Skip to content

chore(deps): update urllib3 requirement from <3,>=2.0 to >=2.7.0,<3 in /python#25

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/pip/python/urllib3-gte-2.7.0-and-lt-3
Open

chore(deps): update urllib3 requirement from <3,>=2.0 to >=2.7.0,<3 in /python#25
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/pip/python/urllib3-gte-2.7.0-and-lt-3

Conversation

@dependabot
Copy link
Copy Markdown

@dependabot dependabot Bot commented on behalf of github May 7, 2026

Updates the requirements on urllib3 to permit the latest version.

Changelog

Sourced from urllib3's changelog.

2.7.0 (2026-05-07)

Security

Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.

  • Decompression-bomb safeguards of the streaming API were bypassed:

    1. When HTTPResponse.drain_conn() was called after the response had been read and decompressed partially.
    2. During the second HTTPResponse.read(amt=N) or HTTPResponse.stream(amt=N) call when the response was decompressed using the official Brotli <https://pypi.org/project/brotli/>__ library.

    See GHSA-mf9v-mfxr-j63j <https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j>__ for details.

  • HTTP pools created using ProxyManager.connection_from_url did not strip sensitive headers specified in Retry.remove_headers_on_redirect when redirecting to a different host. (GHSA-qccp-gfcp-xxvc <https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc>__)

Deprecations and Removals

  • Used FutureWarning instead of DeprecationWarning for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. ([#3764](https://github.com/urllib3/urllib3/issues/3764) <https://github.com/urllib3/urllib3/issues/3764>__)
  • Removed support for end-of-life Python 3.9. ([#3720](https://github.com/urllib3/urllib3/issues/3720) <https://github.com/urllib3/urllib3/issues/3720>__)
  • Removed support for end-of-life PyPy3.10. ([#4979](https://github.com/urllib3/urllib3/issues/4979) <https://github.com/urllib3/urllib3/issues/4979>__)
  • Bumped the minimum supported pyOpenSSL version to 19.0.0. ([#3777](https://github.com/urllib3/urllib3/issues/3777) <https://github.com/urllib3/urllib3/issues/3777>__)

Bugfixes

  • Fixed a bug where HTTPResponse.read(amt=None) was ignoring decompressed data buffered from previous partial reads. ([#3636](https://github.com/urllib3/urllib3/issues/3636) <https://github.com/urllib3/urllib3/issues/3636>__)
  • Fixed a bug where HTTPResponse.read() could cache only part of the response after a partial read when cache_content=True.

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
chore(deps): update urllib3 requirement in /python
d3ece67 
Updates the requirements on [urllib3](https://github.com/urllib3/urllib3) to permit the latest version.
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](urllib3/urllib3@2.0.0...2.7.0)

---
updated-dependencies:
- dependency-name: urllib3
  dependency-version: 2.7.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels May 7, 2026
@dependabot dependabot Bot requested a review from hvinn as a code owner May 7, 2026 16:14
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels May 7, 2026
@dependabot dependabot Bot mentioned this pull request May 7, 2026
Closed
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 7, 2026

Test Report missing or unfilled.

This PR touches python/, ansible/, or terraform/, so a populated Test Report section is required in the PR body. See TESTING.md for what to capture (environment, ONTAP version, first-run output, idempotency check, teardown).

This is a soft gate - your CI checks are unaffected - but reviewers will not approve until the report is filled in.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@hvinn hvinn Awaiting requested review from hvinn hvinn is a code owner

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file needs-test-report python Pull requests that update python code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants