Relax urllib3 dependency to support >=2.0 for CVE remediation #4498

Closed as not planned
@sylviayap

Description


How do you use Sentry?

Sentry Saas (sentry.io)

Version

2.10.0

Steps to Reproduce

  1. Install sentry-sdk in a Python project
  2. Run pip install urllib3==2.5.0 to patch known CVEs
  3. Observe version conflict: sentry-sdk requires urllib3<1.27
  4. Attempt to use security scanning tools like Trivy or pip-audit
  5. Receive vulnerability warnings due to old urllib3==1.26.19

Expected Result

sentry-sdk should allow urllib3>=1.26.5 to permit upgrading to a secure version (e.g., 2.5.0).
This would unblock teams trying to comply with CVE scanning and patching policies.

Actual Result

sentry-sdk pins urllib3<1.27, blocking upgrades past 1.26.x.
This prevents upgrading to secure versions like 2.5.0, which are required to patch active CVEs, including:
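The conflict described in this issue comes down to a pip requirement specifier refusing the version a vulnerability scan asks for. The following is an added example (not sentry-sdk's own code) that evaluates a pin such as urllib3<1.27 against candidate versions, using only the standard library; it assumes plain dotted release versions (1.26.19, 2.5.0) and does not handle pre-release tags.

```python
import operator
import re

# Comparison operators allowed in a specifier clause (PEP 440 subset).
_OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
        ">=": operator.ge, "==": operator.eq, "!=": operator.ne}
_VERSION_RE = re.compile(r"\d+(?:\.\d+)*")
_CLAUSE_RE = re.compile(r"^(<=|>=|==|!=|<|>)\s*(\d+(?:\.\d+)*)$")

def parse_version(text):
    """'1.26.19' -> (1, 26, 19). Plain release segments only; no pre-release tags."""
    if not _VERSION_RE.fullmatch(text.strip()):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(p) for p in text.strip().split("."))

def _padded(a, b):
    """Zero-pad so 1.27 and 1.27.0 compare equal, as PEP 440 requires."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))

def parse_requirement(req):
    """'urllib3>=1.26.5,<3' -> ('urllib3', [('>=', (1, 26, 5)), ('<', (3,))])."""
    m = re.match(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$", req)
    if not m:
        raise ValueError(f"cannot parse requirement: {req!r}")
    name, clauses = m.group(1).lower(), []
    for clause in filter(None, (c.strip() for c in m.group(2).split(","))):
        cm = _CLAUSE_RE.match(clause)
        if not cm:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        clauses.append((cm.group(1), parse_version(cm.group(2))))
    return name, clauses

def satisfies(req, version):
    """True if every clause of `req` admits `version` (no clauses admits everything)."""
    _, clauses = parse_requirement(req)
    v = parse_version(version)
    return all(_OPS[op](*_padded(v, bound)) for op, bound in clauses)

def blocked_fixes(pin, required):
    """Versions a scanner asks for that the pin would refuse to install."""
    return [v for v in required if not satisfies(pin, v)]

if __name__ == "__main__":
    # Constructed from the issue text: current pin, proposed pin, versions in play.
    print(blocked_fixes("urllib3<1.27", ["1.26.19", "2.5.0"]))     # ['2.5.0']
    print(blocked_fixes("urllib3>=1.26.5", ["1.26.19", "2.5.0"]))  # []
```

Running such a check over a lockfile before a dependency bump shows which pins stand between a project and a patched release, so the conflict surfaces in review rather than as a failed pip resolve.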
