Fix Scorecard issues related to vulnerable dev dependencies (#3755)

illia-v · web-flow · commit 70cecb27ca99 · 2026-01-07T17:41:24.000+02:00
* Upgrade filelock with `uv sync --upgrade-package filelock`

* Upgrade h2 with `uv sync --upgrade-package h2`

* Upgrade werkzeug with `uv sync --upgrade-package werkzeug`

* Add other changes uv wants to make to the lock file

* Fix mypy errors after upgrading h2

* Make Scorecard ignore dev dependencies
diff --git a/osv-scanner.toml b/osv-scanner.toml
@@ -0,0 +1,4 @@
+# https://google.github.io/osv-scanner/configuration/#override-packages
+[[PackageOverrides]]
+vulnerability.ignore = true
+reason = "Vulnerabilities in dev dependencies should not affect our OpenSSF score."
diff --git a/src/urllib3/http2/connection.py b/src/urllib3/http2/connection.py
@@ -6,9 +6,9 @@
 import types
 import typing
 
-import h2.config  # type: ignore[import-untyped]
-import h2.connection  # type: ignore[import-untyped]
-import h2.events  # type: ignore[import-untyped]
+import h2.config
+import h2.connection
+import h2.events
 
 from .._base_connection import _TYPE_BODY
 from .._collections import HTTPHeaderDict
diff --git a/test/test_http2_connection.py b/test/test_http2_connection.py
@@ -121,9 +121,9 @@ def test_send_bytes(self) -> None:
         conn.sock = mock.MagicMock(
             sendall=mock.Mock(return_value=None),
         )
-        conn._h2_conn._obj.data_to_send = mock.Mock(return_value=b"bar")
-        conn._h2_conn._obj.send_data = mock.Mock(return_value=None)
-        conn._h2_conn._obj.get_next_available_stream_id = mock.Mock(return_value=1)
+        conn._h2_conn._obj.data_to_send = mock.Mock(return_value=b"bar")  # type: ignore[method-assign]
+        conn._h2_conn._obj.send_data = mock.Mock(return_value=None)  # type: ignore[method-assign]
+        conn._h2_conn._obj.get_next_available_stream_id = mock.Mock(return_value=1)  # type: ignore[method-assign]
 
         conn.putrequest("GET", "/")
         conn.endheaders()
@@ -138,9 +138,9 @@ def test_send_str(self) -> None:
         conn.sock = mock.MagicMock(
             sendall=mock.Mock(return_value=None),
         )
-        conn._h2_conn._obj.data_to_send = mock.Mock(return_value=b"bar")
-        conn._h2_conn._obj.send_data = mock.Mock(return_value=None)
-        conn._h2_conn._obj.get_next_available_stream_id = mock.Mock(return_value=1)
+        conn._h2_conn._obj.data_to_send = mock.Mock(return_value=b"bar")  # type: ignore[method-assign]
+        conn._h2_conn._obj.send_data = mock.Mock(return_value=None)  # type: ignore[method-assign]
+        conn._h2_conn._obj.get_next_available_stream_id = mock.Mock(return_value=1)  # type: ignore[method-assign]
 
         conn.putrequest("GET", "/")
         conn.endheaders(message_body=b"foo")
@@ -155,10 +155,10 @@ def test_send_iter(self) -> None:
         conn.sock = mock.MagicMock(
             sendall=mock.Mock(return_value=None),
         )
-        conn._h2_conn._obj.data_to_send = mock.Mock(return_value=b"baz")
-        conn._h2_conn._obj.send_data = mock.Mock(return_value=None)
-        conn._h2_conn._obj.get_next_available_stream_id = mock.Mock(return_value=1)
-        conn._h2_conn._obj.end_stream = mock.Mock(return_value=None)
+        conn._h2_conn._obj.data_to_send = mock.Mock(return_value=b"baz")  # type: ignore[method-assign]
+        conn._h2_conn._obj.send_data = mock.Mock(return_value=None)  # type: ignore[method-assign]
+        conn._h2_conn._obj.get_next_available_stream_id = mock.Mock(return_value=1)  # type: ignore[method-assign]
+        conn._h2_conn._obj.end_stream = mock.Mock(return_value=None)  # type: ignore[method-assign]
 
         conn.putrequest("GET", "/")
         conn.endheaders(message_body=[b"foo", b"bar"])
@@ -191,10 +191,10 @@ def test_send_file_str(self) -> None:
             conn.sock = mock.MagicMock(
                 sendall=mock.Mock(return_value=None),
             )
-            conn._h2_conn._obj.data_to_send = mock.Mock(return_value=b"foo")
-            conn._h2_conn._obj.send_data = mock.Mock(return_value=None)
-            conn._h2_conn._obj.get_next_available_stream_id = mock.Mock(return_value=1)
-            conn._h2_conn._obj.end_stream = mock.Mock(return_value=None)
+            conn._h2_conn._obj.data_to_send = mock.Mock(return_value=b"foo")  # type: ignore[method-assign]
+            conn._h2_conn._obj.send_data = mock.Mock(return_value=None)  # type: ignore[method-assign]
+            conn._h2_conn._obj.get_next_available_stream_id = mock.Mock(return_value=1)  # type: ignore[method-assign]
+            conn._h2_conn._obj.end_stream = mock.Mock(return_value=None)  # type: ignore[method-assign]
 
