Update dependency requests to v2.32.4 [SECURITY] - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
requests (source, changelog)	2.31.0 -> 2.32.4

GitHub Vulnerability Alerts

CVE-2024-35195

When making requests through a Requests Session, if the first request is made with verify=False to disable cert verification, all subsequent requests to the same origin will continue to ignore cert verification regardless of changes to the value of verify. This behavior will continue for the lifecycle of the connection in the connection pool.

Remediation

Any of these options can be used to remediate the current issue, we highly recommend upgrading as the preferred mitigation.

• Upgrade to requests>=2.32.0.
• For requests<2.32.0, avoid setting verify=False for the first request to a host while using a Requests Session.
• For requests<2.32.0, call close() on Session objects to clear existing connections if verify=False is used.

Related Links

• https://github.com/psf/requests/pull/6655

CVE-2024-47081

Impact

Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs.

Workarounds

For older versions of Requests, use of the .netrc file can be disabled with trust_env=False on your Requests Session (docs).

References

https://github.com/psf/requests/pull/6965
https://seclists.org/fulldisclosure/2025/Jun/2

---

Release Notes

psf/requests (requests)

v2.32.4

Compare Source

Security

• CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted
  environment will retrieve credentials for the wrong hostname/machine from a
  netrc file.

Improvements

• Numerous documentation improvements

Deprecations

• Added support for pypy 3.11 for Linux and macOS.
• Dropped support for pypy 3.9 following its end of support.

v2.32.3

Compare Source

Bugfixes

• Fixed bug breaking the ability to specify custom SSLContexts in sub-classes of
  HTTPAdapter. (#​6716)
• Fixed issue where Requests started failing to run on Python versions compiled
  without the ssl module. (#​6724)

v2.32.2

Compare Source

Deprecations

• To provide a more stable migration for custom HTTPAdapters impacted
  by the CVE changes in 2.32.0, we've renamed _get_connection to
  a new public API, get_connection_with_tls_context. Existing custom
  HTTPAdapters will need to migrate their code to use this new API.
  get_connection is considered deprecated in all versions of Requests>=2.32.0.

  A minimal (2-line) example has been provided in the linked PR to ease
  migration, but we strongly urge users to evaluate if their custom adapter
  is subject to the same issue described in CVE-2024-35195. (#​6710)

v2.32.1

Compare Source

Bugfixes

• Add missing test certs to the sdist distributed on PyPI.

v2.32.0

Compare Source

Security

• Fixed an issue where setting verify=False on the first request from a
  Session will cause subsequent requests to the same origin to also ignore
  cert verification, regardless of the value of verify.
  (GHSA-9wx4-h78v-vm56)

Improvements

• verify=True now reuses a global SSLContext which should improve
  request time variance between first and subsequent requests. It should
  also minimize certificate load time on Windows systems when using a Python
  version built with OpenSSL 3.x. (#​6667)
• Requests now supports optional use of character detection
  (chardet or charset_normalizer) when repackaged or vendored.
  This enables pip and other projects to minimize their vendoring
  surface area. The Response.text() and apparent_encoding APIs
  will default to utf-8 if neither library is present. (#​6702)

Bugfixes

• Fixed bug in length detection where emoji length was incorrectly
  calculated in the request content-length. (#​6589)
• Fixed deserialization bug in JSONDecodeError. (#​6629)
• Fixed bug where an extra leading / (path separator) could lead
  urllib3 to unnecessarily reparse the request URI. (#​6644)

Deprecations

• Requests has officially added support for CPython 3.12 (#​6503)
• Requests has officially added support for PyPy 3.9 and 3.10 (#​6641)
• Requests has officially dropped support for CPython 3.7 (#​6642)
• Requests has officially dropped support for PyPy 3.7 and 3.8 (#​6641)

Documentation

• Various typo fixes and doc improvements.

