Update urllib3 to 2.6.3+ (#136)

kstribrnAmzn · web-flow · commit e604ea1973d6 · 2026-01-13T14:30:07.000-08:00
This dependency update adds decompression-bomb safeguards to HTTP redirects. See CVE-2026-21441. https://nvd.nist.gov/vuln/detail/CVE-2026-21441
diff --git a/.github/workflows/pr_checks.yml b/.github/workflows/pr_checks.yml
@@ -29,6 +29,7 @@ jobs:
               run-spelling-check: true,
               run-complexity: false,
               run-doxygen: false,
+              exclude-urls: 'https://www.microchip.com, https://www.microchip.com/support',
             },
             {
               repository: FreeRTOS-Plus-TCP,
@@ -39,6 +40,7 @@ jobs:
               run-complexity: false,
               run-doxygen: false,
               exclude-dirs: 'source/portable/NetworkInterface/STM32'
+              exclude-urls: 'https://www.microchip.com/en-us/support/design-help, http://www.atmel.com/design-support'
             },
             {
               repository: FreeRTOS,
@@ -209,7 +211,7 @@ jobs:
         with:
           path: repo/${{ matrix.inputs.repository }}
           exclude-dirs: complexity, formatting
-          exclude-urls: https://dummy-url.com/ota.bin, https://s3.region.amazonaws.com/joe-ota, https://www.gnu.org/software/complexity/manual/complexity.html, https://www.u-blox.com/en/product/sara-r4-series
+          exclude-urls: https://dummy-url.com/ota.bin, https://s3.region.amazonaws.com/joe-ota, https://www.gnu.org/software/complexity/manual/complexity.html, https://www.u-blox.com/en/product/sara-r4-series${{ matrix.inputs.exclude-urls && format(',{0}', matrix.inputs.exclude-urls) || '' }}
 
       - name: "Complexity Check: ${{ matrix.inputs.repository }}"
         if: matrix.inputs.run-complexity && ( success() || failure() )
diff --git a/link-verifier/requirements.txt b/link-verifier/requirements.txt
@@ -6,4 +6,4 @@ idna==3.7
 requests==2.32.4
 soupsieve==2.1
 termcolor==1.1.0
-urllib3>=2.6.0
+urllib3>=2.6.3
