security: bump urllib3 to >=2.7.0 by dantetemplar · Pull Request #21 · one-zero-eight/guard

dantetemplar · 2026-05-15T07:57:32Z

Summary

Bump urllib3 to 2.7.0 (fixes decompression-bomb safeguard bypass in streaming API, CVE range >=2.6.0,<2.7.0)
Add durable minimum version constraint so future lock resolves cannot regress to vulnerable 2.6.x

Test plan

Lockfile resolves urllib3 2.7.0
CI passes

Made with Cursor

Mitigate decompression-bomb safeguard bypass in urllib3 2.6.x streaming API. Add constraint so future lockfiles cannot regress below 2.7.0. Co-authored-by: Cursor <cursoragent@cursor.com>

security: bump urllib3 to >=2.7.0

580f260

Mitigate decompression-bomb safeguard bypass in urllib3 2.6.x streaming API. Add constraint so future lockfiles cannot regress below 2.7.0. Co-authored-by: Cursor <cursoragent@cursor.com>

dantetemplar merged commit 82857f0 into main May 15, 2026
5 of 7 checks passed

dantetemplar deleted the security/urllib3-2.7.0 branch May 15, 2026 08:11

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

security: bump urllib3 to >=2.7.0#21

security: bump urllib3 to >=2.7.0#21
dantetemplar merged 1 commit into
mainfrom
security/urllib3-2.7.0

dantetemplar commented May 15, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

dantetemplar commented May 15, 2026

Summary

Test plan

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant