Urllib3

Latest version: v2.3.0

Safety actively analyzes 710445 Python packages for vulnerabilities to keep your Python projects secure.

Scan your dependencies

Page 14 of 17

1.8.1

==================

* Fix AppEngine bug of HTTPS requests going out as HTTP. (Issue 356)

* Don't install ``dummyserver`` into ``site-packages`` as it's only needed
for the test suite. (Issue 362)

* Added support for specifying ``source_address``. (Issue 352)

1.8

Not secure
================

* Improved url parsing in ``urllib3.util.parse_url`` (properly parse '' in
username, and blank ports like 'hostname:').

* New ``urllib3.connection`` module which contains all the HTTPConnection
objects.

* Several ``urllib3.util.Timeout``-related fixes. Also changed constructor
signature to a more sensible order. [Backwards incompatible]
(Issues 252, 262, 263)

* Use ``backports.ssl_match_hostname`` if it's installed. (Issue 274)

* Added ``.tell()`` method to ``urllib3.response.HTTPResponse`` which
returns the number of bytes read so far. (Issue 277)

* Support for platforms without threading. (Issue 289)

* Expand default-port comparison in ``HTTPConnectionPool.is_same_host``
to allow a pool with no specified port to be considered equal to to an
HTTP/HTTPS url with port 80/443 explicitly provided. (Issue 305)

* Improved default SSL/TLS settings to avoid vulnerabilities.
(Issue 309)

* Fixed ``urllib3.poolmanager.ProxyManager`` not retrying on connect errors.
(Issue 310)

* Disable Nagle's Algorithm on the socket for non-proxies. A subset of requests
will send the entire HTTP request ~200 milliseconds faster; however, some of
the resulting TCP packets will be smaller. (Issue 254)

* Increased maximum number of SubjectAltNames in ``urllib3.contrib.pyopenssl``
from the default 64 to 1024 in a single certificate. (Issue 318)

* Headers are now passed and stored as a custom
``urllib3.collections_.HTTPHeaderDict`` object rather than a plain ``dict``.
(Issue 329, 333)

* Headers no longer lose their case on Python 3. (Issue 236)

* ``urllib3.contrib.pyopenssl`` now uses the operating system's default CA
certificates on inject. (Issue 332)

* Requests with ``retries=False`` will immediately raise any exceptions without
wrapping them in ``MaxRetryError``. (Issue 348)

* Fixed open socket leak with SSL-related failures. (Issue 344, 348)

1.7.1

Not secure
==================

* Added granular timeout support with new ``urllib3.util.Timeout`` class.
(Issue 231)

* Fixed Python 3.4 support. (Issue 238)

1.7

Not secure
================

* More exceptions are now pickle-able, with tests. (Issue 174)

* Fixed redirecting with relative URLs in Location header. (Issue 178)

* Support for relative urls in ``Location: ...`` header. (Issue 179)

* ``urllib3.response.HTTPResponse`` now inherits from ``io.IOBase`` for bonus
file-like functionality. (Issue 187)

* Passing ``assert_hostname=False`` when creating a HTTPSConnectionPool will
skip hostname verification for SSL connections. (Issue 194)

* New method ``urllib3.response.HTTPResponse.stream(...)`` which acts as a
generator wrapped around ``.read(...)``. (Issue 198)

* IPv6 url parsing enforces brackets around the hostname. (Issue 199)

* Fixed thread race condition in
``urllib3.poolmanager.PoolManager.connection_from_host(...)`` (Issue 204)

* ``ProxyManager`` requests now include non-default port in ``Host: ...``
header. (Issue 217)

* Added HTTPS proxy support in ``ProxyManager``. (Issue 170 139)

* New ``RequestField`` object can be passed to the ``fields=...`` param which
can specify headers. (Issue 220)

* Raise ``urllib3.exceptions.ProxyError`` when connecting to proxy fails.
(Issue 221)

* Use international headers when posting file names. (Issue 119)

* Improved IPv6 support. (Issue 203)

1.6

Not secure
================

* Contrib: Optional SNI support for Py2 using PyOpenSSL. (Issue 156)

* ``ProxyManager`` automatically adds ``Host: ...`` header if not given.

* Improved SSL-related code. ``cert_req`` now optionally takes a string like
"REQUIRED" or "NONE". Same with ``ssl_version`` takes strings like "SSLv23"
The string values reflect the suffix of the respective constant variable.
(Issue 130)

* Vendored ``socksipy`` now based on Anorov's fork which handles unexpectedly
closed proxy connections and larger read buffers. (Issue 135)

* Ensure the connection is closed if no data is received, fixes connection leak
on some platforms. (Issue 133)

* Added SNI support for SSL/TLS connections on Py32+. (Issue 89)

* Tests fixed to be compatible with Py26 again. (Issue 125)

* Added ability to choose SSL version by passing an ``ssl.PROTOCOL_*`` constant
to the ``ssl_version`` parameter of ``HTTPSConnectionPool``. (Issue 109)

* Allow an explicit content type to be specified when encoding file fields.
(Issue 126)

* Exceptions are now pickleable, with tests. (Issue 101)

* Fixed default headers not getting passed in some cases. (Issue 99)

* Treat "content-encoding" header value as case-insensitive, per RFC 2616
Section 3.5. (Issue 110)

* "Connection Refused" SocketErrors will get retried rather than raised.
(Issue 92)

* Updated vendored ``six``, no longer overrides the global ``six`` module
namespace. (Issue 113)

* ``urllib3.exceptions.MaxRetryError`` contains a ``reason`` property holding
the exception that prompted the final retry. If ``reason is None`` then it
was due to a redirect. (Issue 92, 114)

* Fixed ``PoolManager.urlopen()`` from not redirecting more than once.
(Issue 149)

* Don't assume ``Content-Type: text/plain`` for multi-part encoding parameters
that are not files. (Issue 111)

* Pass `strict` param down to ``httplib.HTTPConnection``. (Issue 122)

* Added mechanism to verify SSL certificates by fingerprint (md5, sha1) or
against an arbitrary hostname (when connecting by IP or for misconfigured
servers). (Issue 140)

* Streaming decompression support. (Issue 159)

1.5

Not secure
================

* Added ``urllib3.add_stderr_logger()`` for quickly enabling STDERR debug
logging in urllib3.

* Native full URL parsing (including auth, path, query, fragment) available in
``urllib3.util.parse_url(url)``.

* Built-in redirect will switch method to 'GET' if status code is 303.
(Issue 11)

* ``urllib3.PoolManager`` strips the scheme and host before sending the request
uri. (Issue 8)

* New ``urllib3.exceptions.DecodeError`` exception for when automatic decoding,
based on the Content-Type header, fails.

* Fixed bug with pool depletion and leaking connections (Issue 76). Added
explicit connection closing on pool eviction. Added
``urllib3.PoolManager.clear()``.

* 99% -> 100% unit test coverage.

Page 14 of 17

© 2025 Safety CLI Cybersecurity Inc. All Rights Reserved.