+
 def get_report_url() -> str:
 base_url = "https://www.bridgecrew.cloud/api/v1/vulnerabilities"
@@ -127,6 +139,10 @@ def test_request_wrapper_with_success_for_post_scan(mock_bc_integration, scan_re
 responses.assert_call_count(mock_url, 1)
+@pytest.mark.skipif(
+ AIORESPONSES_LACKS_AIOHTTP_314_SUPPORT,
+ reason="aioresponses can't mock a successful response under aiohttp>=3.14 (pnuckowski/aioresponses#289)",
+)
 @pytest.mark.asyncio
 async def test_aiohttp_client_session_wrapper_with_one_handled_exception(mocker: MockerFixture, mock_bc_integration):
 # given
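Review bot: `from packaging import version` makes the test module import `packaging` at module scope, but nothing in this patch declares it as a test or dev dependency; if checkov already requires it at runtime this is fine, otherwise it is only present transitively and the whole module — every test in it, not just the one being skipped — fails at import in an environment where that transitive install is missing. Please confirm it is declared somewhere not shown here or add it to the dev dependencies. The `<= version.parse("0.7.8")` bound also deserves a line in the comment above the constant, e.g. `# 0.7.8: newest aioresponses release checked for this bug; a newer release is assumed to carry the fix, so the test runs (and fails loudly) rather than skipping if it does not.`, since a future reader cannot tell from the expression whether bumping that number is safe.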
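Review bot: Skipping `test_aiohttp_client_session_wrapper_with_one_handled_exception` removes what the commit message describes as the only test that mocks a successful aiohttp response (by its name it presumably mocks one exception and then a success), so on any Python 3.10+ job that resolves aiohttp 3.14.x the success path of `aiohttp_client_session_wrapper` is no longer exercised and a regression there would pass CI silently. Because the skip is keyed on whatever versions happen to be installed rather than on an explicit CI matrix, it is worth making sure at least one job still pins `aiohttp<3.14.0` (or pinning it in the test environment until pnuckowski/aioresponses#289 is resolved) so the path keeps running somewhere. The test body continues outside the hunk.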