
fix(deps): bump urllib3 to 2.7.0 to patch decompression-bomb vuln #13568

Merged: czubocha merged 2 commits into main from fix-urlib3 on May 11, 2026

Conversation

@czubocha (Contributor) commented May 11, 2026

Summary

  • Bump urllib3 from 2.6.3 to 2.7.0 across all Python test fixtures to resolve Dependabot alerts
  • Files updated under packages/sf-core/tests/python/tests/:
    • poetry: poetry/poetry.lock, poetry_individually/module1/poetry.lock, poetry_packages/poetry.lock
    • pipenv: pipenv/Pipfile.lock
    • pip: base/requirements-w-hashes.txt
    • uv: uv/uv.lock, uv_installer/uv.lock, uv_only_groups/uv.lock, uv_optional_dependencies/uv.lock, uv_optional_groups/uv.lock, uv_with_without_groups/uv.lock

The uv lockfiles weren't included in the original Dependabot alerts but pinned the same vulnerable version, so they're patched here too.

Root cause

urllib3 2.6.x is affected by GHSA-mf9v-mfxr-j63j — decompression-bomb safeguards can be bypassed in parts of the streaming API. Patched in 2.7.0.

Test plan

  • CI passes on the Python plugin test suite that consumes these fixtures
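The PR notes that the uv lockfiles were not in the Dependabot alerts but pinned the same vulnerable urllib3 release. As an added example, not code from this PR or the project, the following stdlib-only audit helper scans the four lockfile formats named in the PR (poetry.lock, uv.lock, Pipfile.lock, and a hashed pip requirements file) and reports any file still pinning urllib3 below 2.7.0. The file names, directory layout and lockfile contents are constructed for illustration, and the hash value is a placeholder.

```python
"""Flag lockfiles that still pin urllib3 below the patched release.

Hypothetical audit helper (not part of the project or this PR). It parses the
lockfile formats the PR touches so that a fixture Dependabot did not alert on,
such as the uv lockfiles, is still caught by a local scan.
"""
import json
import re

try:
    import tomllib  # Python 3.11+; poetry.lock and uv.lock are both TOML
except ModuleNotFoundError:  # older interpreters fall back to a minimal scanner below
    tomllib = None

PACKAGE = "urllib3"
PATCHED = "2.7.0"  # first release without GHSA-mf9v-mfxr-j63j, per the PR


def parse_version(v: str) -> tuple:
    """Numeric dotted compare; sufficient for urllib3's X.Y.Z release scheme."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def pins_from_toml_lock(text: str) -> list:
    """poetry.lock and uv.lock: [[package]] tables with top-level name/version keys."""
    if tomllib is not None:
        data = tomllib.loads(text)
        return [p["version"] for p in data.get("package", []) if p.get("name") == PACKAGE]
    found = []
    for block in text.split("[[package]]")[1:]:
        name = re.search(r'^name\s*=\s*"([^"]+)"', block, re.M)
        version = re.search(r'^version\s*=\s*"([^"]+)"', block, re.M)
        if name and version and name.group(1) == PACKAGE:
            found.append(version.group(1))
    return found


def pins_from_pipfile_lock(text: str) -> list:
    """Pipfile.lock: JSON with "default"/"develop" sections of {"name": {"version": "==X"}}."""
    data = json.loads(text)
    found = []
    for section in ("default", "develop"):
        entry = data.get(section, {}).get(PACKAGE)
        if entry and "version" in entry:
            found.append(entry["version"].lstrip("="))
    return found


def pins_from_requirements(text: str) -> list:
    """pip requirements: 'urllib3==X.Y.Z \\' followed by --hash continuation lines."""
    pat = re.compile(rf"^\s*{PACKAGE}\s*==\s*([\w.]+)", re.IGNORECASE | re.MULTILINE)
    return pat.findall(text)


# Dispatch on the lockfile's base name.
PARSERS = {
    "poetry.lock": pins_from_toml_lock,
    "uv.lock": pins_from_toml_lock,
    "Pipfile.lock": pins_from_pipfile_lock,
    "requirements-w-hashes.txt": pins_from_requirements,
}


def vulnerable_pins(files: dict) -> dict:
    """Return {path: version} for every lockfile pinning urllib3 below PATCHED."""
    hits = {}
    for path, text in files.items():
        parser = PARSERS.get(path.rsplit("/", 1)[-1])
        if parser is None:
            continue  # not a lockfile format this helper understands
        for version in parser(text):
            if parse_version(version) < parse_version(PATCHED):
                hits[path] = version
    return hits


# Constructed sample fixtures (not the repository's real lockfiles).
SAMPLE_FILES = {
    "tests/poetry/poetry.lock": '[[package]]\nname = "urllib3"\nversion = "2.6.3"\n',
    "tests/uv/uv.lock": '[[package]]\nname = "urllib3"\nversion = "2.7.0"\n',
    "tests/pipenv/Pipfile.lock": '{"default": {"urllib3": {"version": "==2.6.3"}}}',
    "tests/base/requirements-w-hashes.txt": (
        "urllib3==2.6.3 \\\n    --hash=sha256:PLACEHOLDER\n    # via botocore\n"
    ),
}

if __name__ == "__main__":
    for path, version in vulnerable_pins(SAMPLE_FILES).items():
        print(f"{path}: urllib3 {version} is below {PATCHED}")
```

Run against a checkout, the same dispatch table can be fed real file contents with `Path.read_text()`; the point of keying on the base name is that every lockfile flavour the repository carries is checked, not only those a single alerting source happens to cover.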

@Mmarzex (Contributor) commented May 11, 2026

Snyk checks have passed. No issues have been found so far.

| Scan Engine          | Critical | High | Medium | Low | Total (0) |
|----------------------|----------|------|--------|-----|-----------|
| Open Source Security | 0        | 0    | 0      | 0   | 0 issues  |
| Licenses             | 0        | 0    | 0      | 0   | 0 issues  |
| Code Security        | 0        | 0    | 0      | 0   | 0 issues  |


@coderabbitai Bot (Contributor) commented May 11, 2026

Walkthrough

This pull request updates the pinned version of urllib3 from 2.6.3 to 2.7.0 in the test requirements file, replacing the associated SHA256 hashes for pip verification without modifying any other dependencies or metadata.

Changes

urllib3 Version Bump

| Layer / File(s) | Summary |
|-----------------|---------|
| Dependency Version & Hashes: packages/sf-core/tests/python/tests/base/requirements-w-hashes.txt | urllib3 is pinned to version 2.7.0 with new SHA256 hashes; the `# via botocore` comment is preserved. |

🎯 1 (Trivial) | ⏱️ ~3 minutes

🐰 A tiny hop upstream, the urllib flows free,
New hashes blessed, the bot's decree,
From point-six-three to seven-oh, so neat! 📦✨

Pre-merge checks: 5 passed

| Check name | Status | Explanation |
|------------|--------|-------------|
| Title check | Passed | The title clearly and specifically describes the main change: bumping urllib3 to address a decompression-bomb vulnerability, which directly aligns with the PR's core objective of patching a security issue across Python test fixtures. |
| Docstring Coverage | Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | Passed | Check skipped because no linked issues were found for this pull request. |
| Description Check | Passed | Check skipped because CodeRabbit's high-level summary is enabled. |


@czubocha czubocha merged commit 06f1b1b into main May 11, 2026
13 checks passed
@czubocha czubocha deleted the fix-urlib3 branch May 11, 2026 16:41
@github-actions github-actions Bot locked and limited conversation to collaborators May 11, 2026