chore(deps): bump requests from 2.33.0 to 2.34.2#6020
Conversation
Bumps [requests](https://github.com/psf/requests) from 2.33.0 to 2.34.2. - [Release notes](https://github.com/psf/requests/releases) - [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md) - [Commits](psf/requests@v2.33.0...v2.34.2) --- updated-dependencies: - dependency-name: requests dependency-version: 2.34.2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
rtibblesbot
left a comment
There was a problem hiding this comment.
Low-risk minor/patch bump of a production dependency, with a couple of behavioral bugfixes worth flagging.
Package: requests 2.33.0 → 2.34.2 (requirements.in: >=2.20.0 → >=2.34.2)
Semver risk: Minor + two patch releases (no major bump)
Dependency type: production (used throughout the app for HTTP calls)
Breaking changes: None.
- 2.34.x churned public typing between
dict/strandMapping/Sequence(2.34.2 revertedheadersback toMapping). - That's static-typing only, no runtime effect, and no project usage relies on the affected typing.
Notable fixes (non-breaking): Response.historyno longer self-references (prevents infinite loops when traversing history).no_proxymatching no longer greedy (ports CPython bpo-39057).- Duplicate leading slashes in URI paths no longer incorrectly stripped.
- That last fix needs urllib3 2.7.0+ per the release notes; this repo still pins
urllib3==1.26.18, so it's inert here for now.
Security fixes: none noted in this range.
Peer-dependency changes: none forrequestsitself.
CI: passing.
See inline nitpick on requirements.txt.
@rtibblesbot's comments are generated by an LLM, and should be evaluated accordingly
How was this generated?
Ran a dependency-update review pipeline over the version bump:
- Classified the bump by semver (patch / minor / major) and dependency type (production vs. development)
- Extracted the changelog and release notes across the version range
- Assessed compatibility with this project's usage and whether any code changes are required
- Treated CI as the primary safety net
- Scaled the review depth to the update's risk
- Chose the verdict from semver risk, changelog findings, and CI status
| # via celery | ||
| google-api-core[grpc]==2.30.0 | ||
| google-api-core==2.30.0 | ||
| # via |
There was a problem hiding this comment.
nitpick: [grpc] extras bracket dropped here (and on googleapis-common-protos at line 138) — versions unchanged, just a pip-compile re-resolve side effect of the requests bump. Verified benign: grpc deps are still pulled in transitively.
rtibbles
left a comment
There was a problem hiding this comment.
No concerns from changelog or diff.
Bumps requests from 2.33.0 to 2.34.2.
Release notes
Sourced from requests's releases.
... (truncated)
Changelog
Sourced from requests's changelog.
... (truncated)
Commits
6e83187v2.34.284d10f0Move Request.headers back to Mapping (#7441)b7b549bv2.34.1e511bc7Fix mutability issues with headers input types (#7431)5691f59Update JsonType containers to read-based collections (#7436)2144213Constrain Response.reason to str (#7437)6404f34Fixprepare_bodystream detection for__getattr__-based file wrappers (#7...0b401c7v2.34.086b378dAlign Session.get parameters with requests.get (#7429)a4f9a59Port bpo-39057 to Requests (#7427)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)