* Security issues
Pool managers now properly control redirects when retries is passed
(CVE-2025-50181, GHSA-pq67-6m6q-mj2v, bsc#1244925)
Redirects are now controlled by urllib3 in the Node.js runtime
(CVE-2025-50182, GHSA-48p4-8xcf-vxj5, bsc#1244924)
* Features
Added support for the compression.zstd module that is new in Python 3.14.
Added support for version 0.5 of hatch-vcs
* Bugfixes
Raised exception for HTTPResponse.shutdown on a connection already
released to the pool.
Fixed incorrect CONNECT statement when using an IPv6 proxy with
connection_from_host. Previously would not be wrapped in [].
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-urllib3?expand=0&rev=190
* Applied PEP 639 by specifying the license fields in
pyproject.toml. (#3522)
* Updated exceptions to save and restore more properties during the
pickle/serialization process. (#3567)
* Added verify_flags option to create_urllib3_context with a default
of VERIFY_X509_PARTIAL_CHAIN and VERIFY_X509_STRICT for Python
3.13+. (#3571)
* Fixed a bug with partial reads of streaming data in Emscripten.
(#3555)
* Switched to uv for installing development dependecies. (#3550)
* Removed the multiple.intoto.jsonl asset from GitHub releases.
Attestation of release files since v2.3.0 can be found on PyPI.
(#3566)
- 2.3.0:
* Added HTTPResponse.shutdown() to stop any ongoing or future reads
for a specific response. It calls shutdown(SHUT_RD) on the
underlying socket. This feature was sponsored by LaunchDarkly.
(#2868)
* Added support for JavaScript Promise Integration on Emscripten.
This enables more efficient WebAssembly requests and streaming,
and makes it possible to use in Node.js if you launch it as node
--experimental-wasm-stack-switching. (#3400)
* Added the proxy_is_tunneling property to HTTPConnection and
HTTPSConnection. (#3285)
* Added pickling support to NewConnectionError and
NameResolutionError. (#3480)
* Fixed an issue in debug logs where the HTTP version was rendering
as "HTTP/11" instead of "HTTP/1.1". (#3489)
* Removed support for Python 3.8. (#3492)
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-urllib3?expand=0&rev=188
* Features
+ Added support for Python 3.13.
* Bugfixes
+ Fixed the default encoding of chunked request bodies to be UTF-8
instead of ISO-8859-1. All other methods of supplying a request body
already use UTF-8 starting in urllib3 v2.0.
+ Fixed ResourceWarning on CONNECT with Python < 3.11.4 by backporting
python/cpython#103472.
+ Fixed a crash where certain standard library hash functions were absent
in restricted environments.
+ Added the Proxy-Authorization header to the list of headers to strip
from requests when redirecting to a different host. As before,
different headers can be set via Retry.remove_headers_on_redirect.
+ Allowed passing negative integers as amt to read methods of
http.client.HTTPResponse as an alternative to None.
+ Fixed issue where InsecureRequestWarning was emitted for HTTPS
connections when using Emscripten.
+ Fixed HTTPConnectionPool.urlopen to stop automatically casting
non-proxy headers to HTTPHeaderDict. This change was premature as it
did not apply to proxy headers and HTTPHeaderDict does not handle byte
header values correctly yet.
+ Changed InvalidChunkLength to ProtocolError when response terminates
before the chunk length is sent.
+ Changed ProtocolError to be more verbose on incomplete reads with
excess content.
+ Added support for HTTPResponse.read1() method.
+ Fixed issue where requests against urls with trailing dots were
failing due to SSL errors when using proxy.
+ Fixed HTTPConnection.proxy_is_verified and
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-urllib3?expand=0&rev=180
* Removed support for the deprecated urllib3[secure] extra.
* Removed support for the deprecated SecureTransport TLS
implementation.
* Removed support for the end-of-life Python 3.7.
* Allowed loading CA certificates from memory for proxies.
* Fixed decoding Gzip-encoded responses which specified
``x-gzip`` content-encoding.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-urllib3?expand=0&rev=174
* Added the Cookie header to the list of headers to strip from
requests when redirecting to a different host. As before, different
headers can be set via Retry.remove_headers_on_redirect
- 2.0.5:
* Allowed pyOpenSSL third-party module without any deprecation
warning. #3126
* Fixed default blocksize of HTTPConnection classes to match
high-level classes. Previously was 8KiB, now 16KiB. #3066
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-urllib3?expand=0&rev=168
* Added support for union operators to ``HTTPHeaderDict``
* Added ``BaseHTTPResponse`` to ``urllib3.__all__`` (`#3078
* Fixed ``urllib3.connection.HTTPConnection`` to raise the
``http.client.connect`` audit event to have the same behavior
as the standard library HTTP client
* Relied on the standard library for checking hostnames in
supported PyPy releases
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-urllib3?expand=0&rev=162
* Allowed alternative SSL libraries such as LibreSSL, while
still issuing a warning as we cannot help users facing issues
with implementations other than OpenSSL.
* Deprecated URLs which don't have an explicit scheme
* Fixed response decoding with Zstandard when compressed data
is made of several frames.
* Fixed ``assert_hostname=False`` to correctly skip hostname
check.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-urllib3?expand=0&rev=159
* Fixed a socket leak when fingerprint or hostname verifications fail.
* Fixed an error when HTTPResponse.read(0) was the first read call or when
the internal response body buffer was otherwise empty.
* Removed support for Python 2.7, 3.5, and 3.6.
