- Update to 2.6.2
* Fixed HTTPResponse.read_chunked() to properly handle leftover data in the
decoder's buffer when reading compressed chunked responses.
- Update to 2.6.1
* Restore previously removed HTTPResponse.getheaders() and
HTTPResponse.getheader() methods.
- Update to 2.6.0
* Security:
- Fixed a security issue where streaming API could improperly handle highly
compressed HTTP content ("decompression bombs") leading to excessive
resource consumption even when a small amount of data was requested.
Reading small chunks of compressed data is safer and much more efficient
now. (CVE-2025-66471, GHSA-2xpw-w6gg-jr37, bsc#1254867)
- Fixed a security issue where an attacker could compose an HTTP response
with virtually unlimited links in the Content-Encoding header, potentially
leading to a denial of service (DoS) attack by exhausting system resources
during decoding. The number of allowed chained encodings is now limited to
5. (CVE-2025-66418, GHSA-gm62-xv2j-4w53, bsc#1254866)
* Features:
- Enabled retrieval, deletion, and membership testing in HTTPHeaderDict
using bytes keys.
- Added host and port information to string representations of
HTTPConnection.
- Added support for Python 3.14 free-threading builds explicitly.
* Removals:
- Removed the HTTPResponse.getheaders() method in favor of
HTTPResponse.headers. Removed the HTTPResponse.getheader(name, default)
method in favor of HTTPResponse.headers.get(name, default).
* Bugfixes:
- Fixed redirect handling in urllib3.PoolManager when an integer is passed
for the retries parameter.
- Fixed HTTPConnectionPool when used in Emscripten with no explicit port.
- Fixed handling of SSLKEYLOGFILE with expandable variables.
* Misc:
- Changed the zstd extra to install backports.zstd instead of zstandard on
Python 3.13 and before.
- Improved the performance of content decoding by optimizing
BytesQueueBuffer class.
- Allowed building the urllib3 package with newer setuptools-scm v9.x.
- Ensured successful urllib3 builds by setting Hatchling requirement
to ≥ 1.27.0.
OBS-URL: https://build.opensuse.org/request/show/1325746
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-urllib3?expand=0&rev=192
* Security issues
Pool managers now properly control redirects when retries is passed
(CVE-2025-50181, GHSA-pq67-6m6q-mj2v, bsc#1244925)
Redirects are now controlled by urllib3 in the Node.js runtime
(CVE-2025-50182, GHSA-48p4-8xcf-vxj5, bsc#1244924)
* Features
Added support for the compression.zstd module that is new in Python 3.14.
Added support for version 0.5 of hatch-vcs
* Bugfixes
Raised exception for HTTPResponse.shutdown on a connection already
released to the pool.
Fixed incorrect CONNECT statement when using an IPv6 proxy with
connection_from_host. Previously would not be wrapped in [].
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-urllib3?expand=0&rev=190
* Applied PEP 639 by specifying the license fields in
pyproject.toml. (#3522)
* Updated exceptions to save and restore more properties during the
pickle/serialization process. (#3567)
* Added verify_flags option to create_urllib3_context with a default
of VERIFY_X509_PARTIAL_CHAIN and VERIFY_X509_STRICT for Python
3.13+. (#3571)
* Fixed a bug with partial reads of streaming data in Emscripten.
(#3555)
* Switched to uv for installing development dependecies. (#3550)
* Removed the multiple.intoto.jsonl asset from GitHub releases.
Attestation of release files since v2.3.0 can be found on PyPI.
(#3566)
- 2.3.0:
* Added HTTPResponse.shutdown() to stop any ongoing or future reads
for a specific response. It calls shutdown(SHUT_RD) on the
underlying socket. This feature was sponsored by LaunchDarkly.
(#2868)
* Added support for JavaScript Promise Integration on Emscripten.
This enables more efficient WebAssembly requests and streaming,
and makes it possible to use in Node.js if you launch it as node
--experimental-wasm-stack-switching. (#3400)
* Added the proxy_is_tunneling property to HTTPConnection and
HTTPSConnection. (#3285)
* Added pickling support to NewConnectionError and
NameResolutionError. (#3480)
* Fixed an issue in debug logs where the HTTP version was rendering
as "HTTP/11" instead of "HTTP/1.1". (#3489)
* Removed support for Python 3.8. (#3492)
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-urllib3?expand=0&rev=188
* Features
+ Added support for Python 3.13.
