
build: Upgrade urllib3 to 2.6.3#2431

Merged
ko3n1g merged 2 commits into main from chtruong/vulns, Feb 19, 2026

Conversation

@chtruong814
Contributor

@chtruong814 chtruong814 commented Feb 19, 2026

What does this PR do ?

Upgrade urllib3 to 2.6.3

Changelog

  • Add specific line by line info of high level changes in this PR.

GitHub Actions CI

See the CI section in the Contributing doc for how to trigger the CI. An Nvidia developer will need to approve and trigger the CI for external contributors.

Before your PR is "Ready for review"

Pre checks:

  • Make sure you read and followed Contributor guidelines
  • Did you write any new necessary tests?
  • Did you add or update any necessary documentation?
  • Does the PR affect components that are optional to install? (Ex: Numba, Pynini, Apex etc)
    • Reviewer: Does the PR have correct import guards for all optional libraries?

If you haven't finished some of the above items you can still open "Draft" PR.

Additional Information

  • Related to # (issue)

Summary by CodeRabbit

  • Chores
    • Updated urllib3 dependency to address security concerns and ensure system stability.

Signed-off-by: Charlie Truong <chtruong@nvidia.com>
Signed-off-by: Charlie Truong <chtruong@nvidia.com>
@chtruong814 chtruong814 requested a review from a team as a code owner February 19, 2026 03:35
@chtruong814 chtruong814 added the r0.3.0 Cherry-pick label for r0.3.0 release branch label Feb 19, 2026
@chtruong814 chtruong814 changed the title Upgrade urllib3 to 2.6.3 build: Upgrade urllib3 to 2.6.3 Feb 19, 2026
@coderabbitai
Contributor

coderabbitai bot commented Feb 19, 2026

Walkthrough

A single dependency override has been added to pyproject.toml, pinning urllib3 to version 2.6.3 or higher to address CVE-2026-21441 within the UV build framework's override-dependencies configuration.

Changes

Cohort / File(s)                        Summary
Dependency Override (pyproject.toml)    Added urllib3>=2.6.3 override dependency with CVE-2026-21441 mitigation comment in the [tool.uv].override-dependencies section.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Suggested reviewers

  • thomasdhc
Pre-merge checks: 4 passed

Check name                       Status   Explanation
Description Check                Passed   Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage               Passed   No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Test Results For Major Changes   Passed   This PR contains a minor security patch version bump for urllib3 (transitive dependency) that does not affect model numerics, convergence, or core performance.
Title check                      Passed   The title clearly and specifically identifies the main change: upgrading urllib3 to version 2.6.3, which matches the primary modification in pyproject.toml.


Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
pyproject.toml (1)

111-120: CVE reference and version constraint are correct — minor trailing comma inconsistency.

The version floor >=2.6.3 is the correct mitigation: users should upgrade to at least urllib3 v2.6.3, in which the library does not decode content of redirect responses when preload_content=False. This fixed a security issue where decompression-bomb safeguards of the streaming API were bypassed when HTTP redirects were followed (CVE-2026-21441, CVSS 8.9 High, GHSA-38jv-5279-wg99).

The new entry on line 119 is missing the trailing comma present on every other entry in the override-dependencies array (lines 112–118). While TOML allows a trailing-comma-free last element, consistency with the existing style would be:

✏️ Proposed style fix
-    "urllib3>=2.6.3"    # To address CVE-2026-21441
+    "urllib3>=2.6.3",   # To address CVE-2026-21441
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pyproject.toml` around lines 111 - 120, The override-dependencies array in
pyproject.toml has a style inconsistency: the last item "urllib3>=2.6.3" lacks
the trailing comma used on the other entries; update the urllib3 entry inside
the override-dependencies list to include a trailing comma so it matches the
existing comma-separated style used by the other entries in that array.

"mlflow>=3.5.0",
"cryptography>=43.0.0,<47",
"nvidia-modelopt~=0.41.0",
"urllib3>=2.6.3" # To address CVE-2026-21441
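Review bot: an entry in `[tool.uv].override-dependencies` replaces the `urllib3` constraint declared by every package in the resolution, not only the project's own requirement, so a transitive dependency that still declares an upper bound below 2.6.3 would have that bound silently discarded instead of surfacing as a resolver conflict; after regenerating uv.lock it is worth confirming that no dependency's `urllib3` requirement was overridden into a combination its maintainers do not support, and the comment on this line could note that an override (rather than a regular pin) was chosen for that reason.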
Contributor


⚠️ Potential issue | 🟠 Major

uv.lock must be regenerated and committed alongside this change.

The coding guidelines require both pyproject.toml and uv.lock to be updated together whenever dependencies change. This PR only modifies pyproject.toml, leaving uv.lock out of sync. Without the updated lockfile, reproducible installs won't enforce the urllib3>=2.6.3 floor and the CVE fix won't be reliably applied in locked environments.

Run uv lock (or uv add urllib3>=2.6.3 --override) and commit the resulting uv.lock.

As per coding guidelines: "Update pyproject.toml and uv.lock when adding new dependencies via uv add command."

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pyproject.toml` at line 119, The pyproject.toml dependency change for
"urllib3>=2.6.3" requires regenerating and committing the lockfile so installs
remain reproducible; run the appropriate Univention/Vendored tool (e.g. `uv
lock` or `uv add urllib3>=2.6.3 --override`) to regenerate uv.lock, verify the
lockfile includes the updated urllib3 constraint, and commit the updated uv.lock
alongside the pyproject.toml change so both files stay in sync.

@ko3n1g ko3n1g merged commit c11b686 into main Feb 19, 2026
91 of 93 checks passed
@ko3n1g ko3n1g deleted the chtruong/vulns branch February 19, 2026 15:18
chtruong814 added a commit that referenced this pull request Feb 19, 2026
Signed-off-by: Charlie Truong <chtruong@nvidia.com>
ko3n1g pushed a commit that referenced this pull request Feb 19, 2026
Signed-off-by: Charlie Truong <chtruong@nvidia.com>
copy-pr-bot bot pushed a commit that referenced this pull request Mar 19, 2026
Signed-off-by: Charlie Truong <chtruong@nvidia.com>