
chore(deps): bump urllib3 from 2.6.0 to 2.6.3 #1493

Merged
github-actions[bot] merged 1 commit into main from dependabot/pip/urllib3-2.6.3 on Jan 8, 2026

Conversation

dependabot[bot] commented on behalf of github, Jan 8, 2026


Greptile Overview

Greptile Summary

This dependency update upgrades urllib3 from version 2.6.0 to 2.6.3, addressing a high-severity security vulnerability and including several bug fixes. urllib3 is a transitive dependency through the requests library.

Key changes:

  • Security fix (CVE-2026-21441, 8.9 High): Patches a vulnerability where decompression-bomb safeguards were bypassed during HTTP redirects in the streaming API
  • Improved Retry-After header handling by capping values at 6 hours
  • Fixed HTTPResponse.read_chunked() for compressed chunked responses
  • Restored previously removed HTTPResponse.getheaders() and HTTPResponse.getheader() methods
  • Fixed VerifiedHTTPSConnection on Emscripten

Impact assessment:

  • No breaking changes identified - all changes are backward-compatible fixes
  • The codebase uses httpx and requests but does not directly import or use urllib3 APIs
  • The security fix is critical and should be applied promptly

Confidence Score: 5/5

  • This PR is safe to merge - it's a security patch with backward-compatible fixes
  • This is a standard dependency version bump from Dependabot that patches a high-severity security vulnerability (CVE-2026-21441). All changes in urllib3 2.6.1-2.6.3 are bug fixes and security patches with no breaking changes. The library is only used transitively through requests and does not affect the codebase's direct functionality.
  • No files require special attention

Important Files Changed

File Analysis

| Filename | Score | Overview |
| --- | --- | --- |
| poetry.lock | 5/5 | Updated urllib3 from 2.6.0 to 2.6.3 (patches CVE-2026-21441, high-severity security fix) |

Sequence Diagram

```mermaid
sequenceDiagram
    participant Dev as Developer
    participant Dep as Dependabot
    participant Lock as poetry.lock
    participant Req as requests Library
    participant URL as urllib3 (2.6.0→2.6.3)

    Dev->>Dep: Monitors security advisories
    Dep->>Dep: Detects CVE-2026-21441 in urllib3 2.6.0
    Dep->>Lock: Updates urllib3 dependency
    Lock->>Lock: Changes hash for urllib3 2.6.3
    Note over URL: Security Fix: Decompression-bomb<br/>safeguard bypass patched<br/>(CVE-2026-21441, 8.9 High)
    Note over URL: Bug Fixes: Retry-After capping,<br/>read_chunked() fixes,<br/>restored getheaders() methods
    Req->>URL: Uses urllib3 as dependency
    Dev->>Lock: Reviews and approves change
    Dev->>Dev: Merges security patch
```

Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.6.0 to 2.6.3.
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](https://github.com/urllib3/urllib3/compare/2.6.0...2.6.3)

---
updated-dependencies:
- dependency-name: urllib3
  dependency-version: 2.6.3
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
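The Retry-After capping listed in the summary above is a small but security-relevant piece of client hardening, so here it is as code. This is an added example, not urllib3's implementation and not part of this PR: it parses both forms of Retry-After that RFC 9110 allows (delay-seconds and an HTTP-date) and clamps the result to a six-hour ceiling, the limit the summary describes. The constant name, the helper name and the ceiling value are assumptions made for the example; a server-controlled header should never be able to park a retry loop indefinitely, which is the failure mode the clamp closes.

```python
"""Parse an HTTP Retry-After header value and cap the delay it asks for."""
import email.utils
import time
from datetime import timezone
from typing import Optional

# Assumed ceiling, chosen to match the 6-hour cap the PR summary describes.
# This is an illustration, not urllib3's own constant.
MAX_RETRY_AFTER_SECONDS = 6 * 60 * 60


def parse_retry_after(value: str, now: Optional[float] = None,
                      cap: float = MAX_RETRY_AFTER_SECONDS) -> Optional[float]:
    """Return a delay in seconds for a Retry-After value, or None if unparseable.

    RFC 9110 permits "delay-seconds" ("120") or an HTTP-date
    ("Wed, 21 Oct 2015 07:28:00 GMT"). Both come from an untrusted server,
    so the result is clamped to [0, cap]: a huge integer or a date years
    ahead cannot stall the client, and a date in the past yields 0.
    """
    value = value.strip()
    if now is None:
        now = time.time()

    if value.isdigit():
        # delay-seconds form; str.isdigit() rejects "-5", "1e9" and "".
        delay = float(value)
    else:
        try:
            when = email.utils.parsedate_to_datetime(value)
        except (TypeError, ValueError):
            # Python <3.10 raises TypeError, >=3.10 ValueError on bad input.
            return None
        if when.tzinfo is None:
            # HTTP-dates are GMT by definition; treat a naive result as UTC.
            when = when.replace(tzinfo=timezone.utc)
        delay = when.timestamp() - now

    return max(0.0, min(delay, cap))


if __name__ == "__main__":
    for header in ("120", "999999", "Wed, 21 Oct 2015 07:28:00 GMT", "garbage"):
        print(f"{header!r:40} -> {parse_retry_after(header)}")
```

Passing `now` explicitly keeps the function deterministic for tests; in a real retry loop you would leave it unset and sleep for the returned value.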
dependabot[bot] added labels: dependencies (Pull requests that update a dependency file), python (Pull requests that update python code), Jan 8, 2026
github-actions[bot] enabled auto-merge (squash) January 8, 2026 06:34

greptile-apps[bot] left a comment


No files reviewed, no comments


github-actions[bot] merged commit 280b831 into main on Jan 8, 2026
12 checks passed
github-actions[bot] deleted the dependabot/pip/urllib3-2.6.3 branch January 8, 2026 06:41
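Because urllib3 is only reached transitively through requests here, the check a reviewer actually wants after the merge is that the version resolved in poetry.lock, and the version in the deployed interpreter, are at or above 2.6.3. The script below is an added example, not the project's code and not part of the PR: it reads the pinned version out of a constructed poetry.lock excerpt, compares it numerically rather than as a string (a string compare would rank "2.10.0" below "2.6.3"), and queries the live interpreter through the standard-library importlib.metadata. The sample lockfile text, the helper names and the PATCHED_URLLIB3 constant are assumptions made for the example.

```python
"""Confirm a transitive dependency bump landed both in poetry.lock and at runtime."""
import re
from importlib import metadata
from typing import Optional, Tuple

# Constructed excerpt in poetry.lock's TOML layout; not the project's real lockfile.
SAMPLE_POETRY_LOCK = """\
[[package]]
name = "requests"
version = "2.32.5"
description = "Python HTTP for Humans."

[package.dependencies]
urllib3 = ">=1.21.1,<3"

[[package]]
name = "urllib3"
version = "2.6.3"
description = "HTTP library with thread-safe connection pooling, file post, and more."
"""

# Assumed minimum: the version the PR summary names as carrying the fix.
PATCHED_URLLIB3 = "2.6.3"


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn 'X.Y.Z' into a tuple of ints; pre-release suffixes are ignored on purpose."""
    m = re.match(r"(\d+(?:\.\d+)*)", v.strip())
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def locked_version(lock_text: str, package: str) -> Optional[str]:
    """Return the version pinned for `package` in a poetry.lock body, or None if absent."""
    for block in lock_text.split("[[package]]"):
        name = re.search(r'^name\s*=\s*"([^"]+)"', block, re.M)
        if name and name.group(1).lower() == package.lower():
            version = re.search(r'^version\s*=\s*"([^"]+)"', block, re.M)
            return version.group(1) if version else None
    return None


def is_patched(version: Optional[str], minimum: str = PATCHED_URLLIB3) -> bool:
    """True when `version` is present and numerically >= `minimum`."""
    return version is not None and parse_version(version) >= parse_version(minimum)


def installed_version(package: str) -> Optional[str]:
    """Version of `package` in the running interpreter, or None if not installed.

    A lockfile bump only protects environments rebuilt from that lockfile, so
    this is the check to run inside the deployed image, not just the dev checkout.
    """
    try:
        return metadata.version(package)
    except metadata.PackageNotFoundError:
        return None


if __name__ == "__main__":
    pinned = locked_version(SAMPLE_POETRY_LOCK, "urllib3")
    print(f"poetry.lock pins urllib3 {pinned}: {'ok' if is_patched(pinned) else 'NOT PATCHED'}")
    live = installed_version("urllib3")
    if live is None:
        print("urllib3 is not installed in this interpreter")
    else:
        print(f"installed urllib3 {live}: {'ok' if is_patched(live) else 'NOT PATCHED'}")
```

To run it against the real lockfile, replace SAMPLE_POETRY_LOCK with the contents of poetry.lock and execute the script from inside the built container or virtualenv, so the importlib.metadata lookup reflects what actually serves traffic.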