
Conversation

@dependabot dependabot bot commented on behalf of github Jan 8, 2026

Greptile Overview

Greptile Summary

This dependency update upgrades urllib3 from version 2.6.0 to 2.6.3, addressing a high-severity security vulnerability and several bug fixes. urllib3 is a transitive dependency through the requests library.

Key changes:

  • Security fix (CVE-2026-21441, 8.9 High): Patches a vulnerability where decompression-bomb safeguards were bypassed during HTTP redirects in the streaming API
  • Improved Retry-After header handling by capping values at 6 hours
  • Fixed HTTPResponse.read_chunked() for compressed chunked responses
  • Restored previously removed HTTPResponse.getheaders() and HTTPResponse.getheader() methods
  • Fixed VerifiedHTTPSConnection on Emscripten

Impact assessment:

  • No breaking changes identified - all changes are backward-compatible fixes
  • The codebase uses httpx and requests but does not directly import or use urllib3 APIs
  • The security fix is critical and should be applied promptly

Confidence Score: 5/5

  • This PR is safe to merge - it's a security patch with backward-compatible fixes
  • This is a standard dependency version bump from Dependabot that patches a high-severity security vulnerability (CVE-2026-21441). All changes in urllib3 2.6.1-2.6.3 are bug fixes and security patches with no breaking changes. The library is only used transitively through requests and does not affect the codebase's direct functionality.
  • No files require special attention

Important Files Changed

File Analysis

| Filename | Score | Overview |
| --- | --- | --- |
| poetry.lock | 5/5 | Updated urllib3 from 2.6.0 to 2.6.3 (patches CVE-2026-21441, high-severity security fix) |

Sequence Diagram

```mermaid
sequenceDiagram
    participant Dev as Developer
    participant Dep as Dependabot
    participant Lock as poetry.lock
    participant Req as requests Library
    participant URL as urllib3 (2.6.0→2.6.3)

    Dev->>Dep: Monitors security advisories
    Dep->>Dep: Detects CVE-2026-21441 in urllib3 2.6.0
    Dep->>Lock: Updates urllib3 dependency
    Lock->>Lock: Changes hash for urllib3 2.6.3
    Note over URL: Security Fix: Decompression-bomb<br/>safeguard bypass patched<br/>(CVE-2026-21441, 8.9 High)
    Note over URL: Bug Fixes: Retry-After capping,<br/>read_chunked() fixes,<br/>restored getheaders() methods
    Req->>URL: Uses urllib3 as dependency
    Dev->>Lock: Reviews and approves change
    Dev->>Dev: Merges security patch
```
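The decompression-bomb safeguard referred to above is internal to urllib3's streaming API, and the fixed bug was that it did not carry over across redirects. The example below is added here and is neither urllib3's code nor this project's: it shows how a consumer can enforce its own cap on the inflated size of a gzip body, chunk by chunk, so the limit holds independently of any library state. It uses only the standard-library `zlib` and `gzip` modules; the sample payloads are constructed.

```python
import gzip
import zlib

class DecompressionLimitExceeded(Exception):
    """Raised when the decoded body would exceed the caller's cap."""

def bounded_gunzip(chunks, max_out):
    """Inflate gzip-encoded byte chunks, never holding more than max_out decoded bytes.

    The cap is enforced here, in the consumer, so it applies identically to the
    final response and to any response reached through a redirect.
    """
    # 16 + MAX_WBITS makes zlib expect a gzip header rather than raw deflate.
    inflater = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)
    out = bytearray()

    def feed(data):
        while True:
            # Request one byte more than the remaining budget: an over-long
            # body then trips the check without being materialised in full.
            budget = max_out - len(out) + 1
            piece = inflater.decompress(data, budget)
            out.extend(piece)
            if len(out) > max_out:
                raise DecompressionLimitExceeded(f"decoded body exceeds {max_out} bytes")
            data = inflater.unconsumed_tail  # input left over when the budget was hit
            if not data and not piece:
                return

    for chunk in chunks:
        feed(chunk)
    feed(b"")  # drain output zlib may still be holding back
    return bytes(out)

def exceeds_cap(chunks, max_out):
    """True if decoding the chunks under max_out trips the limit."""
    try:
        bounded_gunzip(chunks, max_out)
    except DecompressionLimitExceeded:
        return True
    return False

# Constructed sample inputs (not captured traffic): a small JSON body, and a
# highly compressible body whose ~8 KiB gzip form inflates to 8 MiB.
SMALL_BODY = b'{"status": "ok"}'
SMALL_GZ = gzip.compress(SMALL_BODY)
BOMB_GZ = gzip.compress(b"\x00" * (8 * 1024 * 1024))
BOMB_CHUNKS = [BOMB_GZ[i:i + 512] for i in range(0, len(BOMB_GZ), 512)]
```

Feeding `BOMB_CHUNKS` with a 64 KiB cap raises on the first chunk, because zlib is only ever asked for one byte beyond the remaining budget.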

Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.6.0 to 2.6.3.
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](urllib3/urllib3@2.6.0...2.6.3)

---
updated-dependencies:
- dependency-name: urllib3
  dependency-version: 2.6.3
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels Jan 8, 2026
@github-actions github-actions bot enabled auto-merge (squash) January 8, 2026 06:34

@greptile-apps greptile-apps bot left a comment


No files reviewed, no comments


@github-actions github-actions bot merged commit 280b831 into main Jan 8, 2026
12 checks passed
@github-actions github-actions bot deleted the dependabot/pip/urllib3-2.6.3 branch January 8, 2026 06:41