Skip to content

Bring compatibility with urllib3 v2.0.0+ #207

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
VDigitall wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Bring compatibility with urllib3 v2.0.0+ #207

VDigitall wants to merge 2 commits into from

Conversation

@VDigitall
Copy link

@VDigitall VDigitall commented Dec 11, 2025
edited
Loading

Update urllib3 Dependency Version Constraints

Summary

This PR updates the urllib3 dependency constraint to >= 2.0.0, < 3.0.0 to address compatibility issues with deprecated features in urllib3 v2.0.0 and ensure stable operation while preventing breaking changes from the upcoming v3.x release.

Root Cause

urllib3 v2.0.0 introduced significant breaking changes and removed several deprecated features that were present in v1.x:

  • Removed Python 2.7 and Python 3.6 support: urllib3 v2.0+ requires Python 3.7+
  • Removed deprecated methods: Several previously deprecated methods and parameters were removed
  • Changed SSL/TLS behavior: Updated default SSL context and certificate verification behavior
  • Refactored internal APIs: Changes to internal module structure that may affect compatibility
  • Updated connection pooling: Modified connection pool management and timeout handling

The previous constraint (>= 2.0.0) was too broad and could allow installation of early v2.x versions that still had stability issues. Setting a minimum of v2.0.0 ensures users get a mature, stable release from the v2.x series.

Changes Made

  • Updated setup.py: Changed urllib3 constraint from >= 1.15.1 to >= 2.0.0, < 3.0.0
  • This ensures:
    • ✅ Minimum version is 2.0.0 (stable v2.x release with bug fixes)
    • ✅ Compatible with all mature urllib3 2.x releases
    • ✅ Prevents automatic upgrades to 3.x (which will introduce new breaking changes)

Impact

  • Compatibility: Ensures stable operation with urllib3 v2.x series
  • Future-proofing: Prevents automatic breaking changes from urllib3 v3.x
  • Users: Existing installations will upgrade to a stable v2.x release (>= 2.0.0)

References

Solves the issue #208

BCompertoreWAG and others added 2 commits December 8, 2025 09:28
@BCompertoreWAG
urllib 2.6.0 Support
7fd7797
@VDigitall
chore: Update urllib3 version constraint to >= 2.0.0, < 3.0.0
67134c5 
- Constrain urllib3 dependency to versions between 2.0.0 and 3.0.0
- Ensures compatibility with urllib3 v2.x while preventing breaking changes from v3.x
Copilot AI review requested due to automatic review settings December 11, 2025 14:50
Copilot AI reviewed Dec 11, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the urllib3 dependency from >= 1.15 to >= 2.0.0, < 3.0.0 and migrates the code to use urllib3 v2.x API patterns by replacing deprecated response methods with direct header attribute access.

Key changes:

  • Updated urllib3 version constraint to require v2.0.0+ and prevent v3.x
  • Modified RESTResponse wrapper methods to use urllib3 v2.x API (direct headers access instead of getheaders()/getheader() methods)
  • Updated README documentation to reflect new minimum version requirement

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File Description
setup.py Updated urllib3 dependency constraint from >= 1.15 to >= 2.0.0, < 3.0.0
docusign_esign/client/api_response.py Updated RESTResponse methods to use urllib3 v2.x API: replaced getheaders() with direct headers access and getheader(name, default) with headers.get(name, default)
README.md Updated documentation to reflect new minimum urllib3 version (v2.0.0+)

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

setup.py
# http://pypi.python.org/pypi/setuptools

REQUIRES = ["urllib3 >= 1.15", "six >= 1.8.0", "certifi >= 14.05.14", "python-dateutil >= 2.5.3", "setuptools >= 21.0.0", "PyJWT>=2.0.0", "cryptography>=2.5"]
REQUIRES = ["urllib3 >= 2.0.0, < 3.0.0", "six >= 1.8.0", "certifi >= 14.05.14", "python-dateutil >= 2.5.3", "setuptools >= 21.0.0", "PyJWT>=2.0.0", "cryptography>=2.5"]
Copy link

Copilot AI Dec 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The version constraint in the code (>= 2.0.0) does not match what is described in the PR description. The PR description states "Setting a minimum of v2.6.0 ensures users get a mature, stable release" and claims the change ensures "Minimum version is 2.0.0 (stable v2.x release with bug fixes)", but the actual minimum version specified here is 2.0.0, not 2.6.0 as mentioned in the description. If the intent is to require v2.6.0 as the minimum for stability reasons, the constraint should be "urllib3 >= 2.6.0, < 3.0.0" instead.

Suggested change
REQUIRES = ["urllib3 >= 2.0.0, < 3.0.0", "six >= 1.8.0", "certifi >= 14.05.14", "python-dateutil >= 2.5.3", "setuptools >= 21.0.0", "PyJWT>=2.0.0", "cryptography>=2.5"]
REQUIRES = ["urllib3 >= 2.6.0, < 3.0.0", "six >= 1.8.0", "certifi >= 14.05.14", "python-dateutil >= 2.5.3", "setuptools >= 21.0.0", "PyJWT>=2.0.0", "cryptography>=2.5"]

Copilot uses AI. Check for mistakes.
Copy link
Contributor

@garg-mudit garg-mudit Dec 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@VDigitall Shouldn't we move to 2.6.0 as minimum version to mitigate CVE-2025-66471

Copy link
Author

@VDigitall VDigitall Dec 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@garg-mudit
It could be an option, but I added v2.0.0 as it is minimum version that has new methods and it gives other users time to migrate to urllib3 v2.6.0.

To mitigate vulnerability, better would be set minimum version to 2.6.0

But its up to you.

@VDigitall
Copy link
Author

VDigitall commented Dec 11, 2025
edited
Loading

This PR addresses a critical security vulnerability in urllib3 that affects this package. Please prioritize review and merge.

Critical Vulnerability Addressed

CVE-2025-66471

Vulnerability in urllib3 < 2.6.0

  • Severity: CRITICAL/HIGH
  • Impact: Security flaw in urllib3 versions prior to 2.6.0 that could lead to unauthorized access, data exposure, or other security compromises
  • Affected versions: urllib3 < 2.6.0
  • Fixed in: urllib3 2.6.0+

References

Request

Please review and merge this PR urgently to protect users from this critical vulnerability. Thank you! 🙏

@VDigitall VDigitall changed the title Update urllib3 Dependency Version Constraints Bring compatibility with urllib3 v2.0.0+ Dec 11, 2025
This was referenced Dec 11, 2025
Closed
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@garg-mudit garg-mudit garg-mudit left review comments

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@VDigitall @garg-mudit @BCompertoreWAG