fix(deps): update dependency urllib3 to >=2.7.0,<3.0.0

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
urllib3 (changelog)	>=2.1.0,<3.0.0 → >=2.7.0,<3.0.0
urllib3 (changelog)	>=2.1.0,<3.0.0 → >=2.7.0,<3.0.0

---

Release Notes

urllib3/urllib3 (urllib3)

v2.7.0

Compare Source

=======================

Security

Addressed high-severity security issues.
Impact was limited to specific use cases detailed in the accompanying
advisories; overall user exposure was estimated to be marginal.

• Decompression-bomb safeguards of the streaming API were bypassed:

  1. When HTTPResponse.drain_conn() was called after the response had been
     read and decompressed partially.
  2. During the second HTTPResponse.read(amt=N) or
     HTTPResponse.stream(amt=N) call when the response was decompressed
     using the official Brotli <https://pypi.org/project/brotli/>__ library.

  See GHSA-mf9v-mfxr-j63j <https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j>__
  for details.

• HTTP pools created using ProxyManager.connection_from_url did not strip
  sensitive headers specified in Retry.remove_headers_on_redirect when
  redirecting to a different host.
  (GHSA-qccp-gfcp-xxvc <https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc>__)

Deprecations and Removals

• Used FutureWarning instead of DeprecationWarning for better
  visibility of existing deprecation notices. Rescheduled the removal of
  deprecated features to version 3.0.
  (#&#8203;3763 <https://github.com/urllib3/urllib3/issues/3763>__)
• Removed support for end-of-life Python 3.9.
  (#&#8203;3720 <https://github.com/urllib3/urllib3/issues/3720>__)
• Removed support for end-of-life PyPy3.10.
  (#&#8203;4979 <https://github.com/urllib3/urllib3/issues/4979>__)
• Bumped the minimum supported pyOpenSSL version to 19.0.0.
  (#&#8203;3777 <https://github.com/urllib3/urllib3/issues/3777>__)

Bugfixes

• Fixed a bug where HTTPResponse.read(amt=None) was ignoring decompressed
  data buffered from previous partial reads.
  (#&#8203;3636 <https://github.com/urllib3/urllib3/issues/3636>__)
• Fixed a bug where HTTPResponse.read() could cache only part of the
  response after a partial read when cache_content=True.
  (#&#8203;4967 <https://github.com/urllib3/urllib3/issues/4967>__)
• Fixed HTTPResponse.stream() and HTTPResponse.read_chunked() to handle
  amt=0.
  (#&#8203;3793 <https://github.com/urllib3/urllib3/issues/3793>__)
• Updated _TYPE_BODY type alias to include missing Iterable[str],
  matching the documented and runtime behavior of chunked request bodies.
  (#&#8203;3798 <https://github.com/urllib3/urllib3/issues/3798>__)
• Fixed LocationParseError when paths resembling schemeless URIs were
  passed to HTTPConnectionPool.urlopen().
  (#&#8203;3352 <https://github.com/urllib3/urllib3/issues/3352>__)
• Fixed BaseHTTPResponse.readinto() type annotation to accept
  memoryview in addition to bytearray, matching the
  io.RawIOBase.readinto contract and enabling use with
  io.BufferedReader without type errors.
  (#&#8203;3764 <https://github.com/urllib3/urllib3/issues/3764>__)

v2.6.3

Compare Source

==================

• Fixed a high-severity security issue where decompression-bomb safeguards of
  the streaming API were bypassed when HTTP redirects were followed.
  (GHSA-38jv-5279-wg99 <https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99>__)
• Started treating Retry-After times greater than 6 hours as 6 hours by
  default. (#&#8203;3743 <https://github.com/urllib3/urllib3/issues/3743>__)
• Fixed urllib3.connection.VerifiedHTTPSConnection on Emscripten.
  (#&#8203;3752 <https://github.com/urllib3/urllib3/issues/3752>__)

v2.6.2

Compare Source

==================

• Fixed HTTPResponse.read_chunked() to properly handle leftover data in
  the decoder's buffer when reading compressed chunked responses.
  (#&#8203;3734 <https://github.com/urllib3/urllib3/issues/3734>__)

