update urllib3 package to address vulnerabities

[rv0lt]

Read this before submitting the PR

1. Always create a Draft PR first
2. Go through sections 1-5 below, fill them in and check all the boxes
3. Make sure that the branch is updated; if there's an "Update branch" button at the bottom of the PR, rebase or update branch.
4. When all boxes are checked, information is filled in, and the branch is updated: mark as Ready For Review and tag reviewers (top right)
5. Once there is a submitted review, implement the suggestions (if reasonable, otherwise discuss) and request an new review.

If there is a field which you are unsure about, enter the edit mode of this description or go to the PR template; There are invisible comments providing descriptions which may be of help.

1. Description / Summary

Update urrllib3 to solve known vulnerabilities

• CVE-2023-45803
• CVE-2023-43804
• Request body not stripped after redirect from 303 status changes request method to GET
• Cookie request header isn't stripped during cross-origin redirects

---

Urllib3 is a Python package used as an HTTP client. It is not used by us in any parts of the code, but by other packages. Such as requests (for the testing modules)

The changes are minor and no backward incompatible changes
Changelog

The pipdeptree output show no incompatibility with updating from 1.26.8 to 1.26.18 either

urllib3==1.26.18
├── botocore==1.23.47 [requires: urllib3>=1.25.4,<1.27]
└── requests-cache==0.9.4 [requires: urllib3>=1.25.5,<2.0.0]

2. Jira task / GitHub issue

https://scilifelab.atlassian.net/jira/software/projects/DDS/boards/13?selectedIssue=DDS-1822

3. What type of change(s) does the PR contain?

Check the relevant boxes below. For an explanation of the different sections, enter edit mode of this PR description template.

• New feature
  • Breaking: Why / How? Add info here.
  • Non-breaking
• Database change: Remember the to include a new migration version, or explain here why it's not needed.
• Bug fix
• Security Alert fix
  • Package update
    • Major update
• Documentation
• Workflow
• Tests only

4. Additional information

• Sprintlog
• Blocking PRs
  • Merged
• PR to master branch: _If checked, read the release instructions
  • I have followed steps 1-8.

5. Actions / Scans

Check the boxes when the specified checks have passed.

For information on what the different checks do and how to fix it if they're failing, enter edit mode of this description or go to the PR template.

• Black

• Prettier

• Yamllint

• Tests

• CodeQL

• Trivy

• Snyk

[codecov]

Codecov Report

Merging #1487 (b955ac2) into dev (a0e24c0) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##              dev    #1487   +/-   ##
=======================================
  Coverage   91.48%   91.48%           
=======================================
  Files          29       29           
  Lines        4617     4617           
=======================================
  Hits         4224     4224           
  Misses        393      393           

[i-oden]

Urllib3 is a Python package used as an HTTP client. It is not used by us in any parts of the code, but by other packages.

Hmm haven't thought of this. I thought we also used it, but seems we don't, we use urllib.. Not sure if there's a reason we're not using urllib3. Nothing to change here obviously but maybe something to look into at some point.

[i-oden]

Didn't see anything strange in the changelog and seems to be no issues.