Skip to content

Bump urllib3 from 1.26.5 to 2.7.0#19

Merged
JonathanPorta merged 1 commit into
masterfrom
dependabot/pip/urllib3-2.7.0
Jul 7, 2026
Merged

Bump urllib3 from 1.26.5 to 2.7.0#19
JonathanPorta merged 1 commit into
masterfrom
dependabot/pip/urllib3-2.7.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 7, 2026

Copy link
Copy Markdown
Contributor

Bumps urllib3 from 1.26.5 to 2.7.0.

Release notes

Sourced from urllib3's releases.

2.7.0

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Security

Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.

  • Decompression-bomb safeguards of the streaming API were bypassed:

    1. When HTTPResponse.drain_conn() was called after the response had been read and decompressed partially. (Reported by @​Cycloctane)
    2. During the second HTTPResponse.read(amt=N) or HTTPResponse.stream(amt=N) call when the response was decompressed using the official Brotli library. (Reported by @​kimkou2024)

    See GHSA-mf9v-mfxr-j63j for details.

  • HTTP pools created using ProxyManager.connection_from_url did not strip sensitive headers specified in Retry.remove_headers_on_redirect when redirecting to a different host. (GHSA-qccp-gfcp-xxvc reported by @​christos-spearbit)

Deprecations and Removals

  • Used FutureWarning instead of DeprecationWarning for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. (urllib3/urllib3#3763)
  • Removed support for end-of-life Python 3.9. (urllib3/urllib3#3720)
  • Removed support for end-of-life PyPy3.10. (urllib3/urllib3#4979)
  • Bumped the minimum supported pyOpenSSL version to 19.0.0. (urllib3/urllib3#3777)

Bugfixes

  • Fixed a bug where HTTPResponse.read(amt=None) was ignoring decompressed data buffered from previous partial reads. (urllib3/urllib3#3636)
  • Fixed a bug where HTTPResponse.read() could cache only part of the response after a partial read when cache_content=True. (urllib3/urllib3#4967)
  • Fixed HTTPResponse.stream() and HTTPResponse.read_chunked() to handle amt=0. (urllib3/urllib3#3793)
  • Updated _TYPE_BODY type alias to include missing Iterable[str], matching the documented and runtime behavior of chunked request bodies. (urllib3/urllib3#3798)
  • Fixed LocationParseError when paths resembling schemeless URIs were passed to HTTPConnectionPool.urlopen(). (urllib3/urllib3#3352)
  • Fixed BaseHTTPResponse.readinto() type annotation to accept memoryview in addition to bytearray, matching the io.RawIOBase.readinto contract and enabling use with io.BufferedReader without type errors. (urllib3/urllib3#3764)

2.6.3

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Changes

2.6.2

... (truncated)

Changelog

Sourced from urllib3's changelog.

2.7.0 (2026-05-07)

Security

Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.

  • Decompression-bomb safeguards of the streaming API were bypassed:

    1. When HTTPResponse.drain_conn() was called after the response had been read and decompressed partially.
    2. During the second HTTPResponse.read(amt=N) or HTTPResponse.stream(amt=N) call when the response was decompressed using the official Brotli <https://pypi.org/project/brotli/>__ library.

    See GHSA-mf9v-mfxr-j63j <https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j>__ for details.

  • HTTP pools created using ProxyManager.connection_from_url did not strip sensitive headers specified in Retry.remove_headers_on_redirect when redirecting to a different host. (GHSA-qccp-gfcp-xxvc <https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc>__)

Deprecations and Removals

  • Used FutureWarning instead of DeprecationWarning for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. ([#3763](https://github.com/urllib3/urllib3/issues/3763) <https://github.com/urllib3/urllib3/issues/3763>__)
  • Removed support for end-of-life Python 3.9. ([#3720](https://github.com/urllib3/urllib3/issues/3720) <https://github.com/urllib3/urllib3/issues/3720>__)
  • Removed support for end-of-life PyPy3.10. ([#4979](https://github.com/urllib3/urllib3/issues/4979) <https://github.com/urllib3/urllib3/issues/4979>__)
  • Bumped the minimum supported pyOpenSSL version to 19.0.0. ([#3777](https://github.com/urllib3/urllib3/issues/3777) <https://github.com/urllib3/urllib3/issues/3777>__)

Bugfixes

  • Fixed a bug where HTTPResponse.read(amt=None) was ignoring decompressed data buffered from previous partial reads. ([#3636](https://github.com/urllib3/urllib3/issues/3636) <https://github.com/urllib3/urllib3/issues/3636>__)
  • Fixed a bug where HTTPResponse.read() could cache only part of the response after a partial read when cache_content=True.

