This repository was archived by the owner on Jan 2, 2026. It is now read-only.

urllib3-lts – Secure, stable long-term support fork of urllib3 for legacy Python (3.7, 3.8). Backports all CVE fixes, fully compatible, and a drop-in replacement. Ideal for production, research, and enterprise use. Works seamlessly with filelock-lts to keep your Python stack safe and reliable.


1minds3t/urllib3-lts


urllib3-lts 🛡️

The Long-Term Support Security Release for urllib3.

This ecosystem backports critical security fixes to legacy Python environments (3.7 & 3.8) that official maintainers have dropped.

🏆 Patch Status (v2025.66471)

This release secures 941M+ downloads against the following vulnerabilities:

| Vulnerability | Severity | Impact | Py3.7 | Py3.8 |
| --- | --- | --- | --- | --- |
| CVE-2025-66471 | 🔴 HIGH | Compression Bomb DoS | 🛡️ Fixed | 🛡️ Fixed |
| CVE-2025-66418 | 🔴 HIGH | Unbounded Links DoS | 🛡️ Fixed | 🛡️ Fixed |
| CVE-2025-50182 | 🟡 MOD | Node.js Redirect Bypass | N/A | 🛡️ Fixed |
| CVE-2025-50181 | 🟡 MOD | Redirect Retry Bypass | 🛡️ Fixed | 🛡️ Fixed |
| CVE-2024-37891 | 🟡 MOD | Proxy-Auth Header Leak | 🛡️ Fixed | N/A |

📦 Usage

Standard Installation:

pip install urllib3-lts

This meta-package automatically detects your Python version and installs the correct secured backport.

🌐 The OmniPKG Ecosystem

Maintained by 1minds3t.

Manage your environment:

pip install omnipkg
omnipkg reset -y

🚧 Coming Soon: omnipkg-runtime

We are building a runtime enforcer that allows configurable WARN or BLOCK policies for unpatched vulnerabilities. Stay tuned.

⚠️ Important: Installation for Python 3.7-3.8

Before installing urllib3-lts, uninstall any existing urllib3:

pip uninstall urllib3 -y
pip install urllib3-lts

This ensures you get the security patches. If you install urllib3-lts without removing urllib3 first, other packages may reinstall the vulnerable version.

Alternative: Pin in requirements.txt

urllib3-lts-py37==2025.66471.3 ; python_version<'3.8'
urllib3-lts-py38==2025.66471.2 ; python_version>='3.8' and python_version<'3.9'
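
A post-install check for the failure mode described above, where a dependency pulls upstream urllib3 back in next to the backport. This is an added example, not code from the urllib3-lts project; it assumes the backports are registered under the distribution names used in the pins and install into the same `urllib3` import package, and the status labels are invented here.

```python
# Added example (not project code): detect upstream urllib3 beside an LTS backport.
import re
import sys

# Backport distribution names as they appear in the requirements.txt pins above.
LTS_DISTS = {"urllib3-lts-py37", "urllib3-lts-py38"}
UPSTREAM = "urllib3"


def normalize(name):
    """PEP 503 normalization so 'Urllib3_LTS.py38' compares equal to the pin name."""
    return re.sub(r"[-_.]+", "-", name).lower()


def installed_distributions():
    """Return {normalized name: version} for the running interpreter."""
    try:
        from importlib import metadata  # standard library on Python 3.8+
    except ImportError:
        import pkg_resources  # setuptools fallback for Python 3.7
        return {normalize(d.project_name): d.version for d in pkg_resources.working_set}
    return {normalize(d.metadata.get("Name")): d.version
            for d in metadata.distributions() if d.metadata.get("Name")}


def audit(dists):
    """Classify an environment given a {distribution name: version} mapping."""
    names = {normalize(n) for n in dists}
    has_lts = bool(names & LTS_DISTS)
    has_upstream = UPSTREAM in names
    if has_lts and has_upstream:
        return "CONFLICT"       # assumption: both write to the urllib3 import package
    if has_upstream:
        return "UPSTREAM_ONLY"  # backport missing or replaced by a dependency
    if has_lts:
        return "LTS_ONLY"       # the state the install steps aim for
    return "ABSENT"


if __name__ == "__main__":
    status = audit(installed_distributions())
    print("urllib3 provider check:", status)
    sys.exit(0 if status == "LTS_ONLY" else 1)
```

Run it with the interpreter of the environment being checked; a non-zero exit makes it usable as a CI gate after `pip install -r requirements.txt`.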
