Features

• Make configuration options in AppRunner also available in run_app()
  -- by :user:Cycloctane.

  Related issues and pull requests on GitHub:
  #11633.

Bug fixes

• Switched to backports.zstd for Python <3.14 and fixed zstd decompression for chunked zstd streams -- by :user:ZhaoMJ.

  Note: Users who installed zstandard for support on Python <3.14 will now need to install
  backports.zstd instead (installing aiohttp[speedups] will do this automatically).

  Related issues and pull requests on GitHub:
  #11623.

• Updated Content-Type header parsing to return application/octet-stream when header contains invalid syntax.
  See :rfc:9110#section-8.3-5.

  -- by :user:sgaist.

  Related issues and pull requests on GitHub:
  #10889.

• Fixed Python 3.14 support when built without zstd support -- by :user:JacobHenner.

  Related issues and pull requests on GitHub:
  #11603.

• Fixed blocking I/O in the event loop when using netrc authentication by moving netrc file lookup to an executor -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #11634.

• Fixed routing to a sub-application added via .add_domain() not working
  if the same path exists on the parent app. -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  #11673.

Packaging updates and notes for downstreams

• Moved core packaging metadata from :file:setup.cfg to :file:pyproject.toml per :pep:621
  -- by :user:cdce8p.

  Related issues and pull requests on GitHub:
  #9951.

Features

• Added support for Python 3.14.

  Related issues and pull requests on GitHub:
  #10851, #10872.

• Added support for free-threading in Python 3.14+ -- by :user:kumaraditya303.

  Related issues and pull requests on GitHub:
  #11466, #11464.

• Added support for Zstandard (aka Zstd) compression
  -- by :user:KGuillaume-chaps.

  Related issues and pull requests on GitHub:
  #11161.

• Added StreamReader.total_raw_bytes to check the number of bytes downloaded
  -- by :user:robpats.

  Related issues and pull requests on GitHub:
  #11483.

Bug fixes

• Fixed pytest plugin to not use deprecated :py:mod:asyncio policy APIs.

  Related issues and pull requests on GitHub:
  #10851.

• Updated Content-Disposition header parsing to handle trailing semicolons and empty parts
  -- by :user:PLPeeters.

  Related issues and pull requests on GitHub:
  #11243.

• Fixed saved CookieJar failing to be loaded if cookies have partitioned flag when
  http.cookie does not have partitioned cookies supports. -- by :user:Cycloctane.

  Related issues and pull requests on GitHub:
  #11523.

Improved documentation

• Added Wireup to third-party libraries -- by :user:maldoinc.

  Related issues and pull requests on GitHub:
  #11233.

Packaging updates and notes for downstreams

• The blockbuster test dependency is now optional; the corresponding test fixture is disabled when it is unavailable
  -- by :user:musicinybrain.

  Related issues and pull requests on GitHub:
  #11363.

• Added riscv64 build to releases -- by :user:eshattow.

  Related issues and pull requests on GitHub:
  #11425.

Contributor-facing changes

• Fixed test_send_compress_text failing when alternative zlib implementation
  is used. (zlib-ng in python 3.14 windows build) -- by :user:Cycloctane.

  Related issues and pull requests on GitHub:
  #11546.

Bug fixes

• Fixed :class:~aiohttp.DigestAuthMiddleware to preserve the algorithm case from the server's challenge in the authorization response. This improves compatibility with servers that perform case-sensitive algorithm matching (e.g., servers expecting algorithm=MD5-sess instead of algorithm=MD5-SESS)
  -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #11352.

Improved documentation

• Remove outdated contents of aiohttp-devtools and aiohttp-swagger
  from Web_advanced docs.
  -- by :user:Cycloctane

  Related issues and pull requests on GitHub:
  #11347.

Packaging updates and notes for downstreams

• Started including the llhttp :file:LICENSE file in wheels by adding vendor/llhttp/LICENSE to license-files in :file:setup.cfg -- by :user:threexc.

  Related issues and pull requests on GitHub:
  #11226.

Contributor-facing changes

• Updated a regex in test_aiohttp_request_coroutine for Python 3.14.

