gemini-code-assist[bot] commented on code in PR #38467:
URL: https://github.com/apache/beam/pull/38467#discussion_r3226976614


##########
sdks/python/container/ml/py310/base_image_requirements.txt:
##########
@@ -222,7 +222,7 @@ typing_extensions==4.15.0
 tzdata==2025.3
 tzlocal==5.3.1
 uritemplate==4.2.0
-urllib3==2.6.3
+urllib3==2.7.0
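Review bot: bumping the pin in this one container file applies the security update only partially; the same `urllib3==2.6.3` line in every other base and GPU requirements file should change in the same PR, and the new `2.7.0` pin should be confirmed to resolve against the index the image build uses (for example `pip download urllib3==2.7.0 --no-deps`) before merging, because a pin that does not resolve fails the container build rather than the Python tests.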

Review Comment:

![security-high](https://www.gstatic.com/codereviewagent/security-high-priority.svg) ![high](https://www.gstatic.com/codereviewagent/high-priority.svg)

This security update is inconsistent across the container requirement files. The following files are missing from this PR: sdks/python/container/py312/base_image_requirements.txt (Standard Python 3.12) and sdks/python/container/ml/py313/gpu_image_requirements.txt (ML Python 3.13 GPU). Please ensure all relevant containers are updated to maintain a consistent security posture.



##########
sdks/python/container/ml/py310/base_image_requirements.txt:
##########
@@ -222,7 +222,7 @@ typing_extensions==4.15.0
 tzdata==2025.3
 tzlocal==5.3.1
 uritemplate==4.2.0
-urllib3==2.6.3
+urllib3==2.7.0
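Review bot: this is the same hunk as the one above (same file, same `@@ -222,7 +222,7 @@` range), so a single comment on it would do; the one thing left to settle for this line is whether `2.7.0` is a version the index actually serves, which a `pip download urllib3==2.7.0 --no-deps` run in CI would answer.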

Review Comment:

![security-critical](https://www.gstatic.com/codereviewagent/security-critical.svg) ![critical](https://www.gstatic.com/codereviewagent/critical.svg)

The version "2.7.0" for urllib3 does not appear to exist on PyPI (the current latest stable version is 2.3.0). Pinning to a non-existent version will cause container build failures. Please verify the intended version; if this is meant to address recent security advisories, you likely intended to use 2.2.2, 2.2.3, or 2.3.0. Additionally, the previous version 2.6.3 also appears to be non-existent on PyPI, suggesting a systematic typo in these requirement files that should be corrected across all instances.
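As an added example (not Apache Beam's code and not the review bot's), the checks the two comments above ask for, in one small script: it parses exact `name==version` pins out of several requirements files, reports every file where the bumped package is missing or still on the old version, and flags an expected version that the index does not publish. Package names are normalized per PEP 503 so `typing_extensions` and `typing-extensions` count as one project. The file paths are the ones named in this PR; their contents and the `PUBLISHED` set are constructed sample data, so fill `PUBLISHED` from `pip index versions urllib3` before relying on the result.

```python
# Added example, not Apache Beam code: verify that a pinned-dependency security
# bump is applied consistently across several requirements files and that the
# new pin names a version the package index actually publishes.
import re
from typing import Dict, List, Optional, Set

# One "name==version" pin per line; trailing comments, environment markers and
# "--hash" options are ignored. Continuation lines that start with "--hash" do
# not match because the name must begin with an alphanumeric character.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][A-Za-z0-9.!+-]*)")


def normalize_name(name: str) -> str:
    """PEP 503 normalization: 'Typing_Extensions' and 'typing-extensions' are one project."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_pins(text: str) -> Dict[str, str]:
    """Return {normalized_name: version} for every exact pin in a requirements file."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        m = PIN_RE.match(line)
        if m:
            pins[normalize_name(m.group(1))] = m.group(2)
    return pins


def pinned_versions(files: Dict[str, str], package: str) -> Dict[str, Optional[str]]:
    """Map each file path to the version it pins for `package` (None when absent)."""
    key = normalize_name(package)
    return {path: parse_pins(text).get(key) for path, text in files.items()}


def check_bump(files: Dict[str, str], package: str, expected: str,
               published: Set[str]) -> List[str]:
    """Return findings as strings; an empty list means the bump is consistent and resolvable."""
    findings: List[str] = []
    if expected not in published:
        findings.append(f"{package}=={expected} is not a published version; "
                        "the container build will fail to resolve it")
    for path, version in sorted(pinned_versions(files, package).items()):
        if version is None:
            findings.append(f"{path}: no pin for {package}")
        elif version != expected:
            findings.append(f"{path}: still pins {package}=={version}, expected {expected}")
    return findings


# Constructed sample data: the paths are those named in the PR, the contents are
# not Beam's real files. Two files carry the bump, one was left behind, one has
# no pin for the package at all.
SAMPLE_FILES = {
    "sdks/python/container/ml/py310/base_image_requirements.txt": "tzdata==2025.3\nurllib3==2.7.0\n",
    "sdks/python/container/py314/base_image_requirements.txt": "typing_extensions==4.15.0\nurllib3==2.7.0\n",
    "sdks/python/container/py312/base_image_requirements.txt": "tzdata==2025.3\nurllib3==2.6.3\n",
    "sdks/python/container/ml/py313/gpu_image_requirements.txt": "tzdata==2025.3\n",
}

# Constructed placeholder for the index's published versions; in practice fill
# this from `pip index versions urllib3` (or the PyPI JSON API) at check time.
PUBLISHED = {"2.6.3", "2.7.0"}

if __name__ == "__main__":
    for finding in check_bump(SAMPLE_FILES, "urllib3", "2.7.0", PUBLISHED):
        print(finding)
```

Run as a CI step over the real files, a non-empty findings list is the signal to fail the job: a bump that reaches only some container images leaves the others on the advisory-affected version while the PR title says the fix landed.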



##########
sdks/python/container/py314/base_image_requirements.txt:
##########
@@ -184,7 +184,7 @@ tqdm==4.67.3
 typing-inspection==0.4.2
 typing_extensions==4.15.0
 tzdata==2025.3
-urllib3==2.6.3
+urllib3==2.7.0
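Review bot: the py314 file gets the same `2.6.3` to `2.7.0` bump as the py310 ML file, which is right, but the PR carries no reference to the urllib3 release notes or the advisory it addresses; add that to the PR description so a reviewer can tie the chosen version to the fix and confirm that every container requirements file lands on the same version.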

Review Comment:

![security-critical](https://www.gstatic.com/codereviewagent/security-critical.svg) ![critical](https://www.gstatic.com/codereviewagent/critical.svg)

As noted in other files, urllib3==2.7.0 is not a valid version on PyPI. Please correct this to a valid patched version (e.g., 2.3.0) to avoid build failures.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
