Merge pull request #93 from mongodb/security/fix-aiohttp-cve-2026-34525-dev

fix(python-fastapi): bump aiohttp for CVE-2026-34525 (GHSA-c427-h43c-vf67)

Author: cbullinger

mflix/server/python-fastapi/requirements.in

@@ -62,7 +62,7 @@ rich-toolkit~=0.15.1    # Extensions for the 'rich' library
 # Minimum versions for indirect dependencies.
 # ------------------------------------------------------------------------------
 filelock>=3.20.3        # Transitive dep via huggingface-hub
-aiohttp>=3.13.3         # Transitive dep via voyageai
+aiohttp>=3.13.4         # Transitive dep via voyageai (CVE-2026-34525)
 orjson>=3.11.7          # Transitive dep via langsmith (CVE fix)
 langchain-core>=1.2.11  # Transitive dep via langchain-text-splitters (CVE-2026-26013 fix)
 pillow>=12.1.1          # Transitive dep via voyageai (CVE-2026-25990 fix)

mflix/server/python-fastapi/requirements.txt

@@ -6,7 +6,7 @@
 #
 aiohappyeyeballs==2.6.1
     # via aiohttp
-aiohttp==3.13.3
+aiohttp==3.13.5
     # via
     #   -r requirements.in
     #   voyageai