Background
Requests 2.33.0 was released on March 25, 2026 with several notable changes:
- Dropped Python 3.9 support (#7196) — following Python 3.9's end of life.
- CVE-2026-25645 — requests.utils.extract_zipped_paths now extracts to a non-deterministic location to prevent malicious file replacement. Only affects direct callers of this utility function, not default requests usage.
- Inline types — Requests is adding inline type annotations (#7271), a major modernization effort.
- PEP 517 build system — Migrated to setuptools with PEP 517.
- Netrc bugfix — Fixed empty netrc entry causing malformed auth on Python 3.11+.
Impact
- Python 3.9 drop: If Scout's Python agent still supports Python 3.9, users on that version who upgrade requests to 2.33.0 will hit import errors. Scout's minimum Python version should be reviewed for alignment.
- Inline types: If Scout patches or wraps requests functions (e.g., for HTTP client instrumentation), the addition of type annotations could affect monkey-patching if Scout inspects function signatures.
- CVE-2026-25645: Low direct impact on Scout, but worth awareness for security-conscious users.
Suggested Action
- Verify Scout's minimum supported Python version. If Scout still supports Python 3.9, document the incompatibility with requests >= 2.33.0 or consider aligning version requirements.
- If Scout instruments requests (e.g., wrapping Session.send or Session.request), test against 2.33.0 to ensure inline types don't interfere with monkey-patching.
- Update dependency constraints if needed.
References