v2.6.1

Compare Source

==================

• Restore previously removed HTTPResponse.getheaders() and
  HTTPResponse.getheader() methods.
  (#&#8203;3731 <https://github.com/urllib3/urllib3/issues/3731>__)

v2.6.0

Compare Source

==================

Security

• Fixed a security issue where streaming API could improperly handle highly
  compressed HTTP content ("decompression bombs") leading to excessive resource
  consumption even when a small amount of data was requested. Reading small
  chunks of compressed data is safer and much more efficient now.
  (GHSA-2xpw-w6gg-jr37 <https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37>__)
• Fixed a security issue where an attacker could compose an HTTP response with
  virtually unlimited links in the Content-Encoding header, potentially
  leading to a denial of service (DoS) attack by exhausting system resources
  during decoding. The number of allowed chained encodings is now limited to 5.
  (GHSA-gm62-xv2j-4w53 <https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53>__)

.. caution::

• If urllib3 is not installed with the optional urllib3[brotli] extra, but
  your environment contains a Brotli/brotlicffi/brotlipy package anyway, make
  sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to
  benefit from the security fixes and avoid warnings. Prefer using
  urllib3[brotli] to install a compatible Brotli package automatically.

• If you use custom decompressors, please make sure to update them to
  respect the changed API of urllib3.response.ContentDecoder.

Features

• Enabled retrieval, deletion, and membership testing in HTTPHeaderDict using bytes keys. (#&#8203;3653 <https://github.com/urllib3/urllib3/issues/3653>__)
• Added host and port information to string representations of HTTPConnection. (#&#8203;3666 <https://github.com/urllib3/urllib3/issues/3666>__)
• Added support for Python 3.14 free-threading builds explicitly. (#&#8203;3696 <https://github.com/urllib3/urllib3/issues/3696>__)

Removals

• Removed the HTTPResponse.getheaders() method in favor of HTTPResponse.headers.
  Removed the HTTPResponse.getheader(name, default) method in favor of HTTPResponse.headers.get(name, default). (#&#8203;3622 <https://github.com/urllib3/urllib3/issues/3622>__)

Bugfixes

• Fixed redirect handling in urllib3.PoolManager when an integer is passed
  for the retries parameter. (#&#8203;3649 <https://github.com/urllib3/urllib3/issues/3649>__)
• Fixed HTTPConnectionPool when used in Emscripten with no explicit port. (#&#8203;3664 <https://github.com/urllib3/urllib3/issues/3664>__)
• Fixed handling of SSLKEYLOGFILE with expandable variables. (#&#8203;3700 <https://github.com/urllib3/urllib3/issues/3700>__)

Misc

• Changed the zstd extra to install backports.zstd instead of zstandard on Python 3.13 and before. (#&#8203;3693 <https://github.com/urllib3/urllib3/issues/3693>__)
• Improved the performance of content decoding by optimizing BytesQueueBuffer class. (#&#8203;3710 <https://github.com/urllib3/urllib3/issues/3710>__)
• Allowed building the urllib3 package with newer setuptools-scm v9.x. (#&#8203;3652 <https://github.com/urllib3/urllib3/issues/3652>__)
• Ensured successful urllib3 builds by setting Hatchling requirement to >= 1.27.0. (#&#8203;3638 <https://github.com/urllib3/urllib3/issues/3638>__)

v2.5.0

Compare Source

==================

Features

• Added support for the compression.zstd module that is new in Python 3.14.
  See PEP 784 <https://peps.python.org/pep-0784/>_ for more information. (#&#8203;3610 <https://github.com/urllib3/urllib3/issues/3610>__)
• Added support for version 0.5 of hatch-vcs (#&#8203;3612 <https://github.com/urllib3/urllib3/issues/3612>__)

