Commit ab44f7e
authored
chore(deps): update dependency requests to v2.33.0 [security] (#16464)
This PR contains the following updates:
| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [requests](https://redirect.github.com/psf/requests)
([changelog](https://redirect.github.com/psf/requests/blob/master/HISTORY.md))
| `==2.32.5` → `==2.33.0` |
|
|
### GitHub Vulnerability Alerts
####
[CVE-2026-25645](https://redirect.github.com/psf/requests/security/advisories/GHSA-gc5v-m9x4-r6x2)
### Impact
The `requests.utils.extract_zipped_paths()` utility function uses a
predictable filename when extracting files from zip archives into the
system temporary directory. If the target file already exists, it is
reused without validation. A local attacker with write access to the
temp directory could pre-create a malicious file that would be loaded in
place of the legitimate one.
### Affected usages
**Standard usage of the Requests library is not affected by this
vulnerability.** Only applications that call `extract_zipped_paths()`
directly are impacted.
### Remediation
Upgrade to at least Requests 2.33.0, where the library now extracts
files to a non-deterministic location.
If developers are unable to upgrade, they can set `TMPDIR` in their
environment to a directory with restricted write access.
---
### Release Notes
<details>
<summary>psf/requests (requests)</summary>
###
[`v2.33.0`](https://redirect.github.com/psf/requests/blob/HEAD/HISTORY.md#2330-2026-03-25)
[Compare
Source](https://redirect.github.com/psf/requests/compare/v2.32.5...v2.33.0)
**Announcements**
- 📣 Requests is adding inline types. If you have a typed code base that
uses Requests, please take a look at
[#​7271](https://redirect.github.com/psf/requests/issues/7271).
Give it a try, and report
any gaps or feedback you may have in the issue. 📣
**Security**
- CVE-2026-25645 `requests.utils.extract_zipped_paths` now extracts
contents to a non-deterministic location to prevent malicious file
replacement. This does not affect default usage of Requests, only
applications calling the utility function directly.
**Improvements**
- Migrated to a PEP 517 build system using setuptools.
([#​7012](https://redirect.github.com/psf/requests/issues/7012))
**Bugfixes**
- Fixed an issue where an empty netrc entry could cause
malformed authentication to be applied to Requests on
Python 3.11+.
([#​7205](https://redirect.github.com/psf/requests/issues/7205))
**Deprecations**
- Dropped support for Python 3.9 following its end of support.
([#​7196](https://redirect.github.com/psf/requests/issues/7196))
**Documentation**
- Various typo fixes and doc improvements.
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/googleapis/google-cloud-python).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My45MS41IiwidXBkYXRlZEluVmVyIjoiNDMuOTEuNSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->1 parent 943a979 commit ab44f7e
1 file changed
+3
-3
lines changed| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1070 | 1070 | | |
1071 | 1071 | | |
1072 | 1072 | | |
1073 | | - | |
1074 | | - | |
1075 | | - | |
| 1073 | + | |
| 1074 | + | |
| 1075 | + | |
1076 | 1076 | | |
1077 | 1077 | | |
1078 | 1078 | | |
| |||
0 commit comments