RE: https://hachyderm.io/@github/116088660663888747
@quentinpradet and I can finally share that we participated in Session 3 of the GitHub Secure Open Source Fund. As part of this cohort, we focused on hardening the library's security, setting up a formal Security Policy, and auditing our repository settings.
Open source sustainability isn't just about features; it's about security.
Read more on the blog: https://volochii.dev/blog/github-secure-open-source-session/
Using the new Tachyon profiler coming to Python 3.15 I profiled a one-liner to find a bottleneck, then sped up some 26-year-old code in @pillow!
https://hugovk.dev/blog/2026/faster-pillow/
#Python #python315 #Tachyon #Pillow #PythonPillow #performance
I've finally launched my personal blog! ๐
To kick things off, my first post is the urllib3 2025 Annual Report. We discuss entering the "Billion-a-Month" club, our strengthened security posture, and the road to Python 3.14.
Check it out: https://volochii.dev/blog/urllib3-in-2025/
Welcome to the 2025 annual report for urllib3. Iโm Illia, and this is my first time writing this update for the second most downloaded Python package. Long-time readers will recognize these reports from Seth Larson or Quentin Pradet, but this year Iโm taking the baton to share what weโve been up to. 2025 was a busy year defined by security hardening and future-proofing. We released 5 versions and merged over 100 pull requests, working to secure the library and prepare it for Python 3.14. For the first time ever, urllib3 was installed over 1 billion times per month consistently throughout the last quarter, signaling new levels of adoption for both the Python language and foundational open source libraries like urllib3.
๐ฆ urllib3 2.6.3 is now available!
This release continues our recent series of decompression-related security fixes by mitigating decompression bombs in HTTP redirect responses (see GHSA-38jv-5279-wg99).
Also, the new version avoids indefinite sleeps with big Retry-After values and improves compatibility with popular dependents in Emscripten environments.
๐ฆ urllib3 2.6.0 is now available!
It fixes two high-severity security issues related to decompression of response content.
Additionally, the new version:
- switched to the backports.zstd package for the zstd support on Python 3.13 and before
- added explicit support for Python 3.14 and free threading
- removed two deprecated methods
- fixed a few bugs, added new small features, and improved performance
Check details in our release notes https://github.com/urllib3/urllib3/releases/tag/2.6.0
๐ฆ urllib3 2.5.0 is now available!
It fixes two moderate security issues:
- pool managers now properly control redirects when `retries` is passed โ CVE-2025-50181 (5.3 Medium) reported by Jacob Sandum
- redirects are now controlled by urllib3 in the Node.js runtime โ CVE-2025-50182 (5.3 Medium)
Additionally, the new version adds support for the zstd module in Python 3.14 and fixes issues related to shutting down responses and HTTP tunneling with IPv6.
๐ฆ urllib3 2.4.0 is now available! It hardens certificate verification for Python 3.13+, fixes an Emscripten issue, improves own exceptions, and applies PEP 639.
It's here! The 2024 annual report for #urllib3, a relatively quiet year that included work on HTTP/2 and Web Assembly (WASM). We include our plans for Python 2 deprecation, please take a look. $3,300 worth of bounty issues exist today!
Hugo van Kemenade
Seth Larson
Quentin Pradet