[Snyk] Security upgrade urllib3 from 2.0.7 to 2.6.0

[glenn-jocher]

Snyk has created this PR to fix 1 vulnerabilities in the pip dependencies of this project.

Snyk changed the following file(s):

• requirements.txt

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.
• Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

🛠️ PR Summary

_{Made with ❤️ by Ultralytics Actions}

🌟 Summary

🔒 Bumps urllib3 to a secure minimum version to address a Snyk-reported vulnerability.

📊 Key Changes

• Added urllib3>=2.6.0 to requirements.txt (explicit security pin)
• Noted the dependency is “not directly required” and added due to Snyk guidance

🎯 Purpose & Impact

• Improves security posture by ensuring installs use a non-vulnerable urllib3 version 🛡️
• May affect environments that relied on older transitive urllib3 versions (potential compatibility constraints) ⚠️
• No functional code changes expected; impact is limited to dependency resolution 📦

[UltralyticsAssistant]

👋 Hello @glenn-jocher, thank you for submitting a ultralytics/yolov3 🚀 PR! This is an automated message—an engineer will review and help as needed. Please review the checklist below to keep things moving smoothly ✅

-✅ Define a Purpose: Clearly explain the purpose of your fix or feature in your PR description, and link to any relevant issues. Ensure your commit messages are clear, concise, and adhere to the project's conventions.
-✅ Synchronize with Source: Confirm your PR is synchronized with the ultralytics/yolov3 main branch. If it's behind, update it by clicking the 'Update branch' button or by running git pull and git merge main locally.
-✅ Ensure CI Checks Pass: Verify all Ultralytics Continuous Integration (CI) checks are passing. If any checks fail, please address the issues.
-✅ Update Documentation: Update the relevant documentation for any new or modified features.
-✅ Add Tests: If applicable, include or update tests to cover your changes, and confirm that all tests are passing.
-✅ Sign the CLA: Please ensure you have signed our Contributor License Agreement if this is your first Ultralytics PR by writing "I have read the CLA Document and I sign the CLA" in a new message.
-✅ Minimize Changes: Limit your changes to the minimum necessary for your bug fix or feature addition. "It is not daily increase but daily decrease, hack away the unessential. The closer to the source, the less wastage there is." — Bruce Lee

For more guidance, please refer to our Contributing Guide. Don't hesitate to leave a comment if you have any questions. Thank you for contributing to Ultralytics! 🚀

[UltralyticsAssistant]

🔍 PR Review

_{Made with ❤️ by Ultralytics Actions}

Clean, minimal security-driven change. The main risk is compatibility: enforcing urllib3>=2.6.0 globally in requirements.txt can break installs for older Python/OpenSSL environments. If the repo targets such environments, consider adding an environment marker or scoping the pin to avoid unintended installation failures.

💬 Posted 1 inline comment

[UltralyticsAssistant]

💡 MEDIUM: This project may support Python versions where urllib3>=2.6.0 is not installable/compatible (urllib3 2.x has dropped older Python/OpenSSL combos in the past). A hard minimum here can break installs even if the vulnerable transitive path isn’t present. Consider aligning the constraint with the repo’s supported Python range (e.g., conditional marker) or pinning only in the environments that need it (CI/dev), if applicable.