roboluke

repos/roboluke

Fork 0

Author SHA1 Message Date

Author	SHA1	Message	Date
renovate[bot]	e4f753c9a1	feat(deps): Update dependency requests to v2.33.0 [SECURITY] (#436 ) All checks were successful Release / Tag release (push) Successful in 11s Details Release / Create Release (push) Successful in 32s Details Release / Publish Docker Images (push) Successful in 1m51s Details This PR contains the following updates: \| Package \| Change \| [Age](https://docs.renovatebot.com/merge-confidence/) \| [Confidence](https://docs.renovatebot.com/merge-confidence/) \| \|---\|---\|---\|---\| \| [requests](https://github.com/psf/requests) ([changelog](https://github.com/psf/requests/blob/master/HISTORY.md)) \| `2.32.5` → `2.33.0` \| ![age](https://developer.mend.io/api/mc/badges/age/pypi/requests/2.33.0?slim=true) \| ![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/requests/2.32.5/2.33.0?slim=true) \| --- ### Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function [CVE-2026-25645](https://nvd.nist.gov/vuln/detail/CVE-2026-25645) / [GHSA-gc5v-m9x4-r6x2](https://github.com/advisories/GHSA-gc5v-m9x4-r6x2) <details> <summary>More information</summary> #### Details ##### Impact The `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. ##### Affected usages Standard usage of the Requests library is not affected by this vulnerability. Only applications that call `extract_zipped_paths()` directly are impacted. ##### Remediation Upgrade to at least Requests 2.33.0, where the library now extracts files to a non-deterministic location. If developers are unable to upgrade, they can set `TMPDIR` in their environment to a directory with restricted write access. #### Severity - CVSS Score: 4.4 / 10 (Medium) - Vector String: `CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N` #### References - [https://github.com/psf/requests/security/advisories/GHSA-gc5v-m9x4-r6x2](https://github.com/psf/requests/security/advisories/GHSA-gc5v-m9x4-r6x2) - [`66d21cb07b`) - [https://github.com/psf/requests](https://github.com/psf/requests) - [https://github.com/psf/requests/releases/tag/v2.33.0](https://github.com/psf/requests/releases/tag/v2.33.0) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-gc5v-m9x4-r6x2) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Release Notes <details> <summary>psf/requests (requests)</summary> ### [`v2.33.0`](https://github.com/psf/requests/blob/HEAD/HISTORY.md#2330-2026-03-25) [Compare Source](https://github.com/psf/requests/compare/v2.32.5...v2.33.0) Announcements - 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at [#7271](https://github.com/psf/requests/issues/7271). Give it a try, and report any gaps or feedback you may have in the issue. 📣 Security - CVE-2026-25645 `requests.utils.extract_zipped_paths` now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly. Improvements - Migrated to a PEP 517 build system using setuptools. ([#7012](https://github.com/psf/requests/issues/7012)) Bugfixes - Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. ([#7205](https://github.com/psf/requests/issues/7205)) Deprecations - Dropped support for Python 3.9 following its end of support. ([#7196](https://github.com/psf/requests/issues/7196)) Documentation - Various typo fixes and doc improvements. </details> --- ### Configuration 📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My45MS4xIiwidXBkYXRlZEluVmVyIjoiNDMuOTEuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsic2VjdXJpdHkiXX0=--> Reviewed-on: https://git.tainton.uk/repos/roboluke/pulls/436 Reviewed-by: Luke Tainton <luke@tainton.uk> Co-authored-by: renovate[bot] <renovate-bot@git.tainton.uk> Co-committed-by: renovate[bot] <renovate-bot@git.tainton.uk>	2026-03-27 18:06:12 +00:00

renovate[bot]

e4f753c9a1

feat(deps): Update dependency requests to v2.33.0 [SECURITY] (#436 )

Release / Tag release (push) Successful in 11s

Details

Release / Create Release (push) Successful in 32s

Details

Release / Publish Docker Images (push) Successful in 1m51s

Details

This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [requests](https://github.com/psf/requests) ([changelog](https://github.com/psf/requests/blob/master/HISTORY.md)) | `2.32.5` → `2.33.0` | ![age](https://developer.mend.io/api/mc/badges/age/pypi/requests/2.33.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/requests/2.32.5/2.33.0?slim=true) |

---

### Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function
[CVE-2026-25645](https://nvd.nist.gov/vuln/detail/CVE-2026-25645) / [GHSA-gc5v-m9x4-r6x2](https://github.com/advisories/GHSA-gc5v-m9x4-r6x2)

<details>
<summary>More information</summary>

#### Details
##### Impact
The `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one.

##### Affected usages
**Standard usage of the Requests library is not affected by this vulnerability.** Only applications that call `extract_zipped_paths()` directly are impacted.

##### Remediation
Upgrade to at least Requests 2.33.0, where the library now extracts files to a non-deterministic location.

If developers are unable to upgrade, they can set `TMPDIR` in their environment to a directory with restricted write access.

#### Severity
- CVSS Score: 4.4 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N`

#### References
- [https://github.com/psf/requests/security/advisories/GHSA-gc5v-m9x4-r6x2](https://github.com/psf/requests/security/advisories/GHSA-gc5v-m9x4-r6x2)
- [66d21cb07b)
- [https://github.com/psf/requests](https://github.com/psf/requests)
- [https://github.com/psf/requests/releases/tag/v2.33.0](https://github.com/psf/requests/releases/tag/v2.33.0)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-gc5v-m9x4-r6x2) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Release Notes

<details>
<summary>psf/requests (requests)</summary>

### [`v2.33.0`](https://github.com/psf/requests/blob/HEAD/HISTORY.md#2330-2026-03-25)

[Compare Source](https://github.com/psf/requests/compare/v2.32.5...v2.33.0)

**Announcements**

- 📣 Requests is adding inline types. If you have a typed code base that
  uses Requests, please take a look at [#&#8203;7271](https://github.com/psf/requests/issues/7271). Give it a try, and report
  any gaps or feedback you may have in the issue. 📣

**Security**

- CVE-2026-25645 `requests.utils.extract_zipped_paths` now extracts
  contents to a non-deterministic location to prevent malicious file
  replacement. This does not affect default usage of Requests, only
  applications calling the utility function directly.

**Improvements**

- Migrated to a PEP 517 build system using setuptools. ([#&#8203;7012](https://github.com/psf/requests/issues/7012))

**Bugfixes**

- Fixed an issue where an empty netrc entry could cause
  malformed authentication to be applied to Requests on
  Python 3.11+. ([#&#8203;7205](https://github.com/psf/requests/issues/7205))

**Deprecations**

- Dropped support for Python 3.9 following its end of support. ([#&#8203;7196](https://github.com/psf/requests/issues/7196))

**Documentation**

- Various typo fixes and doc improvements.

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My45MS4xIiwidXBkYXRlZEluVmVyIjoiNDMuOTEuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsic2VjdXJpdHkiXX0=-->

Reviewed-on: https://git.tainton.uk/repos/roboluke/pulls/436
Reviewed-by: Luke Tainton <luke@tainton.uk>
Co-authored-by: renovate[bot] <renovate-bot@git.tainton.uk>
Co-committed-by: renovate[bot] <renovate-bot@git.tainton.uk>

2026-03-27 18:06:12 +00:00

1 changed files with 3 additions and 3 deletions

									
										6

uv.lock
									
										generated
									
												View File
												
					@@ -358,7 +358,7 @@ wheels = [

					[[package]]

					[[package]]

					name = "requests"

					name = "requests"

					version = "2.32.5"

					version = "2.33.0"

					source = { registry = "https://pypi.org/simple" }

					source = { registry = "https://pypi.org/simple" }

					dependencies = [

					dependencies = [

					    { name = "certifi" },

					    { name = "certifi" },

					@@ -366,9 +366,9 @@ dependencies = [

					    { name = "idna" },

					    { name = "idna" },

					    { name = "urllib3" },

					    { name = "urllib3" },

					]

					]

					sdist = { url = "https://files.pythonhosted.org/packages/c9/74/b3ff8e6c8446842c3f5c837e9c3dfcfe2018ea6ecef224c710c85ef728f4/requests-2.32.5.tar.gz", hash = "sha256:dbba0bac56e100853db0ea71b82b4dfd5fe2bf6d3754a8893c3af500cec7d7cf", size = 134517, upload-time = "2025-08-18T20:46:02.573Z" }

					sdist = { url = "https://files.pythonhosted.org/packages/34/64/8860370b167a9721e8956ae116825caff829224fbca0ca6e7bf8ddef8430/requests-2.33.0.tar.gz", hash = "sha256:c7ebc5e8b0f21837386ad0e1c8fe8b829fa5f544d8df3b2253bff14ef29d7652", size = 134232, upload-time = "2026-03-25T15:10:41.586Z" }

					wheels = [

					wheels = [

					    { url = "https://files.pythonhosted.org/packages/1e/db/4254e3eabe8020b458f1a747140d32277ec7a271daf1d235b70dc0b4e6e3/requests-2.32.5-py3-none-any.whl", hash = "sha256:2462f94637a34fd532264295e186976db0f5d453d1cdd31473c85a6a161affb6", size = 64738, upload-time = "2025-08-18T20:46:00.542Z" },

					    { url = "https://files.pythonhosted.org/packages/56/5d/c814546c2333ceea4ba42262d8c4d55763003e767fa169adc693bd524478/requests-2.33.0-py3-none-any.whl", hash = "sha256:3324635456fa185245e24865e810cecec7b4caf933d7eb133dcde67d48cee69b", size = 65017, upload-time = "2026-03-25T15:10:40.382Z" },

					]

					]

					[[package]]

					[[package]]

Compare commits

1 Commits

v1.50.0 ... v1.51.0

6

uv.lock generated

View File

Compare commits

1 Commits v1.50.0 ... v1.51.0

6 uv.lock generated Unescape Escape View File

1 Commits

v1.50.0 ... v1.51.0

6

uv.lock generated

View File