Skip to content

chore: upgrade urllib3 to 2.6.0+ and update dependencies #292

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
sankeyraut wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore: upgrade urllib3 to 2.6.0+ and update dependencies #292

sankeyraut wants to merge 1 commit into from

Conversation

@sankeyraut
Copy link

@sankeyraut sankeyraut commented Dec 26, 2025

Summary

Upgrade urllib3 to version 2.6.0 or greater across all Lambda functions to address security vulnerabilities and ensure compatibility.

Changes

Dependency Updates (all 7 Lambda functions)

Package Old Version New Version
urllib3 2.2.3 (transitive) >=2.6.0,<3 (explicit, locked to 2.6.2)
requests ^2.32.3 ^2.32.5
boto3 ^1.35.30 ^1.38.0
moto ^4.1.4 ^5.0.0

Test Code Migration (moto 5.x breaking changes)

Updated test files to use unified mock_aws decorator instead of individual mocks (mock_s3, mock_wafv2, mock_dynamodb, etc.):

  • source/access_handler/test/conftest.py
  • source/custom_resource/test/conftest.py
  • source/helper/test/conftest.py
  • source/helper/test/test_stack_requirements.py
  • source/ip_retention_handler/test/conftest.py
  • source/log_parser/test/conftest.py

Affected Lambda Functions

  • access_handler
  • custom_resource
  • helper
  • ip_retention_handler
  • log_parser
  • reputation_lists_parser
  • timer

Testing

✅ All 100 unit tests pass across all Lambda functions:

Lambda Tests Status
access_handler 3 ✅ Passed
custom_resource 32 ✅ Passed
helper 15 ✅ Passed
ip_retention_handler 18 ✅ Passed
log_parser 28 ✅ Passed
reputation_lists_parser 3 ✅ Passed
timer 1 ✅ Passed

Transitive Dependency Compatibility

All parent packages support urllib3 2.6.0+:

  • requests 2.32.5 → urllib3 <3,>=1.21.1 ✓
  • boto3 1.42.16 → botocore → urllib3 !=2.2.0,<3,>=1.25.4 ✓
  • moto 5.1.18 → responses 0.25.3 → urllib3 <3.0,>=1.25.10 ✓

Checklist

  • Updated pyproject.toml for all 7 Lambda functions
  • Regenerated poetry.lock files
  • Migrated test code for moto 5.x compatibility
  • All unit tests pass

@sankeyraut
chore: upgrade urllib3 to >=2.6.0 for security compliance
1ec4761 
## Summary
Upgrade urllib3 from ^2.5.0 to >=2.6.0,<3 across all Lambda functions.

## Changes
- Updated urllib3 constraint in all 7 pyproject.toml files
- Regenerated poetry.lock files (urllib3 locked to 2.6.2)

## Affected Lambda Functions
- custom_resource
- helper
- ip_retention_handler
- log_parser
- metrics
- reputation_lists_parser
- timer

## Testing
All 140 unit tests pass.
@sankeyraut sankeyraut force-pushed the urllib3-upgrade-2.6.0 branch from 4ea40ad to 1ec4761 Compare December 26, 2025 12:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@sankeyraut