fix(deps): require patched aiohttp on Python 3.10+#3515
Conversation
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 782a1efd3f
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| if sys.version_info < (3, 10): | ||
| pytest.skip("the aiohttp client requires Python 3.10 or later") |
There was a problem hiding this comment.
Exercise aiohttp on a supported CI interpreter
The sole test job in .github/workflows/ci.yml bootstraps the repository's .python-version (3.9.18), so this condition now skips every {"http_client": "aiohttp"} test variant in CI. Consequently, neither DefaultAioHttpClient nor the newly required aiohttp 3.14.1/httpx-aiohttp combination is exercised by the automated suite; add a Python 3.10+ test job, or otherwise run these variants on a supported interpreter.
Useful? React with 👍 / 👎.
HAYDEN-OAI
left a comment
There was a problem hiding this comment.
looks good, thanks for keeping the core sdk installable on python 3.9 while constraining the aiohttp backend and cleaning up the locks.
Summary
aiohttp>=3.14.1for the optional aiohttp backendhttpx-aiohttpbridge to Python 3.10+, while preserving core SDK support for Python 3.9uv.lock,requirements.lock, andrequirements-dev.lockso no vulnerable aiohttp 3.13.x version remainsContext
The repository has 11 open Dependabot alerts for aiohttp (7 moderate, 4 low). They share the same root cause: the universal lockfile retained aiohttp 3.13.5 for Python 3.9 even though Python 3.10+ already resolved to the patched 3.14.1 release.
The first version patched for every open advisory is aiohttp 3.14.1, which requires Python 3.10+. Applying that minimum unconditionally would make the entire SDK's optional dependency set unsatisfiable on Python 3.9. This change instead narrows only the aiohttp backend, keeping the core SDK installable on Python 3.9.
User impact and tradeoffs
openai[aiohttp]remains possible, but the backend dependencies are omitted andDefaultAioHttpClient()raises a targeted version error.uv.lockalso synchronizes the already-declared Bedrock extra and current package version, which were absent/stale in the previous lockfile.Validation
./scripts/lint— passed (Ruff, Pyright, MyPy)pytest -q tests/test_client.py tests/test_module_client.py— 196 passed.[aiohttp]— resolved and ran with aiohttp 3.14.1rye build— passed; wheel metadata contains the Python 3.10+ markers and aiohttp 3.14.1 minimumThe local full test harness could not fetch its Steady OpenAPI spec because that host is blocked in the execution environment; the complete GitHub CI suite passed on commit
782a1efd.OkTest baseline note
The ready-for-review OkTest run reported 234/237 passing. Its three failures are confined to
responses-input-items-list.test.tsandresponses-input-items-options.test.ts, where the current SDK returns the newly generatedprompt_cache_breakpoint: nullfield. This is not introduced by this PR: the current base PR (#3514) and the v2.46.0 release PR (#3501) produced the same 234/237 result in the same test files against the same OkTest revision.