urllib3 version restrictions force use of vulnerable version

[tomwatson1024]

Conan 1.39.0 requires urllib3 >=1.25.8,<1.26. However versions of urllib3 before 1.26.5 are vulnerable to CVE-2021-33503.

Regardless of whether conan itself is affected by this issue the presence of urllib3 at this version is likely to cause problems in security scanning.

[memsharded]

Hi @tomwatson1024

Thanks for reporting this. We have been trying to upgrade this dependency, but unfortunately the ecosystem of many of our users is a bit delayed (very old distros, etc), so it had been a challenge to do it without breaking. As the URLs is Conan are quite controlled (Artifactory servers, recipes defined urls), doesn't seem a very problematic vuln.

But certainly, we should probably keep pushing for this, lets try to do it next 1.40.

[tapia]

Fixed on 1.40 (PR: #9405 )