Skip to content

chore(deps): bump urllib3 from 2.5.0 to 2.6.0 in /hack/api-docs#5704

Merged
Skarlso merged 4 commits intomainfrom
dependabot/pip/hack/api-docs/urllib3-2.6.0
Dec 9, 2025
Merged

chore(deps): bump urllib3 from 2.5.0 to 2.6.0 in /hack/api-docs#5704
Skarlso merged 4 commits intomainfrom
dependabot/pip/hack/api-docs/urllib3-2.6.0

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot bot commented on behalf of github Dec 8, 2025
edited
Loading

Bumps urllib3 from 2.5.0 to 2.6.0.

Release notes

Sourced from urllib3's releases.

2.6.0

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Security

  • Fixed a security issue where streaming API could improperly handle highly compressed HTTP content ("decompression bombs") leading to excessive resource consumption even when a small amount of data was requested. Reading small chunks of compressed data is safer and much more efficient now. (CVE-2025-66471 reported by @​Cycloctane, 8.9 High, GHSA-2xpw-w6gg-jr37)
  • Fixed a security issue where an attacker could compose an HTTP response with virtually unlimited links in the Content-Encoding header, potentially leading to a denial of service (DoS) attack by exhausting system resources during decoding. The number of allowed chained encodings is now limited to 5. (CVE-2025-66418 reported by @​illia-v, 8.9 High, GHSA-gm62-xv2j-4w53)

[!IMPORTANT]

  • If urllib3 is not installed with the optional urllib3[brotli] extra, but your environment contains a Brotli/brotlicffi/brotlipy package anyway, make sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to benefit from the security fixes and avoid warnings. Prefer using urllib3[brotli] to install a compatible Brotli package automatically.
  • If you use custom decompressors, please make sure to update them to respect the changed API of urllib3.response.ContentDecoder.

Features

  • Enabled retrieval, deletion, and membership testing in HTTPHeaderDict using bytes keys. (#3653)
  • Added host and port information to string representations of HTTPConnection. (#3666)
  • Added support for Python 3.14 free-threading builds explicitly. (#3696)

Removals

  • Removed the HTTPResponse.getheaders() method in favor of HTTPResponse.headers. Removed the HTTPResponse.getheader(name, default) method in favor of HTTPResponse.headers.get(name, default). (#3622)

Bugfixes

  • Fixed redirect handling in urllib3.PoolManager when an integer is passed for the retries parameter. (#3649)
  • Fixed HTTPConnectionPool when used in Emscripten with no explicit port. (#3664)
  • Fixed handling of SSLKEYLOGFILE with expandable variables. (#3700)

Misc

  • Changed the zstd extra to install backports.zstd instead of zstandard on Python 3.13 and before. (#3693)
  • Improved the performance of content decoding by optimizing BytesQueueBuffer class. (#3710)
  • Allowed building the urllib3 package with newer setuptools-scm v9.x. (#3652)
  • Ensured successful urllib3 builds by setting Hatchling requirement to ≥ 1.27.0. (#3638)
Changelog

Sourced from urllib3's changelog.

2.6.0 (2025-12-05)

Security

  • Fixed a security issue where streaming API could improperly handle highly compressed HTTP content ("decompression bombs") leading to excessive resource consumption even when a small amount of data was requested. Reading small chunks of compressed data is safer and much more efficient now. (GHSA-2xpw-w6gg-jr37 <https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37>__)
  • Fixed a security issue where an attacker could compose an HTTP response with virtually unlimited links in the Content-Encoding header, potentially leading to a denial of service (DoS) attack by exhausting system resources during decoding. The number of allowed chained encodings is now limited to 5. (GHSA-gm62-xv2j-4w53 <https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53>__)

.. caution::

  • If urllib3 is not installed with the optional urllib3[brotli] extra, but your environment contains a Brotli/brotlicffi/brotlipy package anyway, make sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to benefit from the security fixes and avoid warnings. Prefer using urllib3[brotli] to install a compatible Brotli package automatically.

  • If you use custom decompressors, please make sure to update them to respect the changed API of urllib3.response.ContentDecoder.

