
Project specified python version: 3.7.9

urllib3 version from Pipfile.lock: "version": "==1.25.11"

Due to a security problem I want to update urllib3 to ">=1.26.5"

As this comes with Python, and we can't upgrade Python right now, I wanted to bump it separately. I'm fairly new to Python.

What I tried:

pipenv install urllib3~=1.26.5

What I got:

Resolving dependencies... ✘ Locking Failed! Warning: Your dependencies could not be resolved. You likely have a mismatch in your sub-dependencies.

Is it not possible to upgrade urllib3 without bumping my Python version? If it is possible, what am I doing wrong? I also checked that pipenv was up to date.

alichur
    `pipenv update`? – drum Jul 26 '21 at 04:13
  • pipenv update ran successfully, but did not update urllib3 to the version needed. I even tried removing it from the lockfile, then running pipenv update, but it just goes back to 1.25.11 – alichur Jul 26 '21 at 05:21
  • You seem to have a library that explicitly requires a `urllib3` version other than 1.26.5. If you find it there might be a chance that it can be upgraded as well. – Klaus D. Jul 26 '21 at 06:14
  • Hi Klaus, I don't think it's a library requirement, it's just a security vulnerability in the old version that I would like to avoid as per the link above – alichur Jul 26 '21 at 21:19

1 Answer

I had the same problem; I just updated my requests version in the Pipfile from

requests = "==2.22.0"

to

requests = "==2.27.1"

Because urllib3 is usually a dependency of requests, it should solve the problem.

If that doesn't solve the problem, you could use pipenv graph to find the dependency that depends on <1.26.5.

littleali
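As an added example (not the answerer's or pipenv's own code), here is a script that does the `pipenv graph` check mechanically: it reads `pipenv graph --json` output and reports every package whose requirement on urllib3 rejects the version you want. It assumes the JSON shape pipenv inherits from pipdeptree (`package` / `dependencies` entries with `key`, `installed_version`, `required_version`) and ships a constructed sample graph so it runs offline.

```python
import json, sys
# Constructed sample in the shape `pipenv graph --json` emits (not the asker's
# real environment): requests 2.22.0 caps urllib3 below 1.26, botocore does not.
SAMPLE_GRAPH = json.dumps([
    {"package": {"key": "requests", "installed_version": "2.22.0"}, "dependencies": [
        {"key": "urllib3", "installed_version": "1.25.11", "required_version": ">=1.21.1,<1.26,!=1.25.0,!=1.25.1"}]},
    {"package": {"key": "botocore", "installed_version": "1.20.0"}, "dependencies": [
        {"key": "urllib3", "installed_version": "1.25.11", "required_version": ">=1.25.4,<1.27"}]},
])
OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b,
       ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, "<": lambda a, b: a < b}

def parse_version(text):
    """Dotted numeric versions only (1.26.5); pre-release tags are not handled."""
    return tuple(int(part) for part in text.strip().split("."))

def compare(op, left, right):
    # Zero-pad so 1.26 and 1.26.0 compare equal, as PEP 440 requires.
    width = max(len(left), len(right))
    return OPS[op](left + (0,) * (width - len(left)),
                   right + (0,) * (width - len(right)))

def satisfies(version, spec):
    """True if `version` meets every comma-separated clause of `spec`
    (==, !=, >=, <=, >, <, ~=); an unconstrained edge is printed as "Any"."""
    if not spec or spec == "Any":
        return True
    v = parse_version(version)
    for clause in (c.strip() for c in spec.split(",")):
        if clause.startswith("~="):  # ~=1.26.5 means >=1.26.5,<1.27
            low = parse_version(clause[2:])
            if not (compare(">=", v, low) and compare("<", v, low[:-2] + (low[-2] + 1,))):
                return False
            continue
        op = next(o for o in OPS if clause.startswith(o))  # two-char ops are tried first
        if not compare(op, v, parse_version(clause[len(op):])):
            return False
    return True

def find_blockers(graph_json, package, wanted):
    """(dependant, its version, its requirement) for each edge that rejects `wanted`."""
    return [(n["package"]["key"], n["package"]["installed_version"], d["required_version"])
            for n in json.loads(graph_json) for d in n["dependencies"]
            if d["key"] == package and not satisfies(wanted, d.get("required_version"))]

if __name__ == "__main__":  # pipe real data in: pipenv graph --json | python find_blockers.py
    graph = SAMPLE_GRAPH if sys.stdin.isatty() else sys.stdin.read()
    for name, ver, req in find_blockers(graph, "urllib3", "1.26.5"):
        print(f"{name}=={ver} requires urllib3{req}: blocks 1.26.5")
```

Each line it prints names a package you need to bump (or replace) before the lock can move urllib3 to 1.26.5; an empty result means the pin is coming from your own Pipfile rather than a sub-dependency.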