Bump urllib3 from 2.6.2 to 2.6.3

[dependabot]

Bumps urllib3 from 2.6.2 to 2.6.3.

Release notes

Sourced from urllib3's releases.

2.6.3

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Changes

• Fixed a security issue where decompression-bomb safeguards of the streaming API were bypassed when HTTP redirects were followed. (CVE-2026-21441 reported by @​D47A, 8.9 High, GHSA-38jv-5279-wg99)
• Started treating Retry-After times greater than 6 hours as 6 hours by default. (urllib3/urllib3#3743)
• Fixed urllib3.connection.VerifiedHTTPSConnection on Emscripten. (urllib3/urllib3#3752)

Changelog

Sourced from urllib3's changelog.

2.6.3 (2026-01-07)

• Fixed a high-severity security issue where decompression-bomb safeguards of the streaming API were bypassed when HTTP redirects were followed. (GHSA-38jv-5279-wg99 <https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99>__)
• Started treating Retry-After times greater than 6 hours as 6 hours by default. ([#3743](https://github.com/urllib3/urllib3/issues/3743) <https://github.com/urllib3/urllib3/issues/3743>__)
• Fixed urllib3.connection.VerifiedHTTPSConnection on Emscripten. ([#3752](https://github.com/urllib3/urllib3/issues/3752) <https://github.com/urllib3/urllib3/issues/3752>__)

Commits

• 0248277 Release 2.6.3
• 8864ac4 Merge commit from fork
• 70cecb2 Fix Scorecard issues related to vulnerable dev dependencies (#3755)
• 41f249a Move "v2.0 Migration Guide" to the end of the table of contents (#3747)
• fd4dffd Patch VerifiedHTTPSConnection for Emscripten (#3752)
• 13f0bfd Handle massive values in Retry-After when calculating time to sleep for (#3743)
• 8c480bf Bump actions/upload-artifact from 5.0.0 to 6.0.0 (#3748)
• 4b40616 Bump actions/cache from 4.3.0 to 5.0.1 (#3750)
• 82b8479 Bump actions/download-artifact from 6.0.0 to 7.0.0 (#3749)
• 34284cb Mention experimental features in the security policy (#3746)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[codspeed-hq]

CodSpeed Performance Report

Merging this PR will not alter performance

_{Comparing dependabot/pip/urllib3-2.6.3 (ee608ce) with master (e311807)}

Summary

✅ 59 untouched benchmarks

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.73%. Comparing base (e311807) to head (ee608ce).
⚠️ Report is 300 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #11930      +/-   ##
==========================================
- Coverage   98.75%   98.73%   -0.03%     
==========================================
  Files         127      127              
  Lines       44532    44532              
  Branches     2354     2354              
==========================================
- Hits        43979    43970       -9     
- Misses        393      399       +6     
- Partials      160      163       +3     

Flag	Coverage Δ
CI-GHA	98.60% <ø> (-0.02%)	⬇️
OS-Linux	98.34% <ø> (-0.02%)	⬇️
OS-Windows	96.69% <ø> (ø)
OS-macOS	97.21% <ø> (-0.38%)	⬇️
Py-3.10.11	95.99% <ø> (-1.14%)	⬇️
Py-3.10.19	97.61% <ø> (ø)
Py-3.11.14	97.81% <ø> (-0.01%)	⬇️
Py-3.11.9	97.33% <ø> (-0.01%)	⬇️
Py-3.12.10	97.42% <ø> (-0.01%)	⬇️
Py-3.12.12	97.91% <ø> (ø)
Py-3.13.11	98.15% <ø> (-0.02%)	⬇️
Py-3.14.2	97.44% <ø> (-0.72%)	⬇️
Py-3.14.2t	97.22% <ø> (ø)
Py-pypy3.11.13-7.3.20	?
VM-macos	97.21% <ø> (-0.38%)	⬇️
VM-ubuntu	98.34% <ø> (-0.02%)	⬇️
VM-windows	96.69% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[dependabot]

Looks like urllib3 is up-to-date now, so this is no longer needed.