Packaging

• Requests has started adopting some modern packaging practices.
  The source files for the projects (formerly requests) is now located
  in src/requests in the Requests sdist. (#​6506)
• Starting in Requests 2.33.0, Requests will migrate to a PEP 517 build system
  using hatchling. This should not impact the average user, but extremely old
  versions of packaging utilities may have issues with the new packaging format.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

❌MegaLinter analysis: Error

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
⚠️ ACTION	actionlint	4		3	0	0.32s
✅ COPYPASTE	jscpd	yes		no	no	2.17s
⚠️ DOCKERFILE	hadolint	2		1	0	0.4s
✅ JSON	jsonlint	3		0	0	0.15s
✅ JSON	prettier	3	0	0	0	0.54s
✅ JSON	v8r	3		0	0	3.52s
⚠️ MARKDOWN	markdownlint	12	0	18	0	1.18s
✅ MARKDOWN	markdown-table-formatter	12	1	0	0	0.29s
✅ PYTHON	bandit	6		0	0	1.03s
✅ PYTHON	black	6	0	0	0	1.05s
✅ PYTHON	flake8	6		0	0	0.54s
✅ PYTHON	isort	6	0	0	0	0.21s
⚠️ PYTHON	mypy	6		4	0	5.7s
✅ PYTHON	pylint	6		0	0	4.3s
⚠️ PYTHON	pyright	6		7	0	2.03s
✅ PYTHON	ruff	6	0	0	0	0.02s
✅ REPOSITORY	checkov	yes		no	no	13.2s
✅ REPOSITORY	gitleaks	yes		no	no	5.86s
✅ REPOSITORY	git_diff	yes		no	no	0.01s
⚠️ REPOSITORY	grype	yes		16	no	24.06s
✅ REPOSITORY	secretlint	yes		no	no	0.51s
✅ REPOSITORY	syft	yes		no	no	1.11s
❌ REPOSITORY	trivy	yes		1	no	4.78s
✅ REPOSITORY	trivy-sbom	yes		no	no	0.51s
✅ REPOSITORY	trufflehog	yes		no	no	2.28s
✅ SPELL	cspell	47		0	0	4.22s
✅ SPELL	lychee	29		0	0	1.08s
✅ YAML	prettier	14	0	0	0	0.91s
✅ YAML	v8r	14		0	0	8.78s
✅ YAML	yamllint	14		0	0	0.63s

Detailed Issues

❌ REPOSITORY / trivy - 1 error

2025-08-19T13:32:07Z	INFO	[vulndb] Need to update DB
2025-08-19T13:32:07Z	INFO	[vulndb] Downloading vulnerability DB...
2025-08-19T13:32:07Z	INFO	[vulndb] Downloading artifact...	repo="mirror.gcr.io/aquasec/trivy-db:2"
31.53 MiB / 68.66 MiB [---------------------------->________________________________] 45.92% ? p/s ?64.89 MiB / 68.66 MiB [--------------------------------------------------------->___] 94.51% ? p/s ?68.66 MiB / 68.66 MiB [----------------------------------------------------------->] 100.00% ? p/s ?68.66 MiB / 68.66 MiB [---------------------------------------------->] 100.00% 61.81 MiB p/s ETA 0s68.66 MiB / 68.66 MiB [---------------------------------------------->] 100.00% 61.81 MiB p/s ETA 0s68.66 MiB / 68.66 MiB [---------------------------------------------->] 100.00% 61.81 MiB p/s ETA 0s68.66 MiB / 68.66 MiB [---------------------------------------------->] 100.00% 57.82 MiB p/s ETA 0s68.66 MiB / 68.66 MiB [---------------------------------------------->] 100.00% 57.82 MiB p/s ETA 0s68.66 MiB / 68.66 MiB [---------------------------------------------->] 100.00% 57.82 MiB p/s ETA 0s68.66 MiB / 68.66 MiB [---------------------------------------------->] 100.00% 54.09 MiB p/s ETA 0s68.66 MiB / 68.66 MiB [---------------------------------------------->] 100.00% 54.09 MiB p/s ETA 0s68.66 MiB / 68.66 MiB [-------------------------------------------------] 100.00% 31.51 MiB p/s 2.4s2025-08-19T13:32:10Z	INFO	[vulndb] Artifact successfully downloaded	repo="mirror.gcr.io/aquasec/trivy-db:2"
2025-08-19T13:32:10Z	INFO	[vuln] Vulnerability scanning is enabled
2025-08-19T13:32:10Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-08-19T13:32:10Z	INFO	[misconfig] Need to update the checks bundle
2025-08-19T13:32:10Z	INFO	[misconfig] Downloading the checks bundle...
165.20 KiB / 165.20 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2025-08-19T13:32:12Z	INFO	Suppressing dependencies for development and testing. To display them, try the '--include-dev-deps' flag.
2025-08-19T13:32:12Z	INFO	Number of language-specific files	num=2
2025-08-19T13:32:12Z	INFO	[pip] Detecting vulnerabilities...
2025-08-19T13:32:12Z	INFO	[poetry] Detecting vulnerabilities...
2025-08-19T13:32:12Z	INFO	Detected config files	num=2

