
Upgrade setup-chrome and setup-firefox to fix warnings #4973

Merged
illia-v merged 1 commit into urllib3:main from illia-v:upgrade-browser-actions
Apr 29, 2026

illia-v (Member) commented Apr 24, 2026

image

illia-v requested a review from sethmlarson as a code owner April 24, 2026 20:34
illia-v added the Skip Changelog label (Pull requests that don't require a changelog entry) Apr 24, 2026
illia-v requested review from pquentin and shazow as code owners April 24, 2026 20:34
illia-v merged commit 2944b2a into urllib3:main Apr 29, 2026
40 checks passed
illia-v deleted the upgrade-browser-actions branch April 29, 2026 10:41
penberg added a commit to tursodatabase/turso that referenced this pull request May 15, 2026
…abot

Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.6.3 to 2.7.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/urllib3/urllib3/releases">urllib3's
releases</a>.</em></p>
<blockquote>
<h2>2.7.0</h2>
<h2>🚀 urllib3 is fundraising for HTTP/2 support</h2>
<p><a href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3
is raising ~$40,000 USD</a> to release HTTP/2
support and ensure long-term sustainable maintenance of the project
after a sharp decline in financial support. If your company or
organization uses Python and would benefit from HTTP/2 support in
Requests, pip, cloud SDKs, and thousands of other projects <a
href="https://opencollective.com/urllib3">please consider contributing
financially</a> to ensure HTTP/2 support is developed sustainably and
maintained for the long-haul.</p>
<p>Thank you for your support.</p>
<h2>Security</h2>
<p>Addressed high-severity security issues. Impact was limited to
specific use cases detailed in the accompanying advisories; overall user
exposure was estimated to be marginal.</p>
<ul>
<li>
<p>Decompression-bomb safeguards of the streaming API were bypassed:</p>
<ol>
<li>When <code>HTTPResponse.drain_conn()</code> was called after the
response had been read and decompressed partially. (Reported by <a
href="https://github.com/Cycloctane"><code>@​Cycloctane</code></a>)</li>
<li>During the second <code>HTTPResponse.read(amt=N)</code> or
<code>HTTPResponse.stream(amt=N)</code> call when the response was
decompressed using the official <a
href="https://pypi.org/project/brotli/">Brotli</a> library. (Reported by
<a
href="https://github.com/kimkou2024"><code>@​kimkou2024</code></a>)</li>
</ol>
<p>See GHSA-mf9v-mfxr-j63j for details.</p>
</li>
<li>
<p>HTTP pools created using
<code>ProxyManager.connection_from_url</code> did not strip sensitive
headers specified in <code>Retry.remove_headers_on_redirect</code> when
redirecting to a different host. (GHSA-qccp-gfcp-xxvc reported by <a
href="https://github.com/christos-spearbit"><code>@​christos-spearbit</code></a>)</p>
</li>
</ul>
<h2>Deprecations and Removals</h2>
<ul>
<li>Used <code>FutureWarning</code> instead of
<code>DeprecationWarning</code> for better visibility of existing
deprecation notices. Rescheduled the removal of deprecated features to
version 3.0. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3763">urllib3/urllib3#3763</a>)</li>
<li>Removed support for end-of-life Python 3.9. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3720">urllib3/urllib3#3720</a>)</li>
<li>Removed support for end-of-life PyPy3.10. (<a href="https://redirect.github.com/urllib3/urllib3/issues/4979">urllib3/urllib3#4979</a>)</li>
<li>Bumped the minimum supported pyOpenSSL version to 19.0.0. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3777">urllib3/urllib3#3777</a>)</li>
</ul>
<h2>Bugfixes</h2>
<ul>
<li>Fixed a bug where <code>HTTPResponse.read(amt=None)</code> was
ignoring decompressed data buffered from previous partial reads. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3636">urllib3/urllib3#3636</a>)</li>
<li>Fixed a bug where <code>HTTPResponse.read()</code> could cache only
part of the response after a partial read when
<code>cache_content=True</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/4967">urllib3/urllib3#4967</a>)</li>
<li>Fixed <code>HTTPResponse.stream()</code> and
<code>HTTPResponse.read_chunked()</code> to handle <code>amt=0</code>.
(<a href="https://redirect.github.com/urllib3/urllib3/issues/3793">urllib3/urllib3#3793</a>)</li>
<li>Updated <code>_TYPE_BODY</code> type alias to include missing
<code>Iterable[str]</code>, matching the documented and runtime behavior
of chunked request bodies. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3798">urllib3/urllib3#3798</a>)</li>
<li>Fixed <code>LocationParseError</code> when paths resembling
schemeless URIs were passed to
<code>HTTPConnectionPool.urlopen()</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3352">urllib3/urllib3#3352</a>)</li>
<li>Fixed <code>BaseHTTPResponse.readinto()</code> type annotation to
accept <code>memoryview</code> in addition to <code>bytearray</code>,
