Originally created by: dependabot[bot]
Bumps urllib3 from 2.6.3 to 2.7.0.
Sourced from urllib3's releases.
2.7.0
🚀 urllib3 is fundraising for HTTP/2 support
urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.
Thank you for your support.
Security
Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.
Decompression-bomb safeguards of the streaming API were bypassed:
- When
HTTPResponse.drain_conn()was called after the response had been read and decompressed partially. (Reported by@Cycloctane)- During the second
HTTPResponse.read(amt=N)orHTTPResponse.stream(amt=N)call when the response was decompressed using the official Brotli library. (Reported by@kimkou2024)See GHSA-mf9v-mfxr-j63j for details.
HTTP pools created using
ProxyManager.connection_from_urldid not strip sensitive headers specified inRetry.remove_headers_on_redirectwhen redirecting to a different host. (GHSA-qccp-gfcp-xxvc reported by@christos-spearbit)Deprecations and Removals
- Used
FutureWarninginstead ofDeprecationWarningfor better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. (urllib3/urllib3#3763](https://github.com/href="https://redirect.github.com/urllib3/urllib3/issues/3763">urllib3/urllib3/issues/3763))- Removed support for end-of-life Python 3.9. (urllib3/urllib3#3720](https://github.com/href="https://redirect.github.com/urllib3/urllib3/issues/3720">urllib3/urllib3/issues/3720))
- Removed support for end-of-life PyPy3.10. (urllib3/urllib3#4979](https://github.com/href="https://redirect.github.com/urllib3/urllib3/issues/4979">urllib3/urllib3/issues/4979))
- Bumped the minimum supported pyOpenSSL version to 19.0.0. (urllib3/urllib3#3777](https://github.com/href="https://redirect.github.com/urllib3/urllib3/issues/3777">urllib3/urllib3/issues/3777))
Bugfixes
- Fixed a bug where
HTTPResponse.read(amt=None)was ignoring decompressed data buffered from previous partial reads. (urllib3/urllib3#3636](https://github.com/href="https://redirect.github.com/urllib3/urllib3/issues/3636">urllib3/urllib3/issues/3636))- Fixed a bug where
HTTPResponse.read()could cache only part of the response after a partial read whencache_content=True. (urllib3/urllib3#4967](https://github.com/href="https://redirect.github.com/urllib3/urllib3/issues/4967">urllib3/urllib3/issues/4967))- Fixed
HTTPResponse.stream()andHTTPResponse.read_chunked()to handleamt=0. (urllib3/urllib3#3793](https://github.com/href="https://redirect.github.com/urllib3/urllib3/issues/3793">urllib3/urllib3/issues/3793))- Updated
_TYPE_BODYtype alias to include missingIterable[str], matching the documented and runtime behavior of chunked request bodies. (urllib3/urllib3#3798](https://github.com/href="https://redirect.github.com/urllib3/urllib3/issues/3798">urllib3/urllib3/issues/3798))- Fixed
LocationParseErrorwhen paths resembling schemeless URIs were passed toHTTPConnectionPool.urlopen(). (urllib3/urllib3#3352](https://github.com/href="https://redirect.github.com/urllib3/urllib3/issues/3352">urllib3/urllib3/issues/3352))- Fixed
BaseHTTPResponse.readinto()type annotation to acceptmemoryviewin addition tobytearray, matching theio.RawIOBase.readintocontract and enabling use withio.BufferedReaderwithout type errors. (urllib3/urllib3#3764](https://github.com/href="https://redirect.github.com/urllib3/urllib3/issues/3764">urllib3/urllib3/issues/3764))
Sourced from urllib3's changelog.
2.7.0 (2026-05-07)
Security
Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.
Decompression-bomb safeguards of the streaming API were bypassed:
- When
HTTPResponse.drain_conn()was called after the response had been read and decompressed partially.- During the second
HTTPResponse.read(amt=N)orHTTPResponse.stream(amt=N)call when the response was decompressed using the officialBrotli <https://pypi.org/project/brotli/>__ library.See
GHSA-mf9v-mfxr-j63j <https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j>__ for details.HTTP pools created using
ProxyManager.connection_from_urldid not strip sensitive headers specified inRetry.remove_headers_on_redirectwhen redirecting to a different host. (GHSA-qccp-gfcp-xxvc <https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc>__)Deprecations and Removals
- Used
FutureWarninginstead ofDeprecationWarningfor better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. ([#3763](https://github.com/urllib3/urllib3/issues/3763) <https://github.com/urllib3/urllib3/issues/3763>__)- Removed support for end-of-life Python 3.9. (
[#3720](https://github.com/urllib3/urllib3/issues/3720) <https://github.com/urllib3/urllib3/issues/3720>__)- Removed support for end-of-life PyPy3.10. (
[#4979](https://github.com/urllib3/urllib3/issues/4979) <https://github.com/urllib3/urllib3/issues/4979>__)- Bumped the minimum supported pyOpenSSL version to 19.0.0. (
[#3777](https://github.com/urllib3/urllib3/issues/3777) <https://github.com/urllib3/urllib3/issues/3777>__)Bugfixes
- Fixed a bug where
HTTPResponse.read(amt=None)was ignoring decompressed data buffered from previous partial reads. ([#3636](https://github.com/urllib3/urllib3/issues/3636) <https://github.com/urllib3/urllib3/issues/3636>__)- Fixed a bug where
HTTPResponse.read()could cache only part of the response after a partial read whencache_content=True.
... (truncated)
9a950b9 Release 2.7.05ec0de4 Merge commit from fork2bdcc44 Merge commit from forkf45b0df Fix a misleading example for ProxyManager (#4970](https://github.com/href="https://redirect.github.com/urllib3/urllib3/issues/4970">/issues/4970))577193c Switch to nightly PyPy3.11 in CI for now (#4984](https://github.com/href="https://redirect.github.com/urllib3/urllib3/issues/4984">/issues/4984))e90af45 Avoid infinite loop in HTTPResponse.read_chunked when amt=0 (#4974](https://github.com/href="https://redirect.github.com/urllib3/urllib3/issues/4974">/issues/4974))67ed74f Bump dev dependencies (#4972](https://github.com/href="https://redirect.github.com/urllib3/urllib3/issues/4972">/issues/4972))3abd481 Upgrade mypy to version 1.20.2 (#4978](https://github.com/href="https://redirect.github.com/urllib3/urllib3/issues/4978">/issues/4978))2b8725d Drop support for EOL PyPy3.10 (#4979](https://github.com/href="https://redirect.github.com/urllib3/urllib3/issues/4979">/issues/4979))2944b2a Upgrade setup-chrome and setup-firefox to fix warnings (#4973](https://github.com/href="https://redirect.github.com/urllib3/urllib3/issues/4973">/issues/4973))Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.
Originally posted by: luifr10
@dependabot rebase