Upgrade to urllib3 to v2.x.x

[di]

What's the problem this feature will solve?

Currently pip vendors the urllib3 1.26.x version branch as a dependency of requests:

pip/src/pip/_vendor/vendor.txt

Lines 8 to 11 in 5fb46a3

	requests==2.32.3
	certifi==2024.7.4
	idna==3.7
	urllib3==1.26.18

Since requests==2.30.0, requests has been compatible with urllib3>=2.0: psf/requests#6432 (comment)

This will upgrade a vendored dependency and unblock issues such as #11153.

Describe the solution you'd like

Upgrade the vendored version of urllib3 to a release on the v2.x.x release branch, preferably urllib3==2.2.2 (the latest current release) if possible.

Alternative Solutions

Remain on the v1.x.x branch indefinitely.

Additional context

I couldn't find any issue discussing upgrading this specific dependency.

Code of Conduct

• I agree to follow the PSF Code of Conduct.

[notatallshaw]

Last I checked this was blocked until pip dropped Python 3.9 support, which won't be at least until the end of 2025.

Please read the details here: #12026 (comment)

[di]

Ah, thats unfortunate. Thanks for the pointer, I'll leave this open until we can resolve it by dropping support for 3.9.

[notatallshaw]

I never quite understood what the failure case is, so I just skimmed through urllib3/urllib3#2168, it seems that if a user installs urllib3 2+ and does not have OpenSSL 1.1.1 or newer they get an error like:

[ERROR] Runtime.ImportModuleError: Unable to import module 'function': urllib3 v2.0 only supports OpenSSL 1.1.1+, currently the 'ssl' module is compiled with 'OpenSSL 1.0.2k-fips 26 Jan 2017'. See: urllib3/urllib3#2168

They are then advised to either pin to urllib3 < 2 or upgrade their environment to have OpenSSL 1.1.1+. For urllib3 this is sufficent enough of an edge case and users have recourse to fix things. But for pip users who hit this they would have no way to vendor a different version of urllib3, and their pip installation would be broken and they would be unable to downgrade pip using pip.

I mention this, because it's possible that the CI could pass on urllib3 2+ right now if all the relevant Python installs use OpenSSL 1.1.1+. It should still not be treated as a success.

[pradyunsg]

x-ref #12026