Bugfixes

• Fixed a security issue where restricting the maximum number of followed
  redirects at the urllib3.PoolManager level via the retries parameter
  did not work.
• Made the Node.js runtime respect redirect parameters such as retries
  and redirects.
• Raised exception for HTTPResponse.shutdown on a connection already released to the pool. (#&#8203;3581 <https://github.com/urllib3/urllib3/issues/3581>__)
• Fixed incorrect CONNECT statement when using an IPv6 proxy with connection_from_host. Previously would not be wrapped in []. (#&#8203;3615 <https://github.com/urllib3/urllib3/issues/3615>__)

v2.4.0

Compare Source

==================

Features

• Applied PEP 639 by specifying the license fields in pyproject.toml. (#&#8203;3522 <https://github.com/urllib3/urllib3/issues/3522>__)
• Updated exceptions to save and restore more properties during the pickle/serialization process. (#&#8203;3567 <https://github.com/urllib3/urllib3/issues/3567>__)
• Added verify_flags option to create_urllib3_context with a default of VERIFY_X509_PARTIAL_CHAIN and VERIFY_X509_STRICT for Python 3.13+. (#&#8203;3571 <https://github.com/urllib3/urllib3/issues/3571>__)

Bugfixes

• Fixed a bug with partial reads of streaming data in Emscripten. (#&#8203;3555 <https://github.com/urllib3/urllib3/issues/3555>__)

Misc

• Switched to uv for installing development dependecies. (#&#8203;3550 <https://github.com/urllib3/urllib3/issues/3550>__)
• Removed the multiple.intoto.jsonl asset from GitHub releases. Attestation of release files since v2.3.0 can be found on PyPI. (#&#8203;3566 <https://github.com/urllib3/urllib3/issues/3566>__)

v2.3.0

Compare Source

==================

Features

• Applied PEP 639 by specifying the license fields in pyproject.toml. (#&#8203;3522 <https://github.com/urllib3/urllib3/issues/3522>__)
• Updated exceptions to save and restore more properties during the pickle/serialization process. (#&#8203;3567 <https://github.com/urllib3/urllib3/issues/3567>__)
• Added verify_flags option to create_urllib3_context with a default of VERIFY_X509_PARTIAL_CHAIN and VERIFY_X509_STRICT for Python 3.13+. (#&#8203;3571 <https://github.com/urllib3/urllib3/issues/3571>__)

Bugfixes

• Fixed a bug with partial reads of streaming data in Emscripten. (#&#8203;3555 <https://github.com/urllib3/urllib3/issues/3555>__)

Misc

• Switched to uv for installing development dependecies. (#&#8203;3550 <https://github.com/urllib3/urllib3/issues/3550>__)
• Removed the multiple.intoto.jsonl asset from GitHub releases. Attestation of release files since v2.3.0 can be found on PyPI. (#&#8203;3566 <https://github.com/urllib3/urllib3/issues/3566>__)

v2.2.3

Compare Source

==================

Features

• Added support for Python 3.13. (#&#8203;3473 <https://github.com/urllib3/urllib3/issues/3473>__)

Bugfixes

• Fixed the default encoding of chunked request bodies to be UTF-8 instead of ISO-8859-1.
  All other methods of supplying a request body already use UTF-8 starting in urllib3 v2.0. (#&#8203;3053 <https://github.com/urllib3/urllib3/issues/3053>__)
• Fixed ResourceWarning on CONNECT with Python < 3.11.4 by backporting python/cpython#103472. (#&#8203;3252 <https://github.com/urllib3/urllib3/issues/3252>__)
• Adjust tolerance for floating-point comparison on Windows to avoid flakiness in CI (#&#8203;3413 <https://github.com/urllib3/urllib3/issues/3413>__)
• Fixed a crash where certain standard library hash functions were absent in restricted environments. (#&#8203;3432 <https://github.com/urllib3/urllib3/issues/3432>__)
• Fixed mypy error when adding to HTTPConnection.default_socket_options. (#&#8203;3448 <https://github.com/urllib3/urllib3/issues/3448>__)

HTTP/2 (experimental)

HTTP/2 support is still in early development.

• Excluded Transfer-Encoding: chunked from HTTP/2 request body (#&#8203;3425 <https://github.com/urllib3/urllib3/issues/3425>__)

• Added version checking for h2 (https://pypi.org/project/h2/) usage.

