Bump urllib3 from 2.2.3 to 2.6.3 in /Password Strength Checker by dependabot[bot] · Pull Request #529 · wasmerio/Python-Scripts
2.6.3
🚀 urllib3 is fundraising for HTTP/2 support
urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.
Thank you for your support.
Changes
- Fixed a security issue where decompression-bomb safeguards of the streaming API were bypassed when HTTP redirects were followed. (CVE-2026-21441 reported by
@D47A, 8.9 High, GHSA-38jv-5279-wg99) - Started treating
Retry-Aftertimes greater than 6 hours as 6 hours by default. (urllib3/urllib3#3743) - Fixed
urllib3.connection.VerifiedHTTPSConnectionon Emscripten. (urllib3/urllib3#3752)
2.6.2
🚀 urllib3 is fundraising for HTTP/2 support
urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.
Thank you for your support.
Changes
- Fixed
HTTPResponse.read_chunked()to properly handle leftover data in the decoder's buffer when reading compressed chunked responses. (urllib3/urllib3#3734)
2.6.1
🚀 urllib3 is fundraising for HTTP/2 support
urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.
Thank you for your support.
Changes
- Restore previously removed
HTTPResponse.getheaders()andHTTPResponse.getheader()methods. (#3731)
2.6.0
🚀 urllib3 is fundraising for HTTP/2 support
urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.
Thank you for your support.
Security
- Fixed a security issue where streaming API could improperly handle highly compressed HTTP content ("decompression bombs") leading to excessive resource consumption even when a small amount of data was requested. Reading small chunks of compressed data is safer and much more efficient now. (CVE-2025-66471 reported by
@Cycloctane, 8.9 High, GHSA-2xpw-w6gg-jr37) - Fixed a security issue where an attacker could compose an HTTP response with virtually unlimited links in the
Content-Encodingheader, potentially leading to a denial of service (DoS) attack by exhausting system resources during decoding. The number of allowed chained encodings is now limited to 5. (CVE-2025-66418 reported by@illia-v, 8.9 High, GHSA-gm62-xv2j-4w53)
[!IMPORTANT]
- If urllib3 is not installed with the optional
urllib3[brotli]extra, but your environment contains a Brotli/brotlicffi/brotlipy package anyway, make sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to benefit from the security fixes and avoid warnings. Prefer usingurllib3[brotli]to install a compatible Brotli package automatically.
... (truncated)