Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
chore(deps): update dependency aiohttp to v3.10.11 [security] (GoogleCloudPlatform#1423)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [aiohttp](https://redirect.github.com/aio-libs/aiohttp) | `3.10.8` -> `3.10.11` | [![age](https://developer.mend.io/api/mc/badges/age/pypi/aiohttp/3.10.11?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/pypi/aiohttp/3.10.11?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/pypi/aiohttp/3.10.8/3.10.11?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/aiohttp/3.10.8/3.10.11?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the warning logs for more information.

### GitHub Vulnerability Alerts

#### [CVE-2024-52303](https://redirect.github.com/aio-libs/aiohttp/security/advisories/GHSA-27mf-ghqm-j3j8)

### Summary

A memory leak can occur when a request produces a `MatchInfoError`. This was caused by adding an entry to a cache on each request, due to the building of each `MatchInfoError` producing a unique cache entry.

### Impact

If the user is making use of any middlewares with `aiohttp.web` then it is advisable to upgrade immediately. An attacker may be able to exhaust the memory resources of a server by sending a substantial number (100,000s to millions) of such requests.

-----

Patch: aio-libs/aiohttp@bc15db6

#### [CVE-2024-52304](https://redirect.github.com/aio-libs/aiohttp/security/advisories/GHSA-8495-4g3g-x7pr)

### Summary

The Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions.

### Impact

If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or `AIOHTTP_NO_EXTENSIONS` is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections.

-----

Patch: aio-libs/aiohttp@259edc3

---

### Release Notes

<details>
<summary>aio-libs/aiohttp (aiohttp)</summary>

### [`v3.10.11`](https://redirect.github.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#31011-2024-11-13)

[Compare Source](https://redirect.github.com/aio-libs/aiohttp/compare/v3.10.10...v3.10.11)

====================

## Bug fixes

- Authentication provided by a redirect now takes precedence over provided `auth` when making requests with the client -- by :user:`PLPeeters`.

  *Related issues and pull requests on GitHub:* :issue:`9436`.

- Fixed :py:meth:`WebSocketResponse.close() <aiohttp.web.WebSocketResponse.close>` to discard non-close messages within its timeout window after sending close -- by :user:`lenard-mosys`.

  *Related issues and pull requests on GitHub:* :issue:`9506`.

- Fixed a deadlock that could occur while attempting to get a new connection slot after a timeout -- by :user:`bdraco`. The connector was not cancellation-safe.

  *Related issues and pull requests on GitHub:* :issue:`9670`, :issue:`9671`.

- Fixed the WebSocket flow control calculation undercounting with multi-byte data -- by :user:`bdraco`.

  *Related issues and pull requests on GitHub:* :issue:`9686`.

- Fixed incorrect parsing of chunk extensions with the pure Python parser -- by :user:`bdraco`.

  *Related issues and pull requests on GitHub:* :issue:`9851`.

- Fixed system routes polluting the middleware cache -- by :user:`bdraco`.

  *Related issues and pull requests on GitHub:* :issue:`9852`.

## Removals and backward incompatible breaking changes

- Improved performance of the connector when a connection can be reused -- by :user:`bdraco`. If `BaseConnector.connect` has been subclassed and replaced with custom logic, the `ceil_timeout` must be added.

  *Related issues and pull requests on GitHub:* :issue:`9600`.

## Miscellaneous internal changes

- Improved performance of the client request lifecycle when there are no cookies -- by :user:`bdraco`.

  *Related issues and pull requests on GitHub:* :issue:`9470`.

- Improved performance of sending client requests when the writer can finish synchronously -- by :user:`bdraco`.

  *Related issues and pull requests on GitHub:* :issue:`9485`.

- Improved performance of serializing HTTP headers -- by :user:`bdraco`.

  *Related issues and pull requests on GitHub:* :issue:`9603`.

- Passing `enable_cleanup_closed` to :py:class:`aiohttp.TCPConnector` is now ignored on Python 3.12.7+ and 3.13.1+ since the underlying bug that caused asyncio to leak SSL connections has been fixed upstream -- by :user:`bdraco`.

  *Related issues and pull requests on GitHub:* :issue:`9726`, :issue:`9736`.

***

### [`v3.10.10`](https://redirect.github.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#31010-2024-10-10)

[Compare Source](https://redirect.github.com/aio-libs/aiohttp/compare/v3.10.9...v3.10.10)

====================

## Bug fixes

- Fixed error messages from :py:class:`~aiohttp.resolver.AsyncResolver` being swallowed -- by :user:`bdraco`.

  *Related issues and pull requests on GitHub:* :issue:`9451`, :issue:`9455`.

## Features

- Added :exc:`aiohttp.ClientConnectorDNSError` for differentiating DNS resolution errors from other connector errors -- by :user:`mstojcevich`.

  *Related issues and pull requests on GitHub:* :issue:`8455`.

## Miscellaneous internal changes

- Simplified DNS resolution throttling code to reduce chance of race conditions -- by :user:`bdraco`.

  *Related issues and pull requests on GitHub:* :issue:`9454`.

***

### [`v3.10.9`](https://redirect.github.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#3109-2024-10-04)

[Compare Source](https://redirect.github.com/aio-libs/aiohttp/compare/v3.10.8...v3.10.9)

===================

## Bug fixes

- Fixed proxy headers being used in the `ConnectionKey` hash when a proxy was not being used -- by :user:`bdraco`. If default headers are used, they are also used for proxy headers. This could have led to creating connections that were not needed when one was already available.

  *Related issues and pull requests on GitHub:* :issue:`9368`.

- Widened the type of the `trace_request_ctx` parameter of :meth:`ClientSession.request() <aiohttp.ClientSession.request>` and friends -- by :user:`layday`.

  *Related issues and pull requests on GitHub:* :issue:`9397`.

## Removals and backward incompatible breaking changes

- Fixed failure to try next host after single-host connection timeout -- by :user:`brettdh`. The default client :class:`aiohttp.ClientTimeout` params has changed to include a `sock_connect` timeout of 30 seconds so that this correct behavior happens by default.

  *Related issues and pull requests on GitHub:* :issue:`7342`.

## Miscellaneous internal changes

- Improved performance of resolving hosts with Python 3.12+ -- by :user:`bdraco`.

  *Related issues and pull requests on GitHub:* :issue:`9342`.

- Reduced memory required for timer objects created during the client request lifecycle -- by :user:`bdraco`.

  *Related issues and pull requests on GitHub:* :issue:`9406`.

***

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/GoogleCloudPlatform/generative-ai).

Co-authored-by: Holt Skinner <13262395+holtskinner@users.noreply.github.com>
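The two advisories above apply under different conditions: CVE-2024-52303 is reachable through any `aiohttp.web` middleware on an unpatched version, while CVE-2024-52304 only matters when the pure Python HTTP parser is active (no C extensions built, or `AIOHTTP_NO_EXTENSIONS` set). The following is an added triage script, not code from this commit, from aiohttp or from the GoogleCloudPlatform repository. It compares the installed version against the 3.10.11 threshold stated in the PR and reports which advisory still applies to a given deployment. The parser detection is an assumption about aiohttp 3.x internals: the `aiohttp.http_parser` module keeps the pure Python parser under `HttpRequestParserPy` and rebinds `HttpRequestParser` to the C implementation when the extension loads; if those names are missing, the script falls back to the documented `AIOHTTP_NO_EXTENSIONS` environment variable.

```python
"""Triage helper for the two aiohttp advisories fixed in 3.10.11.

Added example for this dependency bump; not aiohttp's or the repository's own code.
Assumptions (labelled): FIXED_VERSION is taken from the PR text; the parser check
relies on aiohttp 3.x exposing ``HttpRequestParser`` and ``HttpRequestParserPy``
in ``aiohttp.http_parser`` and falls back to the ``AIOHTTP_NO_EXTENSIONS``
environment variable when it cannot tell.
"""
import os
import re
from typing import List, Optional, Tuple

# First 3.10.x release carrying both patches, per the PR description.
FIXED_VERSION: Tuple[int, int, int] = (3, 10, 11)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.10.8', '3.10.11rc1' or '3' into a comparable tuple of ints.

    Pre-release suffixes are dropped, so an rc compares equal to its final
    release; treat such a match as "verify manually", not "patched".
    """
    m = re.match(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def needs_upgrade(installed: str, fixed: Tuple[int, ...] = FIXED_VERSION) -> bool:
    """True when the installed version is older than the fixed release."""
    return parse_version(installed) < fixed


def pure_python_parser_in_use() -> Optional[bool]:
    """True if aiohttp's pure Python request parser is active, False if the C
    extension parser is active, None if aiohttp cannot be imported at all."""
    try:
        from aiohttp import http_parser  # type: ignore[import-not-found]
    except ImportError:
        return None
    # Assumption: these attribute names follow aiohttp 3.x's http_parser module.
    active = getattr(http_parser, "HttpRequestParser", None)
    pure = getattr(http_parser, "HttpRequestParserPy", None)
    if active is not None and pure is not None:
        return active is pure
    # Fallback: honour the opt-out variable named in the advisory.
    return os.environ.get("AIOHTTP_NO_EXTENSIONS", "") not in ("", "0")


def applicable_advisories(installed: str, pure_parser: Optional[bool]) -> List[str]:
    """Advisories from the PR that still apply to this version/parser combination.

    `pure_parser=None` (unknown) is treated as the worse case for CVE-2024-52304.
    CVE-2024-52303 cannot be narrowed statically: any aiohttp.web middleware
    makes the MatchInfoError cache growth reachable, so it is always listed.
    """
    if not needs_upgrade(installed):
        return []
    found = ["CVE-2024-52303"]
    if pure_parser is not False:
        found.append("CVE-2024-52304")
    return found


def main() -> None:
    from importlib.metadata import PackageNotFoundError, version

    try:
        installed = version("aiohttp")
    except PackageNotFoundError:
        print("aiohttp is not installed in this environment; nothing to check")
        return
    pure = pure_python_parser_in_use()
    parser = {True: "pure Python", False: "C extension", None: "unknown"}[pure]
    hits = applicable_advisories(installed, pure)
    print(f"aiohttp {installed} (parser: {parser})")
    if hits:
        print("upgrade to >= 3.10.11; still exposed to: " + ", ".join(hits))
    else:
        print("version is at or above the fixed release")


if __name__ == "__main__":
    main()
```

Run it inside the same virtualenv or container image the service ships with, because the parser in use depends on whether the wheel's C extension was built for that interpreter, not on the version number alone.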