Commit 7fa4af5
* Patch CVE-2026-44432 and CVE-2026-44431 (urllib3)
Bumps urllib3 2.6.3 -> 2.7.0 to fix two HIGH severity advisories:
- CVE-2026-44432 (GHSA-mf9v-mfxr-j63j, CVSS 7.5): excessive resource
consumption (CWE-409) when streaming compressed responses via the
Brotli read path or drain_conn().
- CVE-2026-44431 (GHSA-qccp-gfcp-xxvc, CVSS 5.3): sensitive headers
(Authorization/Cookie/Proxy-Authorization) leaked on cross-origin
redirects via the low-level ProxyManager.connection_from_url() API.
urllib3 2.7.0 dropped Python 3.9 support, so the project floor is raised
to ^3.10 (3.9 is past EOL; the shipped Docker image is python:3.12).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* Fix lock file
* ci: drop Python 3.9 from test matrix
urllib3 2.7.0 raised the project floor to ^3.10, so building/testing on
3.9 no longer resolves. Bump build_package to 3.12 and drop 3.9 from the
test_package matrix.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent 6147bdc commit 7fa4af5
3 files changed
Lines changed: 14 additions & 15 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
10 | 10 | | |
11 | 11 | | |
12 | 12 | | |
13 | | - | |
| 13 | + | |
14 | 14 | | |
15 | 15 | | |
16 | 16 | | |
| |||
31 | 31 | | |
32 | 32 | | |
33 | 33 | | |
34 | | - | |
| 34 | + | |
35 | 35 | | |
36 | 36 | | |
37 | 37 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
9 | 9 | | |
10 | 10 | | |
11 | 11 | | |
12 | | - | |
| 12 | + | |
13 | 13 | | |
14 | 14 | | |
15 | 15 | | |
| |||
24 | 24 | | |
25 | 25 | | |
26 | 26 | | |
27 | | - | |
| 27 | + | |
28 | 28 | | |
29 | 29 | | |
30 | 30 | | |
| |||