pferron / Case112184

0 stars 2 forks source link

Update dependency urllib3 to v2 - autoclosed #26

Closed mend-for-github-com[bot] closed 2 months ago

mend-for-github-com[bot] commented 5 months ago

This PR contains the following updates:

Package Update Change
urllib3 (changelog) major ==1.26.15 -> ==2.2.2

By merging this PR, the issue #8 will be automatically resolved and closed:

Severity CVSS Score CVE
High High 8.1 CVE-2023-43804
Medium Medium 4.4 CVE-2024-37891
Medium Medium 4.2 CVE-2023-45803

Release Notes

urllib3/urllib3 (urllib3) ### [`v2.2.2`](https://togithub.com/urllib3/urllib3/blob/HEAD/CHANGES.rst#222-2024-06-17) [Compare Source](https://togithub.com/urllib3/urllib3/compare/2.2.1...2.2.2) \================== - Added the `Proxy-Authorization` header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via `Retry.remove_headers_on_redirect`. - Allowed passing negative integers as `amt` to read methods of `http.client.HTTPResponse` as an alternative to `None`. (`#​3122 `\__) - Fixed return types representing copying actions to use `typing.Self`. (`#​3363 `\__) ### [`v2.2.1`](https://togithub.com/urllib3/urllib3/blob/HEAD/CHANGES.rst#221-2024-02-16) [Compare Source](https://togithub.com/urllib3/urllib3/compare/2.2.0...2.2.1) \================== - Fixed issue where `InsecureRequestWarning` was emitted for HTTPS connections when using Emscripten. (`#​3331 `\__) - Fixed `HTTPConnectionPool.urlopen` to stop automatically casting non-proxy headers to `HTTPHeaderDict`. This change was premature as it did not apply to proxy headers and `HTTPHeaderDict` does not handle byte header values correctly yet. (`#​3343 `\__) - Changed `InvalidChunkLength` to `ProtocolError` when response terminates before the chunk length is sent. (`#​2860 `\__) - Changed `ProtocolError` to be more verbose on incomplete reads with excess content. (`#​3261 `\__) ### [`v2.2.0`](https://togithub.com/urllib3/urllib3/blob/HEAD/CHANGES.rst#220-2024-01-30) [Compare Source](https://togithub.com/urllib3/urllib3/compare/2.1.0...2.2.0) \================== - Added support for `Emscripten and Pyodide `**, including streaming support in cross-origin isolated browser environments where threading is enabled. (`#​2951 `**) - Added support for `HTTPResponse.read1()` method. (`#​3186 `\__) - Added rudimentary support for HTTP/2. (`#​3284 `\__) - Fixed issue where requests against urls with trailing dots were failing due to SSL errors when using proxy. (`#​2244 `\__) - Fixed `HTTPConnection.proxy_is_verified` and `HTTPSConnection.proxy_is_verified` to be always set to a boolean after connecting to a proxy. It could be `None` in some cases previously. (`#​3130 `\__) - Fixed an issue where `headers` passed in a request with `json=` would be mutated (`#​3203 `\__) - Fixed `HTTPSConnection.is_verified` to be set to `False` when connecting from a HTTPS proxy to an HTTP target. It was set to `True` previously. (`#​3267 `\__) - Fixed handling of new error message from OpenSSL 3.2.0 when configuring an HTTP proxy as HTTPS (`#​3268 `\__) - Fixed TLS 1.3 post-handshake auth when the server certificate validation is disabled (`#​3325 `\__) - Note for downstream distributors: To run integration tests, you now need to run the tests a second time with the `--integration` pytest flag. (`#​3181 `\__) ### [`v2.1.0`](https://togithub.com/urllib3/urllib3/blob/HEAD/CHANGES.rst#210-2023-11-13) [Compare Source](https://togithub.com/urllib3/urllib3/compare/2.0.7...2.1.0) \================== - Removed support for the deprecated urllib3\[secure] extra. (`#​2680 `\__) - Removed support for the deprecated SecureTransport TLS implementation. (`#​2681 `\__) - Removed support for the end-of-life Python 3.7. (`#​3143 `\__) - Allowed loading CA certificates from memory for proxies. (`#​3065 `\__) - Fixed decoding Gzip-encoded responses which specified `x-gzip` content-encoding. (`#​3174 `\__) ### [`v2.0.7`](https://togithub.com/urllib3/urllib3/blob/HEAD/CHANGES.rst#207-2023-10-17) [Compare Source](https://togithub.com/urllib3/urllib3/compare/2.0.6...2.0.7) \================== - Made body stripped from