matching the <code>io.RawIOBase.readinto</code> contract and enabling
use with <code>io.BufferedReader</code> without type errors. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3764">urllib3/urllib3#3764</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/urllib3/urllib3/blob/main/CHANGES.rst">urllib3's changelog</a>.</em></p>
<blockquote>
<h1>2.7.0 (2026-05-07)</h1>
<h2>Security</h2>
<p>Addressed high-severity security issues.
Impact was limited to specific use cases detailed in the accompanying
advisories; overall user exposure was estimated to be marginal.</p>
<ul>
<li>
<p>Decompression-bomb safeguards of the streaming API were bypassed:</p>
<ol>
<li>When <code>HTTPResponse.drain_conn()</code> was called after the
response had been
read and decompressed partially.</li>
<li>During the second <code>HTTPResponse.read(amt=N)</code> or
<code>HTTPResponse.stream(amt=N)</code> call when the response was
decompressed
using the official <code>Brotli
&lt;https://pypi.org/project/brotli/&gt;</code>__ library.</li>
</ol>
<p>See <code>GHSA-mf9v-mfxr-j63j
&lt;https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j&gt;</code>__
for details.</p>
</li>
<li>
<p>HTTP pools created using
<code>ProxyManager.connection_from_url</code> did not strip
sensitive headers specified in
<code>Retry.remove_headers_on_redirect</code> when
redirecting to a different host.
(<code>GHSA-qccp-gfcp-xxvc
&lt;https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc&gt;</code>__)</p>
</li>
</ul>
<h2>Deprecations and Removals</h2>
<ul>
<li>Used <code>FutureWarning</code> instead of
<code>DeprecationWarning</code> for better
visibility of existing deprecation notices. Rescheduled the removal of
deprecated features to version 3.0.
(<code>[#3763](urllib3/urllib3#3763)
&lt;https://github.com/urllib3/urllib3/issues/3763&gt;</code>__)</li>
<li>Removed support for end-of-life Python 3.9.
(<code>[#3720](urllib3/urllib3#3720)
&lt;https://github.com/urllib3/urllib3/issues/3720&gt;</code>__)</li>
<li>Removed support for end-of-life PyPy3.10.
(<code>[#4979](urllib3/urllib3#4979)
&lt;https://github.com/urllib3/urllib3/issues/4979&gt;</code>__)</li>
<li>Bumped the minimum supported pyOpenSSL version to 19.0.0.
(<code>[#3777](urllib3/urllib3#3777)
&lt;https://github.com/urllib3/urllib3/issues/3777&gt;</code>__)</li>
</ul>
<h2>Bugfixes</h2>
<ul>
<li>Fixed a bug where <code>HTTPResponse.read(amt=None)</code> was
ignoring decompressed
data buffered from previous partial reads.
(<code>[#3636](urllib3/urllib3#3636)
&lt;https://github.com/urllib3/urllib3/issues/3636&gt;</code>__)</li>
<li>Fixed a bug where <code>HTTPResponse.read()</code> could cache only
part of the
response after a partial read when <code>cache_content=True</code>.</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="urllib3/urllib3@9a950b92d999f906b6020bb2d1076ee56cddd5d2"><code>9a950b9</code></a> Release 2.7.0</li>
<li><a href="urllib3/urllib3@5ec0de499b9166ca71c65ab04f2a7e4eb0d66fcc"><code>5ec0de4</code></a> Merge commit from fork</li>
<li><a href="urllib3/urllib3@2bdcc44d1e163fb5cc48a8662425e35e15adfe6a"><code>2bdcc44</code></a> Merge commit from fork</li>
<li><a href="urllib3/urllib3@f45b0df09d8620ac6ed0491eb9362c8c87b7bc2c"><code>f45b0df</code></a> Fix a misleading
example for <code>ProxyManager</code> (<a href="https://redirect.github.com/urllib3/urllib3/issues/4970">#4970</a>)</li>
<li><a href="urllib3/urllib3@577193ca029872384f82c133449e0935f6d8a64b"><code>577193c</code></a> Switch to nightly
PyPy3.11 in CI for now (<a href="https://redirect.github.com/urllib3/urllib3/issues/4984">#4984</a>)</li>
<li><a href="urllib3/urllib3@e90af45bb006c3a452a3a21644a2681523f5c7fc"><code>e90af45</code></a> Avoid infinite loop in
<code>HTTPResponse.read_chunked</code> when <code>amt=0</code> (<a href="https://redirect.github.com/urllib3/urllib3/issues/4974">#4974</a>)</li>
<li><a href="urllib3/urllib3@67ed74fdaec6659a6534621ec8e3aaaa6f976210"><code>67ed74f</code></a> Bump dev dependencies
(<a href="https://redirect.github.com/urllib3/urllib3/issues/4972">#4972</a>)</li>
<li><a href="urllib3/urllib3@3abd481097b54d87b574ac7ea593c3f40938a84d"><code>3abd481</code></a> Upgrade mypy to
version 1.20.2 (<a href="https://redirect.github.com/urllib3/urllib3/issues/4978">#4978</a>)</li>
<li><a href="urllib3/urllib3@2b8725dfcac4f21d4d93cc0cc3a64a33af08f890"><code>2b8725d</code></a> Drop support for EOL
PyPy3.10 (<a href="https://redirect.github.com/urllib3/urllib3/issues/4979">#4979</a>)</li>
<li><a href="urllib3/urllib3@2944b2a0a6c573f5548a39cfd17196f98ee21b33"><code>2944b2a</code></a> Upgrade <code>setup-chrome</code> and <code>setup-firefox</code> to fix warnings (<a href="https://redirect.github.com/urllib3/urllib3/issues/4973">#4973</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/urllib3/urllib3/compare/2.6.3...2.7.0">compare
view</a></li>
</ul>
</details>

Closes #7092