Data

Tools

Indexes

Applications

Experiments

Dependabot

An open index of dependabot pull requests across open source projects.

Bump requests from 2.32.5 to 2.33.1

Open
Number: #581
Type: Pull Request
State: Open
Author: dependabot[bot] dependabot[bot]
Association: Unknown
Comments: 2
Created: March 31, 2026 at 04:52 AM UTC
(2 months ago)
Updated: April 08, 2026 at 04:56 AM UTC
(about 2 months ago)
Labels:
dependencies python
Description:

Bumps requests from 2.32.5 to 2.33.1.

Release notes

Sourced from requests's releases.

v2.33.1

2.33.1 (2026-03-30)

Bugfixes

  • Fixed test cleanup for CVE-2026-25645 to avoid leaving unnecessary files in the tmp directory. (#7305)
  • Fixed Content-Type header parsing for malformed values. (#7309)
  • Improved error consistency for malformed header values. (#7308)

New Contributors

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2331-2026-03-30

v2.33.0

2.33.0 (2026-03-25)

Announcements

  • 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security

  • CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements

  • Migrated to a PEP 517 build system using setuptools. (#7012)

Bugfixes

  • Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (#7205)

Deprecations

  • Dropped support for Python 3.9 following its end of support. (#7196)

Documentation

  • Various typo fixes and doc improvements.

New Contributors

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2330-2026-03-25

Changelog

Sourced from requests's changelog.

2.33.1 (2026-03-30)

Bugfixes

  • Fixed test cleanup for CVE-2026-25645 to avoid leaving unnecessary files in the tmp directory. (#7305)
  • Fixed Content-Type header parsing for malformed values. (#7309)
  • Improved error consistency for malformed header values. (#7308)

2.33.0 (2026-03-25)

Announcements

  • 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security

  • CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements

  • Migrated to a PEP 517 build system using setuptools. (#7012)

Bugfixes

  • Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (#7205)

Deprecations

  • Dropped support for Python 3.9 following its end of support. (#7196)

Documentation

  • Various typo fixes and doc improvements.
Commits

Package Dependencies
Package:
requests
Ecosystem:
pip
Version Change:
2.32.5 → 2.33.1
Update Type:
Minor
Security Advisories
Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function
GHSA-gc5v-m9x4-r6x2 CVE-2026-25645 MODERATE
### Impact The `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file a...
Actions
View on GitHub View Repository All Dependabot PRs
Technical Details
ID: 15125323
UUID: 4175765598
Node ID: PR_kwDODxBb0s7O079M
Host: GitHub
Repository: NHSDigital/api-management-utils