@pyup-bot pyup-bot commented Jan 7, 2026

This PR updates urllib3 from 2.0.4 to 2.6.3.

Changelog

2.6.3
==================

- Fixed a high-severity security issue where decompression-bomb safeguards of
  the streaming API were bypassed when HTTP redirects were followed.
  (`GHSA-38jv-5279-wg99 <https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99>`__)
- Started treating ``Retry-After`` times greater than 6 hours as 6 hours by
  default. (`3743 <https://github.com/urllib3/urllib3/issues/3743>`__)
- Fixed ``urllib3.connection.VerifiedHTTPSConnection`` on Emscripten.
  (`3752 <https://github.com/urllib3/urllib3/issues/3752>`__)

2.6.2
==================

- Fixed ``HTTPResponse.read_chunked()`` to properly handle leftover data in
  the decoder's buffer when reading compressed chunked responses.
  (`3734 <https://github.com/urllib3/urllib3/issues/3734>`__)

2.6.1
==================

- Restore previously removed ``HTTPResponse.getheaders()`` and
  ``HTTPResponse.getheader()`` methods.
  (`3731 <https://github.com/urllib3/urllib3/issues/3731>`__)

2.6.0
==================

Security
--------

- Fixed a security issue where streaming API could improperly handle highly
  compressed HTTP content ("decompression bombs") leading to excessive resource
  consumption even when a small amount of data was requested. Reading small
  chunks of compressed data is safer and much more efficient now.
  (`GHSA-2xpw-w6gg-jr37 <https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37>`__)
- Fixed a security issue where an attacker could compose an HTTP response with
  virtually unlimited links in the ``Content-Encoding`` header, potentially
  leading to a denial of service (DoS) attack by exhausting system resources
  during decoding. The number of allowed chained encodings is now limited to 5.
  (`GHSA-gm62-xv2j-4w53 <https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53>`__)

.. caution::
   - If urllib3 is not installed with the optional ``urllib3[brotli]`` extra, but
     your environment contains a Brotli/brotlicffi/brotlipy package anyway, make
     sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to
     benefit from the security fixes and avoid warnings. Prefer using
     ``urllib3[brotli]`` to install a compatible Brotli package automatically.

   - If you use custom decompressors, please make sure to update them to
     respect the changed API of ``urllib3.response.ContentDecoder``.


Features
--------

- Enabled retrieval, deletion, and membership testing in ``HTTPHeaderDict`` using bytes keys. (`3653 <https://github.com/urllib3/urllib3/issues/3653>`__)
- Added host and port information to string representations of ``HTTPConnection``. (`3666 <https://github.com/urllib3/urllib3/issues/3666>`__)
- Added support for Python 3.14 free-threading builds explicitly. (`3696 <https://github.com/urllib3/urllib3/issues/3696>`__)


Removals
--------

- Removed the ``HTTPResponse.getheaders()`` method in favor of ``HTTPResponse.headers``.
  Removed the ``HTTPResponse.getheader(name, default)`` method in favor of ``HTTPResponse.headers.get(name, default)``. (`3622 <https://github.com/urllib3/urllib3/issues/3622>`__)


Bugfixes
--------

- Fixed redirect handling in ``urllib3.PoolManager`` when an integer is passed
  for the retries parameter. (`3649 <https://github.com/urllib3/urllib3/issues/3649>`__)
- Fixed ``HTTPConnectionPool`` when used in Emscripten with no explicit port. (`3664 <https://github.com/urllib3/urllib3/issues/3664>`__)
- Fixed handling of ``SSLKEYLOGFILE`` with expandable variables. (`3700 <https://github.com/urllib3/urllib3/issues/3700>`__)


Misc
----

- Changed the ``zstd`` extra to install ``backports.zstd`` instead of ``zstandard`` on Python 3.13 and before. (`3693 <https://github.com/urllib3/urllib3/issues/3693>`__)
- Improved the performance of content decoding by optimizing ``BytesQueueBuffer`` class. (`3710 <https://github.com/urllib3/urllib3/issues/3710>`__)
- Allowed building the urllib3 package with newer setuptools-scm v9.x. (`3652 <https://github.com/urllib3/urllib3/issues/3652>`__)
- Ensured successful urllib3 builds by setting Hatchling requirement to >= 1.27.0. (`3638 <https://github.com/urllib3/urllib3/issues/3638>`__)

2.5.0
==================

Features
--------

- Added support for the ``compression.zstd`` module that is new in Python 3.14.
  See `PEP 784 <https://peps.python.org/pep-0784/>`_ for more information. (`#3610 <https://github.com/urllib3/urllib3/issues/3610>`__)
- Added support for version 0.5 of ``hatch-vcs`` (`3612 <https://github.com/urllib3/urllib3/issues/3612>`__)


Bugfixes
--------

- Fixed a security issue where restricting the maximum number of followed
  redirects at the ``urllib3.PoolManager`` level via the ``retries`` parameter
  did not work.
- Made the Node.js runtime respect redirect parameters such as ``retries``
  and ``redirects``.
- Raised exception for ``HTTPResponse.shutdown`` on a connection already released to the pool. (`3581 <https://github.com/urllib3/urllib3/issues/3581>`__)
- Fixed incorrect ``CONNECT`` statement when using an IPv6 proxy with ``connection_from_host``. Previously would not be wrapped in ``[]``. (`3615 <https://github.com/urllib3/urllib3/issues/3615>`__)

2.4.0
==================

Features
--------

- Applied PEP 639 by specifying the license fields in pyproject.toml. (`3522 <https://github.com/urllib3/urllib3/issues/3522>`__)
- Updated exceptions to save and restore more properties during the pickle/serialization process. (`3567 <https://github.com/urllib3/urllib3/issues/3567>`__)
- Added ``verify_flags`` option to ``create_urllib3_context`` with a default of ``VERIFY_X509_PARTIAL_CHAIN`` and ``VERIFY_X509_STRICT`` for Python 3.13+. (`3571 <https://github.com/urllib3/urllib3/issues/3571>`__)


Bugfixes
--------

- Fixed a bug with partial reads of streaming data in Emscripten. (`3555 <https://github.com/urllib3/urllib3/issues/3555>`__)


Misc
----

- Switched to uv for installing development dependencies. (`3550 <https://github.com/urllib3/urllib3/issues/3550>`__)
- Removed the ``multiple.intoto.jsonl`` asset from GitHub releases. Attestation of release files since v2.3.0 can be found on PyPI. (`3566 <https://github.com/urllib3/urllib3/issues/3566>`__)

2.3.0
==================

Features
--------

- Added ``HTTPResponse.shutdown()`` to stop any ongoing or future reads for a specific response. It calls ``shutdown(SHUT_RD)`` on the underlying socket. This feature was `sponsored by LaunchDarkly <https://opencollective.com/urllib3/contributions/815307>`__. (`#2868 <https://github.com/urllib3/urllib3/issues/2868>`__)
- Added support for JavaScript Promise Integration on Emscripten. This enables more efficient WebAssembly
  requests and streaming, and makes it possible to use in Node.js if you launch it as ``node --experimental-wasm-stack-switching``. (`3400 <https://github.com/urllib3/urllib3/issues/3400>`__)
- Added the ``proxy_is_tunneling`` property to ``HTTPConnection`` and ``HTTPSConnection``. (`3285 <https://github.com/urllib3/urllib3/issues/3285>`__)
- Added pickling support to ``NewConnectionError`` and ``NameResolutionError``. (`3480 <https://github.com/urllib3/urllib3/issues/3480>`__)


Bugfixes
--------

- Fixed an issue in debug logs where the HTTP version was rendering as "HTTP/11" instead of "HTTP/1.1". (`3489 <https://github.com/urllib3/urllib3/issues/3489>`__)


Deprecations and Removals
-------------------------

- Removed support for Python 3.8. (`3492 <https://github.com/urllib3/urllib3/issues/3492>`__)

2.2.3
==================

Features
--------

- Added support for Python 3.13. (`3473 <https://github.com/urllib3/urllib3/issues/3473>`__)

Bugfixes
--------

- Fixed the default encoding of chunked request bodies to be UTF-8 instead of ISO-8859-1.
  All other methods of supplying a request body already use UTF-8 starting in urllib3 v2.0. (`3053 <https://github.com/urllib3/urllib3/issues/3053>`__)
- Fixed ResourceWarning on CONNECT with Python < 3.11.4 by backporting https://github.com/python/cpython/issues/103472. (`#3252 <https://github.com/urllib3/urllib3/issues/3252>`__)
- Adjust tolerance for floating-point comparison on Windows to avoid flakiness in CI (`3413 <https://github.com/urllib3/urllib3/issues/3413>`__)
- Fixed a crash where certain standard library hash functions were absent in restricted environments. (`3432 <https://github.com/urllib3/urllib3/issues/3432>`__)
- Fixed mypy error when adding to ``HTTPConnection.default_socket_options``. (`3448 <https://github.com/urllib3/urllib3/issues/3448>`__)

HTTP/2 (experimental)
---------------------

HTTP/2 support is still in early development.

- Excluded Transfer-Encoding: chunked from HTTP/2 request body (`3425 <https://github.com/urllib3/urllib3/issues/3425>`__)
- Added version checking for ``h2`` (https://pypi.org/project/h2/) usage.

  Now only accepting supported h2 major version 4.x.x. (`3290 <https://github.com/urllib3/urllib3/issues/3290>`__)
- Added a probing mechanism for determining whether a given target origin
  supports HTTP/2 via ALPN. (`3301 <https://github.com/urllib3/urllib3/issues/3301>`__)
- Add support for sending a request body with HTTP/2 (`3302 <https://github.com/urllib3/urllib3/issues/3302>`__)


Deprecations and Removals
-------------------------

- Note for downstream distributors: the ``_version.py`` file has been removed and is now created at build time by hatch-vcs. (`3412 <https://github.com/urllib3/urllib3/issues/3412>`__)
- Drop support for end-of-life PyPy3.8 and PyPy3.9. (`3475 <https://github.com/urllib3/urllib3/issues/3475>`__)

2.2.2
==================

- Added the ``Proxy-Authorization`` header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via ``Retry.remove_headers_on_redirect``.
- Allowed passing negative integers as ``amt`` to read methods of ``http.client.HTTPResponse`` as an alternative to ``None``. (`3122 <https://github.com/urllib3/urllib3/issues/3122>`__)
- Fixed return types representing copying actions to use ``typing.Self``. (`3363 <https://github.com/urllib3/urllib3/issues/3363>`__)

2.2.1
==================

- Fixed issue where ``InsecureRequestWarning`` was emitted for HTTPS connections when using Emscripten. (`3331 <https://github.com/urllib3/urllib3/issues/3331>`__)
- Fixed ``HTTPConnectionPool.urlopen`` to stop automatically casting non-proxy headers to ``HTTPHeaderDict``. This change was premature as it did not apply to proxy headers and ``HTTPHeaderDict`` does not handle byte header values correctly yet. (`3343 <https://github.com/urllib3/urllib3/issues/3343>`__)
- Changed ``InvalidChunkLength`` to ``ProtocolError`` when response terminates before the chunk length is sent. (`2860 <https://github.com/urllib3/urllib3/issues/2860>`__)
- Changed ``ProtocolError`` to be more verbose on incomplete reads with excess content. (`3261 <https://github.com/urllib3/urllib3/issues/3261>`__)

2.2.0
==================

- Added support for `Emscripten and Pyodide <https://urllib3.readthedocs.io/en/latest/reference/contrib/emscripten.html>`__, including streaming support in cross-origin isolated browser environments where threading is enabled. (`#2951 <https://github.com/urllib3/urllib3/issues/2951>`__)
- Added support for ``HTTPResponse.read1()`` method. (`3186 <https://github.com/urllib3/urllib3/issues/3186>`__)
- Added rudimentary support for HTTP/2. (`3284 <https://github.com/urllib3/urllib3/issues/3284>`__)
- Fixed issue where requests against urls with trailing dots were failing due to SSL errors
  when using proxy. (`2244 <https://github.com/urllib3/urllib3/issues/2244>`__)
- Fixed ``HTTPConnection.proxy_is_verified`` and ``HTTPSConnection.proxy_is_verified``
  to be always set to a boolean after connecting to a proxy. It could be
  ``None`` in some cases previously. (`3130 <https://github.com/urllib3/urllib3/issues/3130>`__)
- Fixed an issue where ``headers`` passed in a request with ``json=`` would be mutated (`3203 <https://github.com/urllib3/urllib3/issues/3203>`__)
- Fixed ``HTTPSConnection.is_verified`` to be set to ``False`` when connecting
  from a HTTPS proxy to an HTTP target. It was set to ``True`` previously. (`3267 <https://github.com/urllib3/urllib3/issues/3267>`__)
- Fixed handling of new error message from OpenSSL 3.2.0 when configuring an HTTP proxy as HTTPS (`3268 <https://github.com/urllib3/urllib3/issues/3268>`__)
- Fixed TLS 1.3 post-handshake auth when the server certificate validation is disabled (`3325 <https://github.com/urllib3/urllib3/issues/3325>`__)
- Note for downstream distributors: To run integration tests, you now need to run the tests a second
  time with the ``--integration`` pytest flag. (`3181 <https://github.com/urllib3/urllib3/issues/3181>`__)

2.1.0
==================

- Removed support for the deprecated urllib3[secure] extra. (`2680 <https://github.com/urllib3/urllib3/issues/2680>`__)
- Removed support for the deprecated SecureTransport TLS implementation. (`2681 <https://github.com/urllib3/urllib3/issues/2681>`__)
- Removed support for the end-of-life Python 3.7. (`3143 <https://github.com/urllib3/urllib3/issues/3143>`__)
- Allowed loading CA certificates from memory for proxies. (`3065 <https://github.com/urllib3/urllib3/issues/3065>`__)
- Fixed decoding Gzip-encoded responses which specified ``x-gzip`` content-encoding. (`3174 <https://github.com/urllib3/urllib3/issues/3174>`__)

2.0.7
==================

* Made body stripped from HTTP requests changing the request method to GET after HTTP 303 "See Other" redirect responses.

2.0.6
==================

* Added the ``Cookie`` header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via ``Retry.remove_headers_on_redirect``.

2.0.5
==================

- Allowed pyOpenSSL third-party module without any deprecation warning. (`3126 <https://github.com/urllib3/urllib3/issues/3126>`__)
- Fixed default ``blocksize`` of ``HTTPConnection`` classes to match high-level classes. Previously was 8KiB, now 16KiB. (`3066 <https://github.com/urllib3/urllib3/issues/3066>`__)

@pyup-bot pyup-bot mentioned this pull request Jan 7, 2026
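
The two 2.6.0 security entries in the changelog above concern bounded streaming decompression and a cap of 5 chained ``Content-Encoding`` values. The following is an added example, not urllib3's code and not part of this PR, showing both safeguards with the standard-library ``zlib``; the function names, ``chunk_size`` and the ``max_total`` budget are assumptions of this example.

```python
import gzip
import zlib

MAX_CHAINED_ENCODINGS = 5  # limit stated in the 2.6.0 changelog entry


def parse_content_encoding(header_value):
    """Split a Content-Encoding value; refuse chains longer than the limit."""
    encodings = [e.strip().lower() for e in header_value.split(",") if e.strip()]
    if len(encodings) > MAX_CHAINED_ENCODINGS:
        raise ValueError(f"{len(encodings)} chained encodings, limit is 5")
    return encodings


def bounded_gzip_stream(compressed, chunk_size=1024, max_total=1_000_000):
    """Yield decoded pieces of at most chunk_size bytes, up to max_total bytes.

    max_length caps the output of each decompress() call; input not yet
    consumed is left in unconsumed_tail and fed back on the next call.
    """
    decoder = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16 + MAX_WBITS = gzip
    pending, total = compressed, 0
    while not decoder.eof:
        piece = decoder.decompress(pending, chunk_size)
        pending = decoder.unconsumed_tail
        if not piece and not pending:
            raise ValueError("truncated gzip stream")
        total += len(piece)
        if total > max_total:
            raise ValueError("decoded body exceeds the size budget")
        if piece:
            yield piece


def constructed_sample(decoded_size):
    """Constructed test input: decoded_size zero bytes, gzip-compressed."""
    return gzip.compress(bytes(decoded_size))


if __name__ == "__main__":
    small = constructed_sample(200_000)
    pieces = list(bounded_gzip_stream(small))
    print(len(small), "compressed bytes ->", sum(map(len, pieces)), "decoded")
    print("largest piece:", max(map(len, pieces)))
    try:
        list(bounded_gzip_stream(constructed_sample(5_000_000)))
    except ValueError as exc:
        print("rejected:", exc)
```

The loop keeps calling ``decompress()`` until ``eof`` rather than stopping when the input runs out, so output still buffered inside the decoder is not lost.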
codecov bot commented Jan 7, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (5f02dc7) to head (4fa9fd7).

Additional details and impacted files
@@            Coverage Diff            @@
##            master      #568   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files           12        12           
  Lines          126       126           
=========================================
  Hits           126       126           