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [urllib3](https://github.com/urllib3/urllib3) from 1.26.5 to 2.7.0.
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](urllib3/urllib3@1.26.5...2.7.0)

---
updated-dependencies:
- dependency-name: urllib3
  dependency-version: 2.7.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels Jul 7, 2026
@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Updatedpypi/​urllib3@​1.26.5 ⏵ 2.7.097 +2100 +50100100100

View full report

@JonathanPorta

Copy link
Copy Markdown
Owner

PR Review

Summary

This PR bumps urllib3 from 1.26.5 to 2.7.0 in requirements.txt. The security motivation is understandable, but the implementation is not compatible with this repository as it stands: the project still targets Python 3.6 for the Lambda build path, and the pinned requests==2.20.0 dependency explicitly rejects urllib3 2.x.

Findings

  • Severity: Blocking

  • Location: requirements.txt, Makefile deps, Dockerfile, and setup.py package metadata

  • Problem: urllib3==2.7.0 requires Python >=3.10, but the repo still creates a Python 3.6 virtualenv in Makefile, builds from lambci/lambda:build-python3.6, manually installs Python 3.6.1 in the Docker image, and advertises Python 3.6 support in setup.py.

  • Why it matters: the package manager will not install this version for the Python runtime the project is explicitly built around. Since this package exists to prebuild Lambda-compatible image dependencies, accepting a runtime-incompatible dependency breaks the core build/release path.

  • Suggested fix: either migrate the Lambda/build/package target to a supported Python >=3.10 runtime and validate the Docker/package build there, or choose a patched urllib3 version that still supports the repo's actual Python target.

  • Severity: Blocking

  • Location: requirements.txt

  • Problem: requests==2.20.0 is still pinned, and that release requires urllib3>=1.21.1,<1.25; urllib3==2.7.0 is outside that range.

  • Why it matters: even on a modern Python interpreter, the requirements set is internally unsatisfiable. A scratch resolver check for just requests==2.20.0 plus urllib3==2.7.0 fails with ResolutionImpossible.

  • Suggested fix: update requests and the related HTTP dependency pins as a tested set, or keep urllib3 inside the version range accepted by the existing requests pin.

Test / Verification Notes

Checked the PR metadata, diff, package pins, build files, Lambda runtime assumptions, package metadata, and the requests call site in lambda_image_utils_prebuilt/unpack.py.

Ran:

  • gh pr checks 19 --repo JonathanPorta/lambda_image_utils_prebuilt: Socket Security checks pass; no repo build/test check is reported.
  • tar -xOf urllib3-2.7.0/PKG-INFO | rg -n "Requires-Python|Classifier: Programming Language :: Python": confirmed Requires-Python: >=3.10.
  • tar -xOf requests-2.20.0/setup.py | rg -n "urllib3|requires": confirmed urllib3>=1.21.1,<1.25.
  • Scratch venv resolver check for requests==2.20.0 and urllib3==2.7.0: failed with a direct dependency conflict.
  • git diff --check origin/master...HEAD: passed.
  • python3 -m py_compile lambda_image_utils_prebuilt/unpack.py version.py setup.py: passed.
  • make test: failed because the repo has no test target.

Blessed-CICD review: because this is dependency automation, I checked policies/tracked-artifacts.md, standards/github-actions/dependabot-secret-guards.md, and docs/project-standards.md. The tracked-artifacts policy explicitly does not cover ordinary package-manager library pins, the Dependabot secret-guard standard is GitHub Actions-specific and this PR only reports Socket checks, and docs/project-standards.md treats AWS Lambda as an emerging precedent rather than a detailed dependency-runtime standard.

Overall Recommendation

Needs changes before merge.

@JonathanPorta JonathanPorta self-assigned this Jul 7, 2026
@JonathanPorta JonathanPorta merged commit d163ee9 into master Jul 7, 2026
2 checks passed
@JonathanPorta JonathanPorta deleted the dependabot/pip/urllib3-2.7.0 branch July 7, 2026 13:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file python Pull requests that update python code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant