[Snyk] Security upgrade urllib3 from 2.0.7 to 2.5.0

[glenn-jocher]

Snyk has created this PR to fix 2 vulnerabilities in the pip dependencies of this project.

Snyk changed the following file(s):

• requirements.txt

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.
• Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Open Redirect

🛠️ PR Summary

_{Made with ❤️ by Ultralytics Actions}

🌟 Summary

Adds a conditional pin for urllib3 to mitigate a known security vulnerability on modern Python versions. 🔒

📊 Key Changes

• requirements.txt: Added urllib3>=2.5.0 ; python_version > "3.8" with a note that it’s pinned by Snyk to avoid a vulnerability.

🎯 Purpose & Impact

• Security: Ensures a safe urllib3 version on Python 3.9+ based on Snyk findings, reducing exposure to known issues. 🛡️
• Stability: Improves dependency resolution in secure environments and CI pipelines.
• Compatibility: No change for Python 3.8 and below; minimal runtime impact for users on newer Python versions.
• Potential Trade-off: On Python 3.9+, environments that require older urllib3 may see version conflicts; users can adjust via their own constraints if needed.

[UltralyticsAssistant]

👋 Hello @glenn-jocher, thank you for submitting an ultralytics/yolov5 🚀 PR! This is an automated response to help streamline the review process. An Ultralytics engineer will review your contribution and assist you soon.

To ensure a smooth integration, please review the following checklist:

• ✅ Define a Purpose: Make sure the purpose of this update is clearly explained in your PR description, and reference any relevant issues if applicable. Clear, concise commit messages are appreciated!
• ✅ Synchronize with Source: Confirm your PR is up to date with the ultralytics/yolov5 main branch. Use the 'Update branch' button or run git pull and git merge main locally if needed.
• ✅ Ensure CI Checks Pass: Verify all Ultralytics Continuous Integration (CI) checks have passed. Please address any failures before requesting review.
• ✅ Update Documentation: If this update affects user-facing features or dependencies, consider updating the documentation as needed.
• ✅ Add Tests: If relevant, include or update tests to cover this change, and ensure all tests pass.
• ✅ Sign the CLA: If this is your first Ultralytics PR, please sign our Contributor License Agreement (CLA) by commenting "I have read the CLA Document and I sign the CLA" below.
• ✅ Minimize Changes: Limit your changes to the minimum required for this update. "It is not daily increase but daily decrease, hack away the unessential. The closer to the source, the less wastage there is." — Bruce Lee

For full details, see our Contributing Guide. If you have any questions or need further assistance, feel free to leave a comment below. Thank you for helping keep Ultralytics projects secure and up to date! 🔒✨

[UltralyticsAssistant]

Fantastic merge! Huge thanks to @glenn-jocher for leading this and to @snyk-bot and @Borda for the security-first collaboration. As Benjamin Franklin said, “An ounce of prevention is worth a pound of cure.” This conditional urllib3 pin is exactly that—proactive protection that strengthens our pipelines and keeps users on Python 3.9+ safe without disrupting 3.8 and below.

• PR: PR #13622: Conditional urllib3 pin for secure environments
• Automation: Ultralytics Actions

Appreciate the thoughtful balance of security, stability, and compatibility. This makes the YOLOv5 ecosystem more resilient for everyone—including Ultralytics HUB workflows. Thank you!

[milovan68]

This change breaks compatibility with Python 3.8.
When trying to load a model using:

torch.hub.load('ultralytics/yolov5:master', 'custom', path=path)

it throws the following error:

pip._vendor.packaging._tokenizer.ParserSyntaxError: Expected a marker variable or quoted string
    python_version > 3.8

[pderrenger]

Thanks for the report—Python 3.8 support shouldn’t be broken here; this is a packaging marker parsing issue. To unblock, either load a tagged release instead of master, e.g. torch.hub.load('ultralytics/yolov5:v7.0', 'custom', path=path), or upgrade pip/setuptools/packaging (python -m pip install -U pip setuptools packaging) and pull the latest master; we’ll adjust the marker so Hub parsing is 3.8-safe. See the Ultralytics Docs for details: https://docs.ultralytics.com

[Borda]

My take is that this breaks installing on py3.8 as it is bumping the min version compare to the

yolov5/pyproject.toml

Line 31 in f5ebc52

requires-python = ">=3.8"

[milovan68]

This doesn't affect the model's work, but there are errors in the logs during model loading. You can verify this here in test detection: https://github.com/ultralytics/yolov5/actions/runs/18373195251/job/52341069271
In my environment in logs

pip._vendor.packaging._tokenizer.ParserSyntaxError: Expected a marker variable or quoted string
    python_version > 3.8

[pderrenger]

Thanks for the repro link—confirmed; we’ll swap the requirement to a 3.8-safe marker (urllib3>=2.5.0; python_version >= '3.9') and add a CI check to prevent this; once the patch lands on master, please update and confirm the logs are clean.