Published 2023-01-04 by Seth Michael Larson
Reading time: 4 minutes
Subscribe for more content like this through the mailing list or RSS.
In total urllib3 received $26,615 USD in financial support and distributed $18,622 USD to maintainers and community contributors. We're thankful for the financial support we receive from our sponsors. Without funding we wouldn't be able to compensate maintainers to continuously lead, upkeep, and secure urllib3. Without funding we couldn't reward contributions and larger projects like urllib3 v2.0 would either never be finished or take even longer than the year+ it's taken already to ship.
Let's dive into our sources of financial support in 2022 and how the money was spent:
We disbursed ~$6,500 USD from our Open Collective to maintainers and community contributors for their work on the project. We go into 2023 with $18,827 in our Open Collective balance. In the new year our team will continue using Open Collective funds for "issue bounties" to attract new contributors and reward existing ones for their hard work. We'll also hopefully have time available for some contributors to work on larger initiatives as has been done in 2022.
We also had financial contributions that didn't go into our Open Collective. These are contributions that either dispersed directly from Tidelift to maintainers of the project or from financial awards that were given to individuals for maintaining urllib3.
The first pre-release of urllib3 v2.0.0 was made available in November 2022. Massive thank-you to the many contributors who helped achieve this milestone over multiple years. The final push in November required paid full-time work by maintainers Quentin Pradet and Seth Larson. Both of them documented their experiences. The release includes the following highlighted changes:
HTTPResponsefor easier processing of JSON data both for requests and responses (Thanks to Sai Vinay)
urllib3.request()method for sending HTTP requests without configuring a
PoolManager(Thanks to Franek Magiera)
HTTPHeaderDictand not have them be merged when sent (Thanks to Raphael Gaschignard)
commonNameby default, now only
multipart/form-dataheader formatting to match WHATWG standard (Thanks to David Lord)
The team is hopeful to publish the stable release in early 2023 after ensuring all major dependent packages are able to integrate safely. You can read the v2.0 migration guide or changelog if you're interested more information.
Tidelift sponsored exploratory work into improving urllib3's security posture by evaluating OpenSSF projects like Scorecard, Best Practices, Sigstore, and Supply chain Levels for Software Artifacts (SLSA). The results of the work resulted in urllib3 being scored 9.6/10 on OpenSSF Scorecard which tracks a wide range of security health metrics. This is at the time of writing the highest score achieved by any Python package on PyPI.
Starting in v1.26.12, urllib3 is now published with provenance attestations thanks to SLSA. We use the generic GitHub SLSA generator with GitHub OIDC to generate a provenance attestation and achieve SLSA level 3. This attestation allows consumers to prove their wheels and sdists were built for a specific git tag, GitHub repository, and GitHub Action workflow.
The work of integrating Scorecard, SLSA, and Sigstore with urllib3 resulted in at least 11 developer experience issues filed and fixed in the listed projects to help future project maintainers adopt these tools.
Some more statistics for urllib3 in 2022:
If you'd like to discuss this article you can join our community Discord.