Report Summary

┌───────────────────┬────────────┬─────────────────┬───────────────────┐
│      Target       │    Type    │ Vulnerabilities │ Misconfigurations │
├───────────────────┼────────────┼─────────────────┼───────────────────┤
│ poetry.lock       │   poetry   │        5        │         -         │
├───────────────────┼────────────┼─────────────────┼───────────────────┤
│ requirements.txt  │    pip     │        0        │         -         │
├───────────────────┼────────────┼─────────────────┼───────────────────┤
│ Dockerfile        │ dockerfile │        -        │         1         │
├───────────────────┼────────────┼─────────────────┼───────────────────┤
│ docker/Dockerfile │ dockerfile │        -        │         0         │
└───────────────────┴────────────┴─────────────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


For OSS Maintainers: VEX Notice
--------------------------------
If you're an OSS maintainer and Trivy has detected vulnerabilities in your project that you believe are not actually exploitable, consider issuing a VEX (Vulnerability Exploitability eXchange) statement.
VEX allows you to communicate the actual status of vulnerabilities in your project, improving security transparency and reducing false positives for your users.
Learn more and start using VEX: https://trivy.dev/v0.65/docs/supply-chain/vex/repo#publishing-vex-documents

To disable this notice, set the TRIVY_DISABLE_VEX_NOTICE environment variable.


poetry.lock (poetry)
====================
Total: 5 (UNKNOWN: 0, LOW: 1, MEDIUM: 4, HIGH: 0, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                            Title                             │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼──────────────────────────────────────────────────────────────┤
│ certifi │ CVE-2024-39689 │ LOW      │ fixed  │ 2024.2.2          │ 2024.7.4       │ python-certifi: Remove root certificates from `GLOBALTRUST`  │
│         │                │          │        │                   │                │ from the root store                                          │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-39689                   │
├─────────┼────────────────┼──────────┤        ├───────────────────┼────────────────┼──────────────────────────────────────────────────────────────┤
│ idna    │ CVE-2024-3651  │ MEDIUM   │        │ 3.6               │ 3.7            │ python-idna: potential DoS via resource consumption via      │
│         │                │          │        │                   │                │ specially crafted inputs to idna.encode()...                 │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-3651                    │
├─────────┼────────────────┤          │        ├───────────────────┼────────────────┼──────────────────────────────────────────────────────────────┤
│ urllib3 │ CVE-2024-37891 │          │        │ 2.2.1             │ 1.26.19, 2.2.2 │ urllib3: proxy-authorization request header is not stripped  │
│         │       

(Truncated to 5714 characters out of 7897)

⚠️ ACTION / actionlint - 3 errors

.github/workflows/github-dependents-info.yml:52:9: shellcheck reported issue in this script: SC2086:info:1:15: Double quote to prevent globbing and word splitting [shellcheck]
   |
52 |         run: sudo chown -R $USER:$USER .
   |         ^~~~
.github/workflows/github-dependents-info.yml:52:9: shellcheck reported issue in this script: SC2086:info:1:21: Double quote to prevent globbing and word splitting [shellcheck]
   |
52 |         run: sudo chown -R $USER:$USER .
   |         ^~~~
.github/workflows/release.yml:63:9: shellcheck reported issue in this script: SC2086:info:1:55: Double quote to prevent globbing and word splitting [shellcheck]
   |
63 |         run: echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> ${GITHUB_ENV}
   |         ^~~~

