The Fix
pip install urllib3==1.26.6
Based on closed urllib3/urllib3 issue #3010 · PR/commit linked
Production note: Most teams hit this during upgrades or environment changes. Roll out with a canary and smoke critical endpoints (health, OpenAPI/docs) before 100%.
@@ -9,3 +9,4 @@ trustme==0.7.0
python-dateutil==2.8.1
typing-extensions==3.7.4.3
+requests
diff --git a/src/urllib3/poolmanager.py b/src/urllib3/poolmanager.py
index fc4e791536..a885230930 100644
repro.py
Traceback (most recent call last):
...
File "/usr/local/lib/python3.8/site-packages/firebase_admin/auth.py", line 220, in verify_id_token
return client.verify_id_token(id_token, check_revoked=check_revoked)
File "/usr/local/lib/python3.8/site-packages/firebase_admin/_auth_client.py", line 127, in verify_id_token
verified_claims = self._token_verifier.verify_id_token(id_token)
File "/usr/local/lib/python3.8/site-packages/firebase_admin/_token_gen.py", line 293, in verify_id_token
return self.id_token_verifier.verify(id_token, self.request)
File "/usr/local/lib/python3.8/site-packages/firebase_admin/_token_gen.py", line 392, in verify
verified_claims = google.oauth2.id_token.verify_token(
File "/usr/local/lib/python3.8/site-packages/google/oauth2/id_token.py", line 133, in verify_token
certs = _fetch_certs(request, certs_url)
File "/usr/local/lib/python3.8/site-packages/google/oauth2/id_token.py", line 99, in _fetch_certs
response = request(certs_url, method="GET")
File "/usr/local/lib/python3.8/site-packages/firebase_admin/_token_gen.py", line 265, in __call__
return self._delegate(
File "/usr/local/lib/python3.8/site-packages/google/auth/transport/requests.py", line 193, in __call__
response = self.session.request(
File "/usr/local/lib/python3.8/site-packages/requests/sessions.py", line 587, in request
resp = self.send(prep, **send_kwargs)
File "/usr/local/lib/python3.8/site-packages/requests/sessions.py", line 745, in send
r.content
File "/usr/local/lib/python3.8/site-packages/requests/models.py", line 899, in content
self._content = b"".join(self.iter_content(CONTENT_CHUNK_SIZE)) or b""
File "/usr/local/lib/python3.8/site-packages/requests/models.py", line 816, in generate
yield from self.raw.stream(chunk_size, decode_content=True)
File "/usr/local/lib/python3.8/site-packages/urllib3/response.py", line 935, in stream
data = self.read(amt=amt, decode_content=decode_content)
File "/usr/local/lib/python3.8/site-packages/urllib3/response.py", line 874, in read
data = self._raw_read(amt)
File "/usr/local/lib/python3.8/site-packages/urllib3/response.py", line 809, in _raw_read
data = self._fp_read(amt) if not fp_closed else b""
File "/usr/local/lib/python3.8/site-packages/urllib3/response.py", line 794, in _fp_read
return self._fp.read(amt) if amt is not None else self._fp.read()
File "/usr/local/lib/python3.8/site-packages/cachecontrol/filewrapper.py", line 96, in read
self._close()
File "/usr/local/lib/python3.8/site-packages/cachecontrol/filewrapper.py", line 76, in _close
self.__callback(result)
File "/usr/local/lib/python3.8/site-packages/cachecontrol/controller.py", line 370, in cache_response
self._cache_set(
File "/usr/local/lib/python3.8/site-packages/cachecontrol/controller.py", line 274, in _cache_set
self.serializer.dumps(request, response, body),
File "/usr/local/lib/python3.8/site-packages/cachecontrol/serialize.py", line 54, in dumps
u"strict": response.strict,
AttributeError: 'HTTPResponse' object has no attribute 'strict'
verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
fix.md
Option A — Upgrade to fixed release\npip install urllib3==1.26.6\nWhen NOT to use: This fix should not be used if the application relies on the strict parameter being removed in future versions.\n\n
Why This Fix Works in Production
- Mechanism: Adds a warning for the deprecated 'strict' parameter in urllib3, addressing breaking changes for third-party libraries.
- Why the fix works: Adds a warning for the deprecated 'strict' parameter in urllib3, addressing breaking changes for third-party libraries. (first fixed release: 1.26.6).
Production impact:
- If left unfixed, the same config can fail only in production (env differences), causing startup failures or partial feature outages.
Why This Breaks in Prod
- Shows up under Python 3.8 in real deployments (not just unit tests).
- Surfaces as: Traceback (most recent call last):
Proof / Evidence
- GitHub issue: #3010
- Fix PR: https://github.com/urllib3/urllib3/pull/2267
- First fixed release: 1.26.6
- Reproduced locally: No (not executed)
- Last verified: 2026-02-09
- Confidence: 0.95
- Did this fix it?: Yes (upstream fix exists)
- Own content ratio: 0.25
Discussion
High-signal excerpts from the issue thread (symptoms, repros, edge-cases).
“Since urllib is so widely used - it seems like adding it back and going through with the removal in v2.1.0 is better”
“cachecontrol is nearly unmaintained. I don't believe it has working CI. It depends on a lockfile library that hasn't been maintained in many years. I…”
“@pquentin has swayed me that adding back a deprecated hard-coded property for 2.0.x won't hurt us much so we can do so to help adoption…”
“Pretty sure betamax doesn't implement the full API that urllib3 expects, not a problem with strict based upon that report”
Error Message
Stack trace
error.txt
Error Message
-------------
Traceback (most recent call last):
...
