Avoid adding Content-Type to non-body responses

The current code sets the content-type header for all responses
to the result's content_type property if upstream does not set a
content_type. The default value for content_type is
"application/octet-stream".

For responses that do not have a body (like 204 No Content or
304 Not Modified), setting a content-type header is unnecessary and
potentially misleading. Follow HTTP standards by only adding the
content-type header to responses that actually contain a body.

.github/workflows/builder.yml

@@ -107,7 +107,7 @@ jobs:
       # home-assistant/wheels doesn't support sha pinning
       - name: Build wheels
         if: needs.init.outputs.requirements == 'true'
-        uses: home-assistant/wheels@2025.09.1
+        uses: home-assistant/wheels@2025.10.0
         with:
           abi: cp313
           tag: musllinux_1_2
@@ -132,7 +132,7 @@ jobs:
 
       - name: Install Cosign
         if: needs.init.outputs.publish == 'true'
-        uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
         with:
           cosign-release: "v2.5.3"
 

.github/workflows/ci.yaml

@@ -346,7 +346,7 @@ jobs:
         with:
           python-version: ${{ needs.prepare.outputs.python-version }}
       - name: Install Cosign
-        uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
         with:
           cosign-release: "v2.5.3"
       - name: Restore Python virtual environment

.github/workflows/stale.yml

@@ -16,6 +16,7 @@ jobs:
           days-before-close: 7
           stale-issue-label: "stale"
           exempt-issue-labels: "no-stale,Help%20wanted,help-wanted,pinned,rfc,security"
+          only-issue-types: "bug"
           stale-issue-message: >
             There hasn't been any activity on this issue recently. Due to the
             high number of incoming GitHub notifications, we have to clean some

requirements.txt

@@ -1,14 +1,14 @@
 aiodns==3.5.0
-aiohttp==3.13.0
+aiohttp==3.13.1
 atomicwrites-homeassistant==1.4.1
 attrs==25.4.0
 awesomeversion==25.8.0
 blockbuster==1.5.25
 brotli==1.1.0
 ciso8601==2.3.3
-colorlog==6.9.0
+colorlog==6.10.1
 cpe==1.3.1
-cryptography==46.0.2
+cryptography==46.0.3
 debugpy==1.8.17
 deepmerge==2.0
 dirhash==0.5.0
@@ -19,11 +19,11 @@ jinja2==3.1.6
 log-rate-limit==1.4.2
 orjson==3.11.3
 pulsectl==24.12.0
-pyudev==0.24.3
+pyudev==0.24.4
 PyYAML==6.0.3
 requests==2.32.5
 securetar==2025.2.1
-sentry-sdk==2.40.0
+sentry-sdk==2.42.1
 setuptools==80.9.0
 voluptuous==0.15.2
 dbus-fast==2.44.5

requirements_tests.txt

@@ -1,16 +1,16 @@
-astroid==3.3.11
-coverage==7.10.7
+astroid==4.0.1
+coverage==7.11.0
 mypy==1.18.2
 pre-commit==4.3.0
-pylint==3.3.9
+pylint==4.0.2
 pytest-aiohttp==1.1.0
 pytest-asyncio==0.25.2
 pytest-cov==7.0.0
 pytest-timeout==2.4.0
 pytest==8.4.2
-ruff==0.14.0
+ruff==0.14.1
 time-machine==2.19.0
-types-docker==7.1.0.20250916
+types-docker==7.1.0.20251009
 types-pyyaml==6.0.12.20250915
 types-requests==2.32.4.20250913
 urllib3==2.5.0