⚠️ REPOSITORY / grype - 16 errors

[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
NAME          INSTALLED  FIXED IN  TYPE    VULNERABILITY        SEVERITY  EPSS           RISK   
certifi       2024.2.2   2024.7.4  python  GHSA-248v-346w-9cwc  Low       21.2% (95th)   6.4    
virtualenv    20.25.1    20.26.6   python  GHSA-rqc4-2hc7-8c8v  High      0.9% (74th)    0.7    
idna          3.6        3.7       python  GHSA-jjg7-2v4v-x38h  Medium    0.3% (56th)    0.2    
setuptools    69.1.1     70.0.0    python  GHSA-cx63-2mw6-8hw5  High      0.2% (45th)    0.2    
jinja2        3.1.3      3.1.4     python  GHSA-h75v-3vvj-5mfj  Medium    0.3% (49th)    0.1    
setuptools    69.1.1     78.1.1    python  GHSA-5rjg-fvgr-3xxf  High      0.1% (34th)    0.1    
authlib       1.3.0      1.3.1     python  GHSA-5357-c2jx-v7qh  High      0.1% (34th)    0.1    
urllib3       2.2.1      2.2.2     python  GHSA-34jh-p97f-mpxf  Medium    0.2% (42nd)    < 0.1  
cryptography  42.0.5     44.0.1    python  GHSA-79v4-65xg-pq4g  Low       0.2% (44th)    < 0.1  
black         24.2.0     24.3.0    python  GHSA-fj7x-q9j7-g6q6  Medium    < 0.1% (18th)  < 0.1  
jinja2        3.1.3      3.1.6     python  GHSA-cpwx-vrp4-4pq7  Medium    < 0.1% (18th)  < 0.1  
jinja2        3.1.3      3.1.5     python  GHSA-q2x7-8rv6-6q7h  Medium    < 0.1% (11th)  < 0.1  
jinja2        3.1.3      3.1.5     python  GHSA-gmj6-6f8f-6699  Medium    < 0.1% (3rd)   < 0.1  
urllib3       2.2.1      2.5.0     python  GHSA-pq67-6m6q-mj2v  Medium    < 0.1% (1st)   < 0.1  
urllib3       2.2.1      2.5.0     python  GHSA-48p4-8xcf-vxj5  Medium    < 0.1% (0th)   < 0.1  
cryptography  42.0.5     43.0.1    python  GHSA-h4gh-qq45-vh27  Medium    N/A            N/A
[0024] ERROR discovered vulnerabilities at or above the severity threshold

⚠️ DOCKERFILE / hadolint - 1 error

Dockerfile:6 DL3013 warning: Pin versions in pip. Instead of `pip install <package>` use `pip install <package>==<version>` or `pip install --requirement <requirements file>`
docker/Dockerfile:7 DL3008 warning: Pin versions in apt get install. Instead of `apt-get install <package>` use `apt-get install <package>=<version>`
docker/Dockerfile:12 DL3045 warning: `COPY` to a relative destination without `WORKDIR` set.
docker/Dockerfile:15 DL3003 warning: Use WORKDIR to switch to a directory
docker/Dockerfile:15 DL4006 warning: Set the SHELL option -o pipefail before RUN with a pipe in it. If you are using /bin/sh in an alpine image or if your shell is symlinked to busybox then consider explicitly setting your SHELL to /bin/ash, or disable this check
docker/Dockerfile:15 SC2226 warning: This ln has no destination. Check the arguments, or specify '.' explicitly.
docker/Dockerfile:24 DL3025 warning: Use arguments JSON notation for CMD and ENTRYPOINT arguments

⚠️ MARKDOWN / markdownlint - 18 errors

.github/PULL_REQUEST_TEMPLATE.md:1 MD041/first-line-heading/first-line-h1 First line in a file should be a top-level heading [Context: "## Description"]
README.md:45:2 MD045/no-alt-text Images should have alternate text (alt text)
README.md:46:2 MD045/no-alt-text Images should have alternate text (alt text)
README.md:47:2 MD045/no-alt-text Images should have alternate text (alt text)
README.md:48:2 MD045/no-alt-text Images should have alternate text (alt text)
README.md:212:3 MD051/link-fragments Link fragments should be valid [Context: "[Installation](#⚙️-installation)"]
README.md:213:3 MD051/link-fragments Link fragments should be valid [Context: "[Usage](#🛠️-usage)"]
README.md:214:3 MD051/link-fragments Link fragments should be valid [Context: "[Examples](#🧪-examples)"]
README.md:240:185 MD055/table-pipe-style Table pipe style [Expected: leading_and_trailing; Actual: leading_only; Missing trailing pipe]
README.md:241:1 MD055/table-pipe-style Table pipe style [Expected: leading_and_trailing; Actual: trailing_only; Missing leading pipe]
README.md:241:271 MD056/table-column-count Table column count [Expected: 3; Actual: 1; Too few cells, row will be missing data]
README.md:256 MD046/code-block-style Code block style [Expected: fenced; Actual: indented]
README.md:260 MD046/code-block-style Code block style [Expected: fenced; Actual: indented]
README.md:265 MD046/code-block-style Code block style [Expected: fenced; Actual: indented]
README.md:269 MD046/code-block-style Code block style [Expected: fenced; Actual: indented]
README.md:273 MD046/code-block-style Code block style [Expected: fenced; Actual: indented]
README.md:277 MD046/code-block-style Code block style [Expected: fenced; Actual: indented]
README.md:281 MD046/code-block-style Code block style [Expected: fenced; Actual: indented]