Features

  • Enabled retrieval, deletion, and membership testing in HTTPHeaderDict using bytes keys. ([#3653](https://github.com/urllib3/urllib3/issues/3653) <https://github.com/urllib3/urllib3/issues/3653>__)
  • Added host and port information to string representations of HTTPConnection. ([#3666](https://github.com/urllib3/urllib3/issues/3666) <https://github.com/urllib3/urllib3/issues/3666>__)
  • Added support for Python 3.14 free-threading builds explicitly. ([#3696](https://github.com/urllib3/urllib3/issues/3696) <https://github.com/urllib3/urllib3/issues/3696>__)

Removals

  • Removed the HTTPResponse.getheaders() method in favor of HTTPResponse.headers. Removed the HTTPResponse.getheader(name, default) method in favor of HTTPResponse.headers.get(name, default). ([#3622](https://github.com/urllib3/urllib3/issues/3622) <https://github.com/urllib3/urllib3/issues/3622>__)

Bugfixes

  • Fixed redirect handling in urllib3.PoolManager when an integer is passed for the retries parameter. ([#3649](https://github.com/urllib3/urllib3/issues/3649) <https://github.com/urllib3/urllib3/issues/3649>__)
  • Fixed HTTPConnectionPool when used in Emscripten with no explicit port. ([#3664](https://github.com/urllib3/urllib3/issues/3664) <https://github.com/urllib3/urllib3/issues/3664>__)
  • Fixed handling of SSLKEYLOGFILE with expandable variables. ([#3700](https://github.com/urllib3/urllib3/issues/3700) <https://github.com/urllib3/urllib3/issues/3700>__)

... (truncated)

Commits
  • 720f484 Release 2.6.0
  • 24d7b67 Merge commit from fork
  • c19571d Merge commit from fork
  • 816fcf0 Bump actions/setup-python from 6.0.0 to 6.1.0 (#3725)
  • 18af0a1 Improve speed of BytesQueueBuffer.get() by using memoryview (#3711)
  • 1f6abac Bump versions of pre-commit hooks (#3716)
  • 1c8fbf7 Bump actions/checkout from 5.0.0 to 6.0.0 (#3722)
  • 7784b9e Add Python 3.15 to CI (#3717)
  • 0241c9e Updated docs to reflect change in optional zstd dependency from zstandard t...
  • 7afcabb Expand environment variable of SSLKEYLOGFILE (#3705)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
chore(deps): bump urllib3 from 2.5.0 to 2.6.0 in /hack/api-docs
d6110ac 
Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.5.0 to 2.6.0.
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](urllib3/urllib3@2.5.0...2.6.0)

---
updated-dependencies:
- dependency-name: urllib3
  dependency-version: 2.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Dec 8, 2025
@github-actions github-actions bot added area/deps kind/chore Categorizes Pull Requests for chore activities (like bumping versions) kind/dependency dependabot and upgrades size/xs and removed kind/chore Categorizes Pull Requests for chore activities (like bumping versions) area/deps labels Dec 8, 2025
@github-actions github-actions bot added area/deps kind/chore Categorizes Pull Requests for chore activities (like bumping versions) labels Dec 8, 2025
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud bot commented Dec 9, 2025

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@Skarlso Skarlso merged commit f1fe381 into main Dec 9, 2025
29 checks passed
@Skarlso Skarlso deleted the dependabot/pip/hack/api-docs/urllib3-2.6.0 branch December 9, 2025 07:24
alexlebens pushed a commit to alexlebens/infrastructure that referenced this pull request Dec 20, 2025
@alexlebens
Update Helm release external-secrets to v1.2.0 (#2737)
3e76f9c 
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [external-secrets](https://github.com/external-secrets/external-secrets) | minor | `1.1.1` -> `1.2.0` |

---

### Release Notes

<details>
<summary>external-secrets/external-secrets (external-secrets)</summary>

### [`v1.2.0`](https://github.com/external-secrets/external-secrets/releases/tag/v1.2.0)

[Compare Source](external-secrets/external-secrets@v1.1.1...v1.2.0)

Image: `ghcr.io/external-secrets/external-secrets:v1.2.0`
Image: `ghcr.io/external-secrets/external-secrets:v1.2.0-ubi`
Image: `ghcr.io/external-secrets/external-secrets:v1.2.0-ubi-boringssl`

<!-- Release notes generated using configuration in .github/release.yml at main -->

