fix(python-fastapi): bump aiohttp to >=3.13.4 for CVE-2026-34525

cbullinger · cbullinger · commit 0f141a35beda · 2026-04-02T08:02:57.000-04:00
Raises the transitive aiohttp floor to the patched series so duplicate Host headers are rejected (GHSA-c427-h43c-vf67). Regenerated requirements.txt with pip-compile. Resolves Dependabot alerts #31-40. Made-with: Cursor
diff --git a/mflix/server/python-fastapi/requirements.in b/mflix/server/python-fastapi/requirements.in
@@ -62,7 +62,7 @@ rich-toolkit~=0.15.1    # Extensions for the 'rich' library
 # Minimum versions for indirect dependencies.
 # ------------------------------------------------------------------------------
 filelock>=3.20.3        # Transitive dep via huggingface-hub
-aiohttp>=3.13.3         # Transitive dep via voyageai
+aiohttp>=3.13.4         # Transitive dep via voyageai (CVE-2026-34525)
 orjson>=3.11.7          # Transitive dep via langsmith (CVE fix)
 langchain-core>=1.2.11  # Transitive dep via langchain-text-splitters (CVE-2026-26013 fix)
 pillow>=12.1.1          # Transitive dep via voyageai (CVE-2026-25990 fix)
diff --git a/mflix/server/python-fastapi/requirements.txt b/mflix/server/python-fastapi/requirements.txt
@@ -6,7 +6,7 @@
 #
 aiohappyeyeballs==2.6.1
     # via aiohttp
-aiohttp==3.13.3
+aiohttp==3.13.5
     # via
     #   -r requirements.in
     #   voyageai

Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,7 @@`
`6`	`6`	`#`
`7`	`7`	`aiohappyeyeballs==2.6.1`
`8`	`8`	`# via aiohttp`
`9`		`-aiohttp==3.13.3`
	`9`	`+aiohttp==3.13.5`
`10`	`10`	`# via`
`11`	`11`	`# -r requirements.in`
`12`	`12`	`# voyageai`