From a9248bb99601d460078752e5b0bcd0dc03259e0a Mon Sep 17 00:00:00 2001 From: Simone Carletti Date: Wed, 3 Jun 2026 08:45:59 +0200 Subject: [PATCH 1/2] Address security advisories for urllib3 and idna Raise the minimum versions of these transitive dependencies (pulled in via requests) to pick up security fixes: - urllib3 >=2.7.0 (CVE-2026-44431, CVE-2026-44432) - idna >=3.15 (CVE-2026-45409) --- CHANGELOG.md | 7 +++++++ pyproject.toml | 5 +++++ 2 files changed, 12 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 590d88d..4503453 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,13 @@
 This project uses [Semantic Versioning 2.0.0](http://semver.org/), the format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
+## Unreleased
+
+### Security
+
+- Raised the minimum `urllib3` version to `>=2.7.0` to address CVE-2026-44431 and CVE-2026-44432.
+- Raised the minimum `idna` version to `>=3.15` to address CVE-2026-45409.
+
 ## 8.0.0 - 2026-05-05
 ### Changed
diff --git a/pyproject.toml b/pyproject.toml
index ded1149..28bf4c2 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -19,6 +19,11 @@ classifiers = [
 python = "^3.12"
 requests = "^2.28.2"
 omitempty = "^0.1.1"
+# Minimum versions for transitive dependencies (pulled in via requests) to
+# pick up security fixes. urllib3 >=2.7.0 covers CVE-2026-44431 and
+# CVE-2026-44432; idna >=3.15 covers CVE-2026-45409.
+urllib3 = ">=2.7.0"
+idna = ">=3.15"
 [tool.poetry.group.test.dependencies]
 responses = ">=0.23.1,<0.27.0"
From f98e71e8699b388a19025ea36459fbf520d49dfb Mon Sep 17 00:00:00 2001 From: Simone Carletti Date: Wed, 3 Jun 2026 08:48:38 +0200 Subject: [PATCH 2/2] Update pyproject.toml Signed-off-by: Simone Carletti --- pyproject.toml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/pyproject.toml b/pyproject.toml
index 28bf4c2..3cd3af9 100644
--- a/pyproject.toml
+++ b/pyproject.toml 
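Review bot: The new `urllib3 = ">=2.7.0"` floor cannot be satisfied together with the low end of the `requests = "^2.28.2"` range on the context line above it: requests releases before 2.30.0 constrain urllib3 to `<1.27`, so the resolver is silently forced to requests 2.30 or newer and the declared requests floor is no longer the real one. Raising it alongside the new keys, e.g. `requests = "^2.30.0"`, makes the effective minimum explicit instead of leaving it to resolution. The diffstat lists only CHANGELOG.md and pyproject.toml; if the repository commits a poetry.lock, it needs regenerating in the same change, since a lock whose content hash no longer matches pyproject.toml either fails the install or, on older Poetry, installs the old urllib3/idna pins that the advisories concern. The `[tool.poetry.dependencies]` header these keys land under is outside the hunk, so the section is inferred from the `python`/`requests` context lines.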
@@ -19,9 +19,7 @@ classifiers = [
 python = "^3.12"
 requests = "^2.28.2"
 omitempty = "^0.1.1"
-# Minimum versions for transitive dependencies (pulled in via requests) to
-# pick up security fixes. urllib3 >=2.7.0 covers CVE-2026-44431 and
-# CVE-2026-44432; idna >=3.15 covers CVE-2026-45409.
+# Minimum versions for transitive dependencies for security
 urllib3 = ">=2.7.0"
 idna = ">=3.15"
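Review bot: The replacement comment `# Minimum versions for transitive dependencies for security` drops the CVE identifiers the removed lines carried, so a maintainer reading pyproject.toml alone can no longer tell what each floor covers or when it is safe to relax. Keep at least a pointer next to the keys, e.g. `# Security floors for requests' transitive deps: urllib3 >=2.7.0 (CVE-2026-44431, CVE-2026-44432), idna >=3.15 (CVE-2026-45409); see CHANGELOG`. The doubled "for ... for" also reads awkwardly; "Security floors for transitive dependencies pulled in via requests" keeps the original meaning on one line. The trailing blank context line of this hunk appears to have been lost in transit, which is why the `-19,9 +19,7` counts do not match the lines shown.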