[1.3.3] - 2026-06-17
Maintenance release. No functional change to the integration — runtime code,
entities and the config-entry schema are identical to 1.3.1. Dependency,
test-tooling and CI-action updates only. Full suite (474 tests), the ruff
lint + format gates and the pip-audit dependency audit re-verified green
against every bumped pin.
Supersedes the unreleased 1.3.2 commit: its release pipeline failed on the
security gate (a fresh batch of aiohttp test-only advisories landed) before
any tag or artifact was published. This release folds in that audit fix.
Changed
- ruff 0.15.16 → 0.15.17 (requirements.txt, Dependabot #30) — lint + format gates re-verified clean.
- pip >=26.1.1 → >=26.1.2 (requirements.txt, Dependabot #35).
- pytest >=9.0.3 → >=9.1.0 (requirements_test.txt, Dependabot #33, upper bound <10 retained).
- pytest-asyncio >=1.3.0 → >=1.4.0 (requirements_test.txt, Dependabot #32, upper bound <2 retained).
- codecov/codecov-action v6.0.1 → v7.0.0 (Dependabot #37) — removes an internal license-compliance workflow; no input/output changes for callers.
- gitleaks/gitleaks-action v2 → v3.0.0 (Dependabot #34) — runtime Node 20 → Node 24, no input/output/behaviour changes; clears the Node 20 deprecation ahead of GitHub's 2026-09-16 runner removal.
- home-assistant/actions/hassfest pinned SHA refreshed to upstream master (Dependabot #36).
Security
- 11 aiohttp advisories now affect the pinned test dependency aiohttp<3.14 (requirements_test.txt): the original CVE-2026-34993 / CVE-2026-47265 plus a fresh batch (CVE-2026-50269 and CVE-2026-54273…54280), every one fixed only in aiohttp 3.14.0/3.14.1. The upgrade to aiohttp 3.14 (Dependabot #31) was verified to break the entire test suite — aioresponses 0.7.8 (its latest release) does not pass the stream_writer kwarg that aiohttp 3.14 made mandatory. End users are unaffected: the integration ships "requirements": []; the patched aiohttp is provided by Home Assistant core at runtime. The advisories are scoped to the test harness — the security.yaml test-deps audit now ignores all 11 (runtime audit stays --strict with zero ignores), and the matching Dependabot alerts are dismissed as tolerable_risk — until aioresponses ships a 3.14-compatible release. The durable fix (migrating off aioresponses) is tracked in the backlog.