Bump urllib3 and gdown to resolve open Dependabot alerts#396
Open
animmosmith wants to merge 3 commits into
Open
Bump urllib3 and gdown to resolve open Dependabot alerts#396animmosmith wants to merge 3 commits into
animmosmith wants to merge 3 commits into
Conversation
Both packages were pinned below their patched versions, so Dependabot couldn't auto-resolve: - urllib3<2.0 blocked CVE-2025-50181's fix (2.5.0) - gdown<5 blocked CVE-2026-40491's fix (5.2.2) urllib3 is only a transitive dependency (not imported directly). gdown is used in exactly one place (exampledata.get_classifier_database_from_pysilcam_blob via download_folder), not the vulnerable extractall() function, and download_folder's signature is unchanged through 6.1.0. Verified by running the full test suite and pipeline-holo.ipynb with urllib3 2.7.0 and gdown 6.1.0 actually installed.
emlynjdavies
previously approved these changes
Jul 6, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Resolves the two currently-open Dependabot alerts:
gdown— path traversal ingdown.extractall()(CVE-2026-40491), fixed in 5.2.2. Thegdown<5ceiling blocked the fix.urllib3— redirects not disabled when retries are disabled onPoolManagerinit (CVE-2025-50181), fixed in 2.5.0. Theurllib3<2.0ceiling blocked the fix.Neither ceiling had a documented reason (no comment, no explanatory commit message); the
urllib3<2.0pin traces back to 2023 and looks like leftover macOS/SSL compatibility cruft.Risk assessment:
urllib3isn't imported directly anywhere inpyopia— transitive dependency only.gdownis used in exactly one place (pyopia/exampledata.py, viagdown.download_folder), not the vulnerableextractall()function.download_folder's call signature is unchanged through the latest 6.1.0.Test plan
urllib3==2.7.0andgdown==6.1.0(latest within the new ranges) and ran the full test suite: 18 passedpipeline-holo.ipynbend-to-end viajupyter nbconvert --executewith the bumped versions installed