fix: update urllib3 2.2.3 → 2.6.3 and requests 2.32.3 → 2.33.0 #176

Open
aviadhahami wants to merge 2 commits into main from aviad/RUN-627-python-instrumentation-vulnerabilities-c588

Contributor

@aviadhahami aviadhahami commented Mar 29, 2026

Summary

Update vulnerable dependencies urllib3 and requests to fix 7 CVEs (3 High, 4 Medium).

Changes

| Package | Old | New |
| --- | --- | --- |
| urllib3 | 2.2.3 | 2.6.3 |
| requests | 2.32.3 | 2.33.0 |

Both setup.py and requirements.txt updated. Minimum Python version bumped from 3.9 to 3.10 (Python 3.9 is EOL since Oct 2025, and requests 2.33.0 requires >=3.10).

CI workflow updates

  • Dropped Python 3.9 from test/build/integration-test matrices
  • Updated publish workflow to use Python 3.10
  • Regenerated requirements.txt with Python 3.10 (matching CI's check-requirements job)

CVEs Fixed

| Severity | CVE/GHSA | Package |
| --- | --- | --- |
| High | GHSA-gm62-xv2j-4w53 | urllib3 |
| High | GHSA-2xpw-w6gg-jr37 | urllib3 |
| High | GHSA-38jv-5279-wg99 | urllib3 |
| Medium | GHSA-pq67-6m6q-mj2v | urllib3 |
| Medium | GHSA-48p4-8xcf-vxj5 | urllib3 |
| Medium | GHSA-9hjg-9r4m-mvj7 | requests |
| Medium | GHSA-gc5v-m9x4-r6x2 | requests |

RUN-627

Linear Issue: RUN-627


cursoragent and others added 2 commits March 29, 2026 11:04
Fixes 7 CVEs:
- GHSA-gm62-xv2j-4w53 (High) - urllib3
- GHSA-2xpw-w6gg-jr37 (High) - urllib3
- GHSA-38jv-5279-wg99 (High) - urllib3
- GHSA-pq67-6m6q-mj2v (Medium) - urllib3
- GHSA-48p4-8xcf-vxj5 (Medium) - urllib3
- GHSA-9hjg-9r4m-mvj7 (Medium) - requests
- GHSA-gc5v-m9x4-r6x2 (Medium) - requests

RUN-627

Co-authored-by: Aviad Hahami <aviadhahami@users.noreply.github.com>
…ith Python 3.10

requests 2.33.0 requires Python >=3.10, so bump python_requires
and remove 3.9 from all CI workflow matrices.

Co-authored-by: Aviad Hahami <aviadhahami@users.noreply.github.com>
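
A CI-style check for the pins this PR changes, as an added example (not code from this repository): it parses a pip-style requirements.txt and reports urllib3 or requests pins below the versions in the Changes table. The function names and the sample file contents are assumptions constructed for illustration.

```python
import re

# Fixed versions from the PR's "Changes" table.
FLOORS = {"urllib3": (2, 6, 3), "requests": (2, 33, 0)}

# "name==1.2.3", optionally with extras, e.g. "requests[socks]==2.33.0".
# Simplification: pre-release suffixes such as "rc1" are ignored.
PIN_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*==\s*([0-9]+(?:\.[0-9]+)*)"
)

def normalize(name):
    """PEP 503 normalization, so 'URLLib3' and 'urllib3' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_pins(text):
    """Return {normalized_name: version_tuple} for every '==' pin."""
    pins = {}
    for line in text.splitlines():
        match = PIN_RE.match(line.split("#", 1)[0])  # ignore comments
        if match:  # "--hash=..." continuation lines never match
            version = tuple(int(part) for part in match.group(2).split("."))
            pins[normalize(match.group(1))] = version
    return pins

def below_floor(pins, floors=FLOORS):
    """Return one finding per package that is unpinned or pinned too low."""
    findings = []
    for name, floor in floors.items():
        pinned = pins.get(normalize(name))
        if pinned is None:
            findings.append(f"{name}: no == pin found")
            continue
        width = max(len(pinned), len(floor))  # so 2.33 compares equal to 2.33.0
        if pinned + (0,) * (width - len(pinned)) < floor + (0,) * (width - len(floor)):
            have = ".".join(map(str, pinned))
            need = ".".join(map(str, floor))
            findings.append(f"{name}: pinned {have}, need >= {need}")
    return findings

# Constructed sample files (hash values are placeholders, not real digests).
OLD_REQS = r"""
requests==2.32.3 \
    --hash=sha256:PLACEHOLDER
urllib3==2.2.3  # via requests
"""
NEW_REQS = OLD_REQS.replace("2.32.3", "2.33.0").replace("2.2.3", "2.6.3")

if __name__ == "__main__":
    for label, text in (("old", OLD_REQS), ("new", NEW_REQS)):
        print(label, below_floor(parse_pins(text)) or "ok")
```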