The pinned version of urllib3 was an outdated / vulnerable package. I'm pretty sure the vulnerable code wasn't used anywhere in this app, but just to make things easier I've removed the urllib3 requirement entirely and it is now correctly installed as a dependency of chromadb.
I think I originally pinned it due to some conflict that was resolved when I bumped the chromadb version a few weeks back.
The pinned version of urllib3 was an outdated / vulnerable package. I'm pretty sure the vulnerable code wasn't used anywhere in this app, but just to make things easier I've removed the urllib3 requirement entirely and it is now correctly installed as a dependency of chromadb.
I think I originally pinned it due to some conflict that was resolved when I bumped the chromadb version a few weeks back.