* Removed fallback on certificate commonName in match_hostname() function.
* Removed support for Python with an ssl module compiled with LibreSSL,
CiscoSSL, wolfSSL, and all other OpenSSL alternatives.
* Removed support for OpenSSL versions earlier than 1.1.1.
* Removed urllib3.contrib.appengine.AppEngineManager and support for Google
App Engine Standard Environment.
* Changed ssl_version to instead set the corresponding
SSLContext.minimum_version and SSLContext.maximum_version values.
* Changed default SSLContext.minimum_version to be TLSVersion.TLSv1_2
in line with Python 3.10.
* Changed urllib3.util.create_urllib3_context to not override the system
cipher suites with a default value.
* Changed multipart/form-data header parameter formatting matches the
WHATWG HTML Standard as of 2021-06-10.
* Changed HTTPConnection.request() to always use lowercase chunk boundaries
when sending requests with Transfer-Encoding: chunked.
* Changed enforce_content_length default to True, preventing silent data
loss when reading streamed responses.
* Changed all parameters in the HTTPConnection and HTTPSConnection
constructors to be keyword-only except host and port.
* Changed HTTPConnection.getresponse() to set the socket timeout from
HTTPConnection.timeout value before reading data from the socket.
* Changed name of Retry.BACK0FF_MAX to be Retry.DEFAULT_BACKOFF_MAX.
* Changed TLS handshakes to use SSLContext.check_hostname when possible.
* Changed the default blocksize to 16KB to match OpenSSL's default read
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-urllib3?expand=0&rev=152
* Changed ``urllib3[brotli]`` extra to favor installing Brotli libraries that are still
receiving updates like ``brotli`` and ``brotlicffi`` instead of ``brotlipy``.
This change does not impact behavior of urllib3, only which dependencies are installed.
* Fixed a socket leaking when ``HTTPSConnection.connect()`` raises an exception.
* Fixed ``server_hostname`` being forwarded from ``PoolManager`` to ``HTTPConnectionPool``
when requesting an HTTP URL. Should only be forwarded when requesting an HTTPS URL.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-urllib3?expand=0&rev=130
* Added extra message to``urllib3.exceptions.ProxyError`` when urllib3 detects that
a proxy is configured to use HTTPS but the proxy itself appears to only use HTTP.
* Added a mention of the size of the connection pool when discarding a
connection due to the pool being full.
* Added explicit support for Python 3.11.
* Deprecated the ``Retry.MAX_BACKOFF`` class property in favor of
``Retry.DEFAULT_MAX_BACKOFF`` to better match the rest of the default parameter names.
``Retry.MAX_BACKOFF`` is removed in v2.0.
* Changed location of the vendored ``ssl.match_hostname`` function from
``urllib3.packages.ssl_match_hostname`` to
``urllib3.util.ssl_match_hostname`` to ensure Python 3.10+ compatibility after
being repackaged by downstream distributors.
* Fixed absolute imports, all imports are now relative.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-urllib3?expand=0&rev=127
* Fixed an issue where ``wrap_socket`` and ``CERT_REQUIRED`` wouldn't
be imported properly on Python 2.7.8 and earlier (Pull #2052)
* Fixed an issue where two ``User-Agent`` headers would be sent if a
``User-Agent`` header key is passed as ``bytes`` (Pull #2047)
* Added support for HTTPS proxies contacting HTTPS servers (Pull #1923, Pull #1806)
* Deprecated negotiating TLSv1 and TLSv1.1 by default. Users that
still wish to use TLS earlier than 1.2 without a deprecation warning
should opt-in explicitly by setting ``ssl_version=ssl.PROTOCOL_TLSv1_1`` (Pull #2002)
**Starting in urllib3 v2.0: Connections that receive a ``DeprecationWarning`` will fail**
* Deprecated ``Retry`` options ``Retry.DEFAULT_METHOD_WHITELIST``, ``Retry.DEFAULT_REDIRECT_HEADERS_BLACKLIST``
and ``Retry(method_whitelist=...)`` in favor of ``Retry.DEFAULT_ALLOWED_METHODS``,
``Retry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT``, and ``Retry(allowed_methods=...)``
(Pull #2000) **Starting in urllib3 v2.0: Deprecated options will be removed**
* Added default ``User-Agent`` header to every request (Pull #1750)
* Added ``urllib3.util.SKIP_HEADER`` for skipping ``User-Agent``, ``Accept-Encoding``,
and ``Host`` headers from being automatically emitted with requests (Pull #2018)
* Collapse ``transfer-encoding: chunked`` request data and framing into
the same ``socket.send()`` call (Pull #1906)
* Send ``http/1.1`` ALPN identifier with every TLS handshake by default (Pull #1894)
* Properly terminate SecureTransport connections when CA verification fails (Pull #1977)
* Don't emit an ``SNIMissingWarning`` when passing ``server_hostname=None``
to SecureTransport (Pull #1903)
* Disabled requesting TLSv1.2 session tickets as they weren't being used by urllib3 (Pull #1970)
* Suppress ``BrokenPipeError`` when writing request body after the server
has closed the socket (Pull #1524)
* Wrap ``ssl.SSLError`` that can be raised from reading a socket (e.g. "bad MAC")
into an ``urllib3.exceptions.SSLError`` (Pull #1939)
* Fix retry backoff time parsed from ``Retry-After`` header when given
in the HTTP date format. The HTTP date was parsed as the local timezone
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-urllib3?expand=0&rev=105
