chore(deps): update dependency requests to ~=2.33.0 [security] by renovate[bot] · Pull Request #20 · PyFunceble/web-worker

renovate · 2026-03-26T17:20:57Z

This PR contains the following updates:

Package	Change	Age	Confidence
requests (changelog)	`~=2.32.3` → `~=2.33.0`

Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function

CVE-2026-25645 / GHSA-gc5v-m9x4-r6x2

More information

Details

Impact

The requests.utils.extract_zipped_paths() utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one.

Affected usages

Standard usage of the Requests library is not affected by this vulnerability. Only applications that call extract_zipped_paths() directly are impacted.

Remediation

Upgrade to at least Requests 2.33.0, where the library now extracts files to a non-deterministic location.

If developers are unable to upgrade, they can set TMPDIR in their environment to a directory with restricted write access.

Severity

CVSS Score: 4.4 / 10 (Medium)
Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

psf/requests (requests)

`v2.33.0`

Compare Source

Announcements

📣 Requests is adding inline types. If you have a typed code base that
uses Requests, please take a look at #7271. Give it a try, and report
any gaps or feedback you may have in the issue. 📣

Security

CVE-2026-25645 requests.utils.extract_zipped_paths now extracts
contents to a non-deterministic location to prevent malicious file
replacement. This does not affect default usage of Requests, only
applications calling the utility function directly.

Improvements

Migrated to a PEP 517 build system using setuptools. (#7012)

Bugfixes

Fixed an issue where an empty netrc entry could cause
malformed authentication to be applied to Requests on
Python 3.11+. (#7205)

Deprecations

Dropped support for Python 3.9 following its end of support. (#7196)

Documentation

Various typo fixes and doc improvements.

`v2.32.5`

Compare Source

Bugfixes

The SSLContext caching feature originally introduced in 2.32.0 has created
a new class of issues in Requests that have had negative impact across a number
of use cases. The Requests team has decided to revert this feature as long term
maintenance of it is proving to be unsustainable in its current iteration.

Deprecations

Added support for Python 3.14.
Dropped support for Python 3.8 following its end of support.

`v2.32.4`

Compare Source

Security

CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted
environment will retrieve credentials for the wrong hostname/machine from a
netrc file.

Improvements

Numerous documentation improvements

Deprecations

Added support for pypy 3.11 for Linux and macOS.
Dropped support for pypy 3.9 following its end of support.

Configuration

📅 Schedule: (UTC)

Branch creation
- At any time (no schedule defined)
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate Bot assigned funilrys Mar 26, 2026

renovate Bot changed the title ~~chore(deps): update dependency requests to ~=2.33.0 [security]~~ chore(deps): update dependency requests to ~=2.33.1 [security] Apr 8, 2026

renovate Bot force-pushed the renovate/pypi-requests-vulnerability branch from 5c81dc0 to e410597 Compare April 8, 2026 16:50

renovate Bot changed the title ~~chore(deps): update dependency requests to ~=2.33.1 [security]~~ chore(deps): update dependency requests to ~=2.33.0 [security] Apr 9, 2026

renovate Bot force-pushed the renovate/pypi-requests-vulnerability branch from e410597 to c43d9f6 Compare April 9, 2026 00:15

renovate Bot changed the title ~~chore(deps): update dependency requests to ~=2.33.0 [security]~~ chore(deps): update dependency requests to ~=2.33.1 [security] Apr 15, 2026

renovate Bot force-pushed the renovate/pypi-requests-vulnerability branch from c43d9f6 to b8261df Compare April 15, 2026 13:46

renovate Bot changed the title ~~chore(deps): update dependency requests to ~=2.33.1 [security]~~ chore(deps): update dependency requests to ~=2.33.0 [security] Apr 16, 2026

renovate Bot force-pushed the renovate/pypi-requests-vulnerability branch from b8261df to 4aaae9a Compare April 16, 2026 09:52

renovate Bot changed the title ~~chore(deps): update dependency requests to ~=2.33.0 [security]~~ chore(deps): update dependency requests to ~=2.33.1 [security] Apr 16, 2026

renovate Bot force-pushed the renovate/pypi-requests-vulnerability branch from 4aaae9a to 6c8aed8 Compare April 16, 2026 14:56

