CVS commit: pkgsrc/www/py-urllib3

["Adam Ciarcinski" <adam%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   adam
Date:           Fri May  8 11:58:35 UTC 2026

Modified Files:
        pkgsrc/www/py-urllib3: Makefile distinfo

Log Message:
py-urllib3: updated to 2.7.0

2.7.0 (2026-05-07)

Security

Addressed high-severity security issues.
Impact was limited to specific use cases detailed in the accompanying
advisories; overall user exposure was estimated to be marginal.

- Decompression-bomb safeguards of the streaming API were bypassed:

  1. When ``HTTPResponse.drain_conn()`` was called after the response had been
     read and decompressed partially.
  2. During the second ``HTTPResponse.read(amt=N)`` or
     ``HTTPResponse.stream(amt=N)`` call when the response was decompressed
     using the official `Brotli <https://pypi.org/project/brotli/>`__ library.

  See `GHSA-mf9v-mfxr-j63j <https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j>`__
  for details.

- HTTP pools created using ``ProxyManager.connection_from_url`` did not strip
  sensitive headers specified in ``Retry.remove_headers_on_redirect`` when
  redirecting to a different host.
  (`GHSA-qccp-gfcp-xxvc <https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc>`__)

Deprecations and Removals

- Used ``FutureWarning`` instead of ``DeprecationWarning`` for better
  visibility of existing deprecation notices. Rescheduled the removal of
  deprecated features to version 3.0.
- Removed support for end-of-life Python 3.9.
- Removed support for end-of-life PyPy3.10.
- Bumped the minimum supported pyOpenSSL version to 19.0.0.

Bugfixes

- Fixed a bug where ``HTTPResponse.read(amt=None)`` was ignoring decompressed
  data buffered from previous partial reads.
- Fixed a bug where ``HTTPResponse.read()`` could cache only part of the
  response after a partial read when ``cache_content=True``.
- Fixed ``HTTPResponse.stream()`` and ``HTTPResponse.read_chunked()`` to handle
  ``amt=0``.
- Updated ``_TYPE_BODY`` type alias to include missing ``Iterable[str]``,
  matching the documented and runtime behavior of chunked request bodies.
- Fixed ``LocationParseError`` when paths resembling schemeless URIs were
  passed to ``HTTPConnectionPool.urlopen()``.
- Fixed ``BaseHTTPResponse.readinto()`` type annotation to accept
  ``memoryview`` in addition to ``bytearray``, matching the
  ``io.RawIOBase.readinto`` contract and enabling use with
  ``io.BufferedReader`` without type errors.


To generate a diff of this commit:
cvs rdiff -u -r1.71 -r1.72 pkgsrc/www/py-urllib3/Makefile
cvs rdiff -u -r1.57 -r1.58 pkgsrc/www/py-urllib3/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/www/py-urllib3/Makefile
diff -u pkgsrc/www/py-urllib3/Makefile:1.71 pkgsrc/www/py-urllib3/Makefile:1.72
--- pkgsrc/www/py-urllib3/Makefile:1.71 Wed Jan  7 18:42:04 2026
+++ pkgsrc/www/py-urllib3/Makefile      Fri May  8 11:58:35 2026
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.71 2026/01/07 18:42:04 adam Exp $
+# $NetBSD: Makefile,v 1.72 2026/05/08 11:58:35 adam Exp $
 
-DISTNAME=      urllib3-2.6.3
+DISTNAME=      urllib3-2.7.0
 PKGNAME=       ${PYPKGPREFIX}-${DISTNAME}
 CATEGORIES=    www python
 MASTER_SITES=  ${MASTER_SITE_PYPI:=u/urllib3/}

Index: pkgsrc/www/py-urllib3/distinfo
diff -u pkgsrc/www/py-urllib3/distinfo:1.57 pkgsrc/www/py-urllib3/distinfo:1.58
--- pkgsrc/www/py-urllib3/distinfo:1.57 Wed Jan  7 18:42:04 2026
+++ pkgsrc/www/py-urllib3/distinfo      Fri May  8 11:58:35 2026
@@ -1,5 +1,5 @@
-$NetBSD: distinfo,v 1.57 2026/01/07 18:42:04 adam Exp $
+$NetBSD: distinfo,v 1.58 2026/05/08 11:58:35 adam Exp $
 
-BLAKE2s (urllib3-2.6.3.tar.gz) = 82c42f2b9a36c49b4de453df830899035383b7cb289cc07d0f1ef06255130aa8
-SHA512 (urllib3-2.6.3.tar.gz) = 663c83a78908dac9bb05c7ac833183c2fdc2969d0662d21dd8751ba13c51880ee264f7804760f33ebdabfd1c1f04a5d44171a420396de6ae582f9789801b141c
-Size (urllib3-2.6.3.tar.gz) = 435556 bytes
+BLAKE2s (urllib3-2.7.0.tar.gz) = 45f8c35da649071fb001e268ae37d99b409a39fb7eec3cba65cc2d7b5f027a90
+SHA512 (urllib3-2.7.0.tar.gz) = 6f75e5873f18301de37c0d7f17c726b21c9928f2fe9ec58d843f1172b80be6eb05117bdf7af27dd7eb1ab0175a94e0f49cde01d8d8919f61de8710e163fabc03
+Size (urllib3-2.7.0.tar.gz) = 433602 bytes