chore(deps): bump urllib3 from 2.6.3 to 2.7.0#46
Conversation
dependabot
Bot
added
dependencies
|
I dug through the current state here. This PR is not mergeable as-is: it re-resolves the lockfile in a way that breaks the Python 3.9 test lane ( The security motivation is valid, but the remaining Dependabot alerts are now a support-policy issue rather than a simple bot update issue. I recommend we do not merge this PR. The right next step is to decide explicitly between:
Given that #44 already handled the compatible split-lock approach for newer Python versions, this Dependabot PR is better treated as blocked/superseded pending that compatibility decision. |
jbeckwith-oai
left a comment
jbeckwith-oai
left a comment
There was a problem hiding this comment.
Automated approval for bot-managed dependency update PR.
Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.6.3 to 2.7.0. - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](urllib3/urllib3@2.6.3...2.7.0) --- updated-dependencies: - dependency-name: urllib3 dependency-version: 2.7.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
force-pushed
the
dependabot/uv/urllib3-2.7.0
branch
from
22a42ca to
1f69340
Compare
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 1f693406f5
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| { name = "distro", marker = "python_full_version < '3.10'" }, | ||
| { name = "python-dateutil", marker = "python_full_version < '3.10'" }, | ||
| { name = "requests", marker = "python_full_version < '3.10'" }, | ||
| { name = "requests", version = "2.15.1", source = { registry = "https://pypi.org/simple" }, marker = "python_full_version < '3.10'" }, |
There was a problem hiding this comment.
This lock update pins the Python 3.9 dependency path (posthog on <3.10) to requests==2.15.1, which is a 2017-era release and no longer receives the security/runtime compatibility fixes present in current Requests. Because CI still runs a Python 3.9 matrix and installs from uv.lock (uv sync --extra dev in .github/workflows/test.yml), this change can introduce network/SSL regressions and reintroduce known legacy behavior specifically on the 3.9 job path; keep the <3.10 branch on a modern Requests line with a compatible urllib3 constraint instead of falling back to 2.15.1.
Useful? React with 👍 / 👎.
|
Closing as superseded by #49. This regenerated lock cannot safely achieve its goal while Python 3.9 remains supported: urllib3 2.7.0 explicitly drops Python 3.9, and this branch downgrades the 3.9 path to requests 2.15.1. PR #49 makes the EOL support-floor decision explicit, keeps urllib3 2.7.0, and is green across its full CI matrix plus local lock, lint, type, unit, smoke, and build validation. |
Pull request was closed
|
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting If you change your mind, just re-open this PR and I'll resolve any conflicts on it. |
2 participants
Warning
Dependabot will stop supporting
python v3.9!Please upgrade to one of the following versions:
v3.9,v3.10,v3.11,v3.12,v3.13, orv3.14.Bumps urllib3 from 2.6.3 to 2.7.0.
Release notes
Sourced from urllib3's releases.
Changelog
Sourced from urllib3's changelog.
... (truncated)
Commits
9a950b9Release 2.7.05ec0de4Merge commit from fork2bdcc44Merge commit from forkf45b0dfFix a misleading example forProxyManager(#4970)577193cSwitch to nightly PyPy3.11 in CI for now (#4984)e90af45Avoid infinite loop inHTTPResponse.read_chunkedwhenamt=0(#4974)67ed74fBump dev dependencies (#4972)3abd481Upgrade mypy to version 1.20.2 (#4978)2b8725dDrop support for EOL PyPy3.10 (#4979)2944b2aUpgradesetup-chromeandsetup-firefoxto fix warnings (#4973)