Patch urllib3 CVEs in enforcer: bump to 2.7.0

[moshemorad]

Summary

Follow-up to #527, which bumped urllib3 in the main krr image but left the enforcer image still pinned to the vulnerable urllib3==2.6.3.

Bumps enforcer/requirements.txt 2.6.3 → 2.7.0 to resolve both HIGH-severity findings on the krr-enforcer image:

• CVE-2026-44431 (5.3): sensitive headers (Authorization/Cookie/Proxy-Authorization) forwarded on cross-origin redirects.
• CVE-2026-44432 (7.5): DoS via excessive HTTP response decompression — CWE-409.

Note

The krr-enforcer image is built/pushed manually (no CI workflow), so a new image build is required after merge for the fix to reach deployments.

🤖 Generated with Claude Code

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e1111c45-4b06-4e9d-863b-c3d6edec7ea4

📥 Commits

Reviewing files that changed from the base of the PR and between 2d07503 and 90ef231.

📒 Files selected for processing (1)

• enforcer/requirements.txt

---

Walkthrough

A single dependency version is updated in the enforcer requirements manifest. The urllib3 package is bumped from version 2.6.3 to 2.7.0, ensuring the enforcer environment uses the latest urllib3 release.

Changes

Dependencies

Layer / File(s)	Summary
urllib3 version bump enforcer/requirements.txt	urllib3 is pinned to version 2.7.0, updated from 2.6.3.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

• robusta-dev/krr#527: Updates urllib3 to 2.7.0 in parallel in pyproject.toml and main requirements.txt.

Suggested reviewers

• Sheeproid

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: updating urllib3 to patch CVEs in the enforcer image, matching the core changeset.
Description check	✅ Passed	The description is directly related to the changeset, providing context about the CVEs being patched and explaining the dependency update with relevant security details.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch patch-enforcer-urllib3-cve

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}