Description
I upgraded my Python project's Pip requirements.txt file to depend on selenium==4.34.0, expecting that to depend on urllib3 version 2.5.0 instead of 2.4.0.
Environment: Ubuntu Linux 24.04, Python 3.12.3.
Reason I expected this: PR 15909 was merged as part of release 4.34.0, which was intended to update the urllib3 dependency to require 2.5.0 (ref: 367c8c1).
Reason for wanting the newer urllib3: version 2.4.0 of urllib3 is affected by CVE-2025-50182, and I wanted my vulnerability scanner to stop complaining. :-)
What actually happened: Installing via pip install selenium==4.34.0 still requires urllib3 version 2.4.0 and pip still thinks it (selenium 4.34.0) is incompatible with urllib3 version 2.5.0.
Potential fix: I suspect PR 15909 just forgot to update the py/BUILD.bazel file, so the fix may be as simple as:
diff -U3 a/py/BUILD.bazel b/py/BUILD.bazel
--- a/py/BUILD.bazel 2025-07-04 18:47:59.287487810 +1000
+++ b/py/BUILD.bazel 2025-07-04 18:48:40.040172731 +1000
@@ -308,10 +308,10 @@
python_requires = ">=3.9",
python_tag = "py3",
requires = [
- "urllib3[socks]~=2.4.0",
+ "urllib3[socks]~=2.5.0",
"trio~=0.30.0",
"trio-websocket~=0.12.2",
- "certifi>=2025.4.26",
+ "certifi>=2025.6.15",
"typing_extensions~=4.14.0",
"websocket-client~=1.8.0",
],
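Review bot: On the `+ "urllib3[socks]~=2.5.0"` line, the compatible-release operator `~=` limits the dependency to the 2.5.x series, which is the same kind of pin that made 2.4.0 exclude 2.5.0 in the first place; consider a range such as `>=2.5.0,<3` so the next urllib3 security release can be installed without waiting for another Selenium release. The certifi floor also moves from 2025.4.26 to 2025.6.15 in this hunk although the description only talks about urllib3, so the commit message should say why it is bumped.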
Reproducible Code
pip install selenium==4.34.0
# Should report "urllib3==2.5.0", but reports "urllib3==2.4.0".
pip freeze | grep urllib3
Debugging Logs
What version of Selenium are you currently using?
4.34.0
The following statements are true
Did this work for you before?
Not sure, this is my first time trying it
If yes, what version of Selenium did it work with?
No response
Operating System
Linux (specify in the description)
Selenium Language Binding
Python
Which browsers are you experiencing the issue with?
No response
Are you using Selenium Grid?
No
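Why pip reports the conflict described in this issue, as an added example (not code from the Selenium project or from the issue author): a standard-library check of whether a declared requirement admits the patched version. The helper names `admits` and `blocking` are hypothetical, and the specifier handling is an assumption-limited subset of PEP 440 (plain numeric releases only).

```python
import re
from importlib import metadata

# Requirement strings copied from the "-" and "+" lines of the diff on this page.
RELEASED = ["urllib3[socks]~=2.4.0", "trio~=0.30.0", "certifi>=2025.4.26"]
PROPOSED = ["urllib3[socks]~=2.5.0", "trio~=0.30.0", "certifi>=2025.6.15"]
_NAME = re.compile(r"\s*([A-Za-z0-9._-]+)\s*(\[[^\]]*\])?")
_CLAUSE = re.compile(r"(~=|==|!=|>=|<=|>|<)\s*(\d+(?:\.\d+)*)")

def _pad(a, b):
    """Zero-pad two release tuples to equal length so 2.5 compares equal to 2.5.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))

def admits(requirement, candidate):
    """True if `requirement` accepts `candidate`. Plain numeric releases only:
    no wildcards, pre-releases or epochs; environment markers are ignored."""
    head = requirement.split(";")[0]
    spec = head[_NAME.match(head).end():].strip().strip("()")
    cand = tuple(int(p) for p in candidate.split("."))
    for clause in (c.strip() for c in spec.split(",") if c.strip()):
        m = _CLAUSE.fullmatch(clause)
        if m is None:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        op, want = m.group(1), tuple(int(p) for p in m.group(2).split("."))
        c, w = _pad(cand, want)
        if op == "~=":
            # Compatible release: >= want, and identical on all but the last segment.
            ok = len(want) >= 2 and c >= w and cand[:len(want) - 1] == want[:-1]
        else:
            ok = {"==": c == w, "!=": c != w, ">=": c >= w,
                  "<=": c <= w, ">": c > w, "<": c < w}[op]
        if not ok:
            return False
    return True

def blocking(requires, name, fixed):
    """Return the entries of `requires` for package `name` that exclude `fixed`."""
    return [r for r in requires
            if _NAME.match(r).group(1).lower() == name.lower() and not admits(r, fixed)]

if __name__ == "__main__":
    try:  # Use the installed distribution's metadata when selenium is present.
        declared = metadata.requires("selenium") or []
    except metadata.PackageNotFoundError:
        declared = RELEASED
    print(blocking(declared, "urllib3", "2.5.0"))
```

Run after an install, an empty list means the declared metadata no longer excludes the patched urllib3; any entry printed is the pin that keeps the scanner finding alive.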