             with open("foo") as body:
                 conn.putrequest("GET", "/")
@@ -215,10 +215,10 @@ def test_send_file_bytes(self) -> None:
             conn.sock = mock.MagicMock(
                 sendall=mock.Mock(return_value=None),
             )
-            conn._h2_conn._obj.data_to_send = mock.Mock(return_value=b"foo")
-            conn._h2_conn._obj.send_data = mock.Mock(return_value=None)
-            conn._h2_conn._obj.get_next_available_stream_id = mock.Mock(return_value=1)
-            conn._h2_conn._obj.end_stream = mock.Mock(return_value=None)
+            conn._h2_conn._obj.data_to_send = mock.Mock(return_value=b"foo")  # type: ignore[method-assign]
+            conn._h2_conn._obj.send_data = mock.Mock(return_value=None)  # type: ignore[method-assign]
+            conn._h2_conn._obj.get_next_available_stream_id = mock.Mock(return_value=1)  # type: ignore[method-assign]
+            conn._h2_conn._obj.end_stream = mock.Mock(return_value=None)  # type: ignore[method-assign]
 
             body = open("foo", "rb")
             conn.putrequest("GET", "/")
@@ -244,11 +244,11 @@ def test_request_GET(self) -> None:
             sendall=mock.Mock(return_value=None),
         )
         sendall = conn.sock.sendall
-        data_to_send = conn._h2_conn._obj.data_to_send = mock.Mock(return_value=b"foo")
-        send_headers = conn._h2_conn._obj.send_headers = mock.Mock(return_value=None)
-        conn._h2_conn._obj.send_data = mock.Mock(return_value=None)
-        conn._h2_conn._obj.get_next_available_stream_id = mock.Mock(return_value=1)
-        close_connection = conn._h2_conn._obj.close_connection = mock.Mock(
+        data_to_send = conn._h2_conn._obj.data_to_send = mock.Mock(return_value=b"foo")  # type: ignore[method-assign]
+        send_headers = conn._h2_conn._obj.send_headers = mock.Mock(return_value=None)  # type: ignore[method-assign]
+        conn._h2_conn._obj.send_data = mock.Mock(return_value=None)  # type: ignore[method-assign]
+        conn._h2_conn._obj.get_next_available_stream_id = mock.Mock(return_value=1)  # type: ignore[method-assign]
+        close_connection = conn._h2_conn._obj.close_connection = mock.Mock(  # type: ignore[method-assign]
             return_value=None
         )
 
@@ -277,11 +277,11 @@ def test_request_POST(self) -> None:
             sendall=mock.Mock(return_value=None),
         )
         sendall = conn.sock.sendall
-        data_to_send = conn._h2_conn._obj.data_to_send = mock.Mock(return_value=b"foo")
-        send_headers = conn._h2_conn._obj.send_headers = mock.Mock(return_value=None)
-        send_data = conn._h2_conn._obj.send_data = mock.Mock(return_value=None)
-        conn._h2_conn._obj.get_next_available_stream_id = mock.Mock(return_value=1)
-        close_connection = conn._h2_conn._obj.close_connection = mock.Mock(
+        data_to_send = conn._h2_conn._obj.data_to_send = mock.Mock(return_value=b"foo")  # type: ignore[method-assign]
+        send_headers = conn._h2_conn._obj.send_headers = mock.Mock(return_value=None)  # type: ignore[method-assign]
+        send_data = conn._h2_conn._obj.send_data = mock.Mock(return_value=None)  # type: ignore[method-assign]
+        conn._h2_conn._obj.get_next_available_stream_id = mock.Mock(return_value=1)  # type: ignore[method-assign]
+        close_connection = conn._h2_conn._obj.close_connection = mock.Mock(  # type: ignore[method-assign]
             return_value=None
         )
 
@@ -310,8 +310,8 @@ def test_close(self) -> None:
             sendall=mock.Mock(side_effect=Exception("foo")),
         )
         sendall = conn.sock.sendall
-        data_to_send = conn._h2_conn._obj.data_to_send = mock.Mock(return_value=b"foo")
-        close_connection = conn._h2_conn._obj.close_connection = mock.Mock(
+        data_to_send = conn._h2_conn._obj.data_to_send = mock.Mock(return_value=b"foo")  # type: ignore[method-assign]
+        close_connection = conn._h2_conn._obj.close_connection = mock.Mock(  # type: ignore[method-assign]
             return_value=None
         )
 
@@ -332,11 +332,11 @@ def test_request_ignore_chunked(self) -> None:
             sendall=mock.Mock(return_value=None),
         )
         sendall = conn.sock.sendall
-        data_to_send = conn._h2_conn._obj.data_to_send = mock.Mock(return_value=b"foo")
-        send_headers = conn._h2_conn._obj.send_headers = mock.Mock(return_value=None)
-        conn._h2_conn._obj.send_data = mock.Mock(return_value=None)
-        conn._h2_conn._obj.get_next_available_stream_id = mock.Mock(return_value=1)
-        close_connection = conn._h2_conn._obj.close_connection = mock.Mock(
+        data_to_send = conn._h2_conn._obj.data_to_send = mock.Mock(return_value=b"foo")  # type: ignore[method-assign]
+        send_headers = conn._h2_conn._obj.send_headers = mock.Mock(return_value=None)  # type: ignore[method-assign]
+        conn._h2_conn._obj.send_data = mock.Mock(return_value=None)  # type: ignore[method-assign]
+        conn._h2_conn._obj.get_next_available_stream_id = mock.Mock(return_value=1)  # type: ignore[method-assign]
+        close_connection = conn._h2_conn._obj.close_connection = mock.Mock(  # type: ignore[method-assign]
             return_value=None
         )
 
diff --git a/uv.lock b/uv.lock
