
build(deps): update dependency urllib3 to v1.26.5 [security] #261

Merged: 1 commit, Jul 21, 2021

Conversation

@renovate renovate bot commented Jul 21, 2021

WhiteSource Renovate

This PR contains the following updates:

Package          | Change
urllib3 (source) | ==1.25.11 -> ==1.26.5

GitHub Vulnerability Alerts

CVE-2021-33503

Impact

When provided with a URL containing many @ characters in the authority component the authority regular expression exhibits catastrophic backtracking causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.

Patches

The issue has been fixed in urllib3 v1.26.5.


Release Notes

urllib3/urllib3

v1.26.5

  • Fixed deprecation warnings emitted in Python 3.10.
  • Updated vendored six library to 1.16.0.
  • Improved performance of URL parser when splitting
    the authority component.

v1.26.4

  • Changed behavior of the default SSLContext when connecting to HTTPS proxy
    during HTTPS requests. The default SSLContext now sets check_hostname=True.

v1.26.3

  • Fixed bytes and string comparison issue with headers (Pull #2141)

  • Changed ProxySchemeUnknown error message to be
    more actionable if the user supplies a proxy URL without
    a scheme. (Pull #2107)

v1.26.2

  • Fixed an issue where wrap_socket and CERT_REQUIRED wouldn't
    be imported properly on Python 2.7.8 and earlier (Pull #2052)

v1.26.1

  • Fixed an issue where two User-Agent headers would be sent if a
    User-Agent header key is passed as bytes (Pull #2047)

v1.26.0

  • NOTE: urllib3 v2.0 will drop support for Python 2.
    Read more in the v2.0 Roadmap: https://urllib3.readthedocs.io/en/latest/v2-roadmap.html

  • Added support for HTTPS proxies contacting HTTPS servers (Pull #1923, Pull #1806)

  • Deprecated negotiating TLSv1 and TLSv1.1 by default. Users that
    still wish to use TLS earlier than 1.2 without a deprecation warning
    should opt-in explicitly by setting ssl_version=ssl.PROTOCOL_TLSv1_1 (Pull #2002)
    Starting in urllib3 v2.0: Connections that receive a DeprecationWarning will fail

  • Deprecated Retry options Retry.DEFAULT_METHOD_WHITELIST, Retry.DEFAULT_REDIRECT_HEADERS_BLACKLIST
    and Retry(method_whitelist=...) in favor of Retry.DEFAULT_ALLOWED_METHODS,
    Retry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT, and Retry(allowed_methods=...)
    (Pull #2000) Starting in urllib3 v2.0: Deprecated options will be removed

  • Added default User-Agent header to every request (Pull #1750)

  • Added urllib3.util.SKIP_HEADER for skipping User-Agent, Accept-Encoding,
    and Host headers from being automatically emitted with requests (Pull #2018)

  • Collapse transfer-encoding: chunked request data and framing into
    the same socket.send() call (Pull #1906)

  • Send http/1.1 ALPN identifier with every TLS handshake by default (Pull #1894)

  • Properly terminate SecureTransport connections when CA verification fails (Pull #1977)

  • Don't emit an SNIMissingWarning when passing server_hostname=None
    to SecureTransport (Pull #1903)

  • Disabled requesting TLSv1.2 session tickets as they weren't being used by urllib3 (Pull #1970)

  • Suppress BrokenPipeError when writing request body after the server
    has closed the socket (Pull #1524)

  • Wrap ssl.SSLError that can be raised from reading a socket (e.g. "bad MAC")
    into an urllib3.exceptions.SSLError (Pull #1939)


Configuration

📅 Schedule: "" in timezone Africa/Lusaka.

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box.

This PR has been generated by WhiteSource Renovate. View repository job log here.
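The advisory above describes a regex that backtracks catastrophically on authorities containing many "@" characters. As an added example (not urllib3's code and not part of this PR), the block below shows the defensive shape of the v1.26.5 fix: splitting the authority with a single rpartition on the last "@" so parsing cost stays linear however many "@" the input carries, alongside a version gate for the pin this PR updates. FIXED_VERSION is taken from the advisory; the parser is a simplified stand-in and not a full RFC 3986 implementation.

```python
"""Added example: linear-time authority split plus a pin check for the
urllib3 release that fixed CVE-2021-33503 (not urllib3's own code)."""
from typing import Optional, Tuple

FIXED_VERSION = (1, 26, 5)  # first urllib3 release without the ReDoS (from the advisory)


def parse_version(spec: str) -> Tuple[int, ...]:
    """Turn a requirements pin such as '==1.25.11' or '1.26.5' into a tuple."""
    digits = spec.strip().lstrip("=<>~!")
    return tuple(int(part) for part in digits.split("."))


def pin_is_fixed(spec: str) -> bool:
    """True when the pinned urllib3 version is at or above the fixed release."""
    return parse_version(spec) >= FIXED_VERSION


def split_authority(authority: str) -> Tuple[Optional[str], str, Optional[int]]:
    """Split 'userinfo@host:port' into (userinfo, host, port) in O(len(authority)).

    A single rpartition on the last '@' decides where userinfo ends, so an
    authority stuffed with '@' characters costs one scan instead of the
    exponential backtracking a nested optional regex group can fall into.
    """
    userinfo, sep, host_port = authority.rpartition("@")
    if not sep:
        userinfo = None
    # IPv6 literals contain ':' inside brackets; only look for a port after ']'.
    if host_port.startswith("["):
        end = host_port.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal")
        host, rest = host_port[: end + 1], host_port[end + 1 :]
    else:
        host, colon, tail = host_port.partition(":")
        rest = ":" + tail if colon else ""
    port = None
    if rest:
        if not rest.startswith(":") or (rest[1:] and not rest[1:].isdigit()):
            raise ValueError("invalid port in authority: %r" % rest)
        if rest[1:]:
            port = int(rest[1:])
            if port > 65535:
                raise ValueError("port out of range: %d" % port)
    return userinfo, host, port
```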

@renovate renovate bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Jul 21, 2021
@renovate renovate bot force-pushed the renovate/pypi-urllib3-vulnerability branch from bb00086 to b80cb09 on July 21, 2021 03:09
@renovate renovate bot merged commit 47dc86e into master Jul 21, 2021
@renovate renovate bot deleted the renovate/pypi-urllib3-vulnerability branch July 21, 2021 04:03