#### What's Changed

##### General

- chore: bump 1.1.1 by [@&#8203;gusfcarvalho](https://github.com/gusfcarvalho) in [#&#8203;5687](external-secrets/external-secrets#5687)
- chore: fix the argocd e2e test case by [@&#8203;Skarlso](https://github.com/Skarlso) in [#&#8203;5688](external-secrets/external-secrets#5688)
- feat(provider): add Barbican provider support by [@&#8203;rkferreira](https://github.com/rkferreira) in [#&#8203;5398](external-secrets/external-secrets#5398)
- docs(secretserver): promote secretserver provider to beta by [@&#8203;DelineaSahilWankhede](https://github.com/DelineaSahilWankhede) in [#&#8203;5668](external-secrets/external-secrets#5668)
- feat(controller): add flag to enable/disable secretstore reconcile by [@&#8203;Ilhan-Personal](https://github.com/Ilhan-Personal) in [#&#8203;5653](external-secrets/external-secrets#5653)
- fix(aws-secrets-manager): Apply filtering based on both name and tags if provided by [@&#8203;iypetrov](https://github.com/iypetrov) in [#&#8203;5685](external-secrets/external-secrets#5685)
- fix(gcpsm): SecretExists should check for regional secrets when store location is specified by [@&#8203;tokiwong](https://github.com/tokiwong) in [#&#8203;5708](external-secrets/external-secrets#5708)
- feat: introduce store deprecation by [@&#8203;gusfcarvalho](https://github.com/gusfcarvalho) in [#&#8203;5711](external-secrets/external-secrets#5711)
- feat(charts): add global values for common deployment configurations by [@&#8203;Gabryel8818](https://github.com/Gabryel8818) in [#&#8203;5652](external-secrets/external-secrets#5652)
- feat: add Doppler OIDC-based authentication by [@&#8203;mikesellitto](https://github.com/mikesellitto) in [#&#8203;5475](external-secrets/external-secrets#5475)
- fix: make custom configuration available regardless of environment by [@&#8203;Skarlso](https://github.com/Skarlso) in [#&#8203;5713](external-secrets/external-secrets#5713)
- chore(chart): update bitwarden dependency to v0.5.2 by [@&#8203;Skarlso](https://github.com/Skarlso) in [#&#8203;5719](external-secrets/external-secrets#5719)
- docs(templating): update rbac for generic targets by [@&#8203;lostick](https://github.com/lostick) in [#&#8203;5736](external-secrets/external-secrets#5736)
- fix(testing): Breaking changes should not break ci by [@&#8203;evrardjp](https://github.com/evrardjp) in [#&#8203;5739](external-secrets/external-secrets#5739)
- fix(security): Get rid of getSecretKey by [@&#8203;evrardjp](https://github.com/evrardjp) in [#&#8203;5738](external-secrets/external-secrets#5738)
- fix(aws): parse resource policies into canonical JSON (sorted) before comparing by [@&#8203;cmoscofian](https://github.com/cmoscofian) in [#&#8203;5622](external-secrets/external-secrets#5622)
- docs: Fix example in GCP documentation by [@&#8203;headcr4sh](https://github.com/headcr4sh) in [#&#8203;5745](external-secrets/external-secrets#5745)
- chore(secretserver): update dependencies to accept new DelineaXPM/tss-sdk-go by [@&#8203;DelineaSahilWankhede](https://github.com/DelineaSahilWankhede) in [#&#8203;5742](external-secrets/external-secrets#5742)
- fix(gcpsm): Improve SecretExists method in GCP secret manager provider by [@&#8203;tosih](https://github.com/tosih) in [#&#8203;5610](external-secrets/external-secrets#5610)
- chore(docs): add clarification to helm values being disabled by [@&#8203;Skarlso](https://github.com/Skarlso) in [#&#8203;5746](external-secrets/external-secrets#5746)
- fix(release): apply [`64dc681`](external-secrets/external-secrets@64dc681) to release by [@&#8203;jakobmoellerdev](https://github.com/jakobmoellerdev) in [#&#8203;5749](external-secrets/external-secrets#5749)
- docs(release): 1.2 stability-support.md by [@&#8203;jakobmoellerdev](https://github.com/jakobmoellerdev) in [#&#8203;5750](external-secrets/external-secrets#5750)

