Skip to content

Bump urllib3 to 2.7.0 to fix two security advisories#24

Merged
akva2 merged 2 commits into
OPM:masterfrom
hakonhagland:upgrade_urllib
May 12, 2026
Merged

Bump urllib3 to 2.7.0 to fix two security advisories#24
akva2 merged 2 commits into
OPM:masterfrom
hakonhagland:upgrade_urllib

Conversation

@hakonhagland
Copy link
Copy Markdown
Collaborator

@hakonhagland hakonhagland commented May 12, 2026

Builds on #23.

Updates the urllib3 entry in python/sphinx_docs/poetry.lock from 2.6.3 to 2.7.0 to resolve two high-severity Dependabot alerts. urllib3 is a transitive dependency, so only the lockfile changed. This project already requires Python ^3.10, so the bump in urllib3's own Python-version requirement (>=3.9>=3.10) is a no-op.

Vulnerabilities fixed

@hakonhagland
Bump GitPython to 3.1.50 to fix three security advisories
769f794 
Fixes dependabot alerts OPM#20, OPM#21, OPM#22:
- GHSA-7545-fcxq-7j24 (CVE-2026-44243): path traversal in reference APIs
- GHSA-v87r-6q3f-2j67 (CVE-2026-44244): newline injection in set_value() value
- GHSA-mv93-w799-cj2w: newline injection in set_value() section parameter
@hakonhagland
Bump urllib3 to 2.7.0 to fix two security advisories
c38a463 
Fixes dependabot alerts OPM#23, OPM#24:
- GHSA-mf9v-mfxr-j63j (CVE-2026-44432): decompression-bomb safeguards
  bypassed in parts of the streaming API
- GHSA-qccp-gfcp-xxvc (CVE-2026-44431): sensitive headers forwarded
  across origins in proxied low-level redirects
@akva2 akva2 merged commit d51be8e into OPM:master May 12, 2026
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@hakonhagland @akva2