
Commit c366e9d

renovate[bot] authored and luketainton committed
feat(deps): Update dependency requests to v2.33.0 [SECURITY] (#427)
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [requests](https://github.com/psf/requests) ([changelog](https://github.com/psf/requests/blob/master/HISTORY.md)) | `==2.32.5` → `==2.33.0` | ![age](https://developer.mend.io/api/mc/badges/age/pypi/requests/2.33.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/requests/2.32.5/2.33.0?slim=true) |

---

### Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function

[CVE-2026-25645](https://nvd.nist.gov/vuln/detail/CVE-2026-25645) / [GHSA-gc5v-m9x4-r6x2](GHSA-gc5v-m9x4-r6x2)

<details>
<summary>More information</summary>

#### Details

##### Impact

The `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one.

##### Affected usages

**Standard usage of the Requests library is not affected by this vulnerability.** Only applications that call `extract_zipped_paths()` directly are impacted.

##### Remediation

Upgrade to at least Requests 2.33.0, where the library now extracts files to a non-deterministic location. If developers are unable to upgrade, they can set `TMPDIR` in their environment to a directory with restricted write access.

#### Severity

- CVSS Score: 4.4 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N`

#### References

- [https://github.com/psf/requests/security/advisories/GHSA-gc5v-m9x4-r6x2](https://github.com/psf/requests/security/advisories/GHSA-gc5v-m9x4-r6x2)
- [https://github.com/psf/requests/commit/66d21cb07bd6255b1280291c4fafb71803cdb3b7](https://github.com/psf/requests/commit/66d21cb07bd6255b1280291c4fafb71803cdb3b7)
- [https://github.com/psf/requests](https://github.com/psf/requests)
- [https://github.com/psf/requests/releases/tag/v2.33.0](https://github.com/psf/requests/releases/tag/v2.33.0)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-gc5v-m9x4-r6x2) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)).

</details>

---

### Release Notes

<details>
<summary>psf/requests (requests)</summary>

### [`v2.33.0`](https://github.com/psf/requests/blob/HEAD/HISTORY.md#2330-2026-03-25)

[Compare Source](psf/requests@v2.32.5...v2.33.0)

**Announcements**

- 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at [#7271](psf/requests#7271). Give it a try, and report any gaps or feedback you may have in the issue. 📣

**Security**

- CVE-2026-25645 `requests.utils.extract_zipped_paths` now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

**Improvements**

- Migrated to a PEP 517 build system using setuptools. ([#7012](psf/requests#7012))

**Bugfixes**

- Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. ([#7205](psf/requests#7205))

**Deprecations**

- Dropped support for Python 3.9 following its end of support. ([#7196](psf/requests#7196))

**Documentation**

- Various typo fixes and doc improvements.

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

Reviewed-on: https://git.tainton.uk/repos/pypilot/pulls/427
Reviewed-by: Luke Tainton <luke@tainton.uk>
Co-authored-by: renovate[bot] <renovate-bot@git.tainton.uk>
Co-committed-by: renovate[bot] <renovate-bot@git.tainton.uk>
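An added example, not requests' own code and not the change this commit ships: the weak "predictable path under the shared temp dir, reuse whatever is already there" pattern the advisory describes, beside a hardened extraction that uses a fresh `mkdtemp()` directory per call, plus a version gate for the 2.33.0 remediation floor. The function names and the sample archive are assumptions constructed for this example.

```python
import io
import os
import re
import tempfile
import zipfile


def weak_extract(zip_bytes: bytes, member: str) -> str:
    """Weak pattern from the advisory (hypothetical, not requests' code):
    deterministic path in the shared temp dir, reused without validation."""
    target = os.path.join(tempfile.gettempdir(), member)
    if os.path.exists(target):
        return target  # whatever was placed here beforehand gets loaded
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extract(member, tempfile.gettempdir())
    return target


def safe_extract(zip_bytes: bytes, member: str) -> str:
    """Hardened form: a fresh mkdtemp() directory (random name, mode 0700)
    per call, so no pre-existing file can be picked up. Caller cleans up."""
    if os.path.isabs(member) or ".." in member.replace("\\", "/").split("/"):
        raise ValueError("unsafe member name: %r" % member)
    outdir = tempfile.mkdtemp(prefix="zipext-")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.extract(member, outdir)


def requests_has_fix(version: str) -> bool:
    """True when a requests version string is at or above the 2.33.0
    remediation floor named in the advisory (numeric parts only)."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    parts = (parts + (0, 0, 0))[:3]  # pad short strings such as "2.33"
    return parts >= (2, 33, 0)


def build_sample_zip() -> bytes:
    """Constructed one-member archive so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("bundle.pem", "constructed sample contents\n")
    return buf.getvalue()


if __name__ == "__main__":
    data = build_sample_zip()
    a, b = safe_extract(data, "bundle.pem"), safe_extract(data, "bundle.pem")
    print("fresh directory per call:", os.path.dirname(a) != os.path.dirname(b))
    print("2.32.5 fixed:", requests_has_fix("2.32.5"), "| 2.33.0 fixed:", requests_has_fix("2.33.0"))
```

The advisory's fallback mitigation (a restrictive `TMPDIR`) only narrows who can write into the shared directory; the per-call `mkdtemp()` directory removes the predictable path altogether.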
1 parent 7680383 commit c366e9d

2 files changed

Lines changed: 5 additions & 5 deletions


pyproject.toml

Lines changed: 1 addition & 1 deletion
@@ -9,7 +9,7 @@ authors = [
99
requires-python = "<4.0,>=3.11"
1010

1111
dependencies = [
12-
"requests==2.32.5",
12+
"requests==2.33.0",
1313
"tabulate==0.10.0",
1414
]
1515

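Review bot: the pin bump in `pyproject.toml` (`"requests==2.32.5"` to `"requests==2.33.0"`) is the only rendered change; the matching `uv.lock` edit (4 additions, 4 deletions) is not shown, so confirm the lock records requests 2.33.0 with its new hash and no other resolved package moved. The `requires-python = "<4.0,>=3.11"` context line means the 3.9 drop in 2.33.0 is irrelevant here. Since the advisory only affects direct callers of `requests.utils.extract_zipped_paths()`, it would help to note in the PR whether this code base calls it, which decides whether the upgrade closes a real exposure or is routine hygiene.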
uv.lock

Lines changed: 4 additions & 4 deletions
