
Commit 6447dab

fix(deps): Update security updates [SECURITY] (#4303)

This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [pypdf](https://redirect.github.com/py-pdf/pypdf) ([changelog](https://pypdf.readthedocs.io/en/latest/meta/CHANGELOG.html)) | `6.9.1` → `6.9.2` | ![age](https://developer.mend.io/api/mc/badges/age/pypi/pypdf/6.9.2?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/pypdf/6.9.1/6.9.2?slim=true) |
| [requests](https://redirect.github.com/psf/requests) ([changelog](https://redirect.github.com/psf/requests/blob/master/HISTORY.md)) | `2.32.5` → `2.33.0` | ![age](https://developer.mend.io/api/mc/badges/age/pypi/requests/2.33.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/requests/2.32.5/2.33.0?slim=true) |

### GitHub Vulnerability Alerts

#### [CVE-2026-33699](https://redirect.github.com/py-pdf/pypdf/security/advisories/GHSA-87mj-5ggw-8qc3)

### Impact

An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires reading a file in non-strict mode.

### Patches

This has been fixed in [pypdf==6.9.2](https://redirect.github.com/py-pdf/pypdf/releases/tag/6.9.2).

### Workarounds

If users cannot upgrade yet, consider applying the changes from PR [#3693](https://redirect.github.com/py-pdf/pypdf/pull/3693).

#### [CVE-2026-25645](https://redirect.github.com/psf/requests/security/advisories/GHSA-gc5v-m9x4-r6x2)

### Impact

The `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one.

### Affected usages

**Standard usage of the Requests library is not affected by this vulnerability.** Only applications that call `extract_zipped_paths()` directly are impacted.

### Remediation

Upgrade to at least Requests 2.33.0, where the library now extracts files to a non-deterministic location. If developers are unable to upgrade, they can set `TMPDIR` in their environment to a directory with restricted write access.

---

### Release Notes

<details>
<summary>py-pdf/pypdf (pypdf)</summary>

### [`v6.9.2`](https://redirect.github.com/py-pdf/pypdf/blob/HEAD/CHANGELOG.md#Version-692-2026-03-23)

[Compare Source](https://redirect.github.com/py-pdf/pypdf/compare/6.9.1...6.9.2)

##### Security (SEC)

- Avoid infinite loop in read\_from\_stream for broken files ([#3693](https://redirect.github.com/py-pdf/pypdf/issues/3693))

##### Robustness (ROB)

- Resolve UnboundLocalError for xobjs in \_get\_image ([#3684](https://redirect.github.com/py-pdf/pypdf/issues/3684))

[Full Changelog](https://redirect.github.com/py-pdf/pypdf/compare/6.9.1...6.9.2)

</details>

<details>
<summary>psf/requests (requests)</summary>

### [`v2.33.0`](https://redirect.github.com/psf/requests/blob/HEAD/HISTORY.md#2330-2026-03-25)

[Compare Source](https://redirect.github.com/psf/requests/compare/v2.32.5...v2.33.0)

**Announcements**

- 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at [#7271](https://redirect.github.com/psf/requests/issues/7271). Give it a try, and report any gaps or feedback you may have in the issue. 📣

**Security**

- CVE-2026-25645 `requests.utils.extract_zipped_paths` now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

**Improvements**

- Migrated to a PEP 517 build system using setuptools. ([#7012](https://redirect.github.com/psf/requests/issues/7012))

**Bugfixes**

- Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. ([#7205](https://redirect.github.com/psf/requests/issues/7205))

**Deprecations**

- Dropped support for Python 3.9 following its end of support. ([#7196](https://redirect.github.com/psf/requests/issues/7196))

**Documentation**

- Various typo fixes and doc improvements.

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).

Co-authored-by: utic-renovate[bot] <235200891+utic-renovate[bot]@users.noreply.github.com>
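The requests advisory quoted above describes a general issue class: a file extracted to a predictable name in a shared temp directory, with an existing file at that path trusted and reused. The block below is an added illustration of that class and its mitigation; it is constructed for this page and is not requests' own code, not `extract_zipped_paths()`, and not the project's actual fix. The function names (`extract_predictable`, `extract_private`, `demo`), the `tmp_root` parameter and the sample archive contents are all assumptions made here. The hardened variant does what the advisory's remediation describes in outline: a fresh, randomly named, owner-only directory per extraction, and the archive member is always written out rather than reused from disk.

```python
"""Illustration of the temp-directory issue class described for
requests.utils.extract_zipped_paths() (CVE-2026-25645): a predictable
destination in a shared temp dir that is reused if it already exists,
beside a hardened variant. Constructed example; not requests' own code."""
import io
import os
import stat
import tempfile
import zipfile
from typing import Optional


def build_zip(member: str, payload: bytes) -> bytes:
    """Build a one-member zip archive in memory (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, payload)
    return buf.getvalue()


def extract_predictable(zip_bytes: bytes, member: str,
                        tmp_root: Optional[str] = None) -> str:
    """Weak pattern: destination derived only from the member name, placed in a
    shared temp directory, and any file already at that path is returned as-is.
    Anyone who can write to tmp_root can place a file there ahead of time."""
    root = tmp_root or tempfile.gettempdir()
    dest = os.path.join(root, os.path.basename(member))
    if os.path.exists(dest):
        return dest  # reused without checking who wrote it or what it contains
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        data = zf.read(member)
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


def extract_private(zip_bytes: bytes, member: str,
                    tmp_root: Optional[str] = None) -> str:
    """Hardened pattern: a fresh, randomly named, owner-only (0700) directory per
    extraction, and the member is always written from the archive, never reused."""
    private_dir = tempfile.mkdtemp(prefix="extract-", dir=tmp_root)
    dest = os.path.join(private_dir, os.path.basename(member))
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        data = zf.read(member)
    # O_EXCL: create the file ourselves or fail; never open a pre-existing path.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest


def demo(tmp_root: Optional[str] = None) -> dict:
    """Run both patterns against a pre-placed file and report what each hands back."""
    root = tmp_root or tempfile.mkdtemp(prefix="demo-root-")
    member = "bundle.pem"
    archive = build_zip(member, b"GENUINE\n")
    # Simulate a file that another local user placed earlier at the predictable path.
    planted = os.path.join(root, member)
    with open(planted, "wb") as fh:
        fh.write(b"PLANTED\n")

    weak_path = extract_predictable(archive, member, root)
    safe_path = extract_private(archive, member, root)
    with open(weak_path, "rb") as fh:
        weak_content = fh.read()
    with open(safe_path, "rb") as fh:
        safe_content = fh.read()
    dir_mode = stat.S_IMODE(os.stat(os.path.dirname(safe_path)).st_mode)
    return {
        "weak_content": weak_content,      # the pre-placed file is what got used
        "safe_content": safe_content,      # the archive member is what got used
        "safe_dir_mode": dir_mode,         # 0o700 on POSIX
        "safe_path_is_predictable": safe_path == planted,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running `demo()` shows the weak variant handing back the pre-placed content while the hardened one returns the archive's content from a private directory whose name cannot be guessed in advance. The advisory's interim workaround of pointing `TMPDIR` at a directory with restricted write access corresponds to choosing a `tmp_root` that other local users cannot write to; it narrows who can pre-place a file but does not change the reuse behaviour itself, which is why the upgrade is the real fix.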
1 parent 78dfb30 commit 6447dab

3 files changed

Lines changed: 12 additions & 7 deletions

File tree

CHANGELOG.md

Lines changed: 5 additions & 0 deletions
@@ -1,3 +1,8 @@
1+
## 0.22.5
2+
3+
### Fixes
4+
- **Security update**: Bumped dependencies to address security vulnerabilities
5+
16
## 0.22.4
27

38
### Enhancements
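Review bot: the new `### Fixes` entry ("Bumped dependencies to address security vulnerabilities") does not say which dependencies or which advisories, although the PR body names both: pypdf 6.9.1 → 6.9.2 (CVE-2026-33699) and requests 2.32.5 → 2.33.0 (CVE-2026-25645). Consumers triaging whether they need 0.22.5 cannot tell from the changelog alone; suggest naming the packages, target versions and CVE ids in that line, e.g. "Bumped pypdf to 6.9.2 (CVE-2026-33699) and requests to 2.33.0 (CVE-2026-25645)". The heading and blank-line layout match the existing `## 0.22.4` block, so no structural issue there.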

unstructured/__version__.py

Lines changed: 1 addition & 1 deletion
@@ -1 +1 @@
1-
__version__ = "0.22.4" # pragma: no cover
1+
__version__ = "0.22.5" # pragma: no cover
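Review bot: the bump to `"0.22.5"` is consistent with the new `## 0.22.5` CHANGELOG heading, and the `# pragma: no cover` marker is preserved, so this hunk is fine on its own. Since the dependency change itself lives only in `uv.lock`, which is not rendered in this view, confirm before merging that the lock resolves pypdf to 6.9.2 and requests to 2.33.0 (the versions stated in the PR body), otherwise the changelog entry and version bump would advertise a fix the lock does not carry.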

uv.lock

Lines changed: 6 additions & 6 deletions
Some generated files are not rendered by default.

0 commit comments
