AboutBlogNewsletterLinks

urllib3 in 2022

Published 2023-01-04 by Seth Larson
Reading time: 4 minutes

Funding

In total urllib3 received $26,615 USD in financial support and distributed $18,622 USD to maintainers and community contributors. We're thankful for the financial support we receive from our sponsors. Without funding we wouldn't be able to compensate maintainers to continuously lead, upkeep, and secure urllib3. Without funding we couldn't reward contributions and larger projects like urllib3 v2.0 would either never be finished or take even longer than the year+ it's taken already to ship.

Let's dive into our sources of financial support in 2022 and how the money was spent:

Open Collective

We disbursed ~$6,500 USD from our Open Collective to maintainers and community contributors for their work on the project. We go into 2023 with $18,827 in our Open Collective balance. In the new year our team will continue using Open Collective funds for "issue bounties" to attract new contributors and reward existing ones for their hard work. We'll also hopefully have time available for some contributors to work on larger initiatives as has been done in 2022.

Direct payments and awards

We also had financial contributions that didn't go into our Open Collective. These are contributions that either dispersed directly from Tidelift to maintainers of the project or from financial awards that were given to individuals for maintaining urllib3.

2.0.0 alpha is now available!

The first pre-release of urllib3 v2.0.0 was made available in November 2022. Massive thank-you to the many contributors who helped achieve this milestone over multiple years. The final push in November required paid full-time work by maintainers Quentin Pradet and Seth Larson. Both of them documented their experiences. The release includes the following highlighted changes:

The team is hopeful to publish the stable release in early 2023 after ensuring all major dependent packages are able to integrate safely. You can read the v2.0 migration guide or changelog if you're interested more information.

Security posture improvements

Tidelift sponsored exploratory work into improving urllib3's security posture by evaluating OpenSSF projects like Scorecard, Best Practices, Sigstore, and Supply chain Levels for Software Artifacts (SLSA). The results of the work resulted in urllib3 being scored 9.6/10 on OpenSSF Scorecard which tracks a wide range of security health metrics. This is at the time of writing the highest score achieved by any Python package on PyPI.

Starting in v1.26.12, urllib3 is now published with provenance attestations thanks to SLSA. We use the generic GitHub SLSA generator with GitHub OIDC to generate a provenance attestation and achieve SLSA level 3. This attestation allows consumers to prove their wheels and sdists were built for a specific git tag, GitHub repository, and GitHub Action workflow.

The work of integrating Scorecard, SLSA, and Sigstore with urllib3 resulted in at least 11 developer experience issues filed and fixed in the listed projects to help future project maintainers adopt these tools.

2022 in numbers

Some more statistics for urllib3 in 2022:

If you'd like to discuss this article you can join our community Discord.

Thanks for reading! ♡ Did you find this article helpful and want more content like it? Get notified of new posts by subscribing to the RSS feed or the email newsletter.


This work is licensed under CC BY-SA 4.0