
Conversation

@lawrence-u10d
Contributor

@lawrence-u10d lawrence-u10d commented Dec 30, 2025

Constrain urllib3 to urllib3>=2.6.0 to address CVE-2025-66471 and CVE-2025-66418


Note

Addresses security vulnerabilities and updates packaging metadata.

  • Constrains urllib3 to >=2.6.0 (resolved to 2.6.2) via new requirements/constraints.in; updates base.txt, dev.txt, and test.txt accordingly
  • Bumps package version to 1.1.4 and updates CHANGELOG.md with CVE references (CVE-2025-66471, CVE-2025-66418)
  • Raises supported Python to >=3.10 in setup.py and updates classifiers; regen requirements with uv ... --python-version 3.10

Written by Cursor Bugbot for commit 95f7faa.
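The PR pins a security floor (`urllib3>=2.6.0`) in a `constraints.in` and then relies on the regenerated pin files (`base.txt`, `dev.txt`, `test.txt`) to actually carry a compliant version. A cheap CI guard is to check the compiled pins against those floors directly, so a later regeneration that silently drops below the floor fails fast. The following is an added example, not code from this PR or the project; it assumes the two-file layout the PR describes (a `constraints.in` with `>=` lower bounds and compiled files with `==` pins), and both inputs below are constructed samples, not the repository's real files.

```python
"""Check that compiled pin files satisfy the lower bounds in constraints.in.

Added example (not part of the PR or the project). It assumes the layout the
PR describes: `constraints.in` holds floors such as `urllib3>=2.6.0` and the
compiled files (`base.txt`, `dev.txt`, `test.txt`) hold `pkg==ver` pins.
"""
import re

# Constructed sample standing in for requirements/constraints.in.
CONSTRAINTS_IN = """
# security floors
urllib3>=2.6.0
"""

# Constructed sample standing in for a compiled file such as requirements/base.txt.
BASE_TXT = """
# This file was autogenerated
certifi==2025.1.31
urllib3==2.6.2
    # via requests
requests==2.32.3
"""

_PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)")
_FLOOR_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*>=\s*([0-9][0-9A-Za-z.]*)")


def normalize(name: str) -> str:
    """PEP 503 style name normalisation so `Urllib3` and `urllib3` compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def version_key(version: str) -> tuple:
    """Turn '2.6.2' into a tuple that compares numerically, segment by segment.

    A numeric segment with a suffix ('0rc1') sorts below the plain release
    ('0'), so a pre-release never satisfies a final-release floor. A fully
    non-numeric segment sorts below everything; conservative for a floor check.
    """
    key = []
    for piece in version.split("."):
        m = re.match(r"(\d+)(.*)", piece)
        if not m:
            key.append((-1, piece))
            break
        num, tail = m.groups()
        key.append((int(num), 0 if not tail else -1))
    return tuple(key)


def satisfies(pinned: str, floor: str) -> bool:
    """True when `pinned` >= `floor`; missing trailing segments count as zero ('2.6' == '2.6.0')."""
    a, b = list(version_key(pinned)), list(version_key(floor))
    width = max(len(a), len(b))
    a += [(0, 0)] * (width - len(a))
    b += [(0, 0)] * (width - len(b))
    return a >= b


def parse_pins(text: str) -> dict:
    """Map normalised package name -> pinned version for every `pkg==ver` line."""
    pins = {}
    for line in text.splitlines():
        m = _PIN_RE.match(line)
        if m:
            pins[normalize(m.group(1))] = m.group(2)
    return pins


def parse_floors(text: str) -> dict:
    """Map normalised package name -> minimum version for every `pkg>=ver` line."""
    floors = {}
    for line in text.splitlines():
        m = _FLOOR_RE.match(line)
        if m:
            floors[normalize(m.group(1))] = m.group(2)
    return floors


def check_pins(pins_text: str, constraints_text: str) -> list:
    """Return (package, pinned, floor) violations; an empty list means all floors hold.

    A floored package that is absent from the pins is reported with pinned=None:
    a constraint that never binds is easy to overlook, so it is surfaced here.
    """
    pins = parse_pins(pins_text)
    floors = parse_floors(constraints_text)
    violations = []
    for name, floor in floors.items():
        pinned = pins.get(name)
        if pinned is None or not satisfies(pinned, floor):
            violations.append((name, pinned, floor))
    return violations


if __name__ == "__main__":
    problems = check_pins(BASE_TXT, CONSTRAINTS_IN)
    for name, pinned, floor in problems:
        print(f"{name}: pinned {pinned} does not satisfy >={floor}")
    print("OK" if not problems else f"{len(problems)} violation(s)")
```

Run it against each compiled file in turn; a non-empty result is the signal to fail the job before the pin lands. The comparison deliberately treats a pre-release of the floor version as below the floor, which matches how a fixed-version advisory should be read.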

@socket-security

socket-security bot commented Dec 30, 2025

Review the following changes in direct dependencies.

Diff     Package                          Supply Chain Security  Vulnerability  Quality  Maintenance  License
Updated  pypi/urllib3@2.5.0 ⏵ 2.6.2       97 (+1)                100 (+22)      100      100          100
Added    pypi/zipp@3.23.0                 100                    100            100      100          100
Added    pypi/importlib-metadata@8.7.1    100                    100            100      100          100


@lawrence-u10d lawrence-u10d force-pushed the urllib3-cve branch 2 times, most recently from 95f7faa to 4265d6d Compare December 30, 2025 22:33
@lawrence-u10d lawrence-u10d merged commit 7c37bab into main Dec 31, 2025
33 checks passed
@lawrence-u10d lawrence-u10d deleted the urllib3-cve branch December 31, 2025 03:19