
fix(deps): update dependency requests to v2.32.4 [security]#694

Merged
renovate[bot] merged 1 commit into develop from renovate/pypi-requests-vulnerability
Aug 19, 2025

@renovate renovate Bot commented Aug 19, 2025

This PR contains the following updates:

Package                       Change
requests (source, changelog)  2.32.0 -> 2.32.4
requests (source, changelog)  ==2.32.0 -> ==2.32.4

GitHub Vulnerability Alerts

CVE-2024-47081

Impact

Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs.

Workarounds

For older versions of Requests, use of the .netrc file can be disabled with trust_env=False on your Requests Session (docs).

References

https://github.com/psf/requests/pull/6965
https://seclists.org/fulldisclosure/2025/Jun/2


Release Notes

psf/requests (requests)

v2.32.4

Compare Source

Security

  • CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted
    environment will retrieve credentials for the wrong hostname/machine from a
    netrc file.

Improvements

  • Numerous documentation improvements

Deprecations

  • Added support for pypy 3.11 for Linux and macOS.
  • Dropped support for pypy 3.9 following its end of support.

v2.32.3

Compare Source

Bugfixes

  • Fixed bug breaking the ability to specify custom SSLContexts in sub-classes of
    HTTPAdapter. (#6716)
  • Fixed issue where Requests started failing to run on Python versions compiled
    without the ssl module. (#6724)

v2.32.2

Compare Source

Deprecations

  • To provide a more stable migration for custom HTTPAdapters impacted
    by the CVE changes in 2.32.0, we've renamed _get_connection to
    a new public API, get_connection_with_tls_context. Existing custom
    HTTPAdapters will need to migrate their code to use this new API.
    get_connection is considered deprecated in all versions of Requests>=2.32.0.

    A minimal (2-line) example has been provided in the linked PR to ease
    migration, but we strongly urge users to evaluate if their custom adapter
    is subject to the same issue described in CVE-2024-35195. (#6710)

v2.32.1

Compare Source

Bugfixes

  • Add missing test certs to the sdist distributed on PyPI.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
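
Added example (not part of this PR, Renovate, or the Requests project): a standard-library check that flags exact `requests` pins older than 2.32.4 in a requirements file and reports whether a netrc file is in scope for a default session. The sample requirements text is constructed, and the lookup order (`$NETRC`, then `.netrc` and `_netrc` in the home directory) is stated from knowledge of Requests rather than from this page.

```python
import os
import re
from pathlib import Path

FIXED = (2, 32, 4)  # first fixed release named in the advisory above
NETRC_NAMES = (".netrc", "_netrc")  # default file names looked up in the home directory

# Exact pins only, e.g. "requests==2.32.0" or "requests[socks] == 2.31.0".
PIN_RE = re.compile(r"^\s*requests(?:\[[^\]]*\])?\s*==\s*(\d+(?:\.\d+)*)", re.I)

# Constructed sample input, not taken from the repository in this PR.
SAMPLE_REQUIREMENTS = """\
requests==2.32.0
requests-toolbelt==1.0.0   # different package, must not match
urllib3==2.2.1
requests[socks] == 2.32.4  # already fixed
"""


def parse_version(text):
    """'2.32' -> (2, 32, 0), so short versions compare correctly against FIXED."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def vulnerable_pins(requirements_text):
    """Return (line_number, version) for every requests pin older than FIXED."""
    hits = []
    for number, line in enumerate(requirements_text.splitlines(), start=1):
        match = PIN_RE.match(line.split("#", 1)[0])  # ignore trailing comments
        if match and parse_version(match.group(1)) < FIXED:
            hits.append((number, match.group(1)))
    return hits


def netrc_in_scope(env, home):
    """Return the netrc file a default (trust_env=True) session would read, or None."""
    if env.get("NETRC") is not None:
        candidates = [Path(env["NETRC"])]  # an explicit $NETRC replaces the defaults
    else:
        candidates = [Path(home) / name for name in NETRC_NAMES]
    return next((p for p in candidates if p.is_file()), None)


if __name__ == "__main__":
    for number, version in vulnerable_pins(SAMPLE_REQUIREMENTS):
        print(f"line {number}: requests=={version} is older than 2.32.4")
    found = netrc_in_scope(os.environ, Path.home())
    print(f"netrc file in scope: {found or 'none'}")
```

Where a pin is flagged and a netrc file is in scope but the upgrade cannot ship yet, the workaround from the advisory is `session.trust_env = False` on the `requests.Session`. That setting also stops the session from reading proxy and CA-bundle environment variables, so pass those explicitly if the application depends on them.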

@renovate renovate Bot enabled auto-merge (squash) August 19, 2025 14:01

renovate Bot commented Aug 19, 2025

Branch automerge failure

This PR was configured for branch automerge. However, this is not possible, so it has been raised as a PR instead.


  • Branch has one or more failed status checks

@renovate renovate Bot merged commit f2aaf18 into develop Aug 19, 2025
57 of 58 checks passed
@renovate renovate Bot deleted the renovate/pypi-requests-vulnerability branch August 19, 2025 14:14
github-actions Bot pushed a commit that referenced this pull request Sep 13, 2025
# [0.36.0](v0.35.0...v0.36.0) (2025-09-13)

### Bug Fixes

* **deps:** update dependency requests to v2.32.4 [security] ([#694](#694)) ([f2aaf18](f2aaf18))

### Features

* better file detection to allow more files with text plugin ([#702](#702)) ([b17e3d4](b17e3d4))
@github-actions

🎉 This PR is included in version 0.36.0 🎉

The release is available on:

Your semantic-release bot 📦🚀

@github-actions github-actions Bot added the released Feature/fix is released label Sep 13, 2025