Update dependency requests to v2.33.0 [SECURITY] - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
requests (changelog)	==2.32.5 → ==2.33.0

---

Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function

CVE-2026-25645 / GHSA-gc5v-m9x4-r6x2

More information

Details

Impact

The requests.utils.extract_zipped_paths() utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one.

Affected usages

Standard usage of the Requests library is not affected by this vulnerability. Only applications that call extract_zipped_paths() directly are impacted.

Remediation

Upgrade to at least Requests 2.33.0, where the library now extracts files to a non-deterministic location.

If developers are unable to upgrade, they can set TMPDIR in their environment to a directory with restricted write access.

Severity

• CVSS Score: 4.4 / 10 (Medium)
• Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N

References

• https://github.com/psf/requests/security/advisories/GHSA-gc5v-m9x4-r6x2
• https://github.com/psf/requests/commit/66d21cb07bd6255b1280291c4fafb71803cdb3b7
• https://github.com/psf/requests/releases/tag/v2.33.0
• https://nvd.nist.gov/vuln/detail/CVE-2026-25645
• https://github.com/advisories/GHSA-gc5v-m9x4-r6x2

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

psf/requests (requests)

v2.33.0

Compare Source

Announcements

• 📣 Requests is adding inline types. If you have a typed code base that
  uses Requests, please take a look at #​7271. Give it a try, and report
  any gaps or feedback you may have in the issue. 📣

Security

• CVE-2026-25645 requests.utils.extract_zipped_paths now extracts
  contents to a non-deterministic location to prevent malicious file
  replacement. This does not affect default usage of Requests, only
  applications calling the utility function directly.

Improvements

• Migrated to a PEP 517 build system using setuptools. (#​7012)

Bugfixes

• Fixed an issue where an empty netrc entry could cause
  malformed authentication to be applied to Requests on
  Python 3.11+. (#​7205)

Deprecations

• Dropped support for Python 3.9 following its end of support. (#​7196)

Documentation

• Various typo fixes and doc improvements.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Test results for commit b4c8eef

Test coverage for b4c8eef

Name           Stmts   Miss Branch BrPart  Cover   Missing
----------------------------------------------------------
src/charm.py      54      9      2      1    82%   72-78, 99-101, 114-116
src/state.py      85      1     16      1    98%   204
----------------------------------------------------------
TOTAL            139     10     18      2    92%

Static code analysis report

Run started:2026-04-03 09:35:20.305815+00:00

Test results:
  No issues identified.

Code scanned:
  Total lines of code: 975
  Total lines skipped (#nosec): 0
  Total potential issues skipped due to specifically being disabled (e.g., #nosec BXXX): 0

Run metrics:
  Total issues (by severity):
  	Undefined: 0
  	Low: 0
  	Medium: 0
  	High: 0
  Total issues (by confidence):
  	Undefined: 0
  	Low: 0
  	Medium: 0
  	High: 0
Files skipped (0):

[github-actions]

Test results for commit b4c8eef

Test coverage for b4c8eef

Name            Stmts   Miss Branch BrPart  Cover   Missing
-----------------------------------------------------------
src/charm.py      140     31     36     14    73%   103-106, 111-112, 116, 123-125, 130->136, 135, 138, 149-150, 152, 154->160, 159, 165-166, 173-176, 209-210, 231, 237, 240, 255-278
src/policy.py      98     68     20      0    25%   24-26, 31, 40-44, 55, 72-76, 89-103, 133-134, 142, 175-196, 219-238, 249-257, 265-271, 279-284, 295-298
src/relay.py      142      8     46      2    95%   155->178, 252-268, 398-401
src/timer.py       11      4      0      0    64%   48-61
-----------------------------------------------------------
TOTAL             391    111    102     16    70%

Static code analysis report

Run started:2026-04-03 09:35:26.118929+00:00

Test results:
  No issues identified.

Code scanned:
  Total lines of code: 1810
  Total lines skipped (#nosec): 6
  Total potential issues skipped due to specifically being disabled (e.g., #nosec BXXX): 1

Run metrics:
  Total issues (by severity):
  	Undefined: 0
  	Low: 0
  	Medium: 0
  	High: 0
  Total issues (by confidence):
  	Undefined: 0
  	Low: 0
  	Medium: 0
  	High: 0
Files skipped (0):

[github-actions]

Test results for commit b4c8eef

Test coverage for b4c8eef

Name           Stmts   Miss Branch BrPart  Cover   Missing
----------------------------------------------------------
src/charm.py     176     36     38      8    78%   67-69, 76-77, 81, 94, 97-98, 128, 170-200, 213->228, 221-227, 353-367
src/squid.py     110      6     34      5    92%   65, 75, 175, 264, 313, 322, 344->351, 346->348
----------------------------------------------------------
TOTAL            286     42     72     13    84%

Static code analysis report

Run started:2026-04-03 09:35:27.754498+00:00

Test results:
  No issues identified.

Code scanned:
  Total lines of code: 2243
  Total lines skipped (#nosec): 1
  Total potential issues skipped due to specifically being disabled (e.g., #nosec BXXX): 1

Run metrics:
  Total issues (by severity):
  	Undefined: 0
  	Low: 0
  	Medium: 0
  	High: 0
  Total issues (by confidence):
  	Undefined: 0
  	Low: 0
  	Medium: 0
  	High: 0
Files skipped (0):