Urllib3

Latest version: v2.3.0

Safety actively analyzes 710445 Python packages for vulnerabilities to keep your Python projects secure.

Scan your dependencies

Page 5 of 17

1.26.10

Not secure
====================

* Removed support for Python 3.5
* Fixed an issue where a ``ProxyError`` recommending configuring the proxy as HTTP
instead of HTTPS could appear even when an HTTPS proxy wasn't configured.

1.26.9

Not secure
===================

* Changed ``urllib3[brotli]`` extra to favor installing Brotli libraries that are still
receiving updates like ``brotli`` and ``brotlicffi`` instead of ``brotlipy``.
This change does not impact behavior of urllib3, only which dependencies are installed.
* Fixed a socket leaking when ``HTTPSConnection.connect()`` raises an exception.
* Fixed ``server_hostname`` being forwarded from ``PoolManager`` to ``HTTPConnectionPool``
when requesting an HTTP URL. Should only be forwarded when requesting an HTTPS URL.

1.26.8

Not secure
===================

* Added extra message to ``urllib3.exceptions.ProxyError`` when urllib3 detects that
a proxy is configured to use HTTPS but the proxy itself appears to only use HTTP.
* Added a mention of the size of the connection pool when discarding a connection due to the pool being full.
* Added explicit support for Python 3.11.
* Deprecated the ``Retry.MAX_BACKOFF`` class property in favor of ``Retry.DEFAULT_MAX_BACKOFF``
to better match the rest of the default parameter names. ``Retry.MAX_BACKOFF`` is removed in v2.0.
* Changed location of the vendored ``ssl.match_hostname`` function from ``urllib3.packages.ssl_match_hostname``
to ``urllib3.util.ssl_match_hostname`` to ensure Python 3.10+ compatibility after being repackaged
by downstream distributors.
* Fixed absolute imports, all imports are now relative.

1.26.7

Not secure
===================

* Fixed a bug with HTTPS hostname verification involving IP addresses and lack
of SNI. (Issue 2400)
* Fixed a bug where IPv6 braces weren't stripped during certificate hostname
matching. (Issue 2240)

1.26.6

Not secure
===================

* Deprecated the ``urllib3.contrib.ntlmpool`` module. urllib3 is not able to support
it properly due to `reasons listed in this issue <https://github.com/urllib3/urllib3/issues/2282>`_.
If you are a user of this module please leave a comment.
* Changed ``HTTPConnection.request_chunked()`` to not erroneously emit multiple
``Transfer-Encoding`` headers in the case that one is already specified.
* Fixed typo in deprecation message to recommend ``Retry.DEFAULT_ALLOWED_METHODS``.

1.26.5

Not secure
===================

* Fixed deprecation warnings emitted in Python 3.10.
* Updated vendored ``six`` library to 1.16.0.
* Improved performance of URL parser when splitting
the authority component.

Page 5 of 17

© 2025 Safety CLI Cybersecurity Inc. All Rights Reserved.