Updates the requirements onurllib3 to permit the latest version.
Release notes
Sourced fromurllib3's releases.
2.5.0
🚀 urllib3 is fundraising for HTTP/2 support
urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projectsplease consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.
Thank you for your support.
Security issues
urllib3 2.5.0 fixes two moderate security issues:
Features
- Added support for the
compression.zstd module that is new in Python 3.14. SeePEP 784 for more information. (#3610) - Added support for version 0.5 of
hatch-vcs (#3612)
Bugfixes
- Raised exception for
HTTPResponse.shutdown on a connection already released to the pool. (#3581) - Fixed incorrect
CONNECT statement when using an IPv6 proxy withconnection_from_host. Previously would not be wrapped in[]. (#3615)
Changelog
Sourced fromurllib3's changelog.
2.5.0 (2025-06-18)
Features
- Added support for the
compression.zstd module that is new in Python 3.14.SeePEP 784 <https://peps.python.org/pep-0784/>_ for more information. ([#3610](https://github.com/urllib3/urllib3/issues/3610) <https://github.com/urllib3/urllib3/issues/3610>__) - Added support for version 0.5 of
hatch-vcs ([#3612](https://github.com/urllib3/urllib3/issues/3612) <https://github.com/urllib3/urllib3/issues/3612>__)
Bugfixes
- Fixed a security issue where restricting the maximum number of followedredirects at the
urllib3.PoolManager level via theretries parameterdid not work. - Made the Node.js runtime respect redirect parameters such as
retriesandredirects. - Raised exception for
HTTPResponse.shutdown on a connection already released to the pool. ([#3581](https://github.com/urllib3/urllib3/issues/3581) <https://github.com/urllib3/urllib3/issues/3581>__) - Fixed incorrect
CONNECT statement when using an IPv6 proxy withconnection_from_host. Previously would not be wrapped in[]. ([#3615](https://github.com/urllib3/urllib3/issues/3615) <https://github.com/urllib3/urllib3/issues/3615>__)
2.4.0 (2025-04-10)
Features
- Applied PEP 639 by specifying the license fields in pyproject.toml. (
[#3522](https://github.com/urllib3/urllib3/issues/3522) <https://github.com/urllib3/urllib3/issues/3522>__) - Updated exceptions to save and restore more properties during the pickle/serialization process. (
[#3567](https://github.com/urllib3/urllib3/issues/3567) <https://github.com/urllib3/urllib3/issues/3567>__) - Added
verify_flags option tocreate_urllib3_context with a default ofVERIFY_X509_PARTIAL_CHAIN andVERIFY_X509_STRICT for Python 3.13+. ([#3571](https://github.com/urllib3/urllib3/issues/3571) <https://github.com/urllib3/urllib3/issues/3571>__)
Bugfixes
- Fixed a bug with partial reads of streaming data in Emscripten. (
[#3555](https://github.com/urllib3/urllib3/issues/3555) <https://github.com/urllib3/urllib3/issues/3555>__)
Misc
- Switched to uv for installing development dependecies. (
[#3550](https://github.com/urllib3/urllib3/issues/3550) <https://github.com/urllib3/urllib3/issues/3550>__) - Removed the
multiple.intoto.jsonl asset from GitHub releases. Attestation of release files since v2.3.0 can be found on PyPI. ([#3566](https://github.com/urllib3/urllib3/issues/3566) <https://github.com/urllib3/urllib3/issues/3566>__)
2.3.0 (2024-12-22)
... (truncated)
Commits
You can trigger a rebase of this PR by commenting@dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebase will rebase this PR@dependabot recreate will recreate this PR, overwriting any edits that have been made to it@dependabot merge will merge this PR after your CI passes on it@dependabot squash and merge will squash and merge this PR after your CI passes on it@dependabot cancel merge will cancel a previously requested merge and block automerging@dependabot reopen will reopen this PR if it is closed@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.
Uh oh!
There was an error while loading.Please reload this page.
Updates the requirements onurllib3 to permit the latest version.
Release notes
Sourced fromurllib3's releases.
Changelog
Sourced fromurllib3's changelog.
... (truncated)
Commits
aaab4ecRelease 2.5.07eb4a2aMerge commit from forkf05b132Merge commit from forkd03fe32Fix HTTP tunneling with IPv6 in older Python versions11661e9Bump github/codeql-action from 3.28.0 to 3.29.0 (#3624)6a0ecc6Update v2 migration guide to 2.4.0 (#3621)8e32e60Raise exception for shutdown on a connection already released to the pool (#3...9996e0fFix emscripten CI for Chrome 137+ (#3599)4fd1a99Bump RECENT_DATE (#3617)c4b5917Add support for the newcompression.zstdmodule in Python 3.14 (#3611)You can trigger a rebase of this PR by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)