Update dependency urllib3 to v2.7.0

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
urllib3 (changelog)	==2.5.0 → ==2.7.0

---

Release Notes

urllib3/urllib3 (urllib3)

v2.7.0

Compare Source

=======================

Security

Addressed high-severity security issues.
Impact was limited to specific use cases detailed in the accompanying
advisories; overall user exposure was estimated to be marginal.

• Decompression-bomb safeguards of the streaming API were bypassed:

  1. When HTTPResponse.drain_conn() was called after the response had been
     read and decompressed partially.
  2. During the second HTTPResponse.read(amt=N) or
     HTTPResponse.stream(amt=N) call when the response was decompressed
     using the official Brotli <https://pypi.org/project/brotli/>__ library.

  See GHSA-mf9v-mfxr-j63j <https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j>__
  for details.

• HTTP pools created using ProxyManager.connection_from_url did not strip
  sensitive headers specified in Retry.remove_headers_on_redirect when
  redirecting to a different host.
  (GHSA-qccp-gfcp-xxvc <https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc>__)

Deprecations and Removals

• Used FutureWarning instead of DeprecationWarning for better
  visibility of existing deprecation notices. Rescheduled the removal of
  deprecated features to version 3.0.
  (#&#8203;3764 <https://github.com/urllib3/urllib3/issues/3764>__)
• Removed support for end-of-life Python 3.9.
  (#&#8203;3720 <https://github.com/urllib3/urllib3/issues/3720>__)
• Removed support for end-of-life PyPy3.10.
  (#&#8203;4979 <https://github.com/urllib3/urllib3/issues/4979>__)
• Bumped the minimum supported pyOpenSSL version to 19.0.0.
  (#&#8203;3777 <https://github.com/urllib3/urllib3/issues/3777>__)

Bugfixes

• Fixed a bug where HTTPResponse.read(amt=None) was ignoring decompressed
  data buffered from previous partial reads.
  (#&#8203;3636 <https://github.com/urllib3/urllib3/issues/3636>__)
• Fixed a bug where HTTPResponse.read() could cache only part of the
  response after a partial read when cache_content=True.
  (#&#8203;4967 <https://github.com/urllib3/urllib3/issues/4967>__)
• Fixed HTTPResponse.stream() and HTTPResponse.read_chunked() to handle
  amt=0.
  (#&#8203;3793 <https://github.com/urllib3/urllib3/issues/3793>__)
• Updated _TYPE_BODY type alias to include missing Iterable[str],
  matching the documented and runtime behavior of chunked request bodies.
  (#&#8203;3798 <https://github.com/urllib3/urllib3/issues/3798>__)
• Fixed LocationParseError when paths resembling schemeless URIs were
  passed to HTTPConnectionPool.urlopen().
  (#&#8203;3352 <https://github.com/urllib3/urllib3/issues/3352>__)
• Fixed BaseHTTPResponse.readinto() type annotation to accept
  memoryview in addition to bytearray, matching the
  io.RawIOBase.readinto contract and enabling use with
  io.BufferedReader without type errors.
  (#&#8203;3764 <https://github.com/urllib3/urllib3/issues/3764>__)

v2.6.3

Compare Source

==================

• Fixed a high-severity security issue where decompression-bomb safeguards of
  the streaming API were bypassed when HTTP redirects were followed.
  (GHSA-38jv-5279-wg99 <https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99>__)
• Started treating Retry-After times greater than 6 hours as 6 hours by
  default. (#&#8203;3743 <https://github.com/urllib3/urllib3/issues/3743>__)
• Fixed urllib3.connection.VerifiedHTTPSConnection on Emscripten.
  (#&#8203;3752 <https://github.com/urllib3/urllib3/issues/3752>__)

v2.6.2

Compare Source

==================

• Fixed HTTPResponse.read_chunked() to properly handle leftover data in
  the decoder's buffer when reading compressed chunked responses.
  (#&#8203;3734 <https://github.com/urllib3/urllib3/issues/3734>__)

v2.6.1

Compare Source

==================

• Restore previously removed HTTPResponse.getheaders() and
  HTTPResponse.getheader() methods.
  (#&#8203;3731 <https://github.com/urllib3/urllib3/issues/3731>__)

v2.6.0

Compare Source

==================

Security

• Fixed a security issue where streaming API could improperly handle highly
  compressed HTTP content ("decompression bombs") leading to excessive resource
  consumption even when a small amount of data was requested. Reading small
  chunks of compressed data is safer and much more efficient now.
  (GHSA-2xpw-w6gg-jr37 <https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37>__)
• Fixed a security issue where an attacker could compose an HTTP response with
  virtually unlimited links in the Content-Encoding header, potentially
  leading to a denial of service (DoS) attack by exhausting system resources
  during decoding. The number of allowed chained encodings is now limited to 5.
  (GHSA-gm62-xv2j-4w53 <https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53>__)

.. caution::

• If urllib3 is not installed with the optional urllib3[brotli] extra, but
  your environment contains a Brotli/brotlicffi/brotlipy package anyway, make
  sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to
  benefit from the security fixes and avoid warnings. Prefer using
  urllib3[brotli] to install a compatible Brotli package automatically.

• If you use custom decompressors, please make sure to update them to
  respect the changed API of urllib3.response.ContentDecoder.

Features

• Enabled retrieval, deletion, and membership testing in HTTPHeaderDict using bytes keys. (#&#8203;3653 <https://github.com/urllib3/urllib3/issues/3653>__)
• Added host and port information to string representations of HTTPConnection. (#&#8203;3666 <https://github.com/urllib3/urllib3/issues/3666>__)
• Added support for Python 3.14 free-threading builds explicitly. (#&#8203;3696 <https://github.com/urllib3/urllib3/issues/3696>__)

Removals

• Removed the HTTPResponse.getheaders() method in favor of HTTPResponse.headers.
  Removed the HTTPResponse.getheader(name, default) method in favor of HTTPResponse.headers.get(name, default). (#&#8203;3622 <https://github.com/urllib3/urllib3/issues/3622>__)

Bugfixes

• Fixed redirect handling in urllib3.PoolManager when an integer is passed
  for the retries parameter. (#&#8203;3649 <https://github.com/urllib3/urllib3/issues/3649>__)
• Fixed HTTPConnectionPool when used in Emscripten with no explicit port. (#&#8203;3664 <https://github.com/urllib3/urllib3/issues/3664>__)
• Fixed handling of SSLKEYLOGFILE with expandable variables. (#&#8203;3700 <https://github.com/urllib3/urllib3/issues/3700>__)

Misc

• Changed the zstd extra to install backports.zstd instead of zstandard on Python 3.13 and before. (#&#8203;3693 <https://github.com/urllib3/urllib3/issues/3693>__)
• Improved the performance of content decoding by optimizing BytesQueueBuffer class. (#&#8203;3710 <https://github.com/urllib3/urllib3/issues/3710>__)
• Allowed building the urllib3 package with newer setuptools-scm v9.x. (#&#8203;3652 <https://github.com/urllib3/urllib3/issues/3652>__)
• Ensured successful urllib3 builds by setting Hatchling requirement to >= 1.27.0. (#&#8203;3638 <https://github.com/urllib3/urllib3/issues/3638>__)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.