I see this is using a vendored urllib3, and quite an old one, branched off at PyPI version 1.25.6.

There are a few vulnerabilities since then.

https://www.cvedetails.com/vulnerability-list/vendor_id-10210/product_id-35569/Python-Urllib3.html

Are there critical changes in the vendored copy, which need to be retained? Have they been proposed to the main urllib3 project?
etc.