HTTP requests changing the request method to GET after HTTP 303 "See Other" redirect responses. ### [`v2.0.6`](https://togithub.com/urllib3/urllib3/blob/HEAD/CHANGES.rst#206-2023-10-02) [Compare Source](https://togithub.com/urllib3/urllib3/compare/2.0.5...2.0.6) \================== - Added the `Cookie` header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via `Retry.remove_headers_on_redirect`. ### [`v2.0.5`](https://togithub.com/urllib3/urllib3/blob/HEAD/CHANGES.rst#205-2023-09-20) [Compare Source](https://togithub.com/urllib3/urllib3/compare/2.0.4...2.0.5) \================== - Allowed pyOpenSSL third-party module without any deprecation warning. (`#​3126 `\__) - Fixed default `blocksize` of `HTTPConnection` classes to match high-level classes. Previously was 8KiB, now 16KiB. (`#​3066 `\__) ### [`v2.0.4`](https://togithub.com/urllib3/urllib3/blob/HEAD/CHANGES.rst#204-2023-07-19) [Compare Source](https://togithub.com/urllib3/urllib3/compare/2.0.3...2.0.4) \================== - Added support for union operators to `HTTPHeaderDict` (`#​2254 `\__) - Added `BaseHTTPResponse` to `urllib3.__all__` (`#​3078 `\__) - Fixed `urllib3.connection.HTTPConnection` to raise the `http.client.connect` audit event to have the same behavior as the standard library HTTP client (`#​2757 `\__) - Relied on the standard library for checking hostnames in supported PyPy releases (`#​3087 `\__) ### [`v2.0.3`](https://togithub.com/urllib3/urllib3/blob/HEAD/CHANGES.rst#203-2023-06-07) [Compare Source](https://togithub.com/urllib3/urllib3/compare/2.0.2...2.0.3) \================== - Allowed alternative SSL libraries such as LibreSSL, while still issuing a warning as we cannot help users facing issues with implementations other than OpenSSL. (`#​3020 `\__) - Deprecated URLs which don't have an explicit scheme (`#​2950 `\_) - Fixed response decoding with Zstandard when compressed data is made of several frames. (`#​3008 `\__) - Fixed `assert_hostname=False` to correctly skip hostname check. (`#​3051 `\__) ### [`v2.0.2`](https://togithub.com/urllib3/urllib3/blob/HEAD/CHANGES.rst#202-2023-05-03) [Compare Source](https://togithub.com/urllib3/urllib3/compare/2.0.1...2.0.2) \================== - Fixed `HTTPResponse.stream()` to continue yielding bytes if buffered decompressed data was still available to be read even if the underlying socket is closed. This prevents a compressed response from being truncated. (`#​3009 `\__) ### [`v2.0.1`](https://togithub.com/urllib3/urllib3/blob/HEAD/CHANGES.rst#201-2023-04-30) [Compare Source](https://togithub.com/urllib3/urllib3/compare/2.0.0...2.0.1) \================== - Fixed a socket leak when fingerprint or hostname verifications fail. (`#​2991 `\__) - Fixed an error when `HTTPResponse.read(0)` was the first `read` call or when the internal response body buffer was otherwise empty. (`#​2998 `\__) ### [`v2.0.0`](https://togithub.com/urllib3/urllib3/blob/HEAD/CHANGES.rst#200-2023-04-26) [Compare Source](https://togithub.com/urllib3/urllib3/compare/1.26.20...2.0.0) \================== Read the `v2.0 migration guide `\__ for help upgrading to the latest version of urllib3. ## Removed - Removed support for Python 2.7, 3.5, and 3.6 (`#​883 `**, `#​2336 `**). - Removed fallback on certificate `commonName` in `match_hostname()` function. This behavior was deprecated in May 2000 in RFC 2818. Instead only `subjectAltName` is used to verify the hostname by default. To enable verifying the hostname against `commonName` use `SSLContext.hostname_checks_common_name = True` (`#​2113 `\__). - Removed support for Python with an `ssl` module compiled with LibreSSL, CiscoSSL, wolfSSL, and all other OpenSSL alternatives. Python is moving to require OpenSSL with PEP 644 (`#​2168 `\__). - Removed support for OpenSSL versions earlier than 1.1.1 or that don't have SNI support. When an incompatible OpenSSL version is detected an `ImportError` is raised (`#​2168 `\__). - Removed the list of default ciphers for OpenSSL 1.1.1+ and SecureTransport as their own defaults are already secure (`#​2082 `\__). - Removed `urllib3.contrib.appengine.AppEngineManager` and