From 8463644ef3d912d178a1178f7200ce2a86be472b Mon Sep 17 00:00:00 2001
From: "ahsan.sheraz"
Date: Tue, 24 Mar 2026 16:27:28 +0100
Subject: [PATCH 1/2] security: remove vulnerable Python 2 dependencies pyopenssl, pyasn1, ndg-httpsclient

These dependencies were only used for Python 2 SNI support (gated behind `sys.version_info < (3,)` in requests.py) and are unnecessary on Python 3, which handles SNI natively via the stdlib ssl module.

Removes:
- pyopenssl (CVE-2026-27459, fixed in 26.0.0)
- pyasn1 (CVE-2026-30922, fixed in 0.6.3)
- ndg-httpsclient (depends on both)
---
 pusher/requests.py | 5 -----
 setup.py | 3 ---
 2 files changed, 8 deletions(-)

diff --git a/pusher/requests.py b/pusher/requests.py
index f90522c..1d1f073 100644
--- a/pusher/requests.py
+++ b/pusher/requests.py
@@ -9,14 +9,9 @@ from pusher.http import process_response
 import requests
-import sys
 import os
-if sys.version_info < (3,):
- import urllib3.contrib.pyopenssl
- urllib3.contrib.pyopenssl.inject_into_urllib3()
-
 CERT_PATH = os.path.dirname(os.path.abspath(__file__)) + '/cacert.pem'
diff --git a/setup.py b/setup.py
index eba5109..3fe16f8 100644
--- a/setup.py
+++ b/setup.py
@@ -40,9 +40,6 @@
 'six',
 'requests>=2.3.0',
 'urllib3',
- 'pyopenssl',
- 'ndg-httpsclient',
- 'pyasn1',
 'pynacl'
 ],

From d2bae009bbd60e3a6dfb0e3b2ef6d120cb381c57 Mon Sep 17 00:00:00 2001
From: "ahsan.sheraz"
Date: Tue, 24 Mar 2026 16:35:03 +0100
Subject: [PATCH 2/2] security: remove vulnerable Python 2 deps and drop Python 2 references

Remove pyopenssl (CVE-2026-27459), pyasn1 (CVE-2026-30922), and ndg-httpsclient from install_requires. These were only needed for Python 2 SNI support and are dead code on Python 3.

- Remove Python 2 pyopenssl injection in pusher/requests.py
- Remove 'Python :: 2' classifier from setup.py
- Update README to note Python 2 is no longer supported

Closes #252
---
 README.md | 8 +-------
 setup.py | 2 +-
 2 files changed, 2 insertions(+), 8 deletions(-)
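Review bot: With the pyOpenSSL injection gone, TLS trust in this module now rests entirely on the stdlib ssl module (via requests) and on the vendored CA bundle named by the surviving `CERT_PATH` context line, but the hunk leaves no record of that decision next to the line that depends on it. I would add above `CERT_PATH`: `# SNI/TLS come from the stdlib ssl module (Python 3 only; the Python 2 pyOpenSSL shim was removed). Verification trusts the bundled cacert.pem, which must be refreshed with each release or it becomes a stale root store.` If cacert.pem exists only as a CA store, it is presumably worth switching to `certifi.where()`, which requests already pulls in and keeps current, rather than shipping a private copy. The module continues past the end of this hunk, so I cannot see where CERT_PATH is consumed.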
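Review bot: `'urllib3'` stays in install_requires even though this series deletes the only direct urllib3 import visible in the patch (`urllib3.contrib.pyopenssl` in pusher/requests.py); if no other module imports urllib3 directly, drop the line too, since a direct pin on a transitive dependency of requests is one more package to track for advisories with no benefit. The same question applies to `'six'` once Python 2 is no longer supported, assuming nothing in the package still uses it. The `'requests>=2.3.0'` floor is from 2014 and predates many TLS-related fixes in requests and urllib3, so a higher minimum would presumably be appropriate in a change motivated by dependency CVEs, though I cannot confirm from this hunk which features the package relies on. The `setup()` call begins and ends outside the hunk.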
diff --git a/README.md b/README.md
index 2f7b1d4..8c7a0a9 100644
--- a/README.md
+++ b/README.md
@@ -48,13 +48,7 @@ normally `easy_install` or `pip`. For example:
 pip install pusher
 ```
-Users on Python 2.x and older versions of pip may get a warning, due to pip compiling the optional `pusher.aiohttp` module, which uses Python 3 syntax. However, as `pusher.aiohttp` is not used by default, this does not affect the library's functionality. See [our Github issue](https://github.com/pusher/pusher-http-python/issues/52), as well as [this issue from Gunicorn](https://github.com/benoitc/gunicorn/issues/788) for more details.
-
-On Linux, you must ensure that OpenSSL is installed, e.g. on Debian/Ubuntu:
-
-```sh
-$ sudo apt-get install build-essential libssl-dev libffi-dev
-```
+**Note: Python 2 is no longer supported.** Python 2 reached end-of-life on January 1, 2020. This library requires Python 3.6+.
 ## Getting started
diff --git a/setup.py b/setup.py
index 3fe16f8..d541a63 100644
--- a/setup.py
+++ b/setup.py
@@ -26,8 +26,8 @@
 'Development Status :: 4 - Beta',
 'Intended Audience :: Developers',
 'Topic :: Internet :: WWW/HTTP',
- 'Programming Language :: Python :: 2',
 'Programming Language :: Python :: 3',
+ 'Programming Language :: Python :: 3 :: Only',
 ],
 keywords='pusher rest realtime websockets service',
 license='MIT',
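Review bot: The added `'Programming Language :: Python :: 3 :: Only'` classifier is advisory only; pip does not consult classifiers when resolving, so a Python 2 interpreter will still install this release and then import pusher/requests.py without the SNI shim the series removes, which on pre-2.7.9 interpreters means TLS connections lose SNI rather than failing at install time. The README in this same patch promises "requires Python 3.6+", so enforce it where pip actually looks: add `python_requires='>=3.6',` to the `setup()` call, which makes pip select the last Python-2-compatible release on old interpreters instead of this one. The `setup()` call starts before and ends after this hunk, so I cannot see whether such a line already exists elsewhere in it. Separately, the PATCH 2/2 message lists the install_requires and pusher/requests.py removals, but this patch's diffstat touches only README.md and setup.py classifiers; those items belong to 1/2 and are presumably worth trimming from the message.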