supervisor/api/ingress.py

@@ -253,6 +253,16 @@ class APIIngress(CoreSysAttributes):
             skip_auto_headers={hdrs.CONTENT_TYPE},
         ) as result:
             headers = _response_header(result)
+
+            # Empty body responses (304, 204, HEAD, etc.) should not be streamed,
+            # otherwise aiohttp < 3.9.0 may generate an invalid "0\r\n\r\n" chunk
+            # This also avoids setting content_type for empty responses.
+            if must_be_empty_body(request.method, result.status):
+                return web.Response(
+                    headers=headers,
+                    status=result.status,
+                )
+
             # Avoid parsing content_type in simple cases for better performance
             if maybe_content_type := result.headers.get(hdrs.CONTENT_TYPE):
                 content_type = (maybe_content_type.partition(";"))[0].strip()
@@ -260,11 +270,7 @@ class APIIngress(CoreSysAttributes):
                 content_type = result.content_type
             # Simple request
             if (
-                # empty body responses should not be streamed,
-                # otherwise aiohttp < 3.9.0 may generate
-                # an invalid "0\r\n\r\n" chunk instead of an empty response.
-                must_be_empty_body(request.method, result.status)
-                or hdrs.CONTENT_LENGTH in result.headers
+                hdrs.CONTENT_LENGTH in result.headers
                 and int(result.headers.get(hdrs.CONTENT_LENGTH, 0)) < 4_194_000
             ):
                 # Return Response

supervisor/api/supervisor.py

@@ -108,7 +108,8 @@ class APISupervisor(CoreSysAttributes):
             ATTR_AUTO_UPDATE: self.sys_updater.auto_update,
             ATTR_DETECT_BLOCKING_IO: BlockBusterManager.is_enabled(),
             ATTR_COUNTRY: self.sys_config.country,
-            # Deprecated
+            # Depricated
+            ATTR_WAIT_BOOT: self.sys_config.wait_boot,
             ATTR_ADDONS: [
                 {
                     ATTR_NAME: addon.name,
@@ -122,6 +123,10 @@ class APISupervisor(CoreSysAttributes):
                 }
                 for addon in self.sys_addons.local.values()
             ],
+            ATTR_ADDONS_REPOSITORIES: [
+                {ATTR_NAME: store.name, ATTR_SLUG: store.slug}
+                for store in self.sys_store.all
+            ],
         }
 
     @api_process
@@ -177,10 +182,20 @@ class APISupervisor(CoreSysAttributes):
                 self.sys_config.detect_blocking_io = False
                 BlockBusterManager.deactivate()
 
+        # Deprecated
+        if ATTR_WAIT_BOOT in body:
+            self.sys_config.wait_boot = body[ATTR_WAIT_BOOT]
+
         # Save changes before processing addons in case of errors
         await self.sys_updater.save_data()
         await self.sys_config.save_data()
 
+        # Remove: 2022.9
+        if ATTR_ADDONS_REPOSITORIES in body:
+            await asyncio.shield(
+                self.sys_store.update_repositories(set(body[ATTR_ADDONS_REPOSITORIES]))
+            )
+
         await self.sys_resolution.evaluate.evaluate_system()
 
     @api_process

supervisor/resolution/evaluations/docker_configuration.py

@@ -8,7 +8,7 @@ from ..const import UnsupportedReason
 from .base import EvaluateBase
 
 EXPECTED_LOGGING = "journald"
-EXPECTED_STORAGE = "overlay2"
+EXPECTED_STORAGE = ("overlay2", "overlayfs")
 
 _LOGGER: logging.Logger = logging.getLogger(__name__)
 
@@ -41,14 +41,18 @@ class EvaluateDockerConfiguration(EvaluateBase):
         storage_driver = self.sys_docker.info.storage
         logging_driver = self.sys_docker.info.logging
 
-        if storage_driver != EXPECTED_STORAGE:
+        is_unsupported = False
+
+        if storage_driver not in EXPECTED_STORAGE:
+            is_unsupported = True
             _LOGGER.warning(
                 "Docker storage driver %s is not supported!", storage_driver
             )
 
         if logging_driver != EXPECTED_LOGGING:
+            is_unsupported = True
             _LOGGER.warning(
                 "Docker logging driver %s is not supported!", logging_driver
             )
 
-        return storage_driver != EXPECTED_STORAGE or logging_driver != EXPECTED_LOGGING
+        return is_unsupported

tests/api/test_supervisor.py

@@ -12,8 +12,9 @@ import pytest
 from supervisor.const import CoreState
 from supervisor.core import Core
 from supervisor.coresys import CoreSys
-from supervisor.exceptions import HassioError, HostNotSupportedError
+from supervisor.exceptions import HassioError, HostNotSupportedError, StoreGitError
 from supervisor.homeassistant.const import WSEvent
+from supervisor.store.repository import Repository
 from supervisor.supervisor import Supervisor
 from supervisor.updater import Updater
 