File "/usr/local/lib/python3.8/site-packages/firebase_admin/auth.py", line 220, in verify_id_token
return client.verify_id_token(id_token, check_revoked=check_revoked)
File "/usr/local/lib/python3.8/site-packages/firebase_admin/_auth_client.py", line 127, in verify_id_token
verified_claims = self._token_verifier.verify_id_token(id_token)
File "/usr/local/lib/python3.8/site-packages/firebase_admin/_token_gen.py", line 293, in verify_id_token
return self.id_token_verifier.verify(id_token, self.request)
File "/usr/local/lib/python3.8/site-packages/firebase_admin/_token_gen.py", line 392, in verify
verified_claims = google.oauth2.id_token.verify_token(
File "/usr/local/lib/python3.8/site-packages/google/oauth2/id_token.py", line 133, in verify_token
certs = _fetch_certs(request, certs_url)
File "/usr/local/lib/python3.8/site-packages/google/oauth2/id_token.py", line 99, in _fetch_certs
response = request(certs_url, method="GET")
File "/usr/local/lib/python3.8/site-packages/firebase_admin/_token_gen.py", line 265, in __call__
return self._delegate(
File "/usr/local/lib/python3.8/site-packages/google/auth/transport/requests.py", line 193, in __call__
response = self.session.request(
File "/usr/local/lib/python3.8/site-packages/requests/sessions.py", line 587, in request
resp = self.send(prep,
... (truncated) ...
Minimal Reproduction
repro.py
Traceback (most recent call last):
...
File "/usr/local/lib/python3.8/site-packages/firebase_admin/auth.py", line 220, in verify_id_token
return client.verify_id_token(id_token, check_revoked=check_revoked)
File "/usr/local/lib/python3.8/site-packages/firebase_admin/_auth_client.py", line 127, in verify_id_token
verified_claims = self._token_verifier.verify_id_token(id_token)
File "/usr/local/lib/python3.8/site-packages/firebase_admin/_token_gen.py", line 293, in verify_id_token
return self.id_token_verifier.verify(id_token, self.request)
File "/usr/local/lib/python3.8/site-packages/firebase_admin/_token_gen.py", line 392, in verify
verified_claims = google.oauth2.id_token.verify_token(
File "/usr/local/lib/python3.8/site-packages/google/oauth2/id_token.py", line 133, in verify_token
certs = _fetch_certs(request, certs_url)
File "/usr/local/lib/python3.8/site-packages/google/oauth2/id_token.py", line 99, in _fetch_certs
response = request(certs_url, method="GET")
File "/usr/local/lib/python3.8/site-packages/firebase_admin/_token_gen.py", line 265, in __call__
return self._delegate(
File "/usr/local/lib/python3.8/site-packages/google/auth/transport/requests.py", line 193, in __call__
response = self.session.request(
File "/usr/local/lib/python3.8/site-packages/requests/sessions.py", line 587, in request
resp = self.send(prep, **send_kwargs)
File "/usr/local/lib/python3.8/site-packages/requests/sessions.py", line 745, in send
r.content
File "/usr/local/lib/python3.8/site-packages/requests/models.py", line 899, in content
self._content = b"".join(self.iter_content(CONTENT_CHUNK_SIZE)) or b""
File "/usr/local/lib/python3.8/site-packages/requests/models.py", line 816, in generate
yield from self.raw.stream(chunk_size, decode_content=True)
File "/usr/local/lib/python3.8/site-packages/urllib3/response.py", line 935, in stream
data = self.read(amt=amt, decode_content=decode_content)
File "/usr/local/lib/python3.8/site-packages/urllib3/response.py", line 874, in read
data = self._raw_read(amt)
File "/usr/local/lib/python3.8/site-packages/urllib3/response.py", line 809, in _raw_read
data = self._fp_read(amt) if not fp_closed else b""
File "/usr/local/lib/python3.8/site-packages/urllib3/response.py", line 794, in _fp_read
return self._fp.read(amt) if amt is not None else self._fp.read()
File "/usr/local/lib/python3.8/site-packages/cachecontrol/filewrapper.py", line 96, in read
self._close()
File "/usr/local/lib/python3.8/site-packages/cachecontrol/filewrapper.py", line 76, in _close
self.__callback(result)
File "/usr/local/lib/python3.8/site-packages/cachecontrol/controller.py", line 370, in cache_response
self._cache_set(
File "/usr/local/lib/python3.8/site-packages/cachecontrol/controller.py", line 274, in _cache_set
self.serializer.dumps(request, response, body),
File "/usr/local/lib/python3.8/site-packages/cachecontrol/serialize.py", line 54, in dumps
u"strict": response.strict,
AttributeError: 'HTTPResponse' object has no attribute 'strict'
Environment
- Python: 3.8
- urllib3: 2
What Broke
Third-party libraries fail to function correctly, leading to errors in production environments.
Fix Options (Details)
Option A — Upgrade to fixed release Safe default (recommended)
pip install urllib3==1.26.6
When NOT to use: This fix should not be used if the application relies on the strict parameter being removed in future versions.
Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.
Fix reference: https://github.com/urllib3/urllib3/pull/2267
First fixed release: 1.26.6
Last verified: 2026-02-09. Validate in your environment.
When NOT to Use This Fix
- This fix should not be used if the application relies on the strict parameter being removed in future versions.
Verify Fix
verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
Did This Fix Work in Your Case?
Quick signal helps us prioritize which fixes to verify and improve.
Prevention
- Add a CI check that diffs key outputs after upgrades (OpenAPI schema snapshots, JSON payload shapes, CLI output).
- Upgrade behind a canary and run integration tests against the canary before 100% rollout.
Version Compatibility Table
| Version | Status |
|---|---|
| 1.26.6 | Fixed |
Related Issues
No related fixes found.
Sources
We don’t republish the full GitHub discussion text. Use the links above for context.