[FIX] Unblock urllib3 2.x via google-auth bump (clear urllib3 Dependabot alerts)#2042
jaseemjaskp merged 5 commits into Zipstack/unstract:main from Zipstack/unstract:fix/dependabot-urllib3-protobuf
…ndabot alerts)

urllib3 was held at 1.26.20 across root/backend/workers/connectors because google-auth==2.20.0 (pinned in unstract-connectors) requires urllib3<2.0. google-auth>=2.22.0 drops that cap, letting urllib3 resolve to 2.7.0 and clearing the urllib3 high-severity alerts (header leakage on redirects, decompression-bomb bypass, unbounded decompression chain).

- unstract/connectors/pyproject.toml: google-auth==2.20.0 -> >=2.22.0
- root/backend/workers/connectors uv.lock: urllib3 1.26.20 -> 2.7.0, google-auth 2.20.0 -> 2.53.0 (cachetools dropped — no longer a hard dep of google-auth 2.53)

Verified: all 4 locks pass 'uv lock --check'; connectors env smoke test imports urllib3 2.7.0, google.auth, google.cloud.bigquery, pymysql cleanly.

Deferred (NOT in this PR): protobuf 5.x is still capped <5 by additional google/grpc libraries (beyond google-cloud-bigquery) and is a major-version jump; protobuf stays on the 4.25.x LTS line for now.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@unstract/connectors/pyproject.toml`:

- Line 25: Update the inline comment on the dependency entry `google-auth>=2.22.0` to remove the incorrect claim that it "drops the urllib3<2 cap" (google-auth==2.22.0 still pins urllib3<2.0); instead note that upgrading to a google-auth version that truly allows urllib3>=2 is required to lift that cap. Also audit any direct use of `urllib3.util.Retry` in your codebase: replace deprecated parameters such as `method_whitelist` with `allowed_methods` and update any references to renamed `DEFAULT_*` constants to their urllib3 2.0 equivalents so `Retry` construction is compatible with urllib3 2.x.
⛔ Files ignored due to path filters (4)

- backend/uv.lock is excluded by !**/*.lock
- unstract/connectors/uv.lock is excluded by !**/*.lock
- uv.lock is excluded by !**/*.lock
- workers/uv.lock is excluded by !**/*.lock

📒 Files selected for processing (1)

- unstract/connectors/pyproject.toml
| Filename | Overview |
|---|---|
| unstract/connectors/pyproject.toml | Loosens google-auth pin from ==2.20.0 to >=2.22.0,<3 with an explanatory comment; minor version note inaccuracy in the inline comment (says >=2.53, lock resolves 2.55.0, minimum floor is 2.22.0). |
| backend/uv.lock | google-auth bumped 2.20.0→2.55.0, urllib3 bumped 1.26.20→2.7.0, cachetools removed (no longer a transitive dep of google-auth 2.55); cryptography added as google-auth dep. |
| unstract/connectors/uv.lock | Same three-package change as backend: google-auth 2.55.0, urllib3 2.7.0, cachetools removed; lock is internally consistent. |
| uv.lock | Root workspace lock updated consistently with the same three-package change; no unexpected cascade. |
| workers/uv.lock | Workers lock updated consistently; same surgical three-package change as the other three lock files. |
Flowchart

```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
A["pyproject.toml\ngoogle-auth ==2.20.0\n(urllib3<2 cap)"] -->|"Bump to >=2.22.0,<3"| B["google-auth 2.55.0\n(no urllib3<2 constraint)"]
B --> C["urllib3 2.7.0\n(CVEs cleared)"]
B --> D["cryptography added\n(replaces rsa)"]
B --> E["cachetools removed\n(no longer required)"]
C --> F["All 4 uv.lock files\nbackend / connectors\nworkers / root"]
```
Reviews (4): Last reviewed commit: "Merge branch 'main' into fix/dependabot-..."
jaseemjaskp left a comment
Automated review (PR Review Toolkit). This is a clean, internally-consistent dependency bump; the 4 lock files match each other and the pyproject change, and platform-service/prompt-service/sdk1 were correctly left untouched (they already resolve urllib3 2.7.0). One line carries two minor, non-blocking points below — distinct from the floor-version question @coderabbitai already raised.
Address PR review: the '>=2.22 drops urllib3<2 cap' comment was wrong (2.22.0 still pins urllib3<2; google-auth 2.53 resolved in lock has no urllib3 dep at all). Also cap the only unbounded specifier in the block.
…3-protobuf

```
# Conflicts:
# backend/uv.lock
# unstract/connectors/uv.lock
# uv.lock
# workers/uv.lock
```
What
Unblocks urllib3 1.26.20 → 2.7.0 across root / backend / workers / connectors by lifting the constraint that pinned it to the 1.x line.
- `unstract/connectors/pyproject.toml`: `google-auth==2.20.0` → `google-auth>=2.22.0`
- `uv.lock`, `backend/uv.lock`, `workers/uv.lock`, `unstract/connectors/uv.lock`: urllib3 → 2.7.0, google-auth → 2.53.0 (cachetools dropped — no longer a hard dep of google-auth 2.53)

Why
urllib3 was held at 1.26.20 everywhere, and its CVEs (sensitive-header leakage across redirects, decompression-bomb bypass, unbounded decompression chain) have no 1.26.x patch — the fixes exist only in 2.x. The resolver was capped by a single pin:
`google-auth==2.20.0`, which declares `urllib3<2.0`. `google-auth>=2.22.0` removed that cap, so urllib3 resolves to 2.7.0 and the alerts clear. It was the only `urllib3<2` constraint in the graph (verified by forcing `urllib3>=2.7.0` and reading the resolver conflict).

How

- `urllib3>=2.7.0` into the resolver until it named `google-auth==2.20.0`.
- `google-cloud-bigquery` pinned, since the remaining protobuf cap is separate (see below).
- `>=` matches existing repo style (`boto3~=`, `httpx>=`, `croniter>=`, …).

Can this PR break any existing features? If yes, please list possible items. If no, please explain why. (PS: Admins do not merge the PR without this section filled)
This is the highest-risk PR in the Dependabot series and should get real integration testing before merge. It changes the HTTP layer (urllib3 1.x → 2.x) and the GCP auth library (google-auth 2.20 → 2.53), both used across the cloud connectors (GCS, BigQuery, GCP-auth) and anything doing HTTP via requests/botocore/etc.
Mitigating evidence:
- `uv lock --check`.
- `urllib3` 2.7.0, `google.auth`, `google.cloud.bigquery`, `pymysql` all import cleanly.

👉 Please exercise the cloud connectors (GCS / BigQuery / GCP auth) and any outbound-HTTP paths in CI/staging. A full local run isn't possible (backend env blocked by the unrelated django-celery-beat 2.5.0 wheel quirk); connectors-level imports are verified but live auth/transfer flows are not.
Database Migrations
None.
Env Config
None.
Relevant Docs
urllib3 2.0 migration guide · google-auth changelog
Related Issues or PRs
Final PR of the Dependabot remediation series (#2038 frontend, #2039 python-transitive, #2040 Django, #2041 Authlib/PyMySQL).
Deferred — protobuf 5.x
protobuf is still capped `<5` by additional google/grpc libraries (beyond `google-cloud-bigquery`, which this PR leaves pinned), and 4 → 5 is a major-version jump. It stays on the 4.25.x LTS line (latest patch), which carries the relevant backported fixes. Moving to 5.x warrants its own PR with a coordinated google-cloud / grpcio upgrade + testing.

Dependencies Versions
urllib3 1.26.20 → 2.7.0 · google-auth 2.20.0 → 2.53.0
Notes on Testing
`uv lock --check` on all 4 workspaces ✓

Screenshots
N/A — dependency change.
Checklist
I have read and understood the Contribution Guidelines.
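One way to check the "all 4 locks" claim mechanically, as an added example that is not code from this PR or the Unstract project: the script reads each uv.lock's `[[package]]` tables with the standard library only and reports urllib3's resolved version plus the packages that pull it in, so a workspace still on 1.26.x (and the dependent that caps it) stands out. The lock fragments embedded below are constructed for illustration, not the repository's real lock files.

```python
import re

# Added example, not code from the PR. Stdlib only: a line-based read of the
# [[package]] tables in uv.lock (name, version, dependencies) is enough here.
KV_RE = re.compile(r'^(name|version) = "([^"]+)"$')   # package-level keys
DEP_NAME_RE = re.compile(r'\{ name = "([^"]+)"')       # dependencies array entries


def parse_uv_lock(text):
    """Return {name: (version, [dependency names])} from a uv.lock's [[package]] tables."""
    tables, in_deps = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            tables.append({"name": None, "version": None, "deps": []})
            in_deps = False
        elif not tables or line.startswith("["):  # [package.metadata] etc.: not audited here
            in_deps = False
        elif in_deps or line.startswith("dependencies = ["):
            tables[-1]["deps"] += DEP_NAME_RE.findall(line)
            in_deps = not line.endswith("]")
        else:
            m = KV_RE.match(line)
            if m:
                tables[-1][m.group(1)] = m.group(2)
    return {t["name"]: (t["version"], t["deps"]) for t in tables if t["name"]}


def audit(locks, package, min_major):
    """locks: {workspace label: uv.lock text}. Per workspace: resolved version, whether
    its major version meets the floor, and which packages depend on it directly."""
    report = {}
    for label, text in locks.items():
        pkgs = parse_uv_lock(text)
        version = pkgs.get(package, (None, []))[0]
        major = int(version.split(".")[0]) if version else -1
        report[label] = {
            "version": version,
            "ok": major >= min_major,
            "dependents": sorted(n for n, (_, d) in pkgs.items() if package in d),
        }
    return report


# Constructed lock fragments for illustration, not the repository's real uv.lock.
LOCK_BEFORE = '[[package]]\nname = "google-auth"\nversion = "2.20.0"\ndependencies = [\n    { name = "urllib3" },\n]\n\n[[package]]\nname = "urllib3"\nversion = "1.26.20"\n'
LOCK_AFTER = ('[[package]]\nname = "google-auth"\nversion = "2.53.0"\n\n[[package]]\nname = "requests"\n'
              'version = "2.32.3"\ndependencies = [\n    { name = "urllib3" },\n]\n\n[[package]]\nname = "urllib3"\nversion = "2.7.0"\n')

if __name__ == "__main__":
    for ws, r in audit({"before": LOCK_BEFORE, "after": LOCK_AFTER}, "urllib3", 2).items():
        print(f"{ws}: urllib3 {r['version']} ok={r['ok']} pulled in by {r['dependents']}")
```

Point `audit` at the four real lock files (read as text) to get the same per-workspace report; a `False` under `ok` names the workspace whose resolver is still being capped.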