  Now only accepting supported h2 major version 4.x.x. (#&#8203;3290 <https://github.com/urllib3/urllib3/issues/3290>__)

• Added a probing mechanism for determining whether a given target origin
  supports HTTP/2 via ALPN. (#&#8203;3301 <https://github.com/urllib3/urllib3/issues/3301>__)

• Add support for sending a request body with HTTP/2 (#&#8203;3302 <https://github.com/urllib3/urllib3/issues/3302>__)

Deprecations and Removals

• Note for downstream distributors: the _version.py file has been removed and is now created at build time by hatch-vcs. (#&#8203;3412 <https://github.com/urllib3/urllib3/issues/3412>__)
• Drop support for end-of-life PyPy3.8 and PyPy3.9. (#&#8203;3475 <https://github.com/urllib3/urllib3/issues/3475>__)

v2.2.2

Compare Source

==================

• Added the Proxy-Authorization header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via Retry.remove_headers_on_redirect.
• Allowed passing negative integers as amt to read methods of http.client.HTTPResponse as an alternative to None. (#&#8203;3122 <https://github.com/urllib3/urllib3/issues/3122>__)
• Fixed return types representing copying actions to use typing.Self. (#&#8203;3363 <https://github.com/urllib3/urllib3/issues/3363>__)

v2.2.1

Compare Source

==================

• Fixed issue where InsecureRequestWarning was emitted for HTTPS connections when using Emscripten. (#&#8203;3331 <https://github.com/urllib3/urllib3/issues/3331>__)
• Fixed HTTPConnectionPool.urlopen to stop automatically casting non-proxy headers to HTTPHeaderDict. This change was premature as it did not apply to proxy headers and HTTPHeaderDict does not handle byte header values correctly yet. (#&#8203;3343 <https://github.com/urllib3/urllib3/issues/3343>__)
• Changed InvalidChunkLength to ProtocolError when response terminates before the chunk length is sent. (#&#8203;2860 <https://github.com/urllib3/urllib3/issues/2860>__)
• Changed ProtocolError to be more verbose on incomplete reads with excess content. (#&#8203;3261 <https://github.com/urllib3/urllib3/issues/3261>__)

v2.2.0

Compare Source

==================

• Added support for Emscripten and Pyodide <https://urllib3.readthedocs.io/en/latest/reference/contrib/emscripten.html>, including streaming support in cross-origin isolated browser environments where threading is enabled. (#&#8203;2951 <https://github.com/urllib3/urllib3/issues/2951>)
• Added support for HTTPResponse.read1() method. (#&#8203;3186 <https://github.com/urllib3/urllib3/issues/3186>__)
• Added rudimentary support for HTTP/2. (#&#8203;3284 <https://github.com/urllib3/urllib3/issues/3284>__)
• Fixed issue where requests against urls with trailing dots were failing due to SSL errors
  when using proxy. (#&#8203;2244 <https://github.com/urllib3/urllib3/issues/2244>__)
• Fixed HTTPConnection.proxy_is_verified and HTTPSConnection.proxy_is_verified
  to be always set to a boolean after connecting to a proxy. It could be
  None in some cases previously. (#&#8203;3130 <https://github.com/urllib3/urllib3/issues/3130>__)
• Fixed an issue where headers passed in a request with json= would be mutated (#&#8203;3203 <https://github.com/urllib3/urllib3/issues/3203>__)
• Fixed HTTPSConnection.is_verified to be set to False when connecting
  from a HTTPS proxy to an HTTP target. It was set to True previously. (#&#8203;3267 <https://github.com/urllib3/urllib3/issues/3267>__)
• Fixed handling of new error message from OpenSSL 3.2.0 when configuring an HTTP proxy as HTTPS (#&#8203;3268 <https://github.com/urllib3/urllib3/issues/3268>__)
• Fixed TLS 1.3 post-handshake auth when the server certificate validation is disabled (#&#8203;3325 <https://github.com/urllib3/urllib3/issues/3325>__)
• Note for downstream distributors: To run integration tests, you now need to run the tests a second
  time with the --integration pytest flag. (#&#8203;3181 <https://github.com/urllib3/urllib3/issues/3181>__)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.