This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [requests](https://redirect.github.com/psf/requests) ([changelog](https://redirect.github.com/psf/requests/blob/master/HISTORY.md)) | `2.32.5` → `2.33.0` | ![age](https://developer.mend.io/api/mc/badges/age/pypi/requests/2.33.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/requests/2.32.5/2.33.0?slim=true) | ### GitHub Vulnerability Alerts #### [CVE-2026-25645](https://redirect.github.com/psf/requests/security/advisories/GHSA-gc5v-m9x4-r6x2) ### Impact The `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. ### Affected usages **Standard usage of the Requests library is not affected by this vulnerability.** Only applications that call `extract_zipped_paths()` directly are impacted. ### Remediation Upgrade to at least Requests 2.33.0, where the library now extracts files to a non-deterministic location. If developers are unable to upgrade, they can set `TMPDIR` in their environment to a directory with restricted write access. --- ### Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function [CVE-2026-25645](https://nvd.nist.gov/vuln/detail/CVE-2026-25645) / [GHSA-gc5v-m9x4-r6x2](https://redirect.github.com/advisories/GHSA-gc5v-m9x4-r6x2) <details> <summary>More information</summary> #### Details ##### Impact The `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. ##### Affected usages **Standard usage of the Requests library is not affected by this vulnerability.** Only applications that call `extract_zipped_paths()` directly are impacted. ##### Remediation Upgrade to at least Requests 2.33.0, where the library now extracts files to a non-deterministic location. If developers are unable to upgrade, they can set `TMPDIR` in their environment to a directory with restricted write access. #### Severity - CVSS Score: 4.4 / 10 (Medium) - Vector String: `CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N` #### References - [https://github.com/psf/requests/security/advisories/GHSA-gc5v-m9x4-r6x2](https://redirect.github.com/psf/requests/security/advisories/GHSA-gc5v-m9x4-r6x2) - [https://nvd.nist.gov/vuln/detail/CVE-2026-25645](https://nvd.nist.gov/vuln/detail/CVE-2026-25645) - [https://github.com/psf/requests/commit/66d21cb07bd6255b1280291c4fafb71803cdb3b7](https://redirect.github.com/psf/requests/commit/66d21cb07bd6255b1280291c4fafb71803cdb3b7) - [https://github.com/psf/requests](https://redirect.github.com/psf/requests) - [https://github.com/psf/requests/releases/tag/v2.33.0](https://redirect.github.com/psf/requests/releases/tag/v2.33.0) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-gc5v-m9x4-r6x2) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Release Notes <details> <summary>psf/requests (requests)</summary> ### [`v2.33.0`](https://redirect.github.com/psf/requests/blob/HEAD/HISTORY.md#2330-2026-03-25) [Compare Source](https://redirect.github.com/psf/requests/compare/v2.32.5...v2.33.0) **Announcements** - 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at [#7271](https://redirect.github.com/psf/requests/issues/7271). Give it a try, and report any gaps or feedback you may have in the issue. 📣 **Security** - CVE-2026-25645 `requests.utils.extract_zipped_paths` now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly. **Improvements** - Migrated to a PEP 517 build system using setuptools. ([#7012](https://redirect.github.com/psf/requests/issues/7012)) **Bugfixes** - Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. ([#7205](https://redirect.github.com/psf/requests/issues/7205)) **Deprecations** - Dropped support for Python 3.9 following its end of support. ([#7196](https://redirect.github.com/psf/requests/issues/7196)) **Documentation** - Various typo fixes and doc improvements. </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 4am" in timezone UTC, Automerge - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) in timezone UTC. 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/ansible/molecule).  --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Rakesh S <rakesh.s552004@gmail.com>
-Original file line number
+Diff line change
 prepender
 prerun
 profisioner
 -psql
 pycolors
 reget
 resetall