Currently we add a strict upper bound of <2.29 to the requests library. Requests 2.30+ is incompatible with urllib <2, but users of databricks-sdk may still depend on older versions of urllib. Once psf/requests#6432 is resolved, we should relax the upper bound to allow more recent versions of the requests library which incorporate the most recent release of urllib. This should improve the security posture of the SDK.
This isn't true. The release notes explicitly state that users who need an older urllib3 can pin it (urllib3<2).
> but users of databricks-sdk may still depend on older versions of urllib
They may depend on an older version of urllib3 but they also may not. Should it not be left to consumers of this package to pin their dependencies to a working set?
e.g.
databricks-sdk
requests>=2.31
urllib3<2
Can we please either unpin requests and leave it up to the consumer to pin urllib3 if they need to (which is the right answer here) or unpin requests but pin urllib3<2 in this package (less good solution but a compromise!).
My mistake, it was only version 2.29 which was incompatible with urllib3 at version 2. 2.30 does seem to support urllib3 @ version 2. Thanks for noting the duplicate, let's continue to discuss on #136 going forward.