fix(deps): update dependency requests to ~=2.33.1 [security] - abandoned

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
requests (changelog)	~=2.32.5 → ~=2.33.1

---

Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function

CVE-2026-25645 / GHSA-gc5v-m9x4-r6x2

More information

Details

Impact

The requests.utils.extract_zipped_paths() utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one.

Affected usages

Standard usage of the Requests library is not affected by this vulnerability. Only applications that call extract_zipped_paths() directly are impacted.

Remediation

Upgrade to at least Requests 2.33.0, where the library now extracts files to a non-deterministic location.

If developers are unable to upgrade, they can set TMPDIR in their environment to a directory with restricted write access.

Severity

• CVSS Score: 4.4 / 10 (Medium)
• Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N

References

• https://github.com/psf/requests/security/advisories/GHSA-gc5v-m9x4-r6x2
• https://github.com/psf/requests/commit/66d21cb07bd6255b1280291c4fafb71803cdb3b7
• https://github.com/psf/requests/releases/tag/v2.33.0
• https://nvd.nist.gov/vuln/detail/CVE-2026-25645
• https://github.com/advisories/GHSA-gc5v-m9x4-r6x2

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

psf/requests (requests)

v2.33.1

Compare Source

Bugfixes

• Fixed test cleanup for CVE-2026-25645 to avoid leaving unnecessary
  files in the tmp directory. (#​7305)
• Fixed Content-Type header parsing for malformed values. (#​7309)
• Improved error consistency for malformed header values. (#​7308)

v2.33.0

Compare Source

Announcements

• 📣 Requests is adding inline types. If you have a typed code base that
  uses Requests, please take a look at #​7271. Give it a try, and report
  any gaps or feedback you may have in the issue. 📣

Security

• CVE-2026-25645 requests.utils.extract_zipped_paths now extracts
  contents to a non-deterministic location to prevent malicious file
  replacement. This does not affect default usage of Requests, only
  applications calling the utility function directly.

Improvements

• Migrated to a PEP 517 build system using setuptools. (#​7012)

Bugfixes

• Fixed an issue where an empty netrc entry could cause
  malformed authentication to be applied to Requests on
  Python 3.11+. (#​7205)

Deprecations

• Dropped support for Python 3.9 following its end of support. (#​7196)

Documentation

• Various typo fixes and doc improvements.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[dtoxvanilla1991]

@renovate rebase

[dtoxvanilla1991]

@renovate rebase

[dtoxvanilla1991]

@copilot CI unittest workflow failed. Please fix and make sure build passes.

[Copilot]

@copilot CI unittest workflow failed. Please fix and make sure build passes.

Fixed in commit a9bf3f1. The CI failed because requests 2.33.x requires Python >= 3.10, but the version markers were inverted — ~=2.33.1 was being applied to python_version < "3.10" environments where it can't install.

The fix uses requests~=2.32.5 for Python < 3.10 and requests~=2.33.1 for Python >= 3.10 in both requirements.txt and pyproject.toml.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• app.kinde.com
  • Triggering command: /home/REDACTED/.local/bin/pytest pytest --cov=kinde_sdk --cov-branch --cov-report=term-missing -q (dns block)
• example.com
  • Triggering command: /home/REDACTED/.local/bin/pytest pytest --cov=kinde_sdk --cov-branch --cov-report=term-missing -q (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[renovate]

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[dtoxvanilla1991]

@copilot rebase this PR on the latest master branch.

[Copilot]

@copilot rebase this PR on the latest master branch.

The branch is already up to date with the latest main — origin/main (commit 78dc820) is the direct parent of the two commits on this branch. No rebase was needed.