Skip to content

chore(deps): bump requests from 2.32.5 to 2.33.0#1624

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/uv/requests-2.33.0
Open

chore(deps): bump requests from 2.32.5 to 2.33.0#1624
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/uv/requests-2.33.0

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot bot commented on behalf of github Apr 14, 2026
edited
Loading

Bumps requests from 2.32.5 to 2.33.0.

Release notes

Sourced from requests's releases.

v2.33.0

2.33.0 (2026-03-25)

Announcements

  • 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security

  • CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements

  • Migrated to a PEP 517 build system using setuptools. (#7012)

Bugfixes

  • Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (#7205)

Deprecations

  • Dropped support for Python 3.9 following its end of support. (#7196)

Documentation

  • Various typo fixes and doc improvements.

New Contributors

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2330-2026-03-25

Changelog

Sourced from requests's changelog.

2.33.0 (2026-03-25)

Announcements

  • 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security

  • CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements

  • Migrated to a PEP 517 build system using setuptools. (#7012)

Bugfixes

  • Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (#7205)

Deprecations

  • Dropped support for Python 3.9 following its end of support. (#7196)

Documentation

  • Various typo fixes and doc improvements.
Commits
  • bc04dfd v2.33.0
  • 66d21cb Merge commit from fork
  • 8b9bc8f Move badges to top of README (#7293)
  • e331a28 Remove unused extraction call (#7292)
  • 753fd08 docs: fix FAQ grammar in httplib2 example
  • 774a0b8 docs(socks): same block as other sections
  • 9c72a41 Bump github/codeql-action from 4.33.0 to 4.34.1
  • ebf7190 Bump github/codeql-action from 4.32.0 to 4.33.0
  • 0e4ae38 docs: exclude Response.is_permanent_redirect from API docs (#7244)
  • d568f47 docs: clarify Quickstart POST example (#6960)
  • Additional commits viewable in compare view

@dependabot dependabot bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels Apr 14, 2026
claude[bot]
claude bot reviewed Apr 14, 2026
View reviewed changes
Copy link
Copy Markdown

@claude claude bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM — routine dependency bump with a security fix (CVE-2026-25645) and no breaking changes for this project.

Extended reasoning...

Overview

This PR updates the requests library from 2.32.5 to 2.33.0 in uv.lock. The only file changed is the lock file, with updated version, URL, and hash entries for the requests package.

Security risks

The upstream release includes a fix for CVE-2026-25645, which affects requests.utils.extract_zipped_paths. The fix is beneficial and the CVE only affects direct callers of that utility function — not standard HTTP usage. There are no new security risks introduced by this bump.

Level of scrutiny

This is a low-risk, automated Dependabot dependency bump. The change is mechanical (lock file only), the version bump is minor (2.32.5 → 2.33.0), and no application code is modified. The requests library's dropped Python 3.9 support does not affect this project, which requires Python >=3.10.

Other factors

No bugs were found by the bug hunting system. No prior reviews on this PR. The change is fully self-contained and follows standard dependency update patterns.

@dependabot dependabot bot force-pushed the dependabot/uv/requests-2.33.0 branch from f07a003 to 5ef75b0 Compare April 16, 2026 05:56
@dependabot
chore(deps): bump requests from 2.32.5 to 2.33.0
1aa8b5a 
Bumps [requests](https://github.com/psf/requests) from 2.32.5 to 2.33.0.
- [Release notes](https://github.com/psf/requests/releases)
- [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md)
- [Commits](psf/requests@v2.32.5...v2.33.0)

---
updated-dependencies:
- dependency-name: requests
  dependency-version: 2.33.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot force-pushed the dependabot/uv/requests-2.33.0 branch from 5ef75b0 to 1aa8b5a Compare April 17, 2026 05:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@claude claude[bot] claude[bot] left review comments

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants