
cp: Upgrade urllib3 to 2.6.3 (#2431) into r0.3.0 #2439

Merged
ko3n1g merged 1 commit into r0.3.0 from chtruong/r0.3.0-vulns
Feb 19, 2026

Conversation

chtruong814 (Contributor) commented Feb 19, 2026

What does this PR do ?

cp: Upgrade urllib3 to 2.6.3 (#2431) into r0.3.0

Changelog

  • Add specific line by line info of high level changes in this PR.

GitHub Actions CI

See the CI section in the Contributing doc for how to trigger the CI. A Nvidia developer will need to approve and trigger the CI for external contributors.

Before your PR is "Ready for review"

Pre checks:

  • Make sure you read and followed Contributor guidelines
  • Did you write any new necessary tests?
  • Did you add or update any necessary documentation?
  • Does the PR affect components that are optional to install? (Ex: Numba, Pynini, Apex etc)
    • Reviewer: Does the PR have correct import guards for all optional libraries?

If you haven't finished some of the above items you can still open "Draft" PR.

Additional Information

  • Related to # (issue)

Summary by CodeRabbit

  • Chores
    • Updated build dependencies to include urllib3>=2.6.3 and refined dependency override configuration.

Signed-off-by: Charlie Truong <chtruong@nvidia.com>
@chtruong814 chtruong814 requested a review from a team as a code owner February 19, 2026 15:51
coderabbitai bot (Contributor) commented Feb 19, 2026

Walkthrough

A build configuration update to pyproject.toml that reformats an existing NVIDIA resiliency dependency entry and adds a new urllib3 version override constraint with a comment, modifying the UV tool's dependency resolution rules.

Changes

Cohort / File(s): Build Configuration (pyproject.toml)
Summary: Reformatted nvidia-resiliency-ext entry (added trailing comma and space) and added urllib3>=2.6.3 override with an inline comment to the [tool.uv].override-dependencies list.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Suggested labels

Run CICD, cherry-pick, r0.3.0

Suggested reviewers

  • ko3n1g
Pre-merge checks: 4 passed

  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title accurately describes the main change: upgrading urllib3 to version 2.6.3, which aligns with the raw summary showing the addition of urllib3>=2.6.3 to pyproject.toml.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Test Results For Major Changes: Passed. PR contains only minor changes: security-focused urllib3 dependency upgrade to 2.6.3 for CVE-2026-21441 with no impact on algorithmic behavior or performance.


coderabbitai bot left a comment

🧹 Nitpick comments (1)
pyproject.toml (1)

120-120: Consider adding an upper-bound cap to the urllib3 override.

urllib3>=2.6.3 is unbounded. If urllib3 3.x is released with breaking API changes, uv could resolve to it automatically. Other security overrides in this file (e.g. cryptography>=43.0.0,<47) use an upper bound for exactly this reason.

🔒 Proposed cap
-    "urllib3>=2.6.3",    # To address CVE-2026-21441
+    "urllib3>=2.6.3,<3",    # To address CVE-2026-21441
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pyproject.toml` at line 120, The urllib3 override is unbounded
("urllib3>=2.6.3") and could allow an incompatible future major release; update
the requirement string in pyproject.toml to add an upper bound (for example
change "urllib3>=2.6.3" to "urllib3>=2.6.3,<3") so it pins to the current major
and prevents automatic resolution to a breaking 3.x release; make this edit
where the dependency string "urllib3>=2.6.3" appears.

@ko3n1g ko3n1g enabled auto-merge (squash) February 19, 2026 16:05
@ko3n1g ko3n1g disabled auto-merge February 19, 2026 18:40
@ko3n1g ko3n1g merged commit c512646 into r0.3.0 Feb 19, 2026
66 of 69 checks passed
@ko3n1g ko3n1g deleted the chtruong/r0.3.0-vulns branch February 19, 2026 18:40