renovate Bot changed the title ~~chore(deps): update dependency requests to ~=2.33.1 [security]~~ chore(deps): update dependency requests to ~=2.33.0 [security] Apr 16, 2026

renovate Bot force-pushed the renovate/pypi-requests-vulnerability branch from 6c8aed8 to a3cb6eb Compare April 16, 2026 22:47

renovate Bot changed the title ~~chore(deps): update dependency requests to ~=2.33.0 [security]~~ chore(deps): update dependency requests to ~=2.33.1 [security] Apr 21, 2026

renovate Bot force-pushed the renovate/pypi-requests-vulnerability branch 2 times, most recently from 2e5d6ca to b9ea89b Compare April 22, 2026 01:22

renovate Bot changed the title ~~chore(deps): update dependency requests to ~=2.33.1 [security]~~ chore(deps): update dependency requests to ~=2.33.0 [security] Apr 22, 2026

renovate Bot changed the title ~~chore(deps): update dependency requests to ~=2.33.0 [security]~~ chore(deps): update dependency requests to ~=2.33.1 [security] Apr 23, 2026

renovate Bot changed the title ~~chore(deps): update dependency requests to ~=2.33.1 [security]~~ chore(deps): update dependency requests to ~=2.33.0 [security] Apr 23, 2026

renovate Bot changed the title ~~chore(deps): update dependency requests to ~=2.33.0 [security]~~ chore(deps): update dependency requests to ~=2.33.0 [security] - autoclosed Apr 27, 2026

renovate Bot closed this Apr 27, 2026

renovate Bot deleted the renovate/pypi-requests-vulnerability branch April 27, 2026 17:45

renovate Bot changed the title ~~chore(deps): update dependency requests to ~=2.33.0 [security] - autoclosed~~ chore(deps): update dependency requests to ~=2.33.0 [security] Apr 27, 2026

renovate Bot reopened this Apr 27, 2026

renovate Bot force-pushed the renovate/pypi-requests-vulnerability branch 2 times, most recently from b9ea89b to aab0caa Compare April 27, 2026 22:15

renovate Bot changed the title ~~chore(deps): update dependency requests to ~=2.33.0 [security]~~ chore(deps): update dependency requests to ~=2.33.1 [security] Apr 29, 2026

renovate Bot force-pushed the renovate/pypi-requests-vulnerability branch from aab0caa to 2c5238f Compare April 29, 2026 13:14

renovate Bot changed the title ~~chore(deps): update dependency requests to ~=2.33.1 [security]~~ chore(deps): update dependency requests to ~=2.33.0 [security] Apr 29, 2026

renovate Bot force-pushed the renovate/pypi-requests-vulnerability branch from 2c5238f to f228a90 Compare April 29, 2026 21:39

renovate Bot changed the title ~~chore(deps): update dependency requests to ~=2.33.1 [security]~~ chore(deps): update dependency requests to ~=2.33.0 [security] Apr 30, 2026

renovate Bot changed the title ~~chore(deps): update dependency requests to ~=2.33.0 [security]~~ chore(deps): update dependency requests to ~=2.34.0 [security] May 12, 2026

renovate Bot force-pushed the renovate/pypi-requests-vulnerability branch from ddc4ba0 to 70bd2b7 Compare May 12, 2026 12:57

renovate Bot changed the title ~~chore(deps): update dependency requests to ~=2.34.0 [security]~~ chore(deps): update dependency requests to ~=2.33.0 [security] May 12, 2026

renovate Bot force-pushed the renovate/pypi-requests-vulnerability branch from 70bd2b7 to d2b05a8 Compare May 12, 2026 19:26

renovate Bot changed the title ~~chore(deps): update dependency requests to ~=2.33.0 [security]~~ chore(deps): update dependency requests to ~=2.34.1 [security] May 14, 2026

renovate Bot force-pushed the renovate/pypi-requests-vulnerability branch from d2b05a8 to 489f488 Compare May 14, 2026 17:07

renovate Bot changed the title ~~chore(deps): update dependency requests to ~=2.34.1 [security]~~ chore(deps): update dependency requests to ~=2.33.0 [security] May 14, 2026

