urllib3 pinned to <2.4.0 breaks packaging
Is there a more permanent solution to the issues with python 2.4.0+ pending?
https://github.com/kubernetes-client/python/blob/master/requirements.txt#L10
https://bodhi.fedoraproject.org/updates/FEDORA-2025-34e5603fe3
Fedora 43+ has moved to urllib3 2.5.0 so in order to continue packaging the python kubernetes-client will mean carrying a patch to revert this change.
urllib3 versions < 2.5.0 have the following known CVEs:
- CVE-2025-50181
- CVE-2025-50182
Pinning urllib3 to < 2.4.0 also prevents users taking a version which addresses these CVEs.
Is urllib3 >= 2.5.0 support planned?
For reference, these are some of the issues that motivated the original constraint: https://github.com/kubernetes-client/python/issues/2394
The <2.4.0 pin was from https://github.com/kubernetes-client/python/pull/2417.
cc @Tenzer
@Tenzer Based on the description in https://github.com/kubernetes-client/python/pull/2417, could you check if there is a good urllib3 version that is greater than 2.4.0?
/help
@roycaihw: This request has been marked as needing help from a contributor.
Guidelines
Please ensure that the issue body includes answers to the following questions:
- Why are we solving this issue?
- To address this issue, are there any code changes? If there are code changes, what needs to be done in the code and what places can the assignee treat as reference points?
- How can the assignee reach out to you for help?
For more details on the requirements of such an issue, please see here and ensure that they are met.
If this request no longer meets these requirements, the label can be removed
by commenting with the /remove-help command.
In response to this:
@Tenzer Based on the description in https://github.com/kubernetes-client/python/pull/2417, could you check if there is a good urllib3 version that is greater than 2.4.0?
/help
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
@Tenzer Based on the description in #2417, could you check if there is a good urllib3 version that is greater than 2.4.0?
The only more recent urllib3 release, v2.5.0, does not back down on the increased security stance, and I don't imagine it's something they would want to do, since they specifically made the change in v2.4.0 to align with what Python 3.13 does.
In the original discussion about the urllib3 v2.4.0 issue, I suggested that an alternative way to address this could be to add an option to easily disable the extra strictness in urllib3: https://github.com/kubernetes-client/python/issues/2394#issuecomment-2899188514. Perhaps that's an option worth investigating, so the maximum urllib3 version can be removed?
As far as I understand, urllib3 2.4 and above only breaks an edge-case scenario. Could we maybe remove the upper version constraint and instead let those affected pin urllib3 on their side?
Sounds good to me. There's also the workaround mentioned in https://github.com/kubernetes-client/python/issues/2394#issuecomment-2884974440 for disabling the SSL verification for people who are affected.
Solved in https://github.com/kubernetes-client/python/pull/2461
We still need a release to get the solution. When is the next anticipated release?
Just bumping this to see when a release might happen, since this is blocking work/releases for other projects. Thanks.
Just another bump on this to see when a release might happen, since this is blocking work/releases for other projects. Thanks.
/help
https://github.com/kubernetes-client/python/pull/2482
I wonder when it will be released...
Hi! When could we expect a new release? Thanks.
/help
Now we need to allow 2.6.x as well due to two new high-severity CVEs:
- https://avd.aquasec.com/nvd/2025/cve-2025-66471/
- https://avd.aquasec.com/nvd/2025/cve-2025-66418/
There are also some more minor ones:
- https://avd.aquasec.com/nvd/2025/cve-2025-50182/
- https://avd.aquasec.com/nvd/2025/cve-2025-50181/