* Bugfixes
+ Fixed the default encoding of chunked request bodies to be UTF-8
instead of ISO-8859-1. All other methods of supplying a request body
already use UTF-8 starting in urllib3 v2.0.
+ Fixed ResourceWarning on CONNECT with Python < 3.11.4 by backporting
python/cpython#103472.
+ Fixed a crash where certain standard library hash functions were absent
in restricted environments.
+ Added the Proxy-Authorization header to the list of headers to strip
from requests when redirecting to a different host. As before,
different headers can be set via Retry.remove_headers_on_redirect.
+ Allowed passing negative integers as amt to read methods of
http.client.HTTPResponse as an alternative to None.
+ Fixed issue where InsecureRequestWarning was emitted for HTTPS
connections when using Emscripten.
+ Fixed HTTPConnectionPool.urlopen to stop automatically casting
non-proxy headers to HTTPHeaderDict. This change was premature as it
did not apply to proxy headers and HTTPHeaderDict does not handle byte
header values correctly yet.
+ Changed InvalidChunkLength to ProtocolError when response terminates
before the chunk length is sent.
+ Changed ProtocolError to be more verbose on incomplete reads with
excess content.
+ Added support for HTTPResponse.read1() method.
+ Fixed issue where requests against urls with trailing dots were
failing due to SSL errors when using proxy.
+ Fixed HTTPConnection.proxy_is_verified and
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-urllib3?expand=0&rev=180
* Removed support for the deprecated urllib3[secure] extra.
* Removed support for the deprecated SecureTransport TLS
implementation.
* Removed support for the end-of-life Python 3.7.
* Allowed loading CA certificates from memory for proxies.
* Fixed decoding Gzip-encoded responses which specified
``x-gzip`` content-encoding.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-urllib3?expand=0&rev=174
* Added the Cookie header to the list of headers to strip from
requests when redirecting to a different host. As before, different
headers can be set via Retry.remove_headers_on_redirect
- 2.0.5:
* Allowed pyOpenSSL third-party module without any deprecation
warning. #3126
* Fixed default blocksize of HTTPConnection classes to match
high-level classes. Previously was 8KiB, now 16KiB. #3066
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-urllib3?expand=0&rev=168
* Added ``urllib3.util.SKIP_HEADER`` for skipping ``User-Agent``, ``Accept-Encoding``,
- Add missing dependency on python-six (bsc#1150895)
- update to 1.25 (bsc#1132663, bsc#1129071, CVE-2019-9740, CVE-2019-11236):
* Allow providing a list of headers to strip from requests when redirecting
without repeatedly flushing the decoder, to function better on
* Accept ca_cert_dir for SSL-related PoolManager configuration.
- add python-pyOpenSSL, python-certifi and python-pyasn1 requirements
- Comment out test requirements, as tests are disabled anyway, and
* Add support for directories of certificate authorities, as
* New exception: NewConnectionError, raised when we fail to
- Update 0001-Don-t-pin-dependency-to-exact-version.patch
* Shuffled around development-related files.
If you're maintaining a distro package of urllib3, you may need
* Unverified HTTPS requests will trigger a warning on the first
* New retry logic and urllib3.util.retry.Retry configuration
* All raised exceptions should now wrapped in a
urllib3.exceptions.HTTPException-extending exception.
urllib3.exceptions.MaxRetryError, including timeout-related
exceptions which were previously exempt. Underlying error is
* urllib3.exceptions.ConnectionError renamed to
* Requesting an empty host will raise
* Catch read timeouts over SSL connections as
* Fix TLS verification when using a proxy in Python 3.4.1.
* Add disable_cache option to urllib3.util.make_headers.
