
Paying maintainers to improve their project’s security practices (the urllib3 story)

urllib3 is a critical package in the Python ecosystem, with over 450 million downloads each month. Its security is vital, as it handles web requests and certificate validation. 

Thanks to Tidelift, maintainers Seth Michael Larson, Andrey Petrov, and Quentin Pradet have been able to improve security practices, including adding two-factor authentication and automating release processes. Their efforts led to urllib3 achieving an impressive 9.6/10 score on the OpenSSF Scorecard. Tidelift customers contribute directly to these improvements, ensuring the ongoing health and security of the project.

TRANSCRIPT

urllib3 is a critical open source package in the Python ecosystem. It's downloaded nearly 450 million times per month and used by over 1.5 million repositories. Because the project is so popular and because it manages critical functionalities like web requests, TLS, SSL, and certificate validation, its security is extremely important. Vulnerabilities in these areas could expose users to significant security risks.

Meet Seth Michael Larson, Andrey Petrov, and Quentin Pradet, the team of maintainers behind urllib3. Because many Tidelift customers use urllib3, these maintainers get paid to implement enterprise-class secure software development practices and commit to continuing this work over time. They also use the income from Tidelift to up-level their security practices, including paying an additional maintainer, Illia Volochii, to work on important projects like securing maintainer access with two-factor authentication, automating release processes for consistency and security, and achieving reproducible builds to prevent supply chain attacks.

Through these efforts, urllib3 became the first Python project to achieve an almost perfect OpenSSF Scorecard score of 9.6 out of 10. Now Tidelift customers can use urllib3 with confidence, knowing they directly contributed to funding the maintainers' efforts and are helping ensure the project's health and security for the future.