From 3a12ccb84203f03c0550b1316258b6852b3c2c33 Mon Sep 17 00:00:00 2001
From: Walter Boring
Date: Tue, 24 Mar 2026 13:37:07 -0400
Subject: [PATCH] security: bump urllib3 from 2.6.2 to 2.6.3

Fixes CVE-2026-21441 (8.9 High severity) - decompression-bomb safeguards of the streaming API were bypassed when HTTP redirects were followed.

Closes #210
---
 requirements.txt | 137 +++++++++++++++--------------------------------
 uv.lock | 20 +++----
 2 files changed, 54 insertions(+), 103 deletions(-)

diff --git a/requirements.txt b/requirements.txt
index 0d8363e..62e8836 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,96 +1,45 @@
 # This file was autogenerated by uv via the following command:
 # uv pip compile --resolver backtracking --annotation-style=line requirements.in -o requirements.txt
-aprslib @ git+https://github.com/hemna/aprs-python.git@telemetry
- # via -r requirements.in
-attrs==25.4.0
- # via
- # ax253
- # kiss3
- # rush
-ax253==0.1.5.post1
- # via kiss3
-bitarray==3.8.0
- # via
- # ax253
- # kiss3
-certifi==2025.11.12
- # via requests
-charset-normalizer==3.4.4
- # via requests
-click==8.3.1
- # via -r requirements.in
-dataclasses-json==0.6.7
- # via -r requirements.in
-haversine==2.9.0
- # via -r requirements.in
-idna==3.11
- # via requests
-importlib-metadata==8.7.0
- # via
- # ax253
- # kiss3
-kiss3==8.0.0
- # via -r requirements.in
-loguru==0.7.3
- # via -r requirements.in
-markdown-it-py==4.0.0
- # via rich
-marshmallow==3.26.2
- # via dataclasses-json
-mdurl==0.1.2
- # via markdown-it-py
-mypy-extensions==1.1.0
- # via typing-inspect
-netaddr==1.3.0
- # via oslo-config
-oslo-config==10.1.0
- # via -r requirements.in
-oslo-i18n==6.7.1
- # via oslo-config
-packaging==25.0
- # via marshmallow
-pbr==7.0.3
- # via oslo-i18n
-pluggy==1.6.0
- # via -r requirements.in
-pygments==2.19.2
- # via rich
-pyserial==3.5
- # via pyserial-asyncio
-pyserial-asyncio==0.6
- # via kiss3
-pytz==2025.2
- # via -r requirements.in
-pyyaml==6.0.3
- # via oslo-config
-requests==2.32.5
- # via
- # -r requirements.in
- # oslo-config
- # update-checker
-rfc3986==2.0.0
- # via oslo-config
-rich==14.2.0
- # via -r requirements.in
-rush==2021.4.0
- # via -r requirements.in
-stevedore==5.6.0
- # via oslo-config
-thesmuggler==1.0.1
- # via -r requirements.in
-timeago==1.0.16
- # via -r requirements.in
-typing-extensions==4.15.0
- # via typing-inspect
-typing-inspect==0.9.0
- # via dataclasses-json
-tzlocal==5.3.1
- # via -r requirements.in
-update-checker==0.18.0
- # via -r requirements.in
-urllib3==2.6.2
- # via requests
-wrapt==2.0.1
- # via -r requirements.in
-zipp==3.23.0
- # via importlib-metadata
+aprslib @ git+https://github.com/hemna/aprs-python.git@09cd7a2829a2e9d28ee1566881c843cc4769e590 # via -r requirements.in
+attrs==25.4.0 # via ax253, kiss3, rush
+ax253==0.1.5.post1 # via kiss3
+bitarray==3.8.0 # via ax253, kiss3
+certifi==2025.11.12 # via requests
+charset-normalizer==3.4.4 # via requests
+click==8.3.1 # via -r requirements.in
+dataclasses-json==0.6.7 # via -r requirements.in
+haversine==2.9.0 # via -r requirements.in
+idna==3.11 # via requests
+importlib-metadata==8.7.0 # via ax253, kiss3
+kiss3==8.0.0 # via -r requirements.in
+loguru==0.7.3 # via -r requirements.in
+markdown-it-py==4.0.0 # via rich
+marshmallow==3.26.2 # via dataclasses-json
+mdurl==0.1.2 # via markdown-it-py
+mypy-extensions==1.1.0 # via typing-inspect
+netaddr==1.3.0 # via oslo-config
+oslo-config==10.1.0 # via -r requirements.in
+oslo-i18n==6.7.1 # via oslo-config
+packaging==25.0 # via marshmallow
+pbr==7.0.3 # via oslo-i18n
+pluggy==1.6.0 # via -r requirements.in
+pygments==2.19.2 # via rich
+pyserial==3.5 # via pyserial-asyncio
+pyserial-asyncio==0.6 # via kiss3
+pytz==2025.2 # via -r requirements.in
+pyyaml==6.0.3 # via oslo-config
+requests==2.32.5 # via oslo-config, update-checker, -r requirements.in
+rfc3986==2.0.0 # via oslo-config
+rich==14.2.0 # via -r requirements.in
+rush==2021.4.0 # via -r requirements.in
+setuptools==82.0.1 # via pbr
+stevedore==5.6.0 # via oslo-config
+thesmuggler==1.0.1 # via -r requirements.in
+timeago==1.0.16 # via -r requirements.in
+typing-extensions==4.15.0 # via typing-inspect
+typing-inspect==0.9.0 # via dataclasses-json
+tzlocal==5.3.1 # via -r requirements.in
+update-checker==0.18.0 # via -r requirements.in
+urllib3==2.6.3 # via requests
+wrapt==2.0.1 # via -r requirements.in
+zipp==3.23.0 # via importlib-metadata
diff --git a/uv.lock b/uv.lock
index fa199b2..8f2eea4 100644
--- a/uv.lock
+++ b/uv.lock
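Review bot: The new side of the requirements.txt hunk changes more than the urllib3 pin named in the subject: aprslib moves from the mutable `telemetry` branch to commit `09cd7a2829a2e9d28ee1566881c843cc4769e590`, `setuptools==82.0.1 # via pbr` appears as a new pinned runtime package, and the annotations switch from one-per-line to a single `# via` line, none of which the commit description records. The SHA pin is the right move for a git dependency, since a branch ref can change underneath the lock without any diff here, but it belongs in the description so the audit trail for a security bump stays honest, e.g. `Also: pin aprslib to commit 09cd7a28 (was branch telemetry); setuptools==82.0.1 newly pinned (pulled in by pbr).` The uv.lock hunks at `requires-dist` add `{ name = "setuptools", specifier = "==82.0.1" }` and re-pin aprslib, and that table mirrors the project's declared dependencies, so presumably pyproject.toml changed too, yet the diffstat lists only two files; unless that edit is in a separate commit, `uv lock --check` (or `uv sync --locked`) would report the lock file as out of date. Relatedly, requirements.txt says setuptools is reached only `# via pbr` while uv.lock declares it as a direct dependency, so requirements.in and pyproject.toml appear to disagree on whether setuptools is direct; the two inputs should be reconciled before both generated files are regenerated.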
@@ -38,6 +38,7 @@ dependencies = [
 { name = "rfc3986" },
 { name = "rich" },
 { name = "rush" },
+ { name = "setuptools" },
 { name = "stevedore" },
 { name = "thesmuggler" },
 { name = "timeago" },
@@ -81,7 +82,7 @@ type = [
 
 [package.metadata]
 requires-dist = [
- { name = "aprslib", git = "https://github.com/hemna/aprs-python.git?rev=telemetry" },
+ { name = "aprslib", git = "https://github.com/hemna/aprs-python.git?rev=09cd7a2829a2e9d28ee1566881c843cc4769e590" },
 { name = "attrs", specifier = "==25.4.0" },
 { name = "ax253", specifier = "==0.1.5.post1" },
 { name = "bitarray", specifier = "==3.8.0" },
@@ -125,6 +126,7 @@ requires-dist = [
 { name = "rich", specifier = "==14.2.0" },
 { name = "ruff", marker = "extra == 'dev'" },
 { name = "rush", specifier = "==2021.4.0" },
+ { name = "setuptools", specifier = "==82.0.1" },
 { name = "stevedore", specifier = "==5.6.0" },
 { name = "thesmuggler", specifier = "==1.0.1" },
 { name = "timeago", specifier = "==1.0.16" },
@@ -140,7 +142,7 @@ requires-dist = [
 { name = "typing-inspect", specifier = "==0.9.0" },
 { name = "tzlocal", specifier = "==5.3.1" },
 { name = "update-checker", specifier = "==0.18.0" },
- { name = "urllib3", specifier = "==2.6.2" },
+ { name = "urllib3", specifier = "==2.6.3" },
 { name = "wheel", marker = "extra == 'dev'" },
 { name = "wrapt", specifier = "==2.0.1" },
 { name = "zipp", specifier = "==3.23.0" },
@@ -150,7 +152,7 @@ provides-extras = ["dev", "tests", "type"]
 [[package]]
 name = "aprslib"
 version = "0.7.2"
-source = { git = "https://github.com/hemna/aprs-python.git?rev=telemetry#09cd7a2829a2e9d28ee1566881c843cc4769e590" }
+source = { git = "https://github.com/hemna/aprs-python.git?rev=09cd7a2829a2e9d28ee1566881c843cc4769e590#09cd7a2829a2e9d28ee1566881c843cc4769e590" }
 
 [[package]]
 name = "attrs"
@@ -1108,11 +1110,11 @@ wheels = [
 
 [[package]]
 name = "setuptools"
-version = "80.9.0"
+version = "82.0.1"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/18/5d/3bf57dcd21979b887f014ea83c24ae194cfcd12b9e0fda66b957c69d1fca/setuptools-80.9.0.tar.gz", hash = "sha256:f36b47402ecde768dbfafc46e8e4207b4360c654f1f3bb84475f0a28628fb19c", size = 1319958, upload-time = "2025-05-27T00:56:51.443Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/4f/db/cfac1baf10650ab4d1c111714410d2fbb77ac5a616db26775db562c8fab2/setuptools-82.0.1.tar.gz", hash = "sha256:7d872682c5d01cfde07da7bccc7b65469d3dca203318515ada1de5eda35efbf9", size = 1152316, upload-time = "2026-03-09T12:47:17.221Z" }
 wheels = [
- { url = "https://files.pythonhosted.org/packages/a3/dc/17031897dae0efacfea57dfd3a82fdd2a2aeb58e0ff71b77b87e44edc772/setuptools-80.9.0-py3-none-any.whl", hash = "sha256:062d34222ad13e0cc312a4c02d73f059e86a4acbfbdea8f8f76b28c99f306922", size = 1201486, upload-time = "2025-05-27T00:56:49.664Z" },
+ { url = "https://files.pythonhosted.org/packages/9d/76/f789f7a86709c6b087c5a2f52f911838cad707cc613162401badc665acfe/setuptools-82.0.1-py3-none-any.whl", hash = "sha256:a59e362652f08dcd477c78bb6e7bd9d80a7995bc73ce773050228a348ce2e5bb", size = 1006223, upload-time = "2026-03-09T12:47:15.026Z" },
 ]
 
 [[package]]
@@ -1314,11 +1316,11 @@ wheels = [
 
 [[package]]
 name = "urllib3"
-version = "2.6.2"
+version = "2.6.3"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/1e/24/a2a2ed9addd907787d7aa0355ba36a6cadf1768b934c652ea78acbd59dcd/urllib3-2.6.2.tar.gz", hash = "sha256:016f9c98bb7e98085cb2b4b17b87d2c702975664e4f060c6532e64d1c1a5e797", size = 432930, upload-time = "2025-12-11T15:56:40.252Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/c7/24/5f1b3bdffd70275f6661c76461e25f024d5a38a46f04aaca912426a2b1d3/urllib3-2.6.3.tar.gz", hash = "sha256:1b62b6884944a57dbe321509ab94fd4d3b307075e0c2eae991ac71ee15ad38ed", size = 435556, upload-time = "2026-01-07T16:24:43.925Z" }
 wheels = [
- { url = "https://files.pythonhosted.org/packages/6d/b9/4095b668ea3678bf6a0af005527f39de12fb026516fb3df17495a733b7f8/urllib3-2.6.2-py3-none-any.whl", hash = "sha256:ec21cddfe7724fc7cb4ba4bea7aa8e2ef36f607a4bab81aa6ce42a13dc3f03dd", size = 131182, upload-time = "2025-12-11T15:56:38.584Z" },
+ { url = "https://files.pythonhosted.org/packages/39/08/aaaad47bc4e9dc8c725e68f9d04865dbcb2052843ff09c97b08904852d84/urllib3-2.6.3-py3-none-any.whl", hash = "sha256:bf272323e553dfb2e87d9bfd225ca7b0f467b919d7bbd355436d3fd37cb0acd4", size = 131584, upload-time = "2026-01-07T16:24:42.685Z" },
 ]
 
 [[package]]