Remove outdated urllib3<2.0.0 constraint #91
Problem
kbcstorage has a hard dependency constraint `urllib3<2.0.0` in its metadata, which prevents downstream projects from upgrading to urllib3 2.x.
The constraint was added as a workaround for boto/botocore#2926, which has since been resolved and closed.
Evidence
- The comment in `pyproject.toml` reads: `"urllib3<2.0.0",  # Frozen until fixed: https://github.com/boto/botocore/issues/2926`
- The referenced botocore issue is closed.
- Current botocore (1.42.x) handles urllib3 version constraints itself via markers: `urllib3<1.27` for Python <3.10, `urllib3>=1.25.4,<3` for Python >=3.10.
- kbcstorage does not import or use urllib3 anywhere in its source code — it's a phantom dependency.
Suggested fix
Remove the direct `urllib3<2.0.0` pin from `pyproject.toml` and let the transitive dependencies (boto3/botocore) manage their own urllib3 version constraints. This is the correct approach since botocore already specifies the appropriate urllib3 markers for each Python version.
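Before dropping a pin like this, it is worth confirming that the package really is a phantom dependency and that the removal leaves the rest of the dependency list intact. The script below is an added example, not code from the kbcstorage project: it walks Python sources with `ast` to find any top-level `urllib3` import and rewrites a dependency list without the pin. The file names and dependency list are constructed to mirror the issue.

```python
from __future__ import annotations

import ast
import re
from pathlib import Path

# Constructed sample mirroring the pyproject.toml dependency list in the issue.
SAMPLE_DEPS = [
    "boto3",
    "requests",
    "urllib3<2.0.0",  # Frozen until fixed: https://github.com/boto/botocore/issues/2926
]

# Constructed stand-in for the package's source tree (hypothetical file names).
SAMPLE_SOURCES = {
    "pkg/client.py": "import boto3\nimport requests\nfrom .models import Bucket\n",
    "pkg/models.py": "from dataclasses import dataclass\n",
}

_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def dist_name(spec: str) -> str:
    """Normalised distribution name from a PEP 508 requirement string."""
    m = _NAME.match(spec)
    if not m:
        raise ValueError(f"unparseable requirement: {spec!r}")
    return re.sub(r"[-_.]+", "-", m.group(1)).lower()


def imported_top_levels(src: str) -> set[str]:
    """Top-level module names imported by one Python source file (absolute imports only)."""
    found: set[str] = set()
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Import):
            found.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            found.add(node.module.split(".")[0])
    return found


def is_phantom(dep: str, sources: dict[str, str]) -> bool:
    """True when no source file imports the module behind `dep` (module name == dist name)."""
    module = dist_name(dep).replace("-", "_")
    return all(module not in imported_top_levels(src) for src in sources.values())


def drop_pin(deps: list[str], name: str) -> list[str]:
    """Return the dependency list without any requirement for `name`."""
    return [d for d in deps if dist_name(d) != dist_name(name)]


def sources_under(root: Path) -> dict[str, str]:
    """Read every .py file under `root`, keyed by path, for use with is_phantom()."""
    return {str(p): p.read_text(encoding="utf-8") for p in root.rglob("*.py")}
```

For a real tree, replace `SAMPLE_SOURCES` with `sources_under(Path("src"))`; the mapping from distribution name to import name is assumed to be identical, which holds for urllib3 but not for every package.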
Impact
This constraint blocks all downstream projects from resolving to modern versions of urllib3, cryptography, requests, and other packages that have moved to urllib3 2.x, causing numerous unresolvable Dependabot security alerts.