mCaptcha/mcaptcha-api-js

Fork 0

chore(deps): update dependency urllib3 to v2.6.0 #32

Open

renovate-bot wants to merge 1 commit from renovate/urllib3-2.x into master

renovate-bot commented

2024-12-23 18:16:31 +05:30

Member

This PR contains the following updates:

Package	Change	Age	Confidence
urllib3 (changelog)	`==2.2.3` -> `==2.6.0`

Release Notes

urllib3/urllib3 (urllib3)

Security

Fixed a security issue where streaming API could improperly handle highly
compressed HTTP content ("decompression bombs") leading to excessive resource
consumption even when a small amount of data was requested. Reading small
chunks of compressed data is safer and much more efficient now.
(GHSA-2xpw-w6gg-jr37 <https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37>__)
Fixed a security issue where an attacker could compose an HTTP response with
virtually unlimited links in the Content-Encoding header, potentially
leading to a denial of service (DoS) attack by exhausting system resources
during decoding. The number of allowed chained encodings is now limited to 5.
(GHSA-gm62-xv2j-4w53 <https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53>__)

.. caution::

If urllib3 is not installed with the optional urllib3[brotli] extra, but
your environment contains a Brotli/brotlicffi/brotlipy package anyway, make
sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to
benefit from the security fixes and avoid warnings. Prefer using
urllib3[brotli] to install a compatible Brotli package automatically.
If you use custom decompressors, please make sure to update them to
respect the changed API of urllib3.response.ContentDecoder.

Features

Enabled retrieval, deletion, and membership testing in HTTPHeaderDict using bytes keys. (#3653 <https://github.com/urllib3/urllib3/issues/3653>__)
Added host and port information to string representations of HTTPConnection. (#3666 <https://github.com/urllib3/urllib3/issues/3666>__)
Added support for Python 3.14 free-threading builds explicitly. (#3696 <https://github.com/urllib3/urllib3/issues/3696>__)

Removals

Removed the HTTPResponse.getheaders() method in favor of HTTPResponse.headers.
Removed the HTTPResponse.getheader(name, default) method in favor of HTTPResponse.headers.get(name, default). (#3622 <https://github.com/urllib3/urllib3/issues/3622>__)

Bugfixes

Fixed redirect handling in urllib3.PoolManager when an integer is passed
for the retries parameter. (#3649 <https://github.com/urllib3/urllib3/issues/3649>__)
Fixed HTTPConnectionPool when used in Emscripten with no explicit port. (#3664 <https://github.com/urllib3/urllib3/issues/3664>__)
Fixed handling of SSLKEYLOGFILE with expandable variables. (#3700 <https://github.com/urllib3/urllib3/issues/3700>__)

Misc

Changed the zstd extra to install backports.zstd instead of zstandard on Python 3.13 and before. (#3693 <https://github.com/urllib3/urllib3/issues/3693>__)
Improved the performance of content decoding by optimizing BytesQueueBuffer class. (#3710 <https://github.com/urllib3/urllib3/issues/3710>__)
Allowed building the urllib3 package with newer setuptools-scm v9.x. (#3652 <https://github.com/urllib3/urllib3/issues/3652>__)
Ensured successful urllib3 builds by setting Hatchling requirement to >= 1.27.0. (#3638 <https://github.com/urllib3/urllib3/issues/3638>__)

Features

Added support for the compression.zstd module that is new in Python 3.14.
See PEP 784 <https://peps.python.org/pep-0784/>_ for more information. (#3610 <https://github.com/urllib3/urllib3/issues/3610>__)
Added support for version 0.5 of hatch-vcs (#3612 <https://github.com/urllib3/urllib3/issues/3612>__)

Bugfixes

Fixed a security issue where restricting the maximum number of followed
redirects at the urllib3.PoolManager level via the retries parameter
did not work.
Made the Node.js runtime respect redirect parameters such as retries
and redirects.
Raised exception for HTTPResponse.shutdown on a connection already released to the pool. (#3581 <https://github.com/urllib3/urllib3/issues/3581>__)
Fixed incorrect CONNECT statement when using an IPv6 proxy with connection_from_host. Previously would not be wrapped in []. (#3615 <https://github.com/urllib3/urllib3/issues/3615>__)

