
Relax urllib3 dependency to support >=2.0 for CVE remediation #4498

Open
@sylviayap

Description

How do you use Sentry?

Sentry Saas (sentry.io)

Version

2.10.0

Steps to Reproduce

  1. Install sentry-sdk in a Python project
  2. Run pip install urllib3==2.5.0 to patch known CVEs
  3. Observe version conflict: sentry-sdk requires urllib3<1.27
  4. Attempt to use security scanning tools like Trivy or pip-audit
  5. Receive vulnerability warnings due to old urllib3==1.26.19

Expected Result

sentry-sdk should allow urllib3>=1.26.5 to permit upgrading to a secure version (e.g., 2.5.0)
This would unblock teams trying to comply with CVE scanning and patching policies

Actual Result

sentry-sdk pins urllib3<1.27, blocking upgrades past 1.26.x
This prevents upgrading to secure versions like 2.5.0, which are required to patch active CVEs, including:
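As an added example (not the reporter's or Sentry's own code), a stdlib-only check that parses installed Requires-Dist metadata and reports which distributions carry a pin excluding a target version, so a team can see what blocks urllib3 2.5.0 before a scanner flags the old release. The CONSTRUCTED_SENTRY_REQUIRES list is constructed here to model the <1.27 pin described above; real pins come from the running environment.

```python
"""Report installed distributions whose Requires-Dist pin blocks a dependency
upgrade (here urllib3 to 2.5.0). Stdlib only, so it runs without `packaging`."""
import re
from importlib import metadata

# Core-metadata requirement shape: name[extras] (specifier) ; marker
_REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*"
                  r"\(?\s*([^;()]*?)\s*\)?\s*(?:;\s*(.*))?$")
_CLAUSE = re.compile(r"^(==|!=|<=|>=|<|>|~=)\s*([0-9][0-9A-Za-z.*]*)$")

def version_tuple(v: str) -> tuple:
    """'1.26.19' -> (1, 26, 19); pre-release tags and '.*' are dropped."""
    m = re.match(r"(\d+(?:\.\d+)*)", v)
    return tuple(int(x) for x in m.group(1).split(".")) if m else (0,)
def _cmp(a: tuple, b: tuple) -> int:
    n = max(len(a), len(b))  # zero-pad so 1.27 compares as 1.27.0
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)
def clause_allows(clause: str, version: str) -> bool:
    """Evaluate one clause such as '<1.27', '~=1.26.5' or '==1.26.*'."""
    m = _CLAUSE.match(clause.strip())
    if not m:
        raise ValueError(f"unsupported clause: {clause!r}")
    op, raw = m.groups()
    v, s = version_tuple(version), version_tuple(raw)
    if op == "~=":  # ~=1.26.5 means >=1.26.5 and ==1.26.*
        return _cmp(v, s) >= 0 and v[:len(s) - 1] == s[:-1]
    if raw.endswith(".*"):  # prefix match for ==/!= wildcards
        return (v[:len(s)] == s) == (op == "==")
    c = _cmp(v, s)
    return {"==": c == 0, "!=": c != 0, "<": c < 0,
            "<=": c <= 0, ">": c > 0, ">=": c >= 0}[op]
def specifier_allows(spec: str, version: str) -> bool:
    """True if every comma-separated clause admits version; '' admits all."""
    return all(clause_allows(c, version) for c in spec.split(",") if c.strip())
def blocking_pins(requires_dist, dep: str, target: str) -> list:
    """(specifier, marker) pairs for dep that exclude target; markers are
    reported, not evaluated, so conditional pins are surfaced as well."""
    reqs = [m for m in map(_REQ.match, requires_dist or ())
            if m and m.group(1).lower().replace("_", "-") == dep.lower()]
    return [(m.group(2), m.group(3)) for m in reqs
            if not specifier_allows(m.group(2), target)]
def find_blockers(dep: str = "urllib3", target: str = "2.5.0") -> dict:
    """Scan the running environment: {distribution name: blocking pins}."""
    found = {d.metadata["Name"]: blocking_pins(
        d.metadata.get_all("Requires-Dist"), dep, target) for d in metadata.distributions()}
    return {name: pins for name, pins in found.items() if pins}

# Constructed Requires-Dist list modelled on the pin described in this issue.
CONSTRUCTED_SENTRY_REQUIRES = ["urllib3>=1.26.11,<1.27", "certifi"]
```

Running `find_blockers()` in a project environment lists every distribution, not only sentry-sdk, whose pin excludes the target, which is the list a team needs before it can raise the urllib3 version a scanner such as pip-audit or Trivy is asking for.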
