From c441004dddd3eb1508d8fd85eb017537d3e822b7 Mon Sep 17 00:00:00 2001
From: Oscar V
Date: Sun, 15 Mar 2026 12:30:53 -0700
Subject: [PATCH] Security: Update urllib3 to v2.6.3 to address high-severity CVEs

Update urllib3 from >=2.5.0 to >=2.6.3 to address multiple vulnerabilities:
- CVE-2026-21441: Decompression-bomb bypass on redirects (streaming API)
- CVE-2025-66471: Streaming API mishandles highly compressed data
- CVE-2025-66418: Unbounded decompression chain links

Bump version to 1.2.4 for security release.
---
 CHANGELOG.md | 8 ++++++++
 pyproject.toml | 4 ++--
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 129d10a..8da51d2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,14 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.2.4] - 2026-03-15
+
+### Security
+- Updated urllib3 from >=2.5.0 to >=2.6.3 to address multiple high-severity vulnerabilities:
+ - CVE-2026-21441: Decompression-bomb safeguards bypassed when following HTTP redirects (streaming API)
+ - CVE-2025-66471: Streaming API improperly handles highly compressed data
+ - CVE-2025-66418: Unbounded number of links in the decompression chain
+
 ## [1.2.3] - 2025-10-27
 
 ### Changed
diff --git a/pyproject.toml b/pyproject.toml
index 1f7b9d3..1a4bdf6 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "purl2src"
-version = "1.2.3"
+version = "1.2.4"
 description = "Translate Package URLs (PURLs) into validated download URLs for source code artifacts"
 readme = "README.md"
 requires-python = ">=3.8"
@@ -30,7 +30,7 @@ classifiers = [
 dependencies = [
 "click>=8.0.0",
 "requests>=2.28.0",
-"urllib3>=2.5.0",
+"urllib3>=2.6.3",
 ]
 
 [project.optional-dependencies]
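Review bot: The new floor `"urllib3>=2.6.3",` in the dependencies hunk is very likely unsatisfiable on Python 3.8, which the first pyproject.toml hunk still advertises through the unchanged context line `requires-python = ">=3.8"`; as far as I recall urllib3 dropped 3.8 support in its 2.3 series, so on a 3.8 interpreter the resolver would find no candidate and the security floor would break the install instead of fixing it. If that holds, raise `requires-python = ">=3.9"` in the same release and remove the matching Python 3.8 entry from `classifiers` (its body lies outside this hunk), or at least record the dropped interpreter in the 1.2.4 changelog entry. A lower bound also only affects fresh resolutions: any constraints or lock file in the repository that pins urllib3 needs the same bump, otherwise existing deployments keep the vulnerable version the commit message is trying to retire.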