build(deps): [security] bump urllib3 from 1.25.11 to 1.26.5

[dependabot-preview]

Bumps urllib3 from 1.25.11 to 1.26.5. This update includes a security fix.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

Catastrophic backtracking in URL authority parser when passed URL containing many @ characters

Impact

When provided with a URL containing many @ characters in the authority component the authority regular expression exhibits catastrophic backtracking causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.

Patches

The issue has been fixed in urllib3 v1.26.5.

References

• CVE-2021-33503
• urllib3 v1.26.5

For more information

If you have any questions or comments about this advisory:

• Ask in our community Discord
• Email [email protected]

Affected versions: < 1.26.5

Release notes

Sourced from urllib3's releases.

1.26.5

⚠️ IMPORTANT: urllib3 v2.0 will drop support for Python 2: Read more in the v2.0 Roadmap

• Fixed deprecation warnings emitted in Python 3.10.
• Updated vendored six library to 1.16.0.
• Improved performance of URL parser when splitting the authority component.

If you or your organization rely on urllib3 consider supporting us via GitHub Sponsors

1.26.4

⚠️ IMPORTANT: urllib3 v2.0 will drop support for Python 2: Read more in the v2.0 Roadmap

• Changed behavior of the default SSLContext when connecting to HTTPS proxy during HTTPS requests. The default SSLContext now sets check_hostname=True.

If you or your organization rely on urllib3 consider supporting us via GitHub Sponsors

1.26.3

⚠️ IMPORTANT: urllib3 v2.0 will drop support for Python 2: Read more in the v2.0 Roadmap

• Fixed bytes and string comparison issue with headers (Pull #2141)

• Changed ProxySchemeUnknown error message to be more actionable if the user supplies a proxy URL without a scheme (Pull #2107)

If you or your organization rely on urllib3 consider supporting us via GitHub Sponsors

1.26.2

⚠️ IMPORTANT: urllib3 v2.0 will drop support for Python 2: Read more in the v2.0 Roadmap

• Fixed an issue where wrap_socket and CERT_REQUIRED wouldn't be imported properly on Python 2.7.8 and earlier (Pull #2052)

1.26.1

⚠️ IMPORTANT: urllib3 v2.0 will drop support for Python 2: Read more in the v2.0 Roadmap

• Fixed an issue where two User-Agent headers would be sent if a User-Agent header key is passed as bytes (Pull #2047)

1.26.0

⚠️ IMPORTANT: urllib3 v2.0 will drop support for Python 2: Read more in the v2.0 Roadmap

• Added support for HTTPS proxies contacting HTTPS servers (Pull #1923, Pull #1806)

• Deprecated negotiating TLSv1 and TLSv1.1 by default. Users that still wish to use TLS earlier than 1.2 without a deprecation warning should opt-in explicitly by setting ssl_version=ssl.PROTOCOL_TLSv1_1 (Pull #2002) Starting in urllib3 v2.0: Connections that receive a DeprecationWarning will fail

• Deprecated Retry options Retry.DEFAULT_METHOD_WHITELIST, Retry.DEFAULT_REDIRECT_HEADERS_BLACKLIST and Retry(method_whitelist=...) in favor of Retry.DEFAULT_ALLOWED_METHODS, Retry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT, and Retry(allowed_methods=...) (Pull #2000) Starting in urllib3 v2.0: Deprecated options will be removed

... (truncated)

Changelog

Sourced from urllib3's changelog.

1.26.5 (2021-05-26)

• Fixed deprecation warnings emitted in Python 3.10.
• Updated vendored six library to 1.16.0.
• Improved performance of URL parser when splitting the authority component.

1.26.4 (2021-03-15)

• Changed behavior of the default SSLContext when connecting to HTTPS proxy during HTTPS requests. The default SSLContext now sets check_hostname=True.

1.26.3 (2021-01-26)

• Fixed bytes and string comparison issue with headers (Pull #2141)
• Changed ProxySchemeUnknown error message to be more actionable if the user supplies a proxy URL without a scheme. (Pull #2107)

1.26.2 (2020-11-12)

• Fixed an issue where wrap_socket and CERT_REQUIRED wouldn't be imported properly on Python 2.7.8 and earlier (Pull #2052)

1.26.1 (2020-11-11)

• Fixed an issue where two User-Agent headers would be sent if a User-Agent header key is passed as bytes (Pull #2047)

1.26.0 (2020-11-10)

• NOTE: urllib3 v2.0 will drop support for Python 2. Read more in the v2.0 Roadmap.
• Added support for HTTPS proxies contacting HTTPS servers (Pull #1923, Pull #1806)
• Deprecated negotiating TLSv1 and TLSv1.1 by default. Users that still wish to use TLS earlier than 1.2 without a deprecation warning should opt-in explicitly by setting ssl_version=ssl.PROTOCOL_TLSv1_1 (Pull #2002) Starting in urllib3 v2.0: Connections that receive a DeprecationWarning will fail
• Deprecated Retry options Retry.DEFAULT_METHOD_WHITELIST, Retry.DEFAULT_REDIRECT_HEADERS_BLACKLIST and Retry(method_whitelist=...) in favor of Retry.DEFAULT_ALLOWED_METHODS, Retry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT, and Retry(allowed_methods=...) (Pull #2000) Starting in urllib3 v2.0: Deprecated options will be removed
• Added default User-Agent header to every request (Pull #1750)
• Added urllib3.util.SKIP_HEADER for skipping User-Agent, Accept-Encoding, and Host headers from being automatically emitted with requests (Pull #2018)
• Collapse transfer-encoding: chunked request data and framing into the same socket.send() call (Pull #1906)
• Send http/1.1 ALPN identifier with every TLS handshake by default (Pull #1894)
• Properly terminate SecureTransport connections when CA verification fails (Pull #1977)
• Don't emit an SNIMissingWarning when passing server_hostname=None to SecureTransport (Pull #1903)
• Disabled requesting TLSv1.2 session tickets as they weren't being used by urllib3 (Pull #1970)
• Suppress BrokenPipeError when writing request body after the server has closed the socket (Pull #1524)
• Wrap ssl.SSLError that can be raised from reading a socket (e.g. "bad MAC") into an urllib3.exceptions.SSLError (Pull #1939)

Commits

• d161647 Release 1.26.5
• 2d4a3fe Improve performance of sub-authority splitting in URL
• 2698537 Update vendored six to 1.16.0
• 07bed79 Fix deprecation warnings for Python 3.10 ssl module
• d725a9b Add Python 3.10 to GitHub Actions
• 339ad34 Use pytest==6.2.4 on Python 3.10+
• f271c9c Apply latest Black formatting
• 1884878 [1.26] Properly proxy EOF on the SSLTransport test suite
• a891304 Release 1.26.4
• 8d65ea1 Merge pull request from GHSA-5phf-pp7p-vc2r
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

[codecov]

Codecov Report

Merging #160 (469840b) into master (761d51f) will decrease coverage by 0.02%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##           master     #160      +/-   ##
==========================================
- Coverage   60.72%   60.70%   -0.03%     
==========================================
  Files          27       27              
  Lines         988      990       +2     
  Branches      167      167              
==========================================
+ Hits          600      601       +1     
- Misses        374      375       +1     
  Partials       14       14              

Impacted Files	Coverage Δ
rcds/cli/__main__.py	0.00% <0.00%> (ø)
rcds/project/assets.py	98.21% <0.00%> (+0.01%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 761d51f...469840b. Read the comment docs.