  Related issues and pull requests on GitHub:
  #11271.

Bug fixes

• Fixed file uploads failing with HTTP 422 errors when encountering 307/308 redirects, and 301/302 redirects for non-POST methods, by preserving the request body when appropriate per :rfc:9110#section-15.4.3-3.1 -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #11270.

• Fixed :py:meth:ClientSession.close() <aiohttp.ClientSession.close> hanging indefinitely when using HTTPS requests through HTTP proxies -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #11273.

• Bumped minimum version of aiosignal to 1.4+ to resolve typing issues -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  #11280.

Features

• Added initial trailer parsing logic to Python HTTP parser -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  #11269.

Improved documentation

• Clarified exceptions raised by WebSocketResponse.send_frame et al.
  -- by :user:DoctorJohn.

  Related issues and pull requests on GitHub:
  #11234.

Bug fixes

• Fixed auto-created :py:class:~aiohttp.TCPConnector not using the session's event loop when :py:class:~aiohttp.ClientSession is created without an explicit connector -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #11147.

Bug fixes

• Fixed cookie unquoting to properly handle octal escape sequences in cookie values (e.g., \012 for newline) by vendoring the correct _unquote implementation from Python's http.cookies module -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #11173.

• Fixed Cookie header parsing to treat attribute names as regular cookies per :rfc:6265#section-5.4 -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  #11178.

Features

• Improved SSL connection handling by changing the default ssl_shutdown_timeout
  from 0.1 to 0 seconds. SSL connections now use Python's default graceful
  shutdown during normal operation but are aborted immediately when the connector
  is closed, providing optimal behavior for both cases. Also added support for
  ssl_shutdown_timeout=0 on all Python versions. Previously, this value was
  rejected on Python 3.11+ and ignored on earlier versions. Non-zero values on
  Python < 3.11 now trigger a RuntimeWarning -- by :user:bdraco.

  The ssl_shutdown_timeout parameter is now deprecated and will be removed in
  aiohttp 4.0 as there is no clear use case for changing the default.

  Related issues and pull requests on GitHub:
  #11148.

Deprecations (removal in next major release)

• Improved SSL connection handling by changing the default ssl_shutdown_timeout
  from 0.1 to 0 seconds. SSL connections now use Python's default graceful
  shutdown during normal operation but are aborted immediately when the connector
  is closed, providing optimal behavior for both cases. Also added support for
  ssl_shutdown_timeout=0 on all Python versions. Previously, this value was
  rejected on Python 3.11+ and ignored on earlier versions. Non-zero values on
  Python < 3.11 now trigger a RuntimeWarning -- by :user:bdraco.

  The ssl_shutdown_timeout parameter is now deprecated and will be removed in
  aiohttp 4.0 as there is no clear use case for changing the default.

  Related issues and pull requests on GitHub:
  #11148.

Bug fixes

• Fixed leak of aiodns.DNSResolver when :py:class:~aiohttp.TCPConnector is closed and no resolver was passed when creating the connector -- by :user:Tasssadar.

  This was a regression introduced in version 3.12.0 (:pr:10897).

  Related issues and pull requests on GitHub:
  #11150.

Bug fixes

• Fixed IOBasePayload and TextIOPayload reading entire files into memory when streaming large files -- by :user:bdraco.

  When using file-like objects with the aiohttp client, the entire file would be read into memory if the file size was provided in the Content-Length header. This could cause out-of-memory errors when uploading large files. The payload classes now correctly read data in chunks of READ_SIZE (64KB) regardless of the total content length.

  Related issues and pull requests on GitHub:
  #11138.

Features

• Added preemptive digest authentication to :class:~aiohttp.DigestAuthMiddleware -- by :user:bdraco.

  The middleware now reuses authentication credentials for subsequent requests to the same
  protection space, improving efficiency by avoiding extra authentication round trips.
  This behavior matches how web browsers handle digest authentication and follows
  :rfc:7616#section-3.6.

  Preemptive authentication is enabled by default but can be disabled by passing
  preemptive=False to the middleware constructor.

  Related issues and pull requests on GitHub:
  #11128, #11129.