support for Google App Engine Standard Environment (`#​2044 `\__). - Removed deprecated `Retry` options `method_whitelist`, `DEFAULT_REDIRECT_HEADERS_BLACKLIST` (`#​2086 `\__). - Removed `urllib3.HTTPResponse.from_httplib` (`#​2648 `\__). - Removed default value of `None` for the `request_context` parameter of `urllib3.PoolManager.connection_from_pool_key`. This change should have no effect on users as the default value of `None` was an invalid option and was never used (`#​1897 `\__). - Removed the `urllib3.request` module. `urllib3.request.RequestMethods` has been made a private API. This change was made to ensure that `from urllib3 import request` imported the top-level `request()` function instead of the `urllib3.request` module (`#​2269 `\__). - Removed support for SSLv3.0 from the `urllib3.contrib.pyopenssl` even when support is available from the compiled OpenSSL library (`#​2233 `\__). - Removed the deprecated `urllib3.contrib.ntlmpool` module (`#​2339 `\__). - Removed `DEFAULT_CIPHERS`, `HAS_SNI`, `USE_DEFAULT_SSLCONTEXT_CIPHERS`, from the private module `urllib3.util.ssl_` (`#​2168 `\__). - Removed `urllib3.exceptions.SNIMissingWarning` (`#​2168 `\__). - Removed the `_prepare_conn` method from `HTTPConnectionPool`. Previously this was only used to call `HTTPSConnection.set_cert()` by `HTTPSConnectionPool` (`#​1985 `\__). - Removed `tls_in_tls_required` property from `HTTPSConnection`. This is now determined from the `scheme` parameter in `HTTPConnection.set_tunnel()` (`#​1985 `\__). - Removed the `strict` parameter/attribute from `HTTPConnection`, `HTTPSConnection`, `HTTPConnectionPool`, `HTTPSConnectionPool`, and `HTTPResponse` (`#​2064 `\__). ## Deprecated - Deprecated `HTTPResponse.getheaders()` and `HTTPResponse.getheader()` which will be removed in urllib3 v2.1.0. Instead use `HTTPResponse.headers` and `HTTPResponse.headers.get(name, default)`. (`#​1543 `**, `#​2814 `**). - Deprecated `urllib3.contrib.pyopenssl` module which will be removed in urllib3 v2.1.0 (`#​2691 `\__). - Deprecated `urllib3.contrib.securetransport` module which will be removed in urllib3 v2.1.0 (`#​2692 `\__). - Deprecated `ssl_version` option in favor of `ssl_minimum_version`. `ssl_version` will be removed in urllib3 v2.1.0 (`#​2110 `\__). - Deprecated the `strict` parameter of `PoolManager.connection_from_context()` as it's not longer needed in Python 3.x. It will be removed in urllib3 v2.1.0 (`#​2267 `\__) - Deprecated the `NewConnectionError.pool` attribute which will be removed in urllib3 v2.1.0 (`#​2271 `\__). - Deprecated `format_header_param_html5` and `format_header_param` in favor of `format_multipart_header_param` (`#​2257 `\__). - Deprecated `RequestField.header_formatter` parameter which will be removed in urllib3 v2.1.0 (`#​2257 `\__). - Deprecated `HTTPSConnection.set_cert()` method. Instead pass parameters to the `HTTPSConnection` constructor (`#​1985 `\__). - Deprecated `HTTPConnection.request_chunked()` method which will be removed in urllib3 v2.1.0. Instead pass `chunked=True` to `HTTPConnection.request()` (`#​1985 `\__). ## Added - Added top-level `urllib3.request` function which uses a preconfigured module-global `PoolManager` instance (`#​2150 `\__). - Added the `json` parameter to `urllib3.request()`, `PoolManager.request()`, and `ConnectionPool.request()` methods to send JSON bodies in requests. Using this parameter will set the header `Content-Type: application/json` if `Content-Type` isn't already defined. Added support for parsing JSON response bodies with `HTTPResponse.json()` method (`#​2243 `\__). - Added type hints to the `urllib3` module (`#​1897 `\__). - Added `ssl_minimum_version` and `ssl_maximum_version` options which set `SSLContext.minimum_version` and `SSLContext.maximum_version` (`#​2110 `\__). - Added support for Zstandard (RFC 8878) when `zstandard` 1.18.0 or later is installed. Added the `zstd` extra which installs the `zstandard` package (`#​1992 `\__). - Added `urllib3.response.BaseHTTPResponse` class. All future response classes will be subclasses of `BaseHTTPResponse` (`#​2083 `\__). - Added `FullPoolError` which is raised when `PoolManager(block=True)` and a connection is returned to a full pool (`#​2197 `\__). - Added `HTTPHeaderDict` to the top-level `urllib3` namespace (`#​2216 `\__). - Added support for configuring header merging behavior with HTTPHeaderDict When using a `HTTPHeaderDict` to provide headers for a request, by default duplicate header values will be repeated. But if `combine=True` is passed into a call to `HTTPHeaderDict.add`, then the added header value will be merged in with an existing value into a comma-separated list (`X-My-Header: foo, bar`) (`#​2242 `\__). - Added `NameResolutionError` exception when a DNS error occurs (`#​2305 `\__). - Added `proxy_assert_hostname` and `proxy_assert_fingerprint` kwargs to `ProxyManager` (`#​2409 `\__). - Added a configurable `backoff_max` parameter to the `Retry` class. If a custom `backoff_max` is provided to the `Retry` class, it will replace the `Retry.DEFAULT_BACKOFF_MAX` (`#​2494 `\__). - Added the `authority` property to the Url class as per RFC 3986 3.2. This property should be used in place of `netloc` for users who want to include the userinfo (auth) component of the URI (`#​2520 `\__). - Added the `scheme` parameter to `HTTPConnection.set_tunnel` to configure the scheme of the origin being tunnelled to (`#​1985 `\__). - Added the `is_closed`, `is_connected` and `has_connected_to_proxy` properties to `HTTPConnection` (`#​1985 `\__). - Added optional `backoff_jitter` parameter to `Retry`. (`#​2952 `\__) ## Changed - Changed `urllib3.response.HTTPResponse.read` to respect the semantics of `io.BufferedIOBase` regardless of compression. Specifically, this method: - Only returns an empty bytes object to indicate EOF (that is, the response has been fully consumed). - Never returns more bytes than requested. - Can issue any number of system calls: zero, one or multiple. If you want each `urllib3.response.HTTPResponse.read` call to issue a single system call, you need to disable decompression by setting `decode_content=False` (`#​2128 `\__). - Changed `urllib3.HTTPConnection.getresponse` to return an instance of `urllib3.HTTPResponse` instead of `http.client.HTTPResponse` (`#​2648 `\__). - Changed `ssl_version` to instead set the corresponding `SSLContext.minimum_version` and `SSLContext.maximum_version` values. Regardless of `ssl_version` passed `SSLContext` objects are now constructed using `ssl.PROTOCOL_TLS_CLIENT` (`#​2110 `\__). - Changed default `SSLContext.minimum_version` to be `TLSVersion.TLSv1_2` in line with Python 3.10 (`#​2373 `\__). - Changed `ProxyError` to wrap any connection error (timeout, TLS, DNS) that occurs when connecting to the proxy (`#​2482 `\__). - Changed `urllib3.util.create_urllib3_context` to not override the system cipher suites with a default value. The new default will be cipher suites configured by the operating system (`#​2168 `\__). - Changed `multipart/form-data` header parameter formatting matches the WHATWG HTML Standard as of 2021-06-10. Control characters in filenames are no longer percent encoded (`#​2257 `\__). - Changed the error raised when connecting via HTTPS when the `ssl` module isn't available from `SSLError` to `ImportError` (`#​2589 `\__). - Changed `HTTPConnection.request()` to always use lowercase chunk boundaries when sending requests with `Transfer-Encoding: chunked` (`#​2515 `\__). - Changed `enforce_content_length` default to True, preventing silent data loss when reading streamed responses (`#​2514 `\__). - Changed internal implementation of `HTTPHeaderDict` to use `dict` instead of `collections.OrderedDict` for better performance (`#​2080 `\__). - Changed the `urllib3.contrib.pyopenssl` module to wrap `OpenSSL.SSL.Error` with `ssl.SSLError` in `PyOpenSSLContext.load_cert_chain` (`#​2628 `\__). - Changed usage of the deprecated `socket.error` to `OSError` (`#​2120 `\__). - Changed all parameters in the `HTTPConnection` and `HTTPSConnection` constructors to be keyword-only except `host` and `port` (`#​1985 `\__). - Changed `HTTPConnection.getresponse()` to set the socket timeout from `HTTPConnection.timeout` value before reading data from the socket. This previously was done manually by the `HTTPConnectionPool` calling `HTTPConnection.sock.settimeout(...)