Skip to content

fix(deps): patch urllib3 and idna security advisories#14

Merged
lorenjphillips merged 2 commits into
mainfrom
security/bump-urllib3-idna
May 22, 2026
Merged

fix(deps): patch urllib3 and idna security advisories#14
lorenjphillips merged 2 commits into
mainfrom
security/bump-urllib3-idna

Conversation

@lorenjphillips

@lorenjphillips lorenjphillips commented May 22, 2026

Copy link
Copy Markdown
Contributor

Summary

Both are pinned transitive deps of requests==2.32.3; no API changes.

Test plan

Summary by CodeRabbit

  • Chores
    • Updated Python dependencies to current versions.

Review Change Stack

Patches GHSA-pq67-6m6q-mj2v: urllib3 < 2.7.0 forwards sensitive
headers across origins during proxied low-level redirects.

Resolves Dependabot alert #9.
Patches the IDNA bypass of the CVE-2024-3651 fix: specially crafted
inputs to idna.encode() can still trigger pathological CPU usage on
idna < 3.15.

Resolves Dependabot alert #10.
@coderabbitai

coderabbitai Bot commented May 22, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1034bdbb-0698-4f66-ada7-73566ad17c80

📥 Commits

Reviewing files that changed from the base of the PR and between 4d14c9c and ed13b8c.

📒 Files selected for processing (1)
  • requirements.txt

📝 Walkthrough

Walkthrough

This PR updates two pinned Python dependencies in requirements.txt: idna is bumped from 3.10 to 3.15, and urllib3 is bumped from 2.2.3 to 2.7.0. No other dependencies are modified.

Changes

Dependency Updates

Layer / File(s) Summary
Pinned dependency versions
requirements.txt
idna version is raised to 3.15 and urllib3 version is raised to 2.7.0 to bring the project dependencies up to date.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

A rabbit hops through version lanes,
With idna fresh and urllib3 new,
Dependencies dance in their domains,
Pinned and patched in morning dew. 🐰✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The PR title 'fix(deps): patch urllib3 and idna security advisories' accurately and directly describes the main change: updating two dependencies to address security vulnerabilities, which aligns perfectly with the changeset that bumps urllib3 and idna versions.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch security/bump-urllib3-idna

Comment @coderabbitai help to get the list of available commands and usage tips.

@lorenjphillips lorenjphillips merged commit 3f9f90f into main May 22, 2026
1 check passed
@lorenjphillips lorenjphillips deleted the security/bump-urllib3-idna branch May 22, 2026 19:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants