Closed Pokerface9711 closed 9 months ago
@Pokerface9711 we opened an internal ticket for this. Further, can you please share the security issues that you have seen, as we didn't find any vulnerability issues with this library in our scans. So if you are using some other tools which identify this as a security issue please share that with us.
Hello @avinashpvas, urllib3 version 1.26.18 may not show a vulnerability in a security scan. But in a Python 3.10 environment, several libs work with urllib3 2.0.x, so the IBM COS SDK cannot work together with these libraries. For example, if I install the IBM COS SDK first and then run pip install requests, we get the error below when running Python code:
>>> import ibm_boto3
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/Users/wuwei/vmonic/git_repo/ic4v-billing/.direnv/python-3.10/lib/python3.10/site-packages/ibm_boto3/__init__.py", line 16, in <module>
    from ibm_boto3.session import Session
  File "/Users/wuwei/vmonic/git_repo/ic4v-billing/.direnv/python-3.10/lib/python3.10/site-packages/ibm_boto3/session.py", line 27, in <module>
    import ibm_botocore.session
  File "/Users/wuwei/vmonic/git_repo/ic4v-billing/.direnv/python-3.10/lib/python3.10/site-packages/ibm_botocore/session.py", line 26, in <module>
    import ibm_botocore.client
  File "/Users/wuwei/vmonic/git_repo/ic4v-billing/.direnv/python-3.10/lib/python3.10/site-packages/ibm_botocore/client.py", line 15, in <module>
    from ibm_botocore import waiter, xform_name
  File "/Users/wuwei/vmonic/git_repo/ic4v-billing/.direnv/python-3.10/lib/python3.10/site-packages/ibm_botocore/waiter.py", line 18, in <module>
    from ibm_botocore.docs.docstring import WaiterDocstring
  File "/Users/wuwei/vmonic/git_repo/ic4v-billing/.direnv/python-3.10/lib/python3.10/site-packages/ibm_botocore/docs/__init__.py", line 15, in <module>
    from ibm_botocore.docs.service import ServiceDocumenter
  File "/Users/wuwei/vmonic/git_repo/ic4v-billing/.direnv/python-3.10/lib/python3.10/site-packages/ibm_botocore/docs/service.py", line 14, in <module>
    from ibm_botocore.docs.client import ClientDocumenter, ClientExceptionsDocumenter
  File "/Users/wuwei/vmonic/git_repo/ic4v-billing/.direnv/python-3.10/lib/python3.10/site-packages/ibm_botocore/docs/client.py", line 14, in <module>
    from ibm_botocore.docs.example import ResponseExampleDocumenter
  File "/Users/wuwei/vmonic/git_repo/ic4v-billing/.direnv/python-3.10/lib/python3.10/site-packages/ibm_botocore/docs/example.py", line 13, in <module>
    from ibm_botocore.docs.shape import ShapeDocumenter
  File "/Users/wuwei/vmonic/git_repo/ic4v-billing/.direnv/python-3.10/lib/python3.10/site-packages/ibm_botocore/docs/shape.py", line 19, in <module>
    from ibm_botocore.utils import is_json_value_header
  File "/Users/wuwei/vmonic/git_repo/ic4v-billing/.direnv/python-3.10/lib/python3.10/site-packages/ibm_botocore/utils.py", line 37, in <module>
    import ibm_botocore.httpsession
  File "/Users/wuwei/vmonic/git_repo/ic4v-billing/.direnv/python-3.10/lib/python3.10/site-packages/ibm_botocore/httpsession.py", line 22, in <module>
    from urllib3.util.ssl_ import (
ImportError: cannot import name 'DEFAULT_CIPHERS' from 'urllib3.util.ssl_' (/Users/wuwei/vmonic/git_repo/ic4v-billing/.direnv/python-3.10/lib/python3.10/site-packages/urllib3/util/ssl_.py)
>>> import requests
>>> exit()
@Pokerface9711 We are working to resolve the incompatibility issues.
@Pokerface9711 we fixed this in the latest version. Please check and close this issue.
Thanks, I will check.
Closing the issue; verified that the new version of the COS SDK can work with urllib3 2.x.
Most Python 3.10+ versions already use urllib3 >= 2.0.8, but the COS SDK is still on 1.26.*; this will cause a lot of security issues and compatibility issues.
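The failure in this thread comes from one package's urllib3 pin being violated when a later install pulls in urllib3 2.x. The following added example (not code from the SDK or from anyone in this thread) checks pin strings against an installed version; the package names and pin strings are constructed, with `sdk-core` modelled on the "1.26.*" statement above.

```python
import operator
import re

# Constructed sample: Requires-Dist style pins for two hypothetical packages.
# "sdk-core" mirrors the thread's "still on 1.26.*"; neither is real metadata.
SAMPLE_REQUIREMENTS = {
    "sdk-core": "urllib3<1.27,>=1.26",
    "http-client": "urllib3>=1.21.1,<3",
}

_OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
        ">=": operator.ge, "==": operator.eq, "!=": operator.ne}


def _vtuple(version, width=4):
    """Leading numeric release as a zero-padded tuple (pre/post tags ignored)."""
    release = re.match(r"\d+(?:\.\d+)*", version).group()
    parts = [int(p) for p in release.split(".")][:width]
    return tuple(parts + [0] * (width - len(parts)))


def violated_pins(requirement, installed):
    """Return the clauses of one requirement string that `installed` breaks.

    Handles plain comparison clauses only; wildcards, '~=' and environment
    markers are out of scope for this sketch.
    """
    _, spec = re.match(r"\s*([A-Za-z0-9._-]+)\s*(.*)", requirement).groups()
    broken = []
    for clause in filter(None, (c.strip() for c in spec.split(","))):
        op, ver = re.match(r"(<=|>=|==|!=|<|>)\s*([\w.]+)", clause).groups()
        if not _OPS[op](_vtuple(installed), _vtuple(ver)):
            broken.append(clause)
    return broken


def find_conflicts(requirements, installed):
    """Map package name -> violated clauses, for packages the version breaks."""
    conflicts = {}
    for pkg, req in requirements.items():
        broken = violated_pins(req, installed)
        if broken:
            conflicts[pkg] = broken
    return conflicts


if __name__ == "__main__":
    for version in ("1.26.18", "2.0.7"):
        print(version, find_conflicts(SAMPLE_REQUIREMENTS, version))
```

On a real environment, `pip check` reports this class of conflict from the installed packages' own metadata.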