chore(deps): update dependency urllib3 to v2.6.0 [security]#113
Merged
Conversation
okafke
approved these changes
Dec 7, 2025
null2264
added a commit
to null2264/mc-runtime-test
that referenced
this pull request
Dec 10, 2025
* chore(mod): 1.21.5 (headlesshq#64) * chore(deps): update googleapis/release-please-action digest to a02a34c (headlesshq#62) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * feat(deps): support 1.21.5 and update to HeadlessMc 2.5.1 * chore(main): release 3.1.0 (headlesshq#68) Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * chore(docs): escape characters in README (headlesshq#69) * fix(action): Change cache keys to prevent prefix fallback to cache of incorrect version (headlesshq#71) * chore(main): release 3.1.1 (headlesshq#72) Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * chore(deps): update useblacksmith/setup-gradle digest to 7f7b355 (headlesshq#75) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update actions/download-artifact digest to d3f86a1 (headlesshq#65) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update useblacksmith/setup-java digest to 4ef8123 (headlesshq#63) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update actions/upload-artifact digest to ea165f8 (headlesshq#55) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * fix(deps): update dependency net.fabricmc.fabric-api:fabric-gametest-api-v1 to v1.3.16+1172e8970d (headlesshq#76) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * feat!: Default to github cache, blacksmith or no cache are configurable, extensive 1.7.10 logging (headlesshq#74) Co-authored-by: Chip Wolf <hello@chipwolf.uk> Co-authored-by: Chip Wolf <chipukyt@gmail.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * chore(main): release 4.0.0 (headlesshq#78) Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * chore(ci): automatic PR when new Mc version is available (headlesshq#85) * chore(ci): add requirements.txt * chore(ci): fix new mc version workflow (headlesshq#88) * chore(ci): fix reviewers and syntax in new mc version workflow (headlesshq#90) * chore(ci): run matrix based on PR message (headlesshq#92) * chore(ci): use find-comment action to find PR comment (headlesshq#94) * chore(ci): use pull_request.body * chore(ci): log PR comment body matching * chore(ci): Fixed regex for PR comment body matching * chore(ci): Fixed regex for PR comments not matching zeros * chore(ci): modify README in new mc version workflow (headlesshq#103) * feat(mod): Support 1.21.6 (headlesshq#81) Co-authored-by: okafke <65917827+okafke@users.noreply.github.com> * fix(action): switch from wget to curl to support windows (headlesshq#104) * chore(main): release 4.1.0 (headlesshq#106) Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * chore(docs): add supported versions to README * chore(ci): read build & run data from file (headlesshq#111) * chore(ci): improve README modification * chore(deps): update dependency urllib3 to v2.6.0 [security] (headlesshq#113) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * refactor: 1.21.10 already handled by 1_21_9 * ci: null2264 * ci: Use github cache * ci: Use github cache * refactor: Switching to uv --------- Co-authored-by: 3arthqu4ke <56741599+3arthqu4ke@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Chip Wolf <hello@chipwolf.uk> Co-authored-by: Chip Wolf <chipukyt@gmail.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: okafke <65917827+okafke@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
==2.5.0->==2.6.0Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
GitHub Vulnerability Alerts
CVE-2025-66418
Impact
urllib3 supports chained HTTP encoding algorithms for response content according to RFC 9110 (e.g.,
Content-Encoding: gzip, zstd).However, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data.
Affected usages
Applications and libraries using urllib3 version 2.5.0 and earlier for HTTP requests to untrusted sources unless they disable content decoding explicitly.
Remediation
Upgrade to at least urllib3 v2.6.0 in which the library limits the number of links to 5.
If upgrading is not immediately possible, use
preload_content=Falseand ensure thatresp.headers["content-encoding"]contains a safe number of encodings before reading the response content.CVE-2025-66471
Impact
urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once.
When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP
Content-Encodingheader (e.g.,gzip,deflate,br, orzstd). The library must read compressed data from the network and decompress it until the requested chunk size is met. Any resulting decompressed data that exceeds the requested amount is held in an internal buffer for the next read operation.The decompression logic could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This can result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data; CWE-409) on the client side, even if the application only requested a small chunk of data.
Affected usages
Applications and libraries using urllib3 version 2.5.0 and earlier to stream large compressed responses or content from untrusted sources.
stream(),read(amt=256),read1(amt=256),read_chunked(amt=256),readinto(b)are examples ofurllib3.HTTPResponsemethod calls using the affected logic unless decoding is disabled explicitly.Remediation
Upgrade to at least urllib3 v2.6.0 in which the library avoids decompressing data that exceeds the requested amount.
If your environment contains a package facilitating the Brotli encoding, upgrade to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 too. These versions are enforced by the
urllib3[brotli]extra in the patched versions of urllib3.Credits
The issue was reported by @Cycloctane.
Supplemental information was provided by @stamparm during a security audit performed by 7ASecurity and facilitated by OSTIF.
Release Notes
urllib3/urllib3 (urllib3)
v2.6.0Compare Source
==================
Security
compressed HTTP content ("decompression bombs") leading to excessive resource
consumption even when a small amount of data was requested. Reading small
chunks of compressed data is safer and much more efficient now.
(
GHSA-2xpw-w6gg-jr37 <https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37>__)virtually unlimited links in the
Content-Encodingheader, potentiallyleading to a denial of service (DoS) attack by exhausting system resources
during decoding. The number of allowed chained encodings is now limited to 5.
(
GHSA-gm62-xv2j-4w53 <https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53>__).. caution::
If urllib3 is not installed with the optional
urllib3[brotli]extra, butyour environment contains a Brotli/brotlicffi/brotlipy package anyway, make
sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to
benefit from the security fixes and avoid warnings. Prefer using
urllib3[brotli]to install a compatible Brotli package automatically.If you use custom decompressors, please make sure to update them to
respect the changed API of
urllib3.response.ContentDecoder.Features
HTTPHeaderDictusing bytes keys. (#​3653 <https://github.com/urllib3/urllib3/issues/3653>__)HTTPConnection. (#​3666 <https://github.com/urllib3/urllib3/issues/3666>__)#​3696 <https://github.com/urllib3/urllib3/issues/3696>__)Removals
HTTPResponse.getheaders()method in favor ofHTTPResponse.headers.Removed the
HTTPResponse.getheader(name, default)method in favor ofHTTPResponse.headers.get(name, default). (#​3622 <https://github.com/urllib3/urllib3/issues/3622>__)Bugfixes
urllib3.PoolManagerwhen an integer is passedfor the retries parameter. (
#​3649 <https://github.com/urllib3/urllib3/issues/3649>__)HTTPConnectionPoolwhen used in Emscripten with no explicit port. (#​3664 <https://github.com/urllib3/urllib3/issues/3664>__)SSLKEYLOGFILEwith expandable variables. (#​3700 <https://github.com/urllib3/urllib3/issues/3700>__)Misc
zstdextra to installbackports.zstdinstead ofzstandardon Python 3.13 and before. (#​3693 <https://github.com/urllib3/urllib3/issues/3693>__)BytesQueueBufferclass. (#​3710 <https://github.com/urllib3/urllib3/issues/3710>__)#​3652 <https://github.com/urllib3/urllib3/issues/3652>__)#​3638 <https://github.com/urllib3/urllib3/issues/3638>__)Configuration
📅 Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.