##### Dependencies

- chore(deps): bump golang from 1.25.4 to 1.25.5 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5693](external-secrets/external-secrets#5693)
- chore(deps): bump golang from 1.25.4-bookworm to 1.25.5-bookworm in /e2e by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5702](external-secrets/external-secrets#5702)
- chore(deps): bump ubi9/ubi from `dcd8128` to `75937d9` by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5655](external-secrets/external-secrets#5655)
- chore(deps): bump peter-evans/slash-command-dispatch from 5.0.0 to 5.0.1 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5695](external-secrets/external-secrets#5695)
- chore(deps): bump github/codeql-action from 4.31.5 to 4.31.7 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5696](external-secrets/external-secrets#5696)
- chore(deps): bump actions/stale from 10.1.0 to 10.1.1 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5697](external-secrets/external-secrets#5697)
- chore(deps): bump actions/create-github-app-token from 2.2.0 to 2.2.1 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5700](external-secrets/external-secrets#5700)
- chore(deps): bump step-security/harden-runner from 2.13.2 to 2.13.3 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5698](external-secrets/external-secrets#5698)
- chore(deps): bump actions/checkout from 6.0.0 to 6.0.1 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5699](external-secrets/external-secrets#5699)
- chore(deps): bump platformdirs from 4.5.0 to 4.5.1 in /hack/api-docs by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5705](external-secrets/external-secrets#5705)
- chore(deps): bump distroless/static from `87bce11` to `4b2a093` by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5692](external-secrets/external-secrets#5692)
- chore(deps): bump alpine from 3.22 to 3.23 in /hack/api-docs by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5703](external-secrets/external-secrets#5703)
- chore(deps): bump urllib3 from 2.5.0 to 2.6.0 in /hack/api-docs by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5704](external-secrets/external-secrets#5704)
- chore(deps): bump pymdown-extensions from 10.17.2 to 10.18 in /hack/api-docs by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5706](external-secrets/external-secrets#5706)
- chore(deps): bump alpine from 3.22.2 to 3.23.0 in /e2e by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5701](external-secrets/external-secrets#5701)
- chore(deps): bump golang from `2611181` to `2611181` by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5721](external-secrets/external-secrets#5721)
- chore(deps): bump codecov/codecov-action from 5.5.1 to 5.5.2 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5725](external-secrets/external-secrets#5725)
- chore(deps): bump urllib3 from 2.6.0 to 2.6.2 in /hack/api-docs by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5730](external-secrets/external-secrets#5730)
- chore(deps): bump github/codeql-action from 4.31.7 to 4.31.8 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5726](external-secrets/external-secrets#5726)
- chore(deps): bump anchore/sbom-action from 0.20.10 to 0.20.11 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5724](external-secrets/external-secrets#5724)
- chore(deps): bump tornado from 6.5.2 to 6.5.3 in /hack/api-docs by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5732](external-secrets/external-secrets#5732)
- chore(deps): bump ubi9/ubi from `75937d9` to `d4feb57` by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5722](external-secrets/external-secrets#5722)
- chore(deps): bump golang from `5117d68` to `09f53de` in /e2e by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5729](external-secrets/external-secrets#5729)
- chore(deps): bump alpine from `4b7ce07` to `51183f2` by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5694](external-secrets/external-secrets#5694)
- chore(deps): bump hashicorp/setup-terraform from [`712b439`](external-secrets/external-secrets@712b439) to [`071811a`](external-secrets/external-secrets@071811a) by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5727](external-secrets/external-secrets#5727)
- chore(deps): bump pymdown-extensions from 10.18 to 10.19.1 in /hack/api-docs by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5731](external-secrets/external-secrets#5731)
- chore(deps): bump step-security/harden-runner from 2.13.3 to 2.14.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5728](external-secrets/external-secrets#5728)
- chore(deps): bump actions/cache from 4.3.0 to 5.0.1 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5723](external-secrets/external-secrets#5723)

#### New Contributors

- [@&#8203;iypetrov](https://github.com/iypetrov) made their first contribution in [#&#8203;5685](external-secrets/external-secrets#5685)
- [@&#8203;tokiwong](https://github.com/tokiwong) made their first contribution in [#&#8203;5708](external-secrets/external-secrets#5708)
- [@&#8203;Gabryel8818](https://github.com/Gabryel8818) made their first contribution in [#&#8203;5652](external-secrets/external-secrets#5652)
- [@&#8203;mikesellitto](https://github.com/mikesellitto) made their first contribution in [#&#8203;5475](external-secrets/external-secrets#5475)
- [@&#8203;lostick](https://github.com/lostick) made their first contribution in [#&#8203;5736](external-secrets/external-secrets#5736)
- [@&#8203;cmoscofian](https://github.com/cmoscofian) made their first contribution in [#&#8203;5622](external-secrets/external-secrets#5622)
- [@&#8203;headcr4sh](https://github.com/headcr4sh) made their first contribution in [#&#8203;5745](external-secrets/external-secrets#5745)
- [@&#8203;tosih](https://github.com/tosih) made their first contribution in [#&#8203;5610](external-secrets/external-secrets#5610)

**Full Changelog**: <external-secrets/external-secrets@v1.1.1...v1.2.0>

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi4zOS4xIiwidXBkYXRlZEluVmVyIjoiNDIuMzkuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiY2hhcnQiXX0=-->

Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/2737
Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net>
Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Skarlso Skarlso Skarlso approved these changes

@eso-service-account-app eso-service-account-app[bot] eso-service-account-app[bot] approved these changes

Assignees

No one assigned

Labels

area/deps dependencies Pull requests that update a dependency file kind/chore Categorizes Pull Requests for chore activities (like bumping versions) kind/dependency dependabot and upgrades python Pull requests that update Python code size/xs

Projects

External Secrets
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Skarlso