[Snyk] Security upgrade requests from 2.31.0 to 2.33.0

[revan-zhang]

Snyk has created this PR to fix 1 vulnerabilities in the pip dependencies of this project.

Snyk changed the following file(s):

• python/requirements-optional.txt

⚠️ Warning

web3 6.20.4 requires requests, which is not installed.

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.
• Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Insecure Temporary File

---

---

Note

Low Risk
Low risk dependency-only change: adds a minimum requests version in an optional requirements file to address a known vulnerability, with minimal chance of breaking runtime behavior.

Overview
Updates python/requirements-optional.txt to explicitly add requests>=2.33.0, pinning it as an optional dependency to satisfy security scanning and avoid a reported requests vulnerability (even though it’s not directly required by this file).

^{Written by Cursor Bugbot for commit 9ad8d46. This will update automatically on new commits. Configure here.}

[revan-zhang]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no bugs or issues to report.

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

[cursor]

Security fix placed in wrong requirements file

Medium Severity

The requests package is a direct dependency declared in python/requirements.txt (with >=2.4.0) and used as install_requires in setup.py. Pinning requests>=2.33.0 in requirements-optional.txt — which is only consumed by the full tox environment — leaves the actual install path unprotected. Standard installations via pip install or setup.py will still resolve requests>=2.4.0, meaning the vulnerability (SNYK-PYTHON-REQUESTS-15763443) remains exploitable for most users. The comment "not directly required" is also incorrect.

 

[cursor]

Requests 2.33.0 breaks supported Python versions

Medium Severity

requests 2.33.0 dropped support for Python 3.9 and requires Python 3.10+. This project declares python_requires=">=3.6" in setup.py and tests py{36,37,38,39,310} variants in tox. When the full tox environment installs requirements-optional.txt, pip will fail to resolve dependencies on Python 3.6–3.9 because no requests version satisfies both >=2.33.0 and Python <3.10.