@@ -34,6 +35,81 @@ async def test_api_supervisor_options_debug(api_client: TestClient, coresys: Cor
     assert coresys.config.debug
 
 
+async def test_api_supervisor_options_add_repository(
+    api_client: TestClient, coresys: CoreSys, supervisor_internet: AsyncMock
+):
+    """Test add a repository via POST /supervisor/options REST API."""
+    assert REPO_URL not in coresys.store.repository_urls
+
+    with (
+        patch("supervisor.store.repository.RepositoryGit.load", return_value=None),
+        patch("supervisor.store.repository.RepositoryGit.validate", return_value=True),
+    ):
+        response = await api_client.post(
+            "/supervisor/options", json={"addons_repositories": [REPO_URL]}
+        )
+
+    assert response.status == 200
+    assert REPO_URL in coresys.store.repository_urls
+
+
+async def test_api_supervisor_options_remove_repository(
+    api_client: TestClient, coresys: CoreSys, test_repository: Repository
+):
+    """Test remove a repository via POST /supervisor/options REST API."""
+    assert test_repository.source in coresys.store.repository_urls
+    assert test_repository.slug in coresys.store.repositories
+
+    response = await api_client.post(
+        "/supervisor/options", json={"addons_repositories": []}
+    )
+
+    assert response.status == 200
+    assert test_repository.source not in coresys.store.repository_urls
+    assert test_repository.slug not in coresys.store.repositories
+
+
+@pytest.mark.parametrize("git_error", [None, StoreGitError()])
+async def test_api_supervisor_options_repositories_skipped_on_error(
+    api_client: TestClient, coresys: CoreSys, git_error: StoreGitError
+):
+    """Test repositories skipped on error via POST /supervisor/options REST API."""
+    with (
+        patch("supervisor.store.repository.RepositoryGit.load", side_effect=git_error),
+        patch("supervisor.store.repository.RepositoryGit.validate", return_value=False),
+        patch("supervisor.store.repository.RepositoryCustom.remove"),
+    ):
+        response = await api_client.post(
+            "/supervisor/options", json={"addons_repositories": [REPO_URL]}
+        )
+
+    assert response.status == 400
+    assert len(coresys.resolution.suggestions) == 0
+    assert REPO_URL not in coresys.store.repository_urls
+
+
+async def test_api_supervisor_options_repo_error_with_config_change(
+    api_client: TestClient, coresys: CoreSys
+):
+    """Test config change with add repository error via POST /supervisor/options REST API."""
+    assert not coresys.config.debug
+
+    with patch(
+        "supervisor.store.repository.RepositoryGit.load", side_effect=StoreGitError()
+    ):
+        response = await api_client.post(
+            "/supervisor/options",
+            json={"debug": True, "addons_repositories": [REPO_URL]},
+        )
+
+    assert response.status == 400
+    assert REPO_URL not in coresys.store.repository_urls
+
+    assert coresys.config.debug
+    coresys.updater.save_data.assert_called_once()
+    coresys.config.save_data.assert_called_once()
+
+
 async def test_api_supervisor_options_auto_update(
     api_client: TestClient, coresys: CoreSys
 ):

tests/resolution/evaluation/test_evaluate_docker_configuration.py

@@ -25,13 +25,18 @@ async def test_evaluation(coresys: CoreSys):
     assert docker_configuration.reason in coresys.resolution.unsupported
     coresys.resolution.unsupported.clear()
 
-    coresys.docker.info.storage = EXPECTED_STORAGE
+    coresys.docker.info.storage = EXPECTED_STORAGE[0]
     coresys.docker.info.logging = "unsupported"
     await docker_configuration()
     assert docker_configuration.reason in coresys.resolution.unsupported
     coresys.resolution.unsupported.clear()
 
-    coresys.docker.info.storage = EXPECTED_STORAGE
+    coresys.docker.info.storage = "overlay2"
+    coresys.docker.info.logging = EXPECTED_LOGGING
+    await docker_configuration()
+    assert docker_configuration.reason not in coresys.resolution.unsupported
+
+    coresys.docker.info.storage = "overlayfs"
     coresys.docker.info.logging = EXPECTED_LOGGING
     await docker_configuration()
     assert docker_configuration.reason not in coresys.resolution.unsupported