[BUG] urllib3 version constraints prevent security updates for Python <3.10 #937

@maayan-cohen-hs

Description

What is the bug?

The current urllib3 version constraints in opensearch-py prevent users running Python <3.10 from upgrading to secure versions of urllib3. The constraint 'urllib3>=1.26.19,<1.27 ; python_version < "3.10"' caps urllib3 at versions below 1.27 for Python 3.9 and earlier, which forces users to remain on versions vulnerable to security issues that are only fixed in urllib3 2.5.0 and later.

How can one reproduce the bug?

  • Set up a Python 3.9 environment
  • Install opensearch-py
  • Attempt to upgrade urllib3 to version 2.5.0 or later to address security vulnerabilities
  • Observe that pip will prevent the upgrade due to opensearch-py's dependency constraints

What is the expected behavior?

Users should be able to upgrade to secure versions of urllib3 (2.5.0+) to address known vulnerabilities, regardless of their Python version. The urllib3 version constraints should allow security updates while maintaining compatibility.

What is your host/environment?

Python 3.9.x environments affected by this constraint limitation.

Do you have any screenshots?

N/A - This is a dependency constraint issue.

Do you have any additional context?

The specific vulnerabilities that cannot be addressed with the current constraints are:
https://data.safetycli.com/v/77745/f17/
https://data.safetycli.com/v/77744/f17/

These affect urllib3 versions <2.5.0. The current constraint forces Python <3.10 users to remain on urllib3 1.26.x, preventing them from receiving these critical security fixes. If possible, consider relaxing the urllib3 upper bound for Python <3.10 to allow secure versions, or provide guidance on how users can safely override this constraint for security purposes.
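To check which of a package's dependency constraints actually apply on a given interpreter, and whether they reject a candidate urllib3 version, the following standard-library script evaluates `Requires-Dist` lines the way pip's resolver does for the reproduction above. This is an added example and is not opensearch-py's own code: the `REQUIRES` list is constructed from the single constraint quoted in the report, the parser handles only the PEP 508 subset needed here (`python_version` markers and plain comparison operators, no extras, `~=` or URL requirements), and the function names are the example's own.

```python
"""Decide whether a package's Requires-Dist constraints block a candidate
dependency version on a given Python version (standard library only).

Added example, not opensearch-py's own code. REQUIRES is a constructed
sample built from the one constraint quoted in the bug report; the real
metadata of an installed package can be fed to the same function via
importlib.metadata.requires("opensearch-py").
"""
import re

# Constructed sample: the constraint quoted in the report.
REQUIRES = [
    'urllib3>=1.26.19,<1.27 ; python_version < "3.10"',
]

# name, comma-separated specifiers, optional "; marker" (assumed subset of PEP 508)
_REQ_RE = re.compile(r'^\s*([A-Za-z0-9_.-]+)\s*([^;]*?)\s*(?:;\s*(.*))?$')
_MARKER_RE = re.compile(r'^python_version\s*(<=|>=|==|!=|<|>)\s*"([^"]+)"$')
_SPEC_RE = re.compile(r'^\s*(<=|>=|==|!=|<|>)\s*([0-9][0-9.]*)\s*$')

_OPS = {
    '<': lambda c: c < 0, '<=': lambda c: c <= 0, '>': lambda c: c > 0,
    '>=': lambda c: c >= 0, '==': lambda c: c == 0, '!=': lambda c: c != 0,
}


def cmp_versions(a, b):
    """Numeric, zero-padded comparison: '3.10' > '3.9' and '1.27' > '1.26.19'.
    A plain string comparison would get both of these wrong."""
    ta = tuple(int(p) for p in a.split('.'))
    tb = tuple(int(p) for p in b.split('.'))
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)


def marker_applies(marker, python_version):
    """Evaluate a `python_version <op> "X.Y"` marker; no marker means always."""
    if not marker:
        return True
    m = _MARKER_RE.match(marker.strip())
    if not m:
        raise ValueError(f"unsupported marker: {marker!r}")
    op, ref = m.groups()
    return _OPS[op](cmp_versions(python_version, ref))


def parse_requirement(line):
    """Split 'name>=a,<b ; marker' into (name, [(op, version), ...], marker)."""
    m = _REQ_RE.match(line)
    if not m:
        raise ValueError(f"cannot parse requirement: {line!r}")
    name, specs, marker = m.group(1), m.group(2), m.group(3)
    spec_list = []
    for part in (p.strip() for p in specs.split(',')):
        if not part:
            continue
        sm = _SPEC_RE.match(part)
        if not sm:
            raise ValueError(f"unsupported specifier: {part!r}")
        spec_list.append(sm.groups())
    return name.lower(), spec_list, marker


def satisfies(version, spec_list):
    return all(_OPS[op](cmp_versions(version, ref)) for op, ref in spec_list)


def blocking_constraints(requires, dist, candidate, python_version):
    """Return the Requires-Dist lines that apply on python_version and
    reject `candidate` for distribution `dist`; empty list means installable."""
    blockers = []
    for line in requires:
        name, specs, marker = parse_requirement(line)
        if name != dist.lower() or not marker_applies(marker, python_version):
            continue
        if not satisfies(candidate, specs):
            blockers.append(line)
    return blockers


if __name__ == "__main__":
    for pyver in ("3.8", "3.9", "3.10", "3.12"):
        blocked = blocking_constraints(REQUIRES, "urllib3", "2.5.0", pyver)
        status = "BLOCKED by " + "; ".join(blocked) if blocked else "allowed"
        print(f"python {pyver}: urllib3 2.5.0 {status}")
```

On a real environment, replace `REQUIRES` with `importlib.metadata.requires("opensearch-py")` and the script reports the same result pip's resolver enforces, without touching the network. The numeric version comparison matters: an ad hoc string check would treat `"3.10" < "3.9"` as true and wrongly conclude that the cap applies to Python 3.10 as well.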

Labels: bug, untriaged