⚠️ PYTHON / mypy - 4 errors

Collecting types-requests
  Downloading types_requests-2.32.4.20250809-py3-none-any.whl.metadata (2.0 kB)
Collecting urllib3>=2 (from types-requests)
  Downloading urllib3-2.5.0-py3-none-any.whl.metadata (6.5 kB)
Downloading types_requests-2.32.4.20250809-py3-none-any.whl (20 kB)
Downloading urllib3-2.5.0-py3-none-any.whl (129 kB)
Installing collected packages: urllib3, types-requests

   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 2/2 [types-requests]

Successfully installed types-requests-2.32.4.20250809 urllib3-2.5.0
github_dependents_info/gh_dependents_info.py:43: error: Need type annotation for "packages" (hint: "packages: list[<type>] = ...")  [var-annotated]
github_dependents_info/gh_dependents_info.py:44: error: Need type annotation for "all_public_dependent_repos" (hint: "all_public_dependent_repos: list[<type>] = ...")  [var-annotated]
github_dependents_info/gh_dependents_info.py:45: error: Need type annotation for "badges" (hint: "badges: dict[<type>, <type>] = ...")  [var-annotated]
github_dependents_info/gh_dependents_info.py:46: error: Need type annotation for "result" (hint: "result: dict[<type>, <type>] = ...")  [var-annotated]
Installing missing stub packages:
/venvs/mypy/bin/python3 -m pip install types-requests


Found 4 errors in 1 file (checked 6 source files)

⚠️ PYTHON / pyright - 7 errors

github_dependents_info/__main__.py
  github_dependents_info/__main__.py:3:8 - error: Import "typer" could not be resolved (reportMissingImports)
  github_dependents_info/__main__.py:6:6 - error: Import "rich.console" could not be resolved (reportMissingImports)
github_dependents_info/gh_dependents_info.py
  github_dependents_info/gh_dependents_info.py:8:8 - error: Import "pandas" could not be resolved (reportMissingImports)
  github_dependents_info/gh_dependents_info.py:10:6 - warning: Import "bs4" could not be resolved from source (reportMissingModuleSource)
  github_dependents_info/gh_dependents_info.py:12:6 - error: Import "requests.packages.urllib3.util.retry" could not be resolved (reportMissingImports)
  github_dependents_info/gh_dependents_info.py:82:34 - error: "text" is not a known attribute of "None" (reportOptionalMemberAccess)
  github_dependents_info/gh_dependents_info.py:123:49 - error: Cannot access attribute "findAll" for class "NavigableString"
    Attribute "findAll" is unknown (reportAttributeAccessIssue)
  github_dependents_info/gh_dependents_info.py:144:49 - error: "total_public_stars" is possibly unbound (reportPossiblyUnboundVariable)
7 errors, 1 warning, 0 informations

See detailed reports in MegaLinter artifacts

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

• Documentation: Custom Flavors
• Command: npx mega-linter-runner@beta --custom-flavor-setup --custom-flavor-linters PYTHON_PYLINT,PYTHON_BLACK,PYTHON_FLAKE8,PYTHON_ISORT,PYTHON_BANDIT,PYTHON_MYPY,PYTHON_PYRIGHT,PYTHON_RUFF,ACTION_ACTIONLINT,COPYPASTE_JSCPD,DOCKERFILE_HADOLINT,JSON_JSONLINT,JSON_V8R,JSON_PRETTIER,MARKDOWN_MARKDOWNLINT,MARKDOWN_MARKDOWN_TABLE_FORMATTER,REPOSITORY_CHECKOV,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_GRYPE,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,SPELL_CSPELL,SPELL_LYCHEE,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R