urllib3 in 2022

Published 2023-01-04 by Seth Michael Larson

Funding

In total urllib3 received $26,615 USD in financial support and distributed $18,622 USD to maintainers and community contributors. We're thankful for the financial support we receive from our sponsors. Without funding we wouldn't be able to compensate maintainers to continuously lead, upkeep, and secure urllib3. Without funding we couldn't reward contributions and larger projects like urllib3 v2.0 would either never be finished or take even longer than the year+ it's taken already to ship.

Let's dive into our sources of financial support in 2022 and how the money was spent:

Open Collective

We disbursed ~$6,500 USD from our Open Collective to maintainers and community contributors for their work on the project. We go into 2023 with $18,827 in our Open Collective balance. In the new year our team will continue using Open Collective funds for "issue bounties" to attract new contributors and reward existing ones for their hard work. We'll also hopefully have time available for some contributors to work on larger initiatives, as was done in 2022.

Direct payments and awards

We also had financial contributions that didn't go into our Open Collective. These were either disbursed directly from Tidelift to maintainers of the project or came from financial awards given to individuals for maintaining urllib3.

  • $6,152 from Tidelift, split between Seth Larson and Quentin Pradet
  • $5,000 from Tidelift to Seth Larson
  • $550 from GitHub Maintainer Month to Seth Larson via GitHub Sponsors
  • $420 from Indeed to Seth Larson via GitHub Sponsors

2.0.0 alpha is now available!

The first pre-release of urllib3 v2.0.0 was made available in November 2022. Massive thank-you to the many contributors who helped achieve this milestone over multiple years. The final push in November required paid full-time work by maintainers Quentin Pradet and Seth Larson. Both of them documented their experiences. The release includes the following highlighted changes:

  • Added a complete set of type hints (Thanks to Hasan Ramenzani)
  • Added a json parameter to the .request() methods and a .json() method to HTTPResponse, for easier handling of JSON request bodies and JSON responses (Thanks to Sai Vinay)
  • Added a top-level urllib3.request() method for sending HTTP requests without configuring a PoolManager (Thanks to Franek Magiera)
  • Added the ability to add multiple values for the same header name to HTTPHeaderDict and have them sent as separate header lines rather than merged into one (Thanks to Raphael Gaschignard)
  • Added support for zstandard compression (Thanks to Mauro Amico and Gregory Szorc)
  • Removed support for verifying certificates with commonName by default, now only subjectAltName is used.
  • Changed the default minimum TLS version to 1.2 (was TLS 1.0)
  • Changed multipart/form-data header formatting to match WHATWG standard (Thanks to David Lord)
  • Removed support for Python 3.6 and earlier. Codebase has been optimized for Python 3.7+
  • Removed the urllib3.contrib.ntlmpool module
  • Deprecated the urllib3.contrib.pyopenssl and urllib3.contrib.securetransport modules
  • Removed support for non-OpenSSL TLS libraries (e.g. LibreSSL, wolfSSL)
  • Removed support for OpenSSL versions before 1.1.1
  • Removed support for unmaintained Python implementations (Google App Engine, Jython)

The team is hopeful to publish the stable release in early 2023 after ensuring all major dependent packages are able to integrate safely. You can read the v2.0 migration guide or changelog if you're interested in more information.

Security posture improvements

Tidelift sponsored exploratory work into improving urllib3's security posture by evaluating OpenSSF projects like Scorecard, Best Practices, Sigstore, and Supply chain Levels for Software Artifacts (SLSA). This work resulted in urllib3 scoring 9.6/10 on OpenSSF Scorecard, which tracks a wide range of security health metrics. At the time of writing this is the highest score achieved by any Python package on PyPI.

Starting with v1.26.12, urllib3 is published with SLSA provenance attestations. We use the generic GitHub SLSA generator with GitHub OIDC to produce the provenance attestation and achieve SLSA level 3. The attestation lets consumers verify that the wheels and sdists they download were built from a specific git tag, in a specific GitHub repository, by a specific GitHub Actions workflow.
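As an added illustration (not urllib3's own code, and not what slsa-verifier does internally), the Python below checks the claims inside a provenance attestation against a downloaded artifact: the subject digest must match the file, the builder must be the generic SLSA generator, and the source must be the expected repository and tag. The envelope is constructed for the example in the shape of the generic generator's multiple.intoto.jsonl output (SLSA provenance v0.2 fields); the digests, commit SHA, workflow file name and signature are placeholders, and the builder ID prefix is an assumption based on the generator's workflow path. It deliberately does not verify the DSSE signature: that step requires checking the Sigstore certificate and the Rekor log entry, and without it these field checks prove nothing, since anyone can write a JSON document with the right fields.

```python
import base64
import hashlib
import json
from typing import List

# Builder ID the slsa-github-generator generic workflow writes into the
# provenance (assumed here; it is the workflow path plus a version ref).
GENERIC_BUILDER_PREFIX = (
    "https://github.com/slsa-framework/slsa-github-generator/"
    ".github/workflows/generator_generic_slsa3.yml@"
)

# Constructed stand-in for a downloaded wheel; any bytes work for the demo.
SAMPLE_WHEEL = b"PK\x03\x04 constructed stand-in for a urllib3 wheel"
SAMPLE_NAME = "urllib3-1.26.12-py2.py3-none-any.whl"


def make_sample_envelope(artifact: bytes, name: str, repo: str, tag: str) -> dict:
    """Build a constructed DSSE envelope shaped like multiple.intoto.jsonl.

    The statement/predicate fields follow SLSA provenance v0.2; the commit SHA,
    workflow name and signature are placeholders, not real values.
    """
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": "https://slsa.dev/provenance/v0.2",
        "subject": [
            {"name": name, "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}
        ],
        "predicate": {
            "builder": {"id": GENERIC_BUILDER_PREFIX + "refs/tags/v1.2.0"},
            "buildType": "https://github.com/slsa-framework/slsa-github-generator/generic@v1",
            "invocation": {
                "configSource": {
                    "uri": f"git+https://github.com/{repo}@refs/tags/{tag}",
                    "digest": {"sha1": "0" * 40},  # placeholder commit SHA
                    "entryPoint": ".github/workflows/publish.yml",  # assumed name
                }
            },
        },
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return {
        "payloadType": "application/vnd.in-toto+json",
        "payload": payload,
        # A real envelope carries a Sigstore signature here; this one does not.
        "signatures": [{"keyid": "", "sig": "constructed-placeholder"}],
    }


def check_provenance(envelope: dict, artifact: bytes, *, repo: str, tag: str) -> List[str]:
    """Compare the provenance's claims with what we expect about the artifact.

    Returns the list of failed checks; an empty list means every claim matched.
    NOTE: the DSSE signature is not verified here, so a forged envelope passes.
    Verifying it against Sigstore is what makes these claims trustworthy.
    """
    problems = []
    if envelope.get("payloadType") != "application/vnd.in-toto+json":
        problems.append("unexpected payloadType")
    statement = json.loads(base64.b64decode(envelope["payload"]))
    if statement.get("predicateType") != "https://slsa.dev/provenance/v0.2":
        problems.append("unexpected predicateType")

    # 1. The artifact we hold must be one of the subjects the builder attested to.
    digest = hashlib.sha256(artifact).hexdigest()
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        problems.append("artifact sha256 not among provenance subjects")

    predicate = statement.get("predicate", {})
    # 2. The build must have been run by the trusted generic generator, not by
    #    an arbitrary workflow that merely emitted a similar-looking document.
    builder_id = predicate.get("builder", {}).get("id", "")
    if not builder_id.startswith(GENERIC_BUILDER_PREFIX):
        problems.append(f"unexpected builder id: {builder_id!r}")

    # 3. The source must be the repository and tag we intended to install.
    source = predicate.get("invocation", {}).get("configSource", {})
    expected_uri = f"git+https://github.com/{repo}@refs/tags/{tag}"
    if source.get("uri") != expected_uri:
        problems.append(f"configSource.uri {source.get('uri')!r} != {expected_uri!r}")
    return problems


if __name__ == "__main__":
    env = make_sample_envelope(SAMPLE_WHEEL, SAMPLE_NAME, "urllib3/urllib3", "1.26.12")
    print("genuine:", check_provenance(env, SAMPLE_WHEEL, repo="urllib3/urllib3", tag="1.26.12"))
    print("tampered:", check_provenance(env, SAMPLE_WHEEL + b"!", repo="urllib3/urllib3", tag="1.26.12"))
```

For a real download, use the slsa-verifier CLI instead of hand-rolled checks: its verify-artifact subcommand takes the wheel, the provenance file via --provenance-path, the expected repository via --source-uri (github.com/urllib3/urllib3) and the expected tag via --source-tag, and it verifies the Sigstore signature and Rekor inclusion before comparing the same builder, subject and source fields shown above.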

The work of integrating Scorecard, SLSA, and Sigstore with urllib3 resulted in at least 11 developer experience issues filed and fixed in the listed projects to help future project maintainers adopt these tools.

2022 in numbers

Some more statistics for urllib3 in 2022:

If you'd like to discuss this article you can join our community Discord.