Skip to content

[py] Bump urllib3 in packaging and dev dependencies#16690

Merged
cgoldberg merged 1 commit intoSeleniumHQ:trunkfrom
cgoldberg:py-urllib3-update
Dec 6, 2025
Merged

[py] Bump urllib3 in packaging and dev dependencies#16690
cgoldberg merged 1 commit intoSeleniumHQ:trunkfrom
cgoldberg:py-urllib3-update

Conversation

@cgoldberg
Copy link
Member

@cgoldberg cgoldberg commented Dec 6, 2025
edited by qodo-code-review bot
Loading

User description

💥 What does this PR do?

This PR bumps urllib3 minimum version to 2.6.0 in packaging because of a vulnerability in 2.5.0. It also includes an updated requirements.txtand lock file for dependencies in dev/CI.

https://github.com/SeleniumHQ/selenium/security/dependabot/226
https://github.com/SeleniumHQ/selenium/security/dependabot/224

🔄 Types of changes

  • dev/packaging

PR Type

Enhancement

Description

  • Bump urllib3 minimum version to 2.6.0

  • Addresses security vulnerability in urllib3 2.5.0

  • Updates lock file with new urllib3 hashes

Diagram Walkthrough

flowchart LR
  A["urllib3 2.5.0"] -->|security vulnerability| B["urllib3 2.6.0"]
  C["pyproject.toml"] -->|version update| B
  D["requirements.txt"] -->|version update| B
  E["requirements_lock.txt"] -->|hash update| B
Loading

File Walkthrough
Relevant files
Dependencies
pyproject.toml
Update urllib3 minimum version constraint                               

py/pyproject.toml

  • Updated urllib3 minimum version constraint from 2.5.0 to 2.6.0
  • Maintains upper bound constraint at <3.0
 +1/-1     
requirements.txt
Pin urllib3 to 2.6.0 version                                                         

py/requirements.txt

  • Pinned urllib3[socks] version to 2.6.0
  • Updates exact version for development environment
 +1/-1     
requirements_lock.txt
Update urllib3 lock file with new hashes                                 

py/requirements_lock.txt

  • Updated urllib3[socks] version from 2.5.0 to 2.6.0
  • Updated SHA256 hashes for new version
  • Maintains lock file integrity with new checksums
 +3/-3     

@selenium-ci selenium-ci added the C-py Python Bindings label Dec 6, 2025
@qodo-code-review
Copy link
Contributor

qodo-code-review bot commented Dec 6, 2025

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
🟢
No security concerns identified No security vulnerabilities detected by AI analysis. Human verification advised for critical code.
Ticket Compliance
🎫 No ticket provided
  • Create ticket/issue
Codebase Duplication Compliance
Codebase context is not defined

Follow the guide to enable codebase context checks.

Custom Compliance
🟢
Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status:
No runtime code: The PR only updates dependency versions and does not add or modify runtime code where
audit logging could be implemented, so compliance cannot be assessed from the diff.

Referred Code 
"urllib3[socks]>=2.6.0,<3.0",
"trio>=0.31.0,<1.0",
"trio-websocket>=0.12.2,<1.0",
"certifi>=2025.10.5",
"typing_extensions>=4.15.0,<5.0",

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status:
No error paths: The changes are limited to dependency pinning with no new executable logic, so error
handling and edge cases cannot be evaluated from the diff.

Referred Code 
urllib3[socks]==2.6.0
virtualenv==20.35.4

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status:
No input handling: Only dependency versions and hashes were updated with no new input surfaces or data
handling logic, so validation and security handling cannot be assessed from the diff.

Referred Code 
urllib3[socks]==2.6.0 \
    --hash=sha256:c90f7a39f716c572c4e3e58509581ebd83f9b59cced005b7db7ad2d22b0db99f \
    --hash=sha256:cb9bcef5a4b345d5da5d145dc3e30834f58e8018828cbc724d30b4cb7d4d49f1

Learn more about managing compliance generic rules or creating your own custom rules
Compliance status legend 🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

@qodo-code-review
Copy link
Contributor

qodo-code-review bot commented Dec 6, 2025

PR Code Suggestions ✨

No code suggestions found for the PR.

@cgoldberg cgoldberg merged commit fab7984 into SeleniumHQ:trunk Dec 6, 2025
25 checks passed
@cgoldberg cgoldberg deleted the py-urllib3-update branch December 6, 2025 17:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@asolntsev asolntsev asolntsev approved these changes

Assignees

No one assigned

Labels

C-py Python Bindings Review effort 1/5

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@cgoldberg @asolntsev @selenium-ci