Update dependency urllib3 to v2.7.0 #130

Merged
renovate_bot merged 1 commit from renovate/urllib3-2.x into main 2026-05-07 10:00:58 -07:00

This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| urllib3 (changelog) | ==2.6.3 → ==2.7.0 | age | confidence |

Release Notes

urllib3/urllib3 (urllib3)

v2.7.0

Security

Addressed high-severity security issues.
Impact was limited to specific use cases detailed in the accompanying
advisories; overall user exposure was estimated to be marginal.

  • Decompression-bomb safeguards of the streaming API were bypassed:

    1. When HTTPResponse.drain_conn() was called after the response had been
      read and decompressed partially.
    2. During the second HTTPResponse.read(amt=N) or
      HTTPResponse.stream(amt=N) call when the response was decompressed
      using the official Brotli (https://pypi.org/project/brotli/) library.

    See GHSA-mf9v-mfxr-j63j (https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j)
    for details.

  • HTTP pools created using ProxyManager.connection_from_url did not strip
    sensitive headers specified in Retry.remove_headers_on_redirect when
    redirecting to a different host.
    (GHSA-qccp-gfcp-xxvc, https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc)

Deprecations and Removals

  • Used FutureWarning instead of DeprecationWarning for better
    visibility of existing deprecation notices. Rescheduled the removal of
    deprecated features to version 3.0.
    (#3764, https://github.com/urllib3/urllib3/issues/3764)
  • Removed support for end-of-life Python 3.9.
    (#3720, https://github.com/urllib3/urllib3/issues/3720)
  • Removed support for end-of-life PyPy3.10.
    (#4979, https://github.com/urllib3/urllib3/issues/4979)
  • Bumped the minimum supported pyOpenSSL version to 19.0.0.
    (#3777, https://github.com/urllib3/urllib3/issues/3777)

Bugfixes

  • Fixed a bug where HTTPResponse.read(amt=None) was ignoring decompressed
    data buffered from previous partial reads.
    (#3636, https://github.com/urllib3/urllib3/issues/3636)
  • Fixed a bug where HTTPResponse.read() could cache only part of the
    response after a partial read when cache_content=True.
    (#4967, https://github.com/urllib3/urllib3/issues/4967)
  • Fixed HTTPResponse.stream() and HTTPResponse.read_chunked() to handle
    amt=0.
    (#3793, https://github.com/urllib3/urllib3/issues/3793)
  • Updated _TYPE_BODY type alias to include missing Iterable[str],
    matching the documented and runtime behavior of chunked request bodies.
    (#3798, https://github.com/urllib3/urllib3/issues/3798)
  • Fixed LocationParseError when paths resembling schemeless URIs were
    passed to HTTPConnectionPool.urlopen().
    (#3352, https://github.com/urllib3/urllib3/issues/3352)
  • Fixed BaseHTTPResponse.readinto() type annotation to accept
    memoryview in addition to bytearray, matching the
    io.RawIOBase.readinto contract and enabling use with
    io.BufferedReader without type errors.
    (#3764, https://github.com/urllib3/urllib3/issues/3764)

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

This PR has been generated by Mend Renovate.
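
An application-level cap on decoded bytes, relevant to the decompression-bomb item in the release notes above. This is an added example, not code from urllib3 or from this repository. It bounds gzip/zlib output in the caller's own code, independent of the library's safeguards, and does not cover Brotli; `bounded_decompress`, `read_capped` and the sample data are hypothetical names and constructed inputs.

```python
import gzip
import zlib


class DecodedSizeExceeded(Exception):
    """The decoded body would be larger than the caller's limit."""


def bounded_decompress(chunks, max_total, step=64 * 1024):
    """Inflate gzip/zlib chunks (e.g. a urllib3 resp.stream(8192,
    decode_content=False)), yielding at most max_total bytes overall."""
    inflater = zlib.decompressobj(wbits=47)  # 32 + 15: auto-detect gzip or zlib
    produced = 0

    def account(out):
        nonlocal produced
        produced += len(out)
        if produced > max_total:
            raise DecodedSizeExceeded(f"decoded body exceeds {max_total} bytes")
        return out

    for chunk in chunks:
        data = chunk
        while data and not inflater.eof:
            # Request at most one byte past the remaining budget, so an
            # oversized body is detected without inflating it into memory.
            budget = min(step, max_total - produced + 1)
            out = account(inflater.decompress(data, budget))
            if out:
                yield out
            data = inflater.unconsumed_tail  # input zlib has not consumed yet
        if inflater.eof:
            break
    tail = account(inflater.flush())  # output zlib was still holding, if any
    if tail:
        yield tail
    if not inflater.eof:
        raise zlib.error("compressed stream ended before its trailer")


def read_capped(chunks, max_total):
    """Collect the decoded body, or raise DecodedSizeExceeded."""
    return b"".join(bounded_decompress(chunks, max_total))


# Constructed samples: a small body and 8 MiB of zeros (a few KiB compressed).
SMALL = [gzip.compress(b"status=ok\n" * 500)]
_bomb = gzip.compress(b"\0" * (8 * 1024 * 1024))
BOMB = [_bomb[i:i + 1024] for i in range(0, len(_bomb), 1024)]
```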

Update dependency urllib3 to v2.7.0
Some checks failed
ci/woodpecker/pr/lint Pipeline was successful
ci/woodpecker/pr/docker-buildx Pipeline failed
82ee8cf2ac
renovate_bot scheduled this pull request to auto merge when all checks succeed 2026-05-07 10:00:30 -07:00
renovate_bot deleted branch renovate/urllib3-2.x 2026-05-07 10:00:58 -07:00

Reference
buckbanzai/kuow-mastodon-bot!130