[Snyk] Security upgrade urllib3 from 2.0.7 to 2.6.0

[glenn-jocher]

Snyk has created this PR to fix 1 vulnerabilities in the pip dependencies of this project.

Snyk changed the following file(s):

• requirements.txt

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.
• Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

🛠️ PR Summary

_{Made with ❤️ by Ultralytics Actions}

🌟 Summary

🔒 Adds a security-focused dependency pin for urllib3 in requirements.txt.

📊 Key Changes

• ➕ Added urllib3>=2.6.0 to requirements.txt
• 🛡️ Comment notes this is not directly required by the project, but is pinned per Snyk to avoid a known vulnerability

🎯 Purpose & Impact

• ✅ Improves supply-chain/security hygiene by ensuring a safe urllib3 version is installed 🔐
• 📦 Helps prevent vulnerable transitive installs when other dependencies pull in urllib3 indirectly
• ⚠️ Potential minor impact: may affect environments pinned to older urllib3 versions due to compatibility constraints, requiring dependency resolution updates 🧩

[UltralyticsAssistant]

👋 Hello @glenn-jocher, thank you for submitting a ultralytics/yolov3 🚀 PR! This is an automated message—an engineer will review and help as needed. Please review the checklist below to keep things moving smoothly ✅

-✅ Define a Purpose: Clearly explain the purpose of your fix or feature in your PR description, and link to any relevant issues. Ensure your commit messages are clear, concise, and adhere to the project's conventions.
-✅ Synchronize with Source: Confirm your PR is synchronized with the ultralytics/yolov3 main branch. If it's behind, update it by clicking the 'Update branch' button or by running git pull and git merge main locally.
-✅ Ensure CI Checks Pass: Verify all Ultralytics Continuous Integration (CI) checks are passing. If any checks fail, please address the issues.
-✅ Update Documentation: Update the relevant documentation for any new or modified features.
-✅ Add Tests: If applicable, include or update tests to cover your changes, and confirm that all tests are passing.
-✅ Sign the CLA: Please ensure you have signed our Contributor License Agreement if this is your first Ultralytics PR by writing "I have read the CLA Document and I sign the CLA" in a new message.
-✅ Minimize Changes: Limit your changes to the minimum necessary for your bug fix or feature addition. "It is not daily increase but daily decrease, hack away the unessential. The closer to the source, the less wastage there is." — Bruce Lee

For more guidance, please refer to our Contributing Guide. Don't hesitate to leave a comment if you have any questions. Thank you for contributing to Ultralytics! 🚀

[UltralyticsAssistant]

🔍 PR Review

_{Made with ❤️ by Ultralytics Actions}

Clean, minimal security-driven change. The main risk is compatibility: enforcing urllib3>=2.6.0 globally in requirements.txt can break installs for older Python/OpenSSL environments. If the repo targets such environments, consider adding an environment marker or scoping the pin to avoid unintended installation failures.

💬 Posted 1 inline comment

[UltralyticsAssistant]

💡 MEDIUM: This project may support Python versions where urllib3>=2.6.0 is not installable/compatible (urllib3 2.x has dropped older Python/OpenSSL combos in the past). A hard minimum here can break installs even if the vulnerable transitive path isn’t present. Consider aligning the constraint with the repo’s supported Python range (e.g., conditional marker) or pinning only in the environments that need it (CI/dev), if applicable.