
Conversation

@lawrence-u10d (Contributor) commented Dec 30, 2025

Resolves CVE-2025-66471 and CVE-2025-66418


Note

Addresses dependency security and stability updates.

  • Upgrade urllib3 from 2.5.0 to 2.6.2 in poetry.lock (includes extras changes)
  • Bump package version to 0.42.7 in pyproject.toml
  • Test fix: add Python 3.9 workaround in _test_contract/conftest.py to eagerly import unstructured_client.utils.retries to avoid a lazy-import race KeyError

Written by Cursor Bugbot for commit e46c9cb.

socket-security bot commented Dec 30, 2025

Review the following changes in direct dependencies.

Diff     Package                      Supply Chain Security  Vulnerability  Quality  Maintenance  License
Updated  pypi/urllib3@2.5.0 ⏵ 2.6.2   97 +1                  100 +22        100      100          100


@lawrence-u10d lawrence-u10d changed the title Upgrade urllib3 to resolve CVEs Dec 30, 2025
@lawrence-u10d lawrence-u10d added the patch Patch version bump label Dec 30, 2025
Add eager import of utils.retries module to prevent KeyError in module
lock when templates.py triggers lazy import via __getattr__. This is a
known Python 3.9 issue with nested imports that was fixed in 3.10+.

The urllib3 upgrade changed import timing enough to expose this latent
bug in the lazy loading mechanism.
@lawrence-u10d (Contributor, Author) commented:

@cursor bump patch version in pyproject.toml

cursor bot commented Dec 31, 2025

I've bumped the patch version in pyproject.toml from 0.42.6 to 0.42.7.


Co-authored-by: lawrence <lawrence@unstructured.io>
@lawrence-u10d lawrence-u10d merged commit 06b8b04 into main Dec 31, 2025
30 of 32 checks passed
@lawrence-u10d lawrence-u10d deleted the urllib3-upgrade branch December 31, 2025 04:18

Labels

patch Patch version bump

4 participants