🔒 security: upgrade urllib3 to 2.6.2 to fix CVE-2025-66471

Upgrade urllib3 from 2.5.0 to 2.6.2 to address CVE-2025-66471 (GHSA-2xpw-w6gg-jr37), a high-severity vulnerability related to improper handling of highly compressed data in the streaming API.

This vulnerability could lead to excessive CPU and memory consumption when processing highly compressed responses from untrusted sources, potentially causing denial of service.

Fixes: #120
Severity: High (CVSS v4: 8.9)
CWE-409: Improper Handling of Highly Compressed Data

Author: matrixise

requirements/dev.txt

@@ -2,77 +2,79 @@
 #    uv pip compile --output-file requirements/dev.txt requirements/dev.in
 asgiref==3.11.0
     # via
-    #   -c main.txt
+    #   -c requirements/main.txt
     #   django
 boolean-py==5.0
     # via license-expression
-cachecontrol[filecache]==0.14.4
-    # via
-    #   cachecontrol
-    #   pip-audit
+cachecontrol==0.14.4
+    # via pip-audit
 certifi==2025.11.12
     # via
-    #   -c main.txt
+    #   -c requirements/main.txt
     #   requests
 charset-normalizer==3.4.4
     # via
-    #   -c main.txt
+    #   -c requirements/main.txt
     #   requests
 coverage==7.12.0
-    # via -r dev.in
+    # via -r requirements/dev.in
 cyclonedx-python-lib==9.1.0
     # via pip-audit
 defusedxml==0.7.1
     # via
-    #   -c main.txt
+    #   -c requirements/main.txt
     #   py-serializable
 django==5.2.9
     # via
-    #   -c main.txt
+    #   -c requirements/main.txt
     #   django-debug-toolbar
     #   model-mommy
 django-debug-toolbar==6.1.0
-    # via -r dev.in
+    # via -r requirements/dev.in
 factory-boy==3.3.3
-    # via -r dev.in
+    # via -r requirements/dev.in
 faker==39.0.0
     # via factory-boy
 fakeredis==2.32.1
-    # via -r dev.in
+    # via -r requirements/dev.in
 filelock==3.20.1
     # via cachecontrol
 idna==3.11
     # via
-    #   -c main.txt
+    #   -c requirements/main.txt
     #   requests
 isort==7.0.0
-    # via -r dev.in
+    # via -r requirements/dev.in
 license-expression==30.4.4
     # via cyclonedx-python-lib
 markdown-it-py==4.0.0
     # via rich
 mdurl==0.1.2
     # via markdown-it-py
 model-mommy==2.0.0
-    # via -r dev.in
+    # via -r requirements/dev.in
 msgpack==1.1.2
     # via cachecontrol
 packageurl-python==0.17.6
     # via cyclonedx-python-lib
 packaging==25.0
     # via
-    #   -c main.txt
+    #   -c requirements/main.txt
     #   pip-audit
     #   pip-requirements-parser
     #   pipdeptree
+pip==25.3
+    # via
+    #   pip-api
+    #   pipdeptree
 pip-api==0.0.34
     # via pip-audit
 pip-audit==2.9.0
-    # via -r dev.in
+    # via -r requirements/dev.in
 pip-requirements-parser==32.0.1
     # via pip-audit
 pipdeptree==2.30.0
-    # via -r dev.in
+    # via -r requirements/dev.in
 platformdirs==4.5.0
     # via pip-audit
 py-serializable==2.1.0
@@ -83,35 +85,35 @@ pyparsing==3.2.5
     # via pip-requirements-parser
 redis==7.1.0
     # via
-    #   -c main.txt
+    #   -c requirements/main.txt
     #   fakeredis
 requests==2.32.5
     # via
-    #   -c main.txt
+    #   -c requirements/main.txt
     #   cachecontrol
     #   pip-audit
 rich==14.2.0
     # via pip-audit
 ruff==0.14.7
-    # via -r dev.in
+    # via -r requirements/dev.in
 sortedcontainers==2.4.0
     # via
     #   cyclonedx-python-lib
     #   fakeredis
 sqlparse==0.5.4
     # via
-    #   -c main.txt
+    #   -c requirements/main.txt
     #   django
     #   django-debug-toolbar
 toml==0.10.2
     # via pip-audit
 tzdata==2025.2
     # via
-    #   -c main.txt
+    #   -c requirements/main.txt
     #   faker
-urllib3==2.5.0
+urllib3==2.6.2
     # via
-    #   -c main.txt
+    #   -c requirements/main.txt
     #   requests
 uv==0.9.13
-    # via -r dev.in
+    # via -r requirements/dev.in