` (`#​1985 `\__). - Changed the `_proxy_host` property to `_tunnel_host` in `HTTPConnectionPool` to more closely match how the property is used (value in `HTTPConnection.set_tunnel()`) (`#​1985 `\__). - Changed name of `Retry.BACK0FF_MAX` to be `Retry.DEFAULT_BACKOFF_MAX`. - Changed TLS handshakes to use `SSLContext.check_hostname` when possible (`#​2452 `\__). - Changed `server_hostname` to behave like other parameters only used by `HTTPSConnectionPool` (`#​2537 `\__). - Changed the default `blocksize` to 16KB to match OpenSSL's default read amounts (`#​2348 `\__). - Changed `HTTPResponse.read()` to raise an error when calling with `decode_content=False` after using `decode_content=True` to prevent data loss (`#​2800 `\__). ## Fixed - Fixed thread-safety issue where accessing a `PoolManager` with many distinct origins would cause connection pools to be closed while requests are in progress (`#​1252 `\__). - Fixed an issue where an `HTTPConnection` instance would erroneously reuse the socket read timeout value from reading the previous response instead of a newly configured connect timeout. Instead now if `HTTPConnection.timeout` is updated before sending the next request the new timeout value will be used (`#​2645 `\__). - Fixed `socket.error.errno` when raised from pyOpenSSL's `OpenSSL.SSL.SysCallError` (`#​2118 `\__). - Fixed the default value of `HTTPSConnection.socket_options` to match `HTTPConnection` (`#​2213 `\__). - Fixed a bug where `headers` would be modified by the `remove_headers_on_redirect` feature (`#​2272 `\__). - Fixed a reference cycle bug in `urllib3.util.connection.create_connection()` (`#​2277 `\__). - Fixed a socket leak if `HTTPConnection.connect()` fails (`#​2571 `\__). - Fixed `urllib3.contrib.pyopenssl.WrappedSocket` and `urllib3.contrib.securetransport.WrappedSocket` close methods (`#​2970 `\__) ### [`v1.26.20`](https://togithub.com/urllib3/urllib3/blob/HEAD/CHANGES.rst#12620-2024-08-29) [Compare Source](https://togithub.com/urllib3/urllib3/compare/1.26.19...1.26.20) \==================== - Fixed a crash where certain standard library hash functions were absent in FIPS-compliant environments. (`#​3432 `\__) - Replaced deprecated dash-separated setuptools entries in `setup.cfg`. (`#​3461 `\__) - Took into account macOS setting `ECONNRESET` instead of `EPROTOTYPE` in its newer versions. (`#​3416 `\__) - Backported changes to our tests and CI configuration from v2.x to support testing with CPython 3.12 and 3.13. (`#​3436 `\__) ### [`v1.26.19`](https://togithub.com/urllib3/urllib3/blob/HEAD/CHANGES.rst#12619-2024-06-17) [Compare Source](https://togithub.com/urllib3/urllib3/compare/1.26.18...1.26.19) \==================== - Added the `Proxy-Authorization` header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via `Retry.remove_headers_on_redirect`. - Fixed handling of OpenSSL 3.2.0 new error message for misconfiguring an HTTP proxy as HTTPS. (`#​3405 `\__) ### [`v1.26.18`](https://togithub.com/urllib3/urllib3/blob/HEAD/CHANGES.rst#12618-2023-10-17) [Compare Source](https://togithub.com/urllib3/urllib3/compare/1.26.17...1.26.18) \==================== - Made body stripped from HTTP requests changing the request method to GET after HTTP 303 "See Other" redirect responses. ### [`v1.26.17`](https://togithub.com/urllib3/urllib3/blob/HEAD/CHANGES.rst#12617-2023-10-02) [Compare Source](https://togithub.com/urllib3/urllib3/compare/1.26.16...1.26.17) \==================== - Added the `Cookie` header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via `Retry.remove_headers_on_redirect`. (`#​3139 `\_) ### [`v1.26.16`](https://togithub.com/urllib3/urllib3/blob/HEAD/CHANGES.rst#12616-2023-05-23) [Compare Source](https://togithub.com/urllib3/urllib3/compare/1.26.15...1.26.16) \==================== - Fixed thread-safety issue where accessing a `PoolManager` with many distinct origins would cause connection pools to be closed while requests are in progress (`#​2954 `\_)