Skip to content

Bump urllib3 and gdown to resolve open Dependabot alerts#396

Open
animmosmith wants to merge 3 commits into
mainfrom
dependabot-urllib3-gdown
Open

Bump urllib3 and gdown to resolve open Dependabot alerts#396
animmosmith wants to merge 3 commits into
mainfrom
dependabot-urllib3-gdown

Conversation

@animmosmith

Copy link
Copy Markdown
Collaborator

Summary

Resolves the two currently-open Dependabot alerts:

Neither ceiling had a documented reason (no comment, no explanatory commit message); the urllib3<2.0 pin traces back to 2023 and looks like leftover macOS/SSL compatibility cruft.

Risk assessment:

  • urllib3 isn't imported directly anywhere in pyopia — transitive dependency only.
  • gdown is used in exactly one place (pyopia/exampledata.py, via gdown.download_folder), not the vulnerable extractall() function. download_folder's call signature is unchanged through the latest 6.1.0.

Test plan

  • Installed urllib3==2.7.0 and gdown==6.1.0 (latest within the new ranges) and ran the full test suite: 18 passed
  • Ran pipeline-holo.ipynb end-to-end via jupyter nbconvert --execute with the bumped versions installed

Both packages were pinned below their patched versions, so
Dependabot couldn't auto-resolve:
- urllib3<2.0 blocked CVE-2025-50181's fix (2.5.0)
- gdown<5 blocked CVE-2026-40491's fix (5.2.2)

urllib3 is only a transitive dependency (not imported directly).
gdown is used in exactly one place (exampledata.get_classifier_database_from_pysilcam_blob
via download_folder), not the vulnerable extractall() function, and
download_folder's signature is unchanged through 6.1.0.

Verified by running the full test suite and pipeline-holo.ipynb with
urllib3 2.7.0 and gdown 6.1.0 actually installed.
emlynjdavies
emlynjdavies previously approved these changes Jul 6, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants