Backport patch for GHSA-48p4-8xcf-vxj5 to vendored urllib3

[jdstrand]

Description

Hi,

Filing this publicly since today I noticed that Ubuntu issued an advisory for pip to fix its bundled urllib3: https://ubuntu.com/security/notices/USN-7599-2. I then looked to see what version of pip this was fixed in and found these issues about not being able to upgrade urllib3 until pip removes python 3.9 support:

• Upgrade vendored requests and urllib3 #12026
• Upgrade to urllib3 to v2.x.x #12857

Looking at the urllib3 patch at urllib3/urllib3@7eb4a2a, I didn't see that pip has incorporated this patch yet (sorry if I missed something).

Reading the advisory at GHSA-48p4-8xcf-vxj5, it's not clear (to me) if the pip project would want to incorporate this patch (since the advisory talks about running urllib3 in a Pyodide runtime, which doesn't seem like it would apply to pip?), but wanted to file the issue so you're aware and can comment.

Thanks!

Expected behavior

No response

pip version

master

Python version

any

OS

any

How to Reproduce

See description

Output

No response

Code of Conduct

• I agree to follow the PSF Code of Conduct.

[notatallshaw]

As best as I can tell this security issue doesn't look relevant to pip. IMO if it's not important enough for urllib3 to backport to 1.x, it's highly unlikely to be important enough for pip to take a patch.

[ichard26]

I'm not really sure who to ping, soooo @ryanking13 as a member of the pyodide/micropip team, are you aware of any Python in browser or Node.js toolchains which use pip? (or can pip be used directly on those platforms) I'm aware that micropip does not (despite its similar name) but I'm not familiar with the Python-in-JS ecosystem beyond pyodide.

Thanks in advance!

[ryanking13]

@ichard26 Thanks for the ping!

Pyodide does not directly use pip in the browser. micropip does not rely on pip. We use pip when building packages or installing packages in a simulated virtualenv, but neither triggers pip inside Pyodide runtime.

So I think there is no Pyodide-side requirement to adopt this patch in pip.

cc: @jtpio (just in case if Jupyterlite uses pip)

[agriyakhetarpal]

I can confirm that neither JupyterLite nor the Pyodide kernel are using pip, at least to my understanding.

[jtpio]

Thanks @ryanking13 for the ping 👍

Yeah like @agriyakhetarpal mentioned above it should be fine for JupyterLite, which defines a piplite wrapper around micropip (but not pip)

[ichard26]

Thanks all for confirmation that your projects are not exposed to this vulnerability. I was about to mark this issue as resolution: no action When the resolution is to not do anything but I thought to check whether a patched version of pip on JS exists somewhere. PEP 776 (which is a draft) includes this line:

Pyodide virtual environments contain a patched copy of pip and a custom pip.conf so that pip will install Pyodide wheels.

I assume that this is what you mean by "We use pip when building packages or installing packages in a simulated virtualenv, but neither triggers pip inside Pyodide runtime."

Accordingly, I will mark this as resolution: no action When the resolution is to not do anything .