renovate Bot force-pushed the renovate/pypi-requests-vulnerability branch from 489f488 to c6323b1 Compare May 14, 2026 21:29

renovate Bot changed the title ~~chore(deps): update dependency requests to ~=2.33.0 [security]~~ chore(deps): update dependency requests to ~=2.34.2 [security] May 18, 2026

renovate Bot force-pushed the renovate/pypi-requests-vulnerability branch from c6323b1 to 695e4e8 Compare May 18, 2026 18:53

renovate Bot changed the title ~~chore(deps): update dependency requests to ~=2.34.2 [security]~~ chore(deps): update dependency requests to ~=2.33.0 [security] May 18, 2026

renovate Bot force-pushed the renovate/pypi-requests-vulnerability branch from 695e4e8 to b95006a Compare May 18, 2026 23:28

renovate Bot changed the title ~~chore(deps): update dependency requests to ~=2.33.0 [security]~~ chore(deps): update dependency requests to ~=2.34.2 [security] May 23, 2026

renovate Bot force-pushed the renovate/pypi-requests-vulnerability branch from b95006a to d092412 Compare May 23, 2026 14:45

renovate Bot changed the title ~~chore(deps): update dependency requests to ~=2.34.2 [security]~~ chore(deps): update dependency requests to ~=2.33.0 [security] May 23, 2026

renovate Bot force-pushed the renovate/pypi-requests-vulnerability branch from d092412 to 96c266d Compare May 23, 2026 16:27

renovate Bot changed the title ~~chore(deps): update dependency requests to ~=2.33.0 [security]~~ chore(deps): update dependency requests to ~=2.34.2 [security] May 30, 2026

renovate Bot force-pushed the renovate/pypi-requests-vulnerability branch from 96c266d to 8bb7156 Compare May 30, 2026 20:11

renovate Bot changed the title ~~chore(deps): update dependency requests to ~=2.34.2 [security]~~ chore(deps): update dependency requests to ~=2.33.0 [security] May 30, 2026

renovate Bot force-pushed the renovate/pypi-requests-vulnerability branch from 8bb7156 to c6abffd Compare May 30, 2026 20:27

renovate Bot changed the title ~~chore(deps): update dependency requests to ~=2.33.0 [security]~~ chore(deps): update dependency requests to ~=2.34.2 [security] Jun 1, 2026

renovate Bot force-pushed the renovate/pypi-requests-vulnerability branch from c6abffd to 4444cfc Compare June 1, 2026 20:57

renovate Bot changed the title ~~chore(deps): update dependency requests to ~=2.34.2 [security]~~ chore(deps): update dependency requests to ~=2.33.0 [security] Jun 2, 2026

renovate Bot force-pushed the renovate/pypi-requests-vulnerability branch from 4444cfc to 161ae7e Compare June 2, 2026 03:41

renovate Bot changed the title ~~chore(deps): update dependency requests to ~=2.33.0 [security]~~ chore(deps): update dependency requests to ~=2.34.2 [security] Jun 11, 2026

renovate Bot force-pushed the renovate/pypi-requests-vulnerability branch from 161ae7e to 9f584d3 Compare June 11, 2026 18:49

chore(deps): update dependency requests to ~=2.33.0 [security]

0ab1eb5

renovate Bot changed the title ~~chore(deps): update dependency requests to ~=2.34.2 [security]~~ chore(deps): update dependency requests to ~=2.33.0 [security] Jun 12, 2026

renovate Bot force-pushed the renovate/pypi-requests-vulnerability branch from 9f584d3 to 0ab1eb5 Compare June 12, 2026 01:12

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): update dependency requests to ~=2.33.0 [security]#20

chore(deps): update dependency requests to ~=2.33.0 [security]#20
renovate[bot] wants to merge 1 commit into
devfrom
renovate/pypi-requests-vulnerability

renovate Bot commented Mar 26, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

renovate Bot commented Mar 26, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function

Details

Impact

Affected usages

Remediation

Severity

References

Release Notes

v2.33.0

v2.32.5

v2.32.4

Configuration

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

renovate Bot commented Mar 26, 2026 •

edited

Loading

`v2.33.0`

`v2.32.5`

`v2.32.4`