microbiomedata / nmdc-schema

National Microbiome Data Collaborative (NMDC) unified data model
https://microbiomedata.github.io/nmdc-schema/
Creative Commons Zero v1.0 Universal

Use newer version of `urllib3` to avoid moderate security bug #2097

Closed: turbomam closed this 2 days ago

turbomam commented 1 week ago

GitHub's dependabot recently reported an issue in the urllib3 Python package upon which this project depends. According to dependabot, the issue is present in urllib3 version 2.2.1, but not 2.2.2. In this branch, I ran poetry update urllib3 to update urllib3 to a version newer than 2.2.1, and committed the resulting poetry.lock file.

github-actions[bot] commented 1 week ago

PR Preview Action v1.4.7: Deployed preview to https://microbiomedata.github.io/nmdc-schema/pr-preview/pr-2097/ on branch gh-pages at 2024-07-03 12:54 UTC

eecavanna commented 1 week ago

I'd rather not have a new direct dependency be introduced when the only reason it is being introduced is to specify that a specific version of it be installed (and it is otherwise a transitive dependency). With this approach, even if the direct dependencies switch to using something other than urllib3, nmdc-schema will continue to "depend" on it.

eecavanna commented 1 week ago

I think you can instead run:

poetry update urllib3

Source: https://python-poetry.org/docs/cli/#update

And then commit the resulting poetry.lock file.

eecavanna commented 1 week ago

> can you suggest an alternative?

I posted a shell command (suggestion) right above your most recent comment (I think we posted those at roughly the same time).

eecavanna commented 1 week ago

@turbomam, here's what I suggest for a PR description:

GitHub's "dependabot" recently reported an issue in the urllib3 Python package upon which this project depends. According to "dependabot," the issue is present in urllib3 version 2.2.1, but not 2.2.2. In this branch, I ran poetry update urllib3 to update urllib3 to a version newer than 2.2.1, and committed the resulting poetry.lock file.

This branch does not contain any schema changes.