Programmers-Paradise · arnavk23 · Dec 7, 2025 · Dec 7, 2025 · Dec 7, 2025 · Dec 7, 2025
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -17,7 +17,7 @@ jobs:
 
     strategy:
       matrix:
-        python-version: ['3.9', '3.10', '3.11', '3.12']
+        python-version: ['3.10', '3.11', '3.12']
 
     steps:
     - name: Checkout repository

diff --git a/.github/workflows/link-and-size-check.yml b/.github/workflows/link-and-size-check.yml
@@ -39,7 +39,7 @@ jobs:
       - name: Check all Markdown links (internal & external)
         uses: lycheeverse/lychee-action@v2.0.2
         with:
-          args: --verbose --no-progress --exclude-mail --require-https --timeout 15 --max-concurrency 10 '**/*.md' 'site/**/*.html'
+          args: --verbose --no-progress --exclude-mail --timeout 15 --max-concurrency 10 --max-retries 3 --exclude 'https://github.com/.*/edit/.*' --exclude 'https://github.com/.*/raw/.*' --exclude 'https://fonts.gstatic.com' --exclude 'http://localhost:.*' --exclude '^file://.*' --exclude 'https://www.youtube.com/watch\?v=example.*' --exclude 'https://plausible.io/docs/experiments' '**/*.md' 'site/**/*.html'
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 

diff --git a/docs/changelog.md b/docs/changelog.md
@@ -0,0 +1,23 @@
+# Changelog
+
+All notable changes to the Annie documentation website will be documented in this file.
+
+## [Unreleased]
+
+### Changed
+
+- Updated urllib3 from 2.5.0 to 2.6.0 to address security vulnerabilities (CVE-2025-66471, CVE-2025-66418)
+- Added brotli>=1.2.0 dependency for enhanced security in HTTP content decompression
+- Ensures compatibility with urllib3 2.6.0's improved handling of decompression bombs and chained encodings
+- Dropped Python 3.9 support from CI testing (Python 3.9 reached end of life in October 2025, and newer dependencies require Python 3.10+)
+
+### Security
+
+- Fixed potential decompression bomb vulnerabilities through urllib3 2.6.0 update
+- Fixed potential DoS attack via unlimited chained encodings through urllib3 2.6.0 update
+- Added brotli 1.2.0+ for security fixes in brotli decompression
+
+### Notes
+
+- No code changes were required as the codebase does not use the deprecated urllib3 APIs (HTTPResponse.getheaders(), HTTPResponse.getheader())
+- The repository only uses urllib3 indirectly through the requests library
diff --git a/mkdocs.yml b/mkdocs.yml
@@ -78,6 +78,7 @@ nav:
       - Filtered Search: filtering.md
   - Examples: examples.md
   - Contributing: contributing.md
+  - Changelog: changelog.md
 
 markdown_extensions:
   - toc:

diff --git a/requirements.in b/requirements.in
@@ -1,3 +1,4 @@
 mkdocs>=1.5.0
 mkdocs-material>=9.0.0
 PyYAML>=6.0
+brotli>=1.2.0  # Security fix for urllib3 2.6.0
diff --git a/requirements.txt b/requirements.txt
@@ -1,13 +1,15 @@
 #
-# This file is autogenerated by pip-compile with Python 3.11
+# This file is autogenerated by pip-compile with Python 3.12
 # by the following command:
 #
-#    pip-compile requirements.in
+#    pip-compile --output-file=requirements.txt.new requirements.in
 #
 babel==2.17.0
     # via mkdocs-material
 backrefs==6.1
     # via mkdocs-material
+brotli==1.2.0
+    # via -r requirements.in
 certifi==2025.11.12
     # via requests
 charset-normalizer==3.4.4
@@ -53,7 +55,7 @@ paginate==0.5.7
     # via mkdocs-material
 pathspec==0.12.1
     # via mkdocs
-platformdirs==4.5.0
+platformdirs==4.5.1
     # via mkdocs-get-deps
 pygments==2.19.2
     # via mkdocs-material
@@ -74,7 +76,7 @@ requests==2.32.5
     # via mkdocs-material
 six==1.17.0
     # via python-dateutil
-urllib3==2.5.0
+urllib3==2.6.0
     # via requests
 watchdog==6.0.0
     # via mkdocs