Features

Applied PEP 639 by specifying the license fields in pyproject.toml. (#3522 <https://github.com/urllib3/urllib3/issues/3522>__)
Updated exceptions to save and restore more properties during the pickle/serialization process. (#3567 <https://github.com/urllib3/urllib3/issues/3567>__)
Added verify_flags option to create_urllib3_context with a default of VERIFY_X509_PARTIAL_CHAIN and VERIFY_X509_STRICT for Python 3.13+. (#3571 <https://github.com/urllib3/urllib3/issues/3571>__)

Bugfixes

Fixed a bug with partial reads of streaming data in Emscripten. (#3555 <https://github.com/urllib3/urllib3/issues/3555>__)

Misc

Switched to uv for installing development dependecies. (#3550 <https://github.com/urllib3/urllib3/issues/3550>__)
Removed the multiple.intoto.jsonl asset from GitHub releases. Attestation of release files since v2.3.0 can be found on PyPI. (#3566 <https://github.com/urllib3/urllib3/issues/3566>__)

Features

Applied PEP 639 by specifying the license fields in pyproject.toml. (#3522 <https://github.com/urllib3/urllib3/issues/3522>__)
Updated exceptions to save and restore more properties during the pickle/serialization process. (#3567 <https://github.com/urllib3/urllib3/issues/3567>__)
Added verify_flags option to create_urllib3_context with a default of VERIFY_X509_PARTIAL_CHAIN and VERIFY_X509_STRICT for Python 3.13+. (#3571 <https://github.com/urllib3/urllib3/issues/3571>__)

Bugfixes

Fixed a bug with partial reads of streaming data in Emscripten. (#3555 <https://github.com/urllib3/urllib3/issues/3555>__)