* Wrap socket.timeout exception with
* Fixed proxy-related bug where connections were being reused
* Added socket_options keyword parameter which allows to define
* Removed HTTPConnection.tcp_nodelay in favor of
* Don't install dummyserver into site-packages as it's only
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-urllib3?expand=0&rev=166
* Added support for union operators to ``HTTPHeaderDict``
* Added ``BaseHTTPResponse`` to ``urllib3.__all__`` (`#3078
* Fixed ``urllib3.connection.HTTPConnection`` to raise the
``http.client.connect`` audit event to have the same behavior
as the standard library HTTP client
* Relied on the standard library for checking hostnames in
supported PyPy releases
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-urllib3?expand=0&rev=162
* Allowed alternative SSL libraries such as LibreSSL, while
still issuing a warning as we cannot help users facing issues
with implementations other than OpenSSL.
* Deprecated URLs which don't have an explicit scheme
* Fixed response decoding with Zstandard when compressed data
is made of several frames.
* Fixed ``assert_hostname=False`` to correctly skip hostname
check.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-urllib3?expand=0&rev=159
* Fixed a socket leak when fingerprint or hostname verifications fail.
* Fixed an error when HTTPResponse.read(0) was the first read call or when
the internal response body buffer was otherwise empty.
* Removed support for Python 2.7, 3.5, and 3.6.
* Removed fallback on certificate commonName in match_hostname() function.
* Removed support for Python with an ssl module compiled with LibreSSL,
CiscoSSL, wolfSSL, and all other OpenSSL alternatives.
* Removed support for OpenSSL versions earlier than 1.1.1.
* Removed urllib3.contrib.appengine.AppEngineManager and support for Google
App Engine Standard Environment.
* Changed ssl_version to instead set the corresponding
SSLContext.minimum_version and SSLContext.maximum_version values.
* Changed default SSLContext.minimum_version to be TLSVersion.TLSv1_2
in line with Python 3.10.
* Changed urllib3.util.create_urllib3_context to not override the system
cipher suites with a default value.
* Changed multipart/form-data header parameter formatting matches the
WHATWG HTML Standard as of 2021-06-10.
* Changed HTTPConnection.request() to always use lowercase chunk boundaries
when sending requests with Transfer-Encoding: chunked.
* Changed enforce_content_length default to True, preventing silent data
loss when reading streamed responses.
* Changed all parameters in the HTTPConnection and HTTPSConnection
constructors to be keyword-only except host and port.
* Changed HTTPConnection.getresponse() to set the socket timeout from
HTTPConnection.timeout value before reading data from the socket.
* Changed name of Retry.BACK0FF_MAX to be Retry.DEFAULT_BACKOFF_MAX.
* Changed TLS handshakes to use SSLContext.check_hostname when possible.
* Changed the default blocksize to 16KB to match OpenSSL's default read
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-urllib3?expand=0&rev=152
* Changed ``urllib3[brotli]`` extra to favor installing Brotli libraries that are still
receiving updates like ``brotli`` and ``brotlicffi`` instead of ``brotlipy``.
This change does not impact behavior of urllib3, only which dependencies are installed.
* Fixed a socket leaking when ``HTTPSConnection.connect()`` raises an exception.
* Fixed ``server_hostname`` being forwarded from ``PoolManager`` to ``HTTPConnectionPool``
when requesting an HTTP URL. Should only be forwarded when requesting an HTTPS URL.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-urllib3?expand=0&rev=130
* Added extra message to``urllib3.exceptions.ProxyError`` when urllib3 detects that
a proxy is configured to use HTTPS but the proxy itself appears to only use HTTP.
* Added a mention of the size of the connection pool when discarding a
connection due to the pool being full.
* Added explicit support for Python 3.11.
* Deprecated the ``Retry.MAX_BACKOFF`` class property in favor of
``Retry.DEFAULT_MAX_BACKOFF`` to better match the rest of the default parameter names.
``Retry.MAX_BACKOFF`` is removed in v2.0.
* Changed location of the vendored ``ssl.match_hostname`` function from
``urllib3.packages.ssl_match_hostname`` to
``urllib3.util.ssl_match_hostname`` to ensure Python 3.10+ compatibility after
being repackaged by downstream distributors.
* Fixed absolute imports, all imports are now relative.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-urllib3?expand=0&rev=127
