Urllib3

Latest version: v2.3.0

Safety actively analyzes 710445 Python packages for vulnerabilities to keep your Python projects secure.

Scan your dependencies

Page 2 of 17

2.0.7

Not secure
==================

* Made body stripped from HTTP requests changing the request method to GET after HTTP 303 "See Other" redirect responses.

2.0.6

Not secure
==================

* Added the ``Cookie`` header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via ``Retry.remove_headers_on_redirect``.

2.0.5

Not secure
==================

- Allowed pyOpenSSL third-party module without any deprecation warning. (`3126 <https://github.com/urllib3/urllib3/issues/3126>`__)
- Fixed default ``blocksize`` of ``HTTPConnection`` classes to match high-level classes. Previously was 8KiB, now 16KiB. (`3066 <https://github.com/urllib3/urllib3/issues/3066>`__)

2.0.4

Not secure
==================

- Added support for union operators to ``HTTPHeaderDict`` (`2254 <https://github.com/urllib3/urllib3/issues/2254>`__)
- Added ``BaseHTTPResponse`` to ``urllib3.__all__`` (`3078 <https://github.com/urllib3/urllib3/issues/3078>`__)
- Fixed ``urllib3.connection.HTTPConnection`` to raise the ``http.client.connect`` audit event to have the same behavior as the standard library HTTP client (`2757 <https://github.com/urllib3/urllib3/issues/2757>`__)
- Relied on the standard library for checking hostnames in supported PyPy releases (`3087 <https://github.com/urllib3/urllib3/issues/3087>`__)

2.0.3

Not secure
==================

- Allowed alternative SSL libraries such as LibreSSL, while still issuing a warning as we cannot help users facing issues with implementations other than OpenSSL. (`3020 <https://github.com/urllib3/urllib3/issues/3020>`__)
- Deprecated URLs which don't have an explicit scheme (`2950 <https://github.com/urllib3/urllib3/pull/2950>`_)
- Fixed response decoding with Zstandard when compressed data is made of several frames. (`3008 <https://github.com/urllib3/urllib3/issues/3008>`__)
- Fixed ``assert_hostname=False`` to correctly skip hostname check. (`3051 <https://github.com/urllib3/urllib3/issues/3051>`__)

2.0.2

Not secure
==================

- Fixed ``HTTPResponse.stream()`` to continue yielding bytes if buffered decompressed data
was still available to be read even if the underlying socket is closed. This prevents
a compressed response from being truncated. (`3009 <https://github.com/urllib3/urllib3/issues/3009>`__)

Page 2 of 17

© 2025 Safety CLI Cybersecurity Inc. All Rights Reserved.