Bump urllib3 to >=2.7.0 to patch CVE-2026-44431 and CVE-2026-44432#50

Merged: moshemorad merged 1 commit into master from fix/urllib3-cve-2026-44431-44432 on Jun 8, 2026

Conversation

@moshemorad (Contributor)

Summary

Fixes the two HIGH-severity urllib3 vulnerabilities flagged by Vanta/Dependabot on this repo:

Both are resolved in urllib3 2.7.0. The previous floor (>=2.6.3, added in #48) is still vulnerable.

Changes

  • pyproject.toml: bump urllib3 constraint from >=2.6.3,<3.0.0 to >=2.7.0,<3.0.0
  • poetry.lock: regenerated — resolves urllib3 to 2.7.0 (also refreshes transitive deps to latest allowed versions)

Verification

  • poetry lock + poetry install succeed
  • python -c "import urllib3; print(urllib3.__version__)" prints 2.7.0

🤖 Generated with Claude Code
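The PR's change and verification steps amount to one check: the resolved urllib3 must satisfy the new constraint `>=2.7.0,<3.0.0`. The script below is an added example, not code from this PR or its repository, that turns that check into a CI gate. It assumes the constraint uses the same comma-separated `>=`/`<` shape as the pyproject.toml change and that versions are plain dotted numeric releases (pre-release or post-release suffixes are not handled; the `packaging` library is the production choice for full PEP 440 semantics). The package name and constraint are taken from the PR; the parser and helper names are this example's own.

```python
"""Gate that checks an installed package version against a patched floor.

Added example, not code from the PR or the repo. Assumes constraint strings
shaped like the pyproject.toml change in the PR (">=2.7.0,<3.0.0") and plain
dotted numeric versions; pre-release/post-release suffixes are not handled
(use the `packaging` library for full PEP 440 semantics in production).
"""
from importlib import metadata
from typing import Optional, Tuple
import operator
import re

# Comparison operators the simple specifier grammar understands.
_OPS = {
    ">=": operator.ge,
    "<=": operator.le,
    "==": operator.eq,
    "!=": operator.ne,
    ">": operator.gt,
    "<": operator.lt,
}

# One clause of a specifier set, e.g. ">=2.7.0" or "<3.0.0".
_CLAUSE = re.compile(r"^\s*(>=|<=|==|!=|>|<)\s*([0-9]+(?:\.[0-9]+)*)\s*$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.7.0' into (2, 7); trailing zeros are dropped so 2.7 == 2.7.0."""
    text = text.strip()
    if not re.fullmatch(r"[0-9]+(?:\.[0-9]+)*", text):
        raise ValueError(f"unsupported version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def satisfies(version: str, constraint: str) -> bool:
    """True if `version` meets every comma-separated clause in `constraint`."""
    v = parse_version(version)
    for clause in constraint.split(","):
        m = _CLAUSE.match(clause)
        if not m:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        op, bound = m.groups()
        # Tuple comparison gives lexicographic, component-wise ordering.
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def check_installed(package: str, constraint: str) -> Tuple[Optional[str], bool]:
    """Return (installed_version, ok); installed_version is None if absent."""
    try:
        installed = metadata.version(package)
    except metadata.PackageNotFoundError:
        return None, False
    return installed, satisfies(installed, constraint)


# The floor introduced by this PR's pyproject.toml change.
URLLIB3_CONSTRAINT = ">=2.7.0,<3.0.0"

if __name__ == "__main__":
    import sys

    version, ok = check_installed("urllib3", URLLIB3_CONSTRAINT)
    if version is None:
        print("urllib3 is not installed")
        sys.exit(1)
    print(f"urllib3 {version}: {'OK' if ok else 'BELOW PATCHED FLOOR'}")
    sys.exit(0 if ok else 1)
```

Run it in the same environment `poetry install` populated; a non-zero exit means the lockfile resolved a version the advisory still covers (for example the old 2.6.3 floor), which is the condition this PR exists to remove.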

Two HIGH-severity urllib3 advisories (GHSA-qccp-gfcp-xxvc,
GHSA-mf9v-mfxr-j63j) are fixed in 2.7.0. Bump the floor from 2.6.3
to 2.7.0 and refresh the lockfile.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@moshemorad moshemorad merged commit 4830ebd into master Jun 8, 2026
2 checks passed