Update Python dependency - `urllib3` & `requests` #1128

PeterDaveHello · 2022-07-05T17:52:36Z

Description

Update Python dependency - urllib3 & requests

Update urllib3 from v1.25.9 to v1.26.5
Update requests from v2.22.0 to v2.28.1

Motivation and Context

There's a medium severity CVE in urllib3, before v1.26.5, but we can't
only just update urllib3 because there will be a dependency conflict.
requests also needs to be updated.

CVE reference:

https://www.cve.org/CVERecord?id=CVE-2021-33503

An issue was discovered in urllib3 before 1.26.5. When provided with a
URL containing many @ characters in the authority component, the
authority regular expression exhibits catastrophic backtracking,
causing a denial of service if a URL were passed as a parameter or
redirected to via an HTTP redirect.

How Has This Been Tested?

Types of changes

Bug fix (non-breaking change which fixes an issue)
New feature (non-breaking change which adds functionality)
Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist:

My code follows the code style of this project.
My change requires a change to the documentation.
I have updated the documentation accordingly.

- Update urllib3 from v1.25.9 to v1.26.5 - Update requests from v2.22.0 to v2.28.1 There's a medium severity CVE in urllib3, before v1.26.5, but we can't only just update urllib3 because there will be a dependency conflict. requests also needs to be updated. CVE reference: https://www.cve.org/CVERecord?id=CVE-2021-33503 > An issue was discovered in urllib3 before 1.26.5. When provided with a > URL containing many @ characters in the authority component, the > authority regular expression exhibits catastrophic backtracking, > causing a denial of service if a URL were passed as a parameter or > redirected to via an HTTP redirect. Signed-off-by: Peter Dave Hello <hsu@peterdavehello.org>