From 934bed3315f5912327d8ea72c900444164b9d0a0 Mon Sep 17 00:00:00 2001 From: Stephen Lang Date: Fri, 15 May 2026 15:29:32 +0100 Subject: [PATCH 1/4] chore(deps): bump minimum requests to 2.32 (CVE-2018-18074) --- .../pyproject.toml | 2 +- .../opentelemetry-exporter-zipkin-json/pyproject.toml | 2 +- .../pyproject.toml | 2 +- uv.lock | 10 +++++----- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/exporter/opentelemetry-exporter-otlp-proto-http/pyproject.toml b/exporter/opentelemetry-exporter-otlp-proto-http/pyproject.toml index 719a2cd84f3..43d0a6a1e84 100644 --- a/exporter/opentelemetry-exporter-otlp-proto-http/pyproject.toml +++ b/exporter/opentelemetry-exporter-otlp-proto-http/pyproject.toml @@ -31,7 +31,7 @@ dependencies = [ "opentelemetry-proto == 1.42.0.dev", "opentelemetry-sdk ~= 1.42.0.dev", "opentelemetry-exporter-otlp-proto-common == 1.42.0.dev", - "requests ~= 2.7", + "requests ~= 2.32", "typing-extensions >= 4.5.0", ] diff --git a/exporter/opentelemetry-exporter-zipkin-json/pyproject.toml b/exporter/opentelemetry-exporter-zipkin-json/pyproject.toml index 339a76c7af0..baa9bc9fb5e 100644 --- a/exporter/opentelemetry-exporter-zipkin-json/pyproject.toml +++ b/exporter/opentelemetry-exporter-zipkin-json/pyproject.toml @@ -29,7 +29,7 @@ classifiers = [ dependencies = [ "opentelemetry-api ~= 1.3", "opentelemetry-sdk ~= 1.11", - "requests ~= 2.7", + "requests ~= 2.32", ] [project.entry-points.opentelemetry_traces_exporter] diff --git a/exporter/opentelemetry-exporter-zipkin-proto-http/pyproject.toml b/exporter/opentelemetry-exporter-zipkin-proto-http/pyproject.toml index b2061a99b6d..da41aa2061f 100644 --- a/exporter/opentelemetry-exporter-zipkin-proto-http/pyproject.toml +++ b/exporter/opentelemetry-exporter-zipkin-proto-http/pyproject.toml 
@@ -31,7 +31,7 @@ dependencies = [ "opentelemetry-exporter-zipkin-json == 1.42.0.dev", "opentelemetry-sdk ~= 1.11", "protobuf ~= 3.12", - "requests ~= 2.7", + "requests ~= 2.32", ] [project.entry-points.opentelemetry_traces_exporter] diff --git a/uv.lock b/uv.lock index c7eb242e8dc..970fcd25a2f 100644 --- a/uv.lock +++ b/uv.lock @@ -937,7 +937,7 @@ requires-dist = [ { name = "opentelemetry-exporter-otlp-proto-common", editable = "exporter/opentelemetry-exporter-otlp-proto-common" }, { name = "opentelemetry-proto", editable = "opentelemetry-proto" }, { name = "opentelemetry-sdk", editable = "opentelemetry-sdk" }, - { name = "requests", specifier = "~=2.7" }, + { name = "requests", specifier = "~=2.32" }, { name = "typing-extensions", specifier = ">=4.5.0" }, ] provides-extras = ["gcp-auth"] @@ -971,7 +971,7 @@ dependencies = [ requires-dist = [ { name = "opentelemetry-api", editable = "opentelemetry-api" }, { name = "opentelemetry-sdk", editable = "opentelemetry-sdk" }, - { name = "requests", specifier = "~=2.7" }, + { name = "requests", specifier = "~=2.32" }, ] [[package]] @@ -1513,7 +1513,7 @@ wheels = [ [[package]] name = "requests" -version = "2.33.1" +version = "2.34.2" source = { registry = "https://pypi.org/simple/" } dependencies = [ { name = "certifi" }, 
@@ -1521,9 +1521,9 @@ dependencies = [ { name = "idna" }, { name = "urllib3" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/5f/a4/98b9c7c6428a668bf7e42ebb7c79d576a1c3c1e3ae2d47e674b468388871/requests-2.33.1.tar.gz", hash = "sha256:18817f8c57c6263968bc123d237e3b8b08ac046f5456bd1e307ee8f4250d3517", size = 134120, upload-time = "2026-03-30T16:09:15.531Z" } +sdist = { url = "https://files.pythonhosted.org/packages/ac/c3/e2a2b89f2d3e2179abd6d00ebd70bff6273f37fb3e0cc209f48b39d00cbf/requests-2.34.2.tar.gz", hash = "sha256:f288924cae4e29463698d6d60bc6a4da69c89185ad1e0bcc4104f584e960b9ed", size = 142856, upload-time = "2026-05-14T19:25:27.735Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/d7/8e/7540e8a2036f79a125c1d2ebadf69ed7901608859186c856fa0388ef4197/requests-2.33.1-py3-none-any.whl", hash = "sha256:4e6d1ef462f3626a1f0a0a9c42dd93c63bad33f9f1c1937509b8c5c8718ab56a", size = 64947, upload-time = "2026-03-30T16:09:13.83Z" }, + { url = "https://files.pythonhosted.org/packages/a0/f4/c67b0b3f1b9245e8d266f0f112c500d50e5b4e83cb6f3b71b6528104182a/requests-2.34.2-py3-none-any.whl", hash = "sha256:2a0d60c172f83ac6ab31e4554906c0f3b3588d37b5cb939b1c061f4907e278e0", size = 73075, upload-time = "2026-05-14T19:25:26.443Z" }, ] [[package]] From 6abdf3f2171f072e5e350c84e6f82b62dfc52ef9 Mon Sep 17 00:00:00 2001 From: Stephen Lang Date: Fri, 15 May 2026 15:38:42 +0100 Subject: [PATCH 2/4] docs: changelog entry --- .changelog/5218.fixed | 1 + 1 file changed, 1 insertion(+) create mode 100644 .changelog/5218.fixed diff --git a/.changelog/5218.fixed b/.changelog/5218.fixed new file mode 100644 index 00000000000..305fa392dcd --- /dev/null +++ b/.changelog/5218.fixed @@ -0,0 +1 @@ +Bump minimum `requests` to 2.32 in HTTP/Zipkin exporters to mitigate CVE-2018-18074 From 0e17e3d5539f677b23ddbc904db1714d8cd925f7 Mon Sep 17 00:00:00 2001 
From: Stephen Lang Date: Fri, 15 May 2026 15:42:44 +0100 Subject: [PATCH 3/4] fix: bump requests in tox.ini to 2.32.3 --- tox.ini | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tox.ini b/tox.ini index 5ebf34c3f37..af0273818c8 100644 --- a/tox.ini +++ b/tox.ini @@ -327,7 +327,7 @@ deps = # Pinning docker for issue: https://github.com/docker/compose/issues/11309 docker<7 docker-compose==1.29.2 - requests==2.28.2 + requests==2.32.3 ; core packages -e {toxinidir}/opentelemetry-api -e {toxinidir}/opentelemetry-semantic-conventions From 7b264ea97dc66b312c0ff077299f9225d63e2a46 Mon Sep 17 00:00:00 2001 From: Stephen Lang Date: Fri, 15 May 2026 15:56:05 +0100 Subject: [PATCH 4/4] fix: pin to 2.31 for compat --- .changelog/5218.fixed | 2 +- .../opentelemetry-exporter-otlp-proto-http/pyproject.toml | 2 +- exporter/opentelemetry-exporter-zipkin-json/pyproject.toml | 2 +- .../opentelemetry-exporter-zipkin-proto-http/pyproject.toml | 2 +- tox.ini | 4 +++- uv.lock | 4 ++-- 6 files changed, 9 insertions(+), 7 deletions(-) diff --git a/.changelog/5218.fixed b/.changelog/5218.fixed index 305fa392dcd..189defe6ac9 100644 --- a/.changelog/5218.fixed +++ b/.changelog/5218.fixed @@ -1 +1 @@ -Bump minimum `requests` to 2.32 in HTTP/Zipkin exporters to mitigate CVE-2018-18074 +Bump minimum `requests` to 2.31 in HTTP/Zipkin exporters to mitigate CVE-2018-18074 diff --git a/exporter/opentelemetry-exporter-otlp-proto-http/pyproject.toml b/exporter/opentelemetry-exporter-otlp-proto-http/pyproject.toml index 43d0a6a1e84..dee0e8f7b6c 100644 --- a/exporter/opentelemetry-exporter-otlp-proto-http/pyproject.toml +++ b/exporter/opentelemetry-exporter-otlp-proto-http/pyproject.toml @@ -31,7 +31,7 @@ dependencies = [ "opentelemetry-proto == 1.42.0.dev", "opentelemetry-sdk ~= 1.42.0.dev", "opentelemetry-exporter-otlp-proto-common == 1.42.0.dev", - "requests ~= 2.32", + "requests ~= 2.31", "typing-extensions >= 4.5.0", ] 
diff --git a/exporter/opentelemetry-exporter-zipkin-json/pyproject.toml b/exporter/opentelemetry-exporter-zipkin-json/pyproject.toml index baa9bc9fb5e..ebdee18a7d0 100644 --- a/exporter/opentelemetry-exporter-zipkin-json/pyproject.toml +++ b/exporter/opentelemetry-exporter-zipkin-json/pyproject.toml @@ -29,7 +29,7 @@ classifiers = [ dependencies = [ "opentelemetry-api ~= 1.3", "opentelemetry-sdk ~= 1.11", - "requests ~= 2.32", + "requests ~= 2.31", ] [project.entry-points.opentelemetry_traces_exporter] diff --git a/exporter/opentelemetry-exporter-zipkin-proto-http/pyproject.toml b/exporter/opentelemetry-exporter-zipkin-proto-http/pyproject.toml index da41aa2061f..494b011cdb8 100644 --- a/exporter/opentelemetry-exporter-zipkin-proto-http/pyproject.toml +++ b/exporter/opentelemetry-exporter-zipkin-proto-http/pyproject.toml @@ -31,7 +31,7 @@ dependencies = [ "opentelemetry-exporter-zipkin-json == 1.42.0.dev", "opentelemetry-sdk ~= 1.11", "protobuf ~= 3.12", - "requests ~= 2.32", + "requests ~= 2.31", ] [project.entry-points.opentelemetry_traces_exporter] diff --git a/tox.ini b/tox.ini index af0273818c8..4885334ae09 100644 --- a/tox.ini +++ b/tox.ini @@ -327,7 +327,9 @@ deps = # Pinning docker for issue: https://github.com/docker/compose/issues/11309 docker<7 docker-compose==1.29.2 - requests==2.32.3 + # docker-py < 7's UnixHTTPAdapter overrides only get_connection, which + # requests >= 2.32 no longer calls; pin requests below 2.32 here. + requests==2.31.0 ; core packages -e {toxinidir}/opentelemetry-api -e {toxinidir}/opentelemetry-semantic-conventions diff --git a/uv.lock b/uv.lock index 970fcd25a2f..6b82d260d87 100644 --- a/uv.lock +++ b/uv.lock 
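Review bot: The `requests==2.31.0` pin in the tox.ini hunk puts the test environment on a release older than the 2.32 line the first patch in this series targeted, and to my knowledge 2.32.0 itself shipped a security fix (CVE-2024-35195, a `verify=False` setting on one request persisting for the rest of a `Session`), so the compat workaround re-introduces a known-affected version into CI while the published floor `~= 2.31` still admits it. CVE-2018-18074, which the changelog cites, was fixed in requests 2.20.0, so `~= 2.31` is a sufficient floor for that issue; the residual gap is only that nothing here requires 2.32+. The new comment explains the mechanism but not the exit condition, so I would extend it with `# TODO: drop this pin once the docker<7 pin above can go (docker-py 7.1+ is believed to work with requests >= 2.32)` so the next person touching the `docker<7` / docker-compose pin knows to lift both together. Whether docker-py 7.1 actually restores compatibility should be confirmed before relying on it.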
@@ -937,7 +937,7 @@ requires-dist = [ { name = "opentelemetry-exporter-otlp-proto-common", editable = "exporter/opentelemetry-exporter-otlp-proto-common" }, { name = "opentelemetry-proto", editable = "opentelemetry-proto" }, { name = "opentelemetry-sdk", editable = "opentelemetry-sdk" }, - { name = "requests", specifier = "~=2.32" }, + { name = "requests", specifier = "~=2.31" }, { name = "typing-extensions", specifier = ">=4.5.0" }, ] provides-extras = ["gcp-auth"] @@ -971,7 +971,7 @@ dependencies = [ requires-dist = [ { name = "opentelemetry-api", editable = "opentelemetry-api" }, { name = "opentelemetry-sdk", editable = "opentelemetry-sdk" }, - { name = "requests", specifier = "~=2.32" }, + { name = "requests", specifier = "~=2.31" }, ] [[package]]