Closed dependabot[bot] closed 1 week ago
@ashleygould @sfisher Hi Scott and Ashley,
This is a Dependabot-created pull request. There were two urllib3 packages in the poetry.lock file, one for Python 3.8+ and one for earlier versions (">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*"). The pull request only kept one urllib3, the one for earlier Python versions (">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*").
Should we discard this pull request and manually update urllib3?
Thank you
Jing
Manually updating Python package dependencies by running the `poetry add ${package}@latest` command didn't update the urllib3 versions in the poetry.lock file. The command showed that:

Output from running the update_project.sh script:

```
Package operations: 0 installs, 4 updates, 0 removals
- Updating urllib3 (1.26.18 -> 2.2.1)
- Downgrading boto3 (1.34.130 -> 1.34.119)
- Downgrading filelock (3.15.3 -> 3.14.0)
- Downgrading sqlalchemy (2.0.31 -> 2.0.30)
Using version ^2.2.4 for mysqlclient
...
Package operations: 0 installs, 3 updates, 0 removals
- Downgrading urllib3 (2.2.1 -> 1.26.18)
- Updating botocore (1.34.130 -> 1.34.131)
- Updating boto3 (1.34.119 -> 1.34.131)
Writing lock file
Using version ^0.0.3 for mysql
```

urllib3 package entries in the poetry.lock file:
```toml
[[package]]
name = "urllib3"
version = "1.26.18"
description = "HTTP library with thread-safe connection pooling, file post, and more."
optional = false
python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*"
files = [
    {file = "urllib3-1.26.18-py2.py3-none-any.whl", hash = "sha256:34b97092d7e0a3a8cf7cd10e386f401b3737364026c45e622aa02903dffe0f07"},
    {file = "urllib3-1.26.18.tar.gz", hash = "sha256:f8ecc1bba5667413457c529ab955bf8c67b45db799d159066261719e328580a0"},
]

[package.extras]
brotli = ["brotli (==1.0.9)", "brotli (>=1.0.9)", "brotlicffi (>=0.8.0)", "brotlipy (>=0.6.0)"]
secure = ["certifi", "cryptography (>=1.3.4)", "idna (>=2.0.0)", "ipaddress", "pyOpenSSL (>=0.14)", "urllib3-secure-extra"]
socks = ["PySocks (>=1.5.6,!=1.5.7,<2.0)"]

[[package]]
name = "urllib3"
version = "2.2.1"
description = "HTTP library with thread-safe connection pooling, file post, and more."
optional = false
python-versions = ">=3.8"
files = [
    {file = "urllib3-2.2.1-py3-none-any.whl", hash = "sha256:450b20ec296a467077128bff42b73080516e71b56ff59a60a02bef2232c4fa9d"},
    {file = "urllib3-2.2.1.tar.gz", hash = "sha256:d0570876c61ab9e520d776c38acbbb5b05a776d3f9ff98a5c8fd5162a444cf19"},
]

[package.extras]
brotli = ["brotli (>=1.0.9)", "brotlicffi (>=0.8.0)"]
h2 = ["h2 (>=4,<5)"]
socks = ["pysocks (>=1.5.6,!=1.5.7,<2.0)"]
zstd = ["zstandard (>=0.18.0)"]
```
Conclusion:
@ashleygould @sfisher Scott and Ashley: What do you think?
Jing
Need more investigation.
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting `@dependabot ignore this major version` or `@dependabot ignore this minor version`.
If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
Bumps urllib3 from 1.26.18 to 1.26.19.
Release notes
Sourced from urllib3's releases.
Changelog
Sourced from urllib3's changelog.
Commits
- d9d85c8 Release 1.26.19
- 8528b63 [1.26] Fix downstream tests (#3409)
- 40b6d16 Merge pull request from GHSA-34jh-p97f-mpxf
- 29cfd02 Fix handling of OpenSSL 3.2.0 new error message "record layer failure" (#3405)
- b600643 [1.26] Bump RECENT_DATE (#3404)
- 7e2d389 [1.26] Fix running CPython 2.7 tests in CI (#3137)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show