Update dependency requests to v2.32.4 [SECURITY] (#405)

lettuce-bot[bot] · web-flow · commit de53be915cd9 · 2025-06-10T13:43:41.000Z
This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [requests](https://requests.readthedocs.io) ([source](https://redirect.github.com/psf/requests), [changelog](https://redirect.github.com/psf/requests/blob/master/HISTORY.md)) | `==2.32.3` -> `==2.32.4` | [![age](https://developer.mend.io/api/mc/badges/age/pypi/requests/2.32.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/pypi/requests/2.32.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/pypi/requests/2.32.3/2.32.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/requests/2.32.3/2.32.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [CVE-2024-47081](https://redirect.github.com/psf/requests/security/advisories/GHSA-9hjg-9r4m-mvj7) ### Impact Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. ### Workarounds For older versions of Requests, use of the .netrc file can be disabled with `trust_env=False` on your Requests Session ([docs](https://requests.readthedocs.io/en/latest/api/#requests.Session.trust_env)). ### References [https://github.com/psf/requests/pull/6965](https://redirect.github.com/psf/requests/pull/6965) https://seclists.org/fulldisclosure/2025/Jun/2 --- ### Release Notes <details> <summary>psf/requests (requests)</summary> ### [`v2.32.4`](https://redirect.github.com/psf/requests/blob/HEAD/HISTORY.md#2324-2025-06-10) [Compare Source](https://redirect.github.com/psf/requests/compare/v2.32.3...v2.32.4) **Security** - CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted environment will retrieve credentials for the wrong hostname/machine from a netrc file. **Improvements** - Numerous documentation improvements **Deprecations** - Added support for pypy 3.11 for Linux and macOS. - Dropped support for pypy 3.9 following its end of support. </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/lettuce-financial/github-bot-signed-commit).
diff --git a/requirements.txt b/requirements.txt
@@ -12,7 +12,7 @@ PyGithub==2.6.1
 PyJWT==2.10.1
 PyNaCl==1.5.0
 python-dateutil==2.9.0.post0
-requests==2.32.3
+requests==2.32.4
 six==1.17.0
 smmap==5.0.2
 typing_extensions==4.14.0