Misc

Switched to uv for installing development dependecies. (#3550 <https://github.com/urllib3/urllib3/issues/3550>__)
Removed the multiple.intoto.jsonl asset from GitHub releases. Attestation of release files since v2.3.0 can be found on PyPI. (#3566 <https://github.com/urllib3/urllib3/issues/3566>__)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [urllib3](https://github.com/urllib3/urllib3) ([changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)) | `==2.2.3` -> `==2.6.0` | ![age](https://developer.mend.io/api/mc/badges/age/pypi/urllib3/2.6.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/urllib3/2.2.3/2.6.0?slim=true) | --- ### Release Notes <details> <summary>urllib3/urllib3 (urllib3)</summary> ### [`v2.6.0`](https://github.com/urllib3/urllib3/blob/HEAD/CHANGES.rst#260-2025-12-05) [Compare Source](https://github.com/urllib3/urllib3/compare/2.5.0...2.6.0) \================== ## Security - Fixed a security issue where streaming API could improperly handle highly compressed HTTP content ("decompression bombs") leading to excessive resource consumption even when a small amount of data was requested. Reading small chunks of compressed data is safer and much more efficient now. (`GHSA-2xpw-w6gg-jr37 <https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37>`\_\_) - Fixed a security issue where an attacker could compose an HTTP response with virtually unlimited links in the `Content-Encoding` header, potentially leading to a denial of service (DoS) attack by exhausting system resources during decoding. The number of allowed chained encodings is now limited to 5. (`GHSA-gm62-xv2j-4w53 <https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53>`\_\_) .. caution:: - If urllib3 is not installed with the optional `urllib3[brotli]` extra, but your environment contains a Brotli/brotlicffi/brotlipy package anyway, make sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to benefit from the security fixes and avoid warnings. Prefer using `urllib3[brotli]` to install a compatible Brotli package automatically. - If you use custom decompressors, please make sure to update them to respect the changed API of `urllib3.response.ContentDecoder`. ## Features - Enabled retrieval, deletion, and membership testing in `HTTPHeaderDict` using bytes keys. (`#3653 <https://github.com/urllib3/urllib3/issues/3653>`\_\_) - Added host and port information to string representations of `HTTPConnection`. (`#3666 <https://github.com/urllib3/urllib3/issues/3666>`\_\_) - Added support for Python 3.14 free-threading builds explicitly. (`#3696 <https://github.com/urllib3/urllib3/issues/3696>`\_\_) ## Removals - Removed the `HTTPResponse.getheaders()` method in favor of `HTTPResponse.headers`. Removed the `HTTPResponse.getheader(name, default)` method in favor of `HTTPResponse.headers.get(name, default)`. (`#3622 <https://github.com/urllib3/urllib3/issues/3622>`\_\_) ## Bugfixes - Fixed redirect handling in `urllib3.PoolManager` when an integer is passed for the retries parameter. (`#3649 <https://github.com/urllib3/urllib3/issues/3649>`\_\_) - Fixed `HTTPConnectionPool` when used in Emscripten with no explicit port. (`#3664 <https://github.com/urllib3/urllib3/issues/3664>`\_\_) - Fixed handling of `SSLKEYLOGFILE` with expandable variables. (`#3700 <https://github.com/urllib3/urllib3/issues/3700>`\_\_) ## Misc - Changed the `zstd` extra to install `backports.zstd` instead of `zstandard` on Python 3.13 and before. (`#3693 <https://github.com/urllib3/urllib3/issues/3693>`\_\_) - Improved the performance of content decoding by optimizing `BytesQueueBuffer` class. (`#3710 <https://github.com/urllib3/urllib3/issues/3710>`\_\_) - Allowed building the urllib3 package with newer setuptools-scm v9.x. (`#3652 <https://github.com/urllib3/urllib3/issues/3652>`\_\_) - Ensured successful urllib3 builds by setting Hatchling requirement to >= 1.27.0. (`#3638 <https://github.com/urllib3/urllib3/issues/3638>`\_\_) ### [`v2.5.0`](https://github.com/urllib3/urllib3/blob/HEAD/CHANGES.rst#250-2025-06-18) [Compare Source](https://github.com/urllib3/urllib3/compare/2.4.0...2.5.0) \================== ## Features - Added support for the `compression.zstd` module that is new in Python 3.14. See `PEP 784 <https://peps.python.org/pep-0784/>`\_ for more information. (`#3610 <https://github.com/urllib3/urllib3/issues/3610>`\_\_) - Added support for version 0.5 of `hatch-vcs` (`#3612 <https://github.com/urllib3/urllib3/issues/3612>`\_\_) ## Bugfixes - Fixed a security issue where restricting the maximum number of followed redirects at the `urllib3.PoolManager` level via the `retries` parameter did not work. - Made the Node.js runtime respect redirect parameters such as `retries` and `redirects`. - Raised exception for `HTTPResponse.shutdown` on a connection already released to the pool. (`#3581 <https://github.com/urllib3/urllib3/issues/3581>`\_\_) - Fixed incorrect `CONNECT` statement when using an IPv6 proxy with `connection_from_host`. Previously would not be wrapped in `[]`. (`#3615 <https://github.com/urllib3/urllib3/issues/3615>`\_\_) ### [`v2.4.0`](https://github.com/urllib3/urllib3/blob/HEAD/CHANGES.rst#240-2025-04-10) [Compare Source](https://github.com/urllib3/urllib3/compare/2.3.0...2.4.0) \================== ## Features - Applied PEP 639 by specifying the license fields in pyproject.toml. (`#3522 <https://github.com/urllib3/urllib3/issues/3522>`\_\_) - Updated exceptions to save and restore more properties during the pickle/serialization process. (`#3567 <https://github.com/urllib3/urllib3/issues/3567>`\_\_) - Added `verify_flags` option to `create_urllib3_context` with a default of `VERIFY_X509_PARTIAL_CHAIN` and `VERIFY_X509_STRICT` for Python 3.13+. (`#3571 <https://github.com/urllib3/urllib3/issues/3571>`\_\_) ## Bugfixes - Fixed a bug with partial reads of streaming data in Emscripten. (`#3555 <https://github.com/urllib3/urllib3/issues/3555>`\_\_) ## Misc - Switched to uv for installing development dependecies. (`#3550 <https://github.com/urllib3/urllib3/issues/3550>`\_\_) - Removed the `multiple.intoto.jsonl` asset from GitHub releases. Attestation of release files since v2.3.0 can be found on PyPI. (`#3566 <https://github.com/urllib3/urllib3/issues/3566>`\_\_) ### [`v2.3.0`](https://github.com/urllib3/urllib3/blob/HEAD/CHANGES.rst#240-2025-04-10) [Compare Source](https://github.com/urllib3/urllib3/compare/2.2.3...2.3.0) \================== ## Features - Applied PEP 639 by specifying the license fields in pyproject.toml. (`#3522 <https://github.com/urllib3/urllib3/issues/3522>`\_\_) - Updated exceptions to save and restore more properties during the pickle/serialization process. (`#3567 <https://github.com/urllib3/urllib3/issues/3567>`\_\_) - Added `verify_flags` option to `create_urllib3_context` with a default of `VERIFY_X509_PARTIAL_CHAIN` and `VERIFY_X509_STRICT` for Python 3.13+. (`#3571 <https://github.com/urllib3/urllib3/issues/3571>`\_\_) ## Bugfixes - Fixed a bug with partial reads of streaming data in Emscripten. (`#3555 <https://github.com/urllib3/urllib3/issues/3555>`\_\_) ## Misc - Switched to uv for installing development dependecies. (`#3550 <https://github.com/urllib3/urllib3/issues/3550>`\_\_) - Removed the `multiple.intoto.jsonl` asset from GitHub releases. Attestation of release files since v2.3.0 can be found on PyPI. (`#3566 <https://github.com/urllib3/urllib3/issues/3566>`\_\_) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

