upgrade aiohttp to 3.13.3 to prevent zip bomb DoS

[rpancham]

Addresses : https://issues.redhat.com/browse/RHOAIENG-43597

This PR addresses RHOAIENG-43597 by fixing a denial-of-service vulnerability in the transitive dependency aiohttp. Versions ≤3.13.2 are vulnerable to a zip-bomb attack via automatic decompression, which can lead to memory exhaustion. The dependency has been pinned to aiohttp 3.13.3, which includes the upstream fix, and the lockfile has been updated to ensure the resolved version is used at runtime. The fix was verified by confirming the installed aiohttp version inside the built container.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rpancham

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [rpancham]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[RH-steve-grubb]

/lgtm