Currently taskcat is pinned to versions below v2 of urllib3.
This is causing issues as we use pip-audit in our projects, which is now failing builds due to a couple of new CVEs that impact urllib3 < 2.6.0:

```
Name    Version ID             Fix Versions
------- ------- -------------- ------------
urllib3 1.26.20 CVE-2025-66418 2.6.0
urllib3 1.26.20 CVE-2025-66471 2.6.0
```
Is there a known reason for this specific pin? When I was looking to see where this transitive could have come from, I found that botocore uses a ranged dependency to restrict below 2.x for older Python versions. Would something similar be suitable here?

```
urllib3>=1.25.4,<1.27; python_version<"3.10"
urllib3>=1.25.4,!=2.2.0,<3; python_version>="3.10"
```
I'm aiming to try this out later, but putting this up first in case there are any known reasons for this exact pin.
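As an added illustration that is not part of the original issue, and not code from taskcat or botocore: a small Python script that parses the two botocore-style requirement lines quoted above, evaluates their `python_version` markers, and checks whether the pip-audit fix version 2.6.0 is even selectable under each branch. The parser is a deliberately minimal stand-in for `packaging.requirements` (assumption: only `python_version` markers and plain numeric versions), and `REQUIREMENTS` and `FIX_VERSION` are constructed from the text of the issue.

```python
"""Check which urllib3 pin applies per interpreter and whether a fix version fits.

Added example, not taskcat or botocore code. Simplified PEP 508/440 handling:
only python_version markers and dotted numeric versions are supported.
"""
import re
from typing import List, Optional, Tuple

# Constructed from the two requirement lines quoted in the issue above.
REQUIREMENTS = [
    'urllib3>=1.25.4,<1.27; python_version<"3.10"',
    'urllib3>=1.25.4,!=2.2.0,<3; python_version>="3.10"',
]

# Fix version reported by pip-audit in the issue above.
FIX_VERSION = "2.6.0"

_OPS = {
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}

_CLAUSE = re.compile(r"(==|!=|>=|<=|>|<)\s*([0-9][0-9.]*)")
_MARKER = re.compile(r'python_version\s*(==|!=|>=|<=|>|<)\s*"([0-9.]+)"')


def vtuple(version: str) -> Tuple[int, ...]:
    """Turn '1.26.20' into (1, 26, 20) so '3.10' sorts after '3.9', not before."""
    return tuple(int(part) for part in version.split("."))


def parse_requirement(req: str) -> Tuple[str, List[Tuple[str, str]], Optional[str]]:
    """Split 'name specs; marker' into (name, [(op, version), ...], marker or None)."""
    body, _, marker = req.partition(";")
    match = re.match(r"\s*([A-Za-z0-9_.-]+)\s*(.*)", body)
    assert match is not None, f"cannot parse requirement: {req!r}"
    name, spec = match.group(1), match.group(2)
    return name, _CLAUSE.findall(spec), marker.strip() or None


def marker_applies(marker: Optional[str], python_version: str) -> bool:
    """Evaluate a python_version marker against an interpreter version string."""
    if marker is None:
        return True
    match = _MARKER.fullmatch(marker)
    if match is None:
        raise ValueError(f"unsupported marker: {marker!r}")
    op, pinned = match.groups()
    return _OPS[op](vtuple(python_version), vtuple(pinned))


def satisfies(clauses: List[Tuple[str, str]], version: str) -> bool:
    """True when a candidate version meets every specifier clause."""
    return all(_OPS[op](vtuple(version), vtuple(bound)) for op, bound in clauses)


def active_requirement(python_version: str, reqs: List[str] = REQUIREMENTS) -> Optional[str]:
    """Return the requirement line whose marker matches this interpreter, if any."""
    for req in reqs:
        _, _, marker = parse_requirement(req)
        if marker_applies(marker, python_version):
            return req
    return None


def fix_reachable(python_version: str, fix_version: str = FIX_VERSION) -> bool:
    """Can a resolver on this Python pick the patched urllib3 under these pins?"""
    req = active_requirement(python_version)
    if req is None:
        return False
    _, clauses, _ = parse_requirement(req)
    return satisfies(clauses, fix_version)


if __name__ == "__main__":
    for py in ("3.9", "3.10", "3.12"):
        print(f"python {py}: {active_requirement(py)} -> fix reachable: {fix_reachable(py)}")
```

Running it shows the trade-off in the proposal: on Python 3.10 and later the second line admits 2.6.0, but on 3.9 the `<1.27` branch keeps urllib3 on 1.26.x, so pip-audit would still report the two findings there.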