Update urllib3 to 2.6.3 #182

Open
pyup-bot wants to merge 1 commit into master from pyup-update-urllib3-2.2.2-to-2.6.3

Conversation

pyup-bot (Collaborator) commented Jan 7, 2026

This PR updates urllib3 from 2.2.2 to 2.6.3.

Changelog

2.6.3
==================

- Fixed a high-severity security issue where decompression-bomb safeguards of
  the streaming API were bypassed when HTTP redirects were followed.
  (`GHSA-38jv-5279-wg99 <https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99>`__)
- Started treating ``Retry-After`` times greater than 6 hours as 6 hours by
  default. (`3743 <https://github.com/urllib3/urllib3/issues/3743>`__)
- Fixed ``urllib3.connection.VerifiedHTTPSConnection`` on Emscripten.
  (`3752 <https://github.com/urllib3/urllib3/issues/3752>`__)

2.6.2
==================

- Fixed ``HTTPResponse.read_chunked()`` to properly handle leftover data in
  the decoder's buffer when reading compressed chunked responses.
  (`3734 <https://github.com/urllib3/urllib3/issues/3734>`__)

2.6.1
==================

- Restore previously removed ``HTTPResponse.getheaders()`` and
  ``HTTPResponse.getheader()`` methods.
  (`3731 <https://github.com/urllib3/urllib3/issues/3731>`__)

2.6.0
==================

Security
--------

- Fixed a security issue where streaming API could improperly handle highly
  compressed HTTP content ("decompression bombs") leading to excessive resource
  consumption even when a small amount of data was requested. Reading small
  chunks of compressed data is safer and much more efficient now.
  (`GHSA-2xpw-w6gg-jr37 <https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37>`__)
- Fixed a security issue where an attacker could compose an HTTP response with
  virtually unlimited links in the ``Content-Encoding`` header, potentially
  leading to a denial of service (DoS) attack by exhausting system resources
  during decoding. The number of allowed chained encodings is now limited to 5.
  (`GHSA-gm62-xv2j-4w53 <https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53>`__)

.. caution::
   - If urllib3 is not installed with the optional `urllib3[brotli]` extra, but
     your environment contains a Brotli/brotlicffi/brotlipy package anyway, make
     sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to
     benefit from the security fixes and avoid warnings. Prefer using
     `urllib3[brotli]` to install a compatible Brotli package automatically.

   - If you use custom decompressors, please make sure to update them to
     respect the changed API of ``urllib3.response.ContentDecoder``.


Features
--------

- Enabled retrieval, deletion, and membership testing in ``HTTPHeaderDict`` using bytes keys. (`3653 <https://github.com/urllib3/urllib3/issues/3653>`__)
- Added host and port information to string representations of ``HTTPConnection``. (`3666 <https://github.com/urllib3/urllib3/issues/3666>`__)
- Added support for Python 3.14 free-threading builds explicitly. (`3696 <https://github.com/urllib3/urllib3/issues/3696>`__)


Removals
--------

- Removed the ``HTTPResponse.getheaders()`` method in favor of ``HTTPResponse.headers``.
  Removed the ``HTTPResponse.getheader(name, default)`` method in favor of ``HTTPResponse.headers.get(name, default)``. (`3622 <https://github.com/urllib3/urllib3/issues/3622>`__)


Bugfixes
--------

- Fixed redirect handling in ``urllib3.PoolManager`` when an integer is passed
  for the retries parameter. (`3649 <https://github.com/urllib3/urllib3/issues/3649>`__)
- Fixed ``HTTPConnectionPool`` when used in Emscripten with no explicit port. (`3664 <https://github.com/urllib3/urllib3/issues/3664>`__)
- Fixed handling of ``SSLKEYLOGFILE`` with expandable variables. (`3700 <https://github.com/urllib3/urllib3/issues/3700>`__)


Misc
----

- Changed the ``zstd`` extra to install ``backports.zstd`` instead of ``zstandard`` on Python 3.13 and before. (`3693 <https://github.com/urllib3/urllib3/issues/3693>`__)
- Improved the performance of content decoding by optimizing ``BytesQueueBuffer`` class. (`3710 <https://github.com/urllib3/urllib3/issues/3710>`__)
- Allowed building the urllib3 package with newer setuptools-scm v9.x. (`3652 <https://github.com/urllib3/urllib3/issues/3652>`__)
- Ensured successful urllib3 builds by setting Hatchling requirement to >= 1.27.0. (`3638 <https://github.com/urllib3/urllib3/issues/3638>`__)

2.5.0
==================

Features
--------

- Added support for the ``compression.zstd`` module that is new in Python 3.14.
  See `PEP 784 <https://peps.python.org/pep-0784/>`_ for more information. (`#3610 <https://github.com/urllib3/urllib3/issues/3610>`__)
- Added support for version 0.5 of ``hatch-vcs`` (`3612 <https://github.com/urllib3/urllib3/issues/3612>`__)


Bugfixes
--------

- Fixed a security issue where restricting the maximum number of followed
  redirects at the ``urllib3.PoolManager`` level via the ``retries`` parameter
  did not work.
- Made the Node.js runtime respect redirect parameters such as ``retries``
  and ``redirects``.
- Raised exception for ``HTTPResponse.shutdown`` on a connection already released to the pool. (`3581 <https://github.com/urllib3/urllib3/issues/3581>`__)
- Fixed incorrect `CONNECT` statement when using an IPv6 proxy with `connection_from_host`. Previously would not be wrapped in `[]`. (`3615 <https://github.com/urllib3/urllib3/issues/3615>`__)

2.4.0
==================

Features
--------

- Applied PEP 639 by specifying the license fields in pyproject.toml. (`3522 <https://github.com/urllib3/urllib3/issues/3522>`__)
- Updated exceptions to save and restore more properties during the pickle/serialization process. (`3567 <https://github.com/urllib3/urllib3/issues/3567>`__)
- Added ``verify_flags`` option to ``create_urllib3_context`` with a default of ``VERIFY_X509_PARTIAL_CHAIN`` and ``VERIFY_X509_STRICT`` for Python 3.13+. (`3571 <https://github.com/urllib3/urllib3/issues/3571>`__)


Bugfixes
--------

- Fixed a bug with partial reads of streaming data in Emscripten. (`3555 <https://github.com/urllib3/urllib3/issues/3555>`__)


Misc
----

- Switched to uv for installing development dependencies. (`3550 <https://github.com/urllib3/urllib3/issues/3550>`__)
- Removed the ``multiple.intoto.jsonl`` asset from GitHub releases. Attestation of release files since v2.3.0 can be found on PyPI. (`3566 <https://github.com/urllib3/urllib3/issues/3566>`__)

2.3.0
==================

Features
--------

- Added ``HTTPResponse.shutdown()`` to stop any ongoing or future reads for a specific response. It calls ``shutdown(SHUT_RD)`` on the underlying socket. This feature was `sponsored by LaunchDarkly <https://opencollective.com/urllib3/contributions/815307>`__. (`#2868 <https://github.com/urllib3/urllib3/issues/2868>`__)
- Added support for JavaScript Promise Integration on Emscripten. This enables more efficient WebAssembly
  requests and streaming, and makes it possible to use in Node.js if you launch it as ``node --experimental-wasm-stack-switching``. (`3400 <https://github.com/urllib3/urllib3/issues/3400>`__)
- Added the ``proxy_is_tunneling`` property to ``HTTPConnection`` and ``HTTPSConnection``. (`3285 <https://github.com/urllib3/urllib3/issues/3285>`__)
- Added pickling support to ``NewConnectionError`` and ``NameResolutionError``. (`3480 <https://github.com/urllib3/urllib3/issues/3480>`__)


Bugfixes
--------

- Fixed an issue in debug logs where the HTTP version was rendering as "HTTP/11" instead of "HTTP/1.1". (`3489 <https://github.com/urllib3/urllib3/issues/3489>`__)


Deprecations and Removals
-------------------------

- Removed support for Python 3.8. (`3492 <https://github.com/urllib3/urllib3/issues/3492>`__)

2.2.3
==================

Features
--------

- Added support for Python 3.13. (`3473 <https://github.com/urllib3/urllib3/issues/3473>`__)

Bugfixes
--------

- Fixed the default encoding of chunked request bodies to be UTF-8 instead of ISO-8859-1.
  All other methods of supplying a request body already use UTF-8 starting in urllib3 v2.0. (`3053 <https://github.com/urllib3/urllib3/issues/3053>`__)
- Fixed ResourceWarning on CONNECT with Python < 3.11.4 by backporting https://github.com/python/cpython/issues/103472. (`#3252 <https://github.com/urllib3/urllib3/issues/3252>`__)
- Adjust tolerance for floating-point comparison on Windows to avoid flakiness in CI (`3413 <https://github.com/urllib3/urllib3/issues/3413>`__)
- Fixed a crash where certain standard library hash functions were absent in restricted environments. (`3432 <https://github.com/urllib3/urllib3/issues/3432>`__)
- Fixed mypy error when adding to ``HTTPConnection.default_socket_options``. (`3448 <https://github.com/urllib3/urllib3/issues/3448>`__)

HTTP/2 (experimental)
---------------------

HTTP/2 support is still in early development.

- Excluded Transfer-Encoding: chunked from HTTP/2 request body (`3425 <https://github.com/urllib3/urllib3/issues/3425>`__)
- Added version checking for ``h2`` (https://pypi.org/project/h2/) usage.
  Now only accepting supported h2 major version 4.x.x. (`3290 <https://github.com/urllib3/urllib3/issues/3290>`__)
- Added a probing mechanism for determining whether a given target origin
  supports HTTP/2 via ALPN. (`3301 <https://github.com/urllib3/urllib3/issues/3301>`__)
- Add support for sending a request body with HTTP/2 (`3302 <https://github.com/urllib3/urllib3/issues/3302>`__)


Deprecations and Removals
-------------------------

- Note for downstream distributors: the ``_version.py`` file has been removed and is now created at build time by hatch-vcs. (`3412 <https://github.com/urllib3/urllib3/issues/3412>`__)
- Drop support for end-of-life PyPy3.8 and PyPy3.9. (`3475 <https://github.com/urllib3/urllib3/issues/3475>`__)

@pyup-bot pyup-bot mentioned this pull request Jan 7, 2026
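
The 2.6.0 security entries in the changelog above describe two limits: bounded output when compressed data is read in small chunks, and at most 5 chained ``Content-Encoding`` values. The following is an added example, not urllib3's code and not part of the original PR; it shows the same two defenses using only the standard-library ``zlib`` module. The names ``bounded_gunzip``, ``parse_content_encoding`` and ``DecodeLimitError`` and the 1 MiB total cap are assumptions made for illustration.

```python
import gzip
import zlib

MAX_ENCODINGS = 5  # chain limit stated in the 2.6.0 changelog entry


class DecodeLimitError(ValueError):
    """A response exceeded a decoding limit set by the caller (hypothetical name)."""


def parse_content_encoding(value, max_encodings=MAX_ENCODINGS):
    """Split a Content-Encoding header; refuse over-long encoding chains."""
    encodings = [e.strip().lower() for e in value.split(",") if e.strip()]
    if len(encodings) > max_encodings:
        raise DecodeLimitError(
            f"{len(encodings)} chained encodings, limit is {max_encodings}")
    return encodings


def bounded_gunzip(compressed, chunk_size=1024, max_total=1 << 20):
    """Yield gzip output in pieces of at most chunk_size bytes.

    max_length on decompress() caps the output of every call, so memory use
    tracks what the caller asked for, not the size of the expanded body.
    """
    decoder = zlib.decompressobj(wbits=zlib.MAX_WBITS | 16)  # gzip framing
    pending, produced = compressed, 0
    while not decoder.eof:
        out = decoder.decompress(pending, chunk_size)
        pending = decoder.unconsumed_tail  # compressed input not yet consumed
        if not out and not pending and not decoder.eof:
            raise ValueError("truncated gzip stream")
        produced += len(out)
        if produced > max_total:
            raise DecodeLimitError(f"output exceeds {max_total} bytes")
        if out:
            yield out


if __name__ == "__main__":
    # Constructed sample: 8 MiB of zero bytes, a few KiB once compressed.
    sample = gzip.compress(b"\0" * (8 << 20))
    first = next(bounded_gunzip(sample))
    print(len(sample), "compressed bytes; first read returned", len(first))
    try:
        sum(len(c) for c in bounded_gunzip(sample))
    except DecodeLimitError as exc:
        print("stopped:", exc)
```
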