chore(deps): bump urllib3 from 2.6.3 to 2.7.0#3109
Conversation
Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.6.3 to 2.7.0. - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](urllib3/urllib3@2.6.3...2.7.0) --- updated-dependencies: - dependency-name: urllib3 dependency-version: 2.7.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
There was a problem hiding this comment.
LGTM — routine Dependabot lockfile bump of urllib3 2.6.3 → 2.7.0.
What was reviewed
- The diff is a single
uv.lockentry update; sdist/wheel URLs and hashes follow the standard PyPI pattern for the 2.7.0 release. - urllib3 is not a direct dependency of the SDK — it enters the lockfile only transitively via
requests(dev/docs tooling), so no SDK code paths change. - 2.7.0 ships two security fixes (decompression-bomb safeguard bypass, proxy redirect header stripping); the removals in this release (Python 3.9 / PyPy3.10 support) don't affect this repo's supported 3.10–3.14 range.
Extended reasoning...
Overview
This PR is a Dependabot-generated bump of urllib3 from 2.6.3 to 2.7.0, touching only uv.lock (one package stanza: version, sdist, and wheel URL/hash updates). No source code, pyproject.toml, or CI configuration changes.
Security risks
The change itself introduces no new attack surface — it is a lockfile pin update. The new release actually addresses two security advisories in urllib3 (GHSA-mf9v-mfxr-j63j and GHSA-qccp-gfcp-xxvc). The hashes are Dependabot-generated and uv verifies them against PyPI on install, so a tampered artifact would fail resolution rather than silently install.
Level of scrutiny
Low. urllib3 is a transitive dependency only (pulled in via requests, which is dev/docs tooling — it does not appear in the SDK's runtime dependencies; the SDK's HTTP stack is httpx2). A minor-version bump of a transitive dev dependency in a lockfile is about as mechanical as PRs get. The release's breaking removals (Python 3.9, PyPy3.10) are irrelevant since this repo supports 3.10–3.14 on CPython. The FutureWarning-instead-of-DeprecationWarning change could theoretically interact with pytest's filterwarnings = ["error"], but only if test code exercised deprecated urllib3 APIs, which the SDK does not use directly — and CI will catch any such surprise.
Other factors
The repo's guidelines note not to raise dependency floors for CVEs alone — this PR does not touch any >= constraint, only the resolved lock pin, which is exactly the right shape for absorbing a security release. CI runs the full test matrix plus a uv.lock consistency check, providing an additional safety net. No reviewer comments or prior bot reviews exist on the timeline.
Bumps urllib3 from 2.6.3 to 2.7.0.
Release notes
Sourced from urllib3's releases.
Changelog
Sourced from urllib3's changelog.
... (truncated)
Commits
9a950b9Release 2.7.05ec0de4Merge commit from fork2bdcc44Merge commit from forkf45b0dfFix a misleading example forProxyManager(#4970)577193cSwitch to nightly PyPy3.11 in CI for now (#4984)e90af45Avoid infinite loop inHTTPResponse.read_chunkedwhenamt=0(#4974)67ed74fBump dev dependencies (#4972)3abd481Upgrade mypy to version 1.20.2 (#4978)2b8725dDrop support for EOL PyPy3.10 (#4979)2944b2aUpgradesetup-chromeandsetup-firefoxto fix warnings (#4973)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.