From 95cee26b94a2bd976f21c2dfd9160eda2fb3448c Mon Sep 17 00:00:00 2001
From: Claude
Date: Thu, 30 Apr 2026 08:57:34 +0000
Subject: [PATCH 1/2] fix: bump urllib3 minimum to 2.6.3 for CVE-2026-21441
Tighten the urllib3 constraint from >2.6.0 to >2.6.2 so the resolver picks 2.6.3+, which patches CVE-2026-21441 (vulnerable range >=1.22, <2.6.3).
---
 poetry.lock | 8 ++++----
 pyproject.toml | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/poetry.lock b/poetry.lock
index 80a62a1..c632b64 100644
--- a/poetry.lock
+++ b/poetry.lock
@@ -974,14 +974,14 @@ files = [
 [[package]]
 name = "urllib3"
-version = "2.6.2"
+version = "2.6.3"
 description = "HTTP library with thread-safe connection pooling, file post, and more."
 optional = false
 python-versions = ">=3.9"
 groups = ["main"]
 files = [
- {file = "urllib3-2.6.2-py3-none-any.whl", hash = "sha256:ec21cddfe7724fc7cb4ba4bea7aa8e2ef36f607a4bab81aa6ce42a13dc3f03dd"},
- {file = "urllib3-2.6.2.tar.gz", hash = "sha256:016f9c98bb7e98085cb2b4b17b87d2c702975664e4f060c6532e64d1c1a5e797"},
+ {file = "urllib3-2.6.3-py3-none-any.whl", hash = "sha256:bf272323e553dfb2e87d9bfd225ca7b0f467b919d7bbd355436d3fd37cb0acd4"},
+ {file = "urllib3-2.6.3.tar.gz", hash = "sha256:1b62b6884944a57dbe321509ab94fd4d3b307075e0c2eae991ac71ee15ad38ed"},
 ]
 [package.extras]
@@ -1010,4 +1010,4 @@ test = ["websockets"]
 [metadata]
 lock-version = "2.1"
 python-versions = "^3.9, <3.13"
-content-hash = "51143e6528a3145577eaa69d4e5529788b1d21c43a452c7ada8950c90a536735"
+content-hash = "fbe1712702d075c0437ba8333eec2846030351c775bde2eb735c5ec0ca7a6f8d"
diff --git a/pyproject.toml b/pyproject.toml
index 5f302b8..97dcab7 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -24,7 +24,7 @@ types-toml = "^0.10.2"
 toml = "^0.10.2"
 hikaru-model-28 = "^1.1.0"
 kubernetes = "^29"
-urllib3 = ">2.6.0"
+urllib3 = ">2.6.2"
 click = "8.1.8"
From 29184ac602fcb3edb8b6a0417a09c6b6234ed233 Mon Sep 17 00:00:00 2001
From: Claude
Date: Thu, 30 Apr 2026 09:00:41 +0000
Subject: [PATCH 2/2] chore: use >=2.6.3 for urllib3 constraint
Switch the operator from > 2.6.2 to >= 2.6.3 to express the CVE-2026-21441 fix version directly.
---
 poetry.lock | 2 +-
 pyproject.toml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/poetry.lock b/poetry.lock
index c632b64..dfad816 100644
--- a/poetry.lock
+++ b/poetry.lock
@@ -1010,4 +1010,4 @@ test = ["websockets"]
 [metadata]
 lock-version = "2.1"
 python-versions = "^3.9, <3.13"
-content-hash = "fbe1712702d075c0437ba8333eec2846030351c775bde2eb735c5ec0ca7a6f8d"
+content-hash = "920eefc8b90638f1bbf55066e748900cefd117942b869c0ef8fd30f893578d2c"
diff --git a/pyproject.toml b/pyproject.toml
index 97dcab7..fbd11f7 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -24,7 +24,7 @@ types-toml = "^0.10.2"
 toml = "^0.10.2"
 hikaru-model-28 = "^1.1.0"
 kubernetes = "^29"
-urllib3 = ">2.6.2"
+urllib3 = ">=2.6.3"
 click = "8.1.8"
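Review bot: The final constraint `urllib3 = ">=2.6.3"` in the pyproject.toml hunk records nothing about why the floor was raised, so a later edit that widens the range can reintroduce CVE-2026-21441 without anyone noticing; a trailing comment on that line would keep the reason next to the value: `urllib3 = ">=2.6.3"  # CVE-2026-21441: vulnerable <2.6.3, do not lower`. The same applies to the intermediate `>2.6.2` form in PATCH 1/2, which this commit replaces, so the comment only needs to land on the final line. As far as the visible hunks show, the pinned `version = "2.6.3"` in poetry.lock is what actually gets installed; this floor only stops a future re-lock from resolving below 2.6.3, which is worth stating in the comment so the two changes are not mistaken for redundant.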