renovate-bot added the

renovate-bot

label

2024-12-23 18:16:31 +05:30

renovate-bot force-pushed renovate/urllib3-2.x from 67fe5cb157 to 6e698d70ae

2025-04-07 05:17:49 +05:30

Compare

renovate-bot changed title from ~~chore(deps): update dependency urllib3 to v2.3.0~~ to chore(deps): update dependency urllib3 to v2.4.0

2025-04-14 05:16:10 +05:30

renovate-bot force-pushed renovate/urllib3-2.x from 6e698d70ae to 105560a9c2

2025-04-14 05:16:10 +05:30

Compare

renovate-bot changed title from ~~chore(deps): update dependency urllib3 to v2.4.0~~ to chore(deps): update dependency urllib3 to v2.5.0

2025-06-23 05:25:37 +05:30

renovate-bot force-pushed renovate/urllib3-2.x from 105560a9c2 to c37815252f

2025-06-23 05:25:39 +05:30

Compare

renovate-bot changed title from ~~chore(deps): update dependency urllib3 to v2.5.0~~ to chore(deps): update dependency urllib3 to v2.6.0

2025-12-08 05:19:51 +05:30

renovate-bot force-pushed renovate/urllib3-2.x from c37815252f to ccbf1f055a

2025-12-08 05:19:53 +05:30

Compare

This pull request can be merged automatically.

You are not authorized to merge this pull request.

View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.

git fetch -u origin renovate/urllib3-2.x:renovate/urllib3-2.x

git switch renovate/urllib3-2.x

Merge

Merge the changes and update on Forgejo.

Warning: The "Autodetect manual merge" setting is not enabled for this repository, you will have to mark this pull request as manually merged afterwards.

git switch master

git merge --no-ff renovate/urllib3-2.x

git switch renovate/urllib3-2.x

git rebase master

git switch master

git merge --ff-only renovate/urllib3-2.x

git switch renovate/urllib3-2.x

git rebase master

git switch master

git merge --no-ff renovate/urllib3-2.x

git switch master

git merge --squash renovate/urllib3-2.x