From 50310661ff9b1244655d3e6cd87ce3295b37fb5f Mon Sep 17 00:00:00 2001
From: icanhasmath <marcg@activestate.com>
Date: Fri, 12 Jun 2026 08:24:45 -0500
Subject: [PATCH 1/2] Strip PEP 440 local version in urllib3 compatibility
 check

urllib3's ActiveState build reports '1.26.20+security.2'; splitting on '.'
yielded ['1','26','20+security','2'], breaking the major/minor/patch unpack
and int(patch). Drop the '+security.N' (PEP 440 local) segment before
splitting. Python 2 compatible.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 requests/__init__.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/requests/__init__.py b/requests/__init__.py
index 53a5b42af6..ab56c206d5 100644
--- a/requests/__init__.py
+++ b/requests/__init__.py
@@ -55,7 +55,11 @@
     chardet_version = None
 
 def check_compatibility(urllib3_version, chardet_version, charset_normalizer_version):
-    urllib3_version = urllib3_version.split('.')
+    # Drop any PEP 440 local-version segment (e.g. the ActiveState '+security.N'
+    # tag) before parsing: '1.26.20+security.2' would otherwise split into
+    # ['1', '26', '20+security', '2'], breaking the major/minor/patch unpack and
+    # the int(patch) conversion.
+    urllib3_version = urllib3_version.split('+', 1)[0].split('.')
     assert urllib3_version != ['dev']  # Verify urllib3 isn't installed from git.
 
     # Sometimes, urllib3 only reports its version as 16.1.

From a7c5e64f5b75720465e2fb0d374534be443f54bb Mon Sep 17 00:00:00 2001
From: icanhasmath <marcg@activestate.com>
Date: Fri, 12 Jun 2026 08:24:45 -0500
Subject: [PATCH 2/2] Version string: 2.27.1+security.3 (tag stays 2.27.1.3)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 HISTORY.md              | 11 +++++++++++
 requests/__version__.py |  2 +-
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/HISTORY.md b/HISTORY.md
index d2879c5437..4fda387fbe 100644
--- a/HISTORY.md
+++ b/HISTORY.md
@@ -6,6 +6,17 @@ dev
 
 - \[Short description of non-trivial change.\]
 
+2.27.1+security.3 (2026-06-12)
+-------------------------------
+
+**Bugfix**
+
+- `check_compatibility()` no longer fails when urllib3 reports a PEP 440
+  local version such as the ActiveState `1.26.20+security.2` build. The
+  `+security.N` segment is now stripped before parsing, so the version no
+  longer splits into `['1', '26', '20+security', '2']` (which broke the
+  major/minor/patch unpack and the `int()` conversion). Python 2 compatible.
+
 2.27.1+security.2 (2026-05-28)
 -------------------------------
 
diff --git a/requests/__version__.py b/requests/__version__.py
index b6453cf583..0c956c86f7 100644
--- a/requests/__version__.py
+++ b/requests/__version__.py
@@ -5,7 +5,7 @@
 __title__ = 'requests'
 __description__ = 'Python HTTP for Humans.'
 __url__ = 'https://requests.readthedocs.io'
-__version__ = '2.27.1+security.2'
+__version__ = '2.27.1+security.3'
 __build__ = 0x022701
 __author__ = 'Kenneth Reitz'
 __author_email__ = 'me@kennethreitz.org'