requirements/main.txt

@@ -11,7 +11,7 @@ babel==2.17.0
 beautifulsoup4==4.14.2
     # via wagtail
 boto3==1.41.5
-    # via -r main.in
+    # via -r requirements/main.in
 botocore==1.41.5
     # via
     #   boto3
@@ -21,20 +21,20 @@ certifi==2025.11.12
 charset-normalizer==3.4.4
     # via requests
 colander==2.0
-    # via -r main.in
+    # via -r requirements/main.in
 defusedxml==0.7.1
     # via
-    #   -r main.in
+    #   -r requirements/main.in
     #   willow
 delorean==1.0.0
-    # via -r main.in
+    # via -r requirements/main.in
 dj-database-url==3.0.1
-    # via -r main.in
+    # via -r requirements/main.in
 dj-static==0.0.6
-    # via -r main.in
+    # via -r requirements/main.in
 django==5.2.9
     # via
-    #   -r main.in
+    #   -r requirements/main.in
     #   dj-database-url
     #   django-appconf
     #   django-compressor
@@ -55,27 +55,27 @@ django-appconf==1.2.0
     # via django-compressor
 django-compressor==4.6.0
     # via
-    #   -r main.in
+    #   -r requirements/main.in
     #   django-libsass
 django-extensions==4.1
-    # via -r main.in
+    # via -r requirements/main.in
 django-filter==25.2
     # via wagtail
 django-libsass==0.9
-    # via -r main.in
+    # via -r requirements/main.in
 django-modelcluster==6.4
     # via
-    #   -r main.in
+    #   -r requirements/main.in
     #   wagtail
 django-permissionedforms==0.1
     # via wagtail
 django-storages==1.14.6
-    # via -r main.in
+    # via -r requirements/main.in
 django-stubs-ext==5.2.7
     # via django-tasks
 django-taggit==6.1.0
     # via
-    #   -r main.in
+    #   -r requirements/main.in
     #   wagtail
 django-tasks==0.9.0
     # via
@@ -92,7 +92,7 @@ et-xmlfile==2.0.0
 filetype==1.2.0
     # via willow
 gunicorn==23.0.0
-    # via -r main.in
+    # via -r requirements/main.in
 humanize==4.14.0
     # via delorean
 idna==3.11
@@ -116,35 +116,35 @@ openpyxl==3.1.5
 packaging==25.0
     # via gunicorn
 pandas==2.3.3
-    # via -r main.in
+    # via -r requirements/main.in
 pillow==12.0.0
     # via
     #   pillow-heif
     #   wagtail
 pillow-heif==1.1.1
     # via willow
 pydantic==2.12.5
-    # via -r main.in
+    # via -r requirements/main.in
 pydantic-core==2.41.5
     # via pydantic
 python-dateutil==2.9.0.post0
     # via
-    #   -r main.in
+    #   -r requirements/main.in
     #   botocore
     #   delorean
     #   pandas
 pytz==2025.2
     # via
-    #   -r main.in
+    #   -r requirements/main.in
     #   delorean
     #   pandas
 rcssmin==1.2.2
     # via django-compressor
 redis==7.1.0
-    # via -r main.in
+    # via -r requirements/main.in
 requests==2.32.5
     # via
-    #   -r main.in
+    #   -r requirements/main.in
     #   wagtail
 rjsmin==1.2.5
     # via django-compressor
@@ -176,15 +176,15 @@ tzdata==2025.2
     # via pandas
 tzlocal==5.3.1
     # via delorean
-urllib3==2.5.0
+urllib3==2.6.2
     # via
     #   botocore
     #   requests
 wagtail==7.2.1
-    # via -r main.in
+    # via -r requirements/main.in
 whitenoise==6.11.0
-    # via -r main.in
-willow[heif]==1.12.0
+    # via -r requirements/main.in
+willow==1.12.0
     # via
-    #   -r main.in
+    #   -r requirements/main.in
     #   wagtail

requirements/production.txt

@@ -4,3 +4,7 @@ psycopg==3.2.13
     # via -r requirements/production.in
 psycopg-binary==3.2.13
     # via psycopg
+typing-extensions==4.15.0
+    # via
+    #   -c requirements/main.txt
+    #   psycopg