Problem
kbcstorage has a hard dependency constraint urllib3<2.0.0 in its metadata, which prevents downstream projects from upgrading to urllib3 2.x.
The constraint was added as a workaround for boto/botocore#2926, which has since been resolved and closed.
Evidence
- The comment in
pyproject.toml reads:
"urllib3<2.0.0", # Frozen until fixed: https://github.com/boto/botocore/issues/2926
- The referenced botocore issue is closed.
- Current botocore (1.42.x) handles urllib3 version constraints itself via markers:
urllib3<1.27 for Python <3.10
urllib3>=1.25.4,<3 for Python >=3.10
- kbcstorage does not import or use urllib3 anywhere in its source code — it's a phantom dependency.
Suggested fix
Remove the direct urllib3<2.0.0 pin from pyproject.toml and let the transitive dependencies (boto3/botocore) manage their own urllib3 version constraints. This is the correct approach since botocore already specifies the appropriate urllib3 markers for each Python version.
Impact
This constraint blocks all downstream projects from resolving to modern versions of urllib3, cryptography, requests, and other packages that have moved to urllib3 2.x, causing numerous unresolvable Dependabot security alerts.
Problem
kbcstoragehas a hard dependency constrainturllib3<2.0.0in its metadata, which prevents downstream projects from upgrading to urllib3 2.x.The constraint was added as a workaround for boto/botocore#2926, which has since been resolved and closed.
Evidence
pyproject.tomlreads:urllib3<1.27for Python <3.10urllib3>=1.25.4,<3for Python >=3.10Suggested fix
Remove the direct
urllib3<2.0.0pin frompyproject.tomland let the transitive dependencies (boto3/botocore) manage their own urllib3 version constraints. This is the correct approach since botocore already specifies the appropriate urllib3 markers for each Python version.Impact
This constraint blocks all downstream projects from resolving to modern versions of urllib3, cryptography, requests, and other packages that have moved to urllib3 2.x, causing numerous unresolvable Dependabot security alerts.