From 2b7b83c771701e63b6d5d154da2ebecf07417595 Mon Sep 17 00:00:00 2001
From: Alice Wong <alice.wong@thedatalab.org>
Date: Thu, 8 Jan 2026 15:40:16 +0000
Subject: [PATCH] Bump urllib3 to address security vulnerability

`urllib3 <v2.6.3` has a security vulnerability reported in
https://github.com/advisories/GHSA-38jv-5279-wg99, so we are bumping
the version to `2.6.3` without waiting for a 7-day cooldown period.

The `exclude-newer-package` timestamp should be removed once it is 7
days old, as per the guidelines in `DEVELOPERS.md`.
---
 pyproject.toml            | 2 +-
 requirements.uvmirror.txt | 2 +-
 uv.lock                   | 9 ++++++---
 3 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/pyproject.toml b/pyproject.toml
index 08aefe6..b525d03 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -60,7 +60,7 @@ isort.lines-after-imports = 2
 # See https://github.com/opensafely-core/repo-template/blob/main/DEVELOPERS.md for details
 [tool.uv]
 exclude-newer = "2025-12-31T00:00:00Z"
-exclude-newer-package = {}
+exclude-newer-package = {"urllib3"="2026-01-07T16:31:00Z"}
 
 [dependency-groups]
 dev = [
diff --git a/requirements.uvmirror.txt b/requirements.uvmirror.txt
index edbebe2..12ece3a 100644
--- a/requirements.uvmirror.txt
+++ b/requirements.uvmirror.txt
@@ -45,7 +45,7 @@ sqlglot==28.5.0
     # via sqlrunner
 structlog==25.5.0
     # via sqlrunner
-urllib3==2.6.2
+urllib3==2.6.3
     # via
     #   docker
     #   requests
diff --git a/uv.lock b/uv.lock
index 4b86292..6ddd514 100644
--- a/uv.lock
+++ b/uv.lock
@@ -5,6 +5,9 @@ requires-python = ">=3.14"
 [options]
 exclude-newer = "2025-12-31T00:00:00Z"
 
+[options.exclude-newer-package]
+urllib3 = "2026-01-07T16:31:00Z"
+
 [[package]]
 name = "certifi"
 version = "2025.11.12"
@@ -376,11 +379,11 @@ wheels = [
 
 [[package]]
 name = "urllib3"
-version = "2.6.2"
+version = "2.6.3"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/1e/24/a2a2ed9addd907787d7aa0355ba36a6cadf1768b934c652ea78acbd59dcd/urllib3-2.6.2.tar.gz", hash = "sha256:016f9c98bb7e98085cb2b4b17b87d2c702975664e4f060c6532e64d1c1a5e797", size = 432930, upload-time = "2025-12-11T15:56:40.252Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/c7/24/5f1b3bdffd70275f6661c76461e25f024d5a38a46f04aaca912426a2b1d3/urllib3-2.6.3.tar.gz", hash = "sha256:1b62b6884944a57dbe321509ab94fd4d3b307075e0c2eae991ac71ee15ad38ed", size = 435556, upload-time = "2026-01-07T16:24:43.925Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/6d/b9/4095b668ea3678bf6a0af005527f39de12fb026516fb3df17495a733b7f8/urllib3-2.6.2-py3-none-any.whl", hash = "sha256:ec21cddfe7724fc7cb4ba4bea7aa8e2ef36f607a4bab81aa6ce42a13dc3f03dd", size = 131182, upload-time = "2025-12-11T15:56:38.584Z" },
+    { url = "https://files.pythonhosted.org/packages/39/08/aaaad47bc4e9dc8c725e68f9d04865dbcb2052843ff09c97b08904852d84/urllib3-2.6.3-py3-none-any.whl", hash = "sha256:bf272323e553dfb2e87d9bfd225ca7b0f467b919d7bbd355436d3fd37cb0acd4", size = 131584, upload-time = "2026-01-07T16:24:42.685Z" },
 ]
 
 [[package]]