Bump requests from 2.32.4 to 2.33.0

[dependabot]

Bumps requests from 2.32.4 to 2.33.0.

Release notes

Sourced from requests's releases.

v2.33.0

2.33.0 (2026-03-25)

Announcements

• 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security

• CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements

• Migrated to a PEP 517 build system using setuptools. (#7012)

Bugfixes

• Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (#7205)

Deprecations

• Dropped support for Python 3.9 following its end of support. (#7196)

Documentation

• Various typo fixes and doc improvements.

New Contributors

• @​M0d3v1 made their first contribution in psf/requests#6865
• @​aminvakil made their first contribution in psf/requests#7220
• @​E8Price made their first contribution in psf/requests#6960
• @​mitre88 made their first contribution in psf/requests#7244
• @​magsen made their first contribution in psf/requests#6553
• @​Rohan5commit made their first contribution in psf/requests#7227

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2330-2026-03-25

v2.32.5

2.32.5 (2025-08-18)

Bugfixes

• The SSLContext caching feature originally introduced in 2.32.0 has created a new class of issues in Requests that have had negative impact across a number of use cases. The Requests team has decided to revert this feature as long term maintenance of it is proving to be unsustainable in its current iteration.

Deprecations

• Added support for Python 3.14.
• Dropped support for Python 3.8 following its end of support.

Changelog

Sourced from requests's changelog.

2.33.0 (2026-03-25)

Announcements

• 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security

• CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements

• Migrated to a PEP 517 build system using setuptools. (#7012)

Bugfixes

• Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (#7205)

Deprecations

• Dropped support for Python 3.9 following its end of support. (#7196)

Documentation

• Various typo fixes and doc improvements.

2.32.5 (2025-08-18)

Bugfixes

• The SSLContext caching feature originally introduced in 2.32.0 has created a new class of issues in Requests that have had negative impact across a number of use cases. The Requests team has decided to revert this feature as long term maintenance of it is proving to be unsustainable in its current iteration.

Deprecations

• Added support for Python 3.14.
• Dropped support for Python 3.8 following its end of support.

Commits

• bc04dfd v2.33.0
• 66d21cb Merge commit from fork
• 8b9bc8f Move badges to top of README (#7293)
• e331a28 Remove unused extraction call (#7292)
• 753fd08 docs: fix FAQ grammar in httplib2 example
• 774a0b8 docs(socks): same block as other sections
• 9c72a41 Bump github/codeql-action from 4.33.0 to 4.34.1
• ebf7190 Bump github/codeql-action from 4.32.0 to 4.33.0
• 0e4ae38 docs: exclude Response.is_permanent_redirect from API docs (#7244)
• d568f47 docs: clarify Quickstart POST example (#6960)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[amrit110]

Security Vulnerability — No Patch Available Yet

aieng-bot found the following security vulnerability reported by pip-audit, but cannot fix it automatically because no patched version has been released to PyPI yet:

Package	Version	Vulnerability	Status
pygments	2.19.2	GHSA-5239-wwwm-4pmq	No fix available on PyPI

Why this cannot be auto-fixed

The vulnerability exists in pygments itself (inefficient regular expression complexity in AdlLexer). The advisory states: "The project was informed of the problem early through an issue report but has not responded yet." A fix requires the upstream maintainers to release a new version. Once a patched release is published to PyPI, aieng-bot can re-run and apply the update automatically.

Recommended next steps

1. Monitor the vulnerability advisory for a patch release
2. Consider adding GHSA-5239-wwwm-4pmq to the ignore-vulns list in .github/workflows/code_checks.yml temporarily (similar to the existing GHSA-4xh5-x5gv-qwph exception) with human review and justification
3. Once approved, this PR can be re-run by aieng-bot for auto-merge

This PR will not be auto-merged until the vulnerability is resolved or explicitly ignored.

[amrit110]

Security Vulnerability — No Patch Available Yet

aieng-bot found the following security vulnerability reported by pip-audit, but cannot fix it automatically because no patched version has been released to PyPI yet:

Package	Version	Vulnerability	Fix Versions	Status
pygments	2.19.2	GHSA-5239-wwwm-4pmq	None	No fix available on PyPI

Vulnerability Details

GHSA-5239-wwwm-4pmq: A security flaw has been discovered in pygments up to 2.19.2. The impacted element is the function AdlLexer of the file pygments/lexers/archetype.py. The manipulation results in inefficient regular expression complexity (ReDoS). The attack is only possible with local access.

Why this cannot be auto-fixed

pygments 2.19.2 is already the latest version on PyPI. No patched release has been published yet. A fix requires the upstream pygments maintainers to release a new version. Once a patched release is published to PyPI, aieng-bot can re-run and apply the update automatically.

Recommended next steps

1. Monitor the GHSA-5239-wwwm-4pmq advisory for a patch release
2. Consider whether to add a temporary ignore-vulns exception in the CI workflow with documented justification (requires human review)
3. Note: The vulnerability requires local access to exploit, so risk may be acceptable to ignore temporarily

This PR will not be auto-merged until the vulnerability is resolved.

[amrit110]

Security Vulnerability — No Patch Available Yet

aieng-bot found the following security vulnerability reported by pip-audit, but cannot fix it automatically because no patched version has been released to PyPI yet:

Package	Version	Vulnerability	Status
pygments	2.19.2	GHSA-5239-wwwm-4pmq	No fix available on PyPI

Details

The vulnerability is an inefficient regular expression complexity flaw in pygments/lexers/archetype.py (the AdlLexer function). The attack requires local access.

Why this cannot be auto-fixed

The latest published version of pygments on PyPI is 2.19.2, which is the vulnerable version. No newer release exists yet. A fix requires the upstream pygments maintainers to release a patched version. Once a patched release is published to PyPI, aieng-bot can re-run and apply the update automatically.

Recommended next steps

1. Monitor the pygments GitHub issue tracker for a patch release addressing GHSA-5239-wwwm-4pmq
2. Consider adding GHSA-5239-wwwm-4pmq to the ignore-vulns list in .github/workflows/code_checks.yml temporarily with a justification comment (requires human review and approval)
3. Once a patched pygments version is released, update the dependency constraint and re-run aieng-bot

This PR will not be auto-merged until the vulnerability is resolved.

[amrit110]

Security Vulnerability — No Patch Available Yet

aieng-bot found the following security vulnerabilities reported by pip-audit, but cannot fix them automatically because no patched version has been released to PyPI yet:

Package	Version	Vulnerability	Status
pygments	2.19.2	GHSA-5239-wwwm-4pmq	No fix available on PyPI

Why this cannot be auto-fixed

The vulnerability exists in pygments itself (inefficient regular expression complexity in pygments/lexers/archetype.py — AdlLexer). A fix requires the upstream maintainers to release a new version. The latest published version on PyPI (2.19.2) is still the affected version. Once a patched release is published to PyPI, aieng-bot can re-run and apply the update automatically.

Recommended next steps

1. Monitor the GHSA-5239-wwwm-4pmq advisory for a patch release
2. Check if a pip-audit ignore/exception can be added temporarily with justification (requires human review)
3. Consider whether this dependency can be replaced with an alternative

This PR will not be auto-merged until the vulnerability is resolved.

[amrit110]

Security Vulnerability — No Patch Available Yet

aieng-bot found the following security vulnerability reported by pip-audit that is blocking this PR, but cannot fix it automatically because no patched version has been released to PyPI yet:

Package	Version	Vulnerability	Status
pygments	2.19.2	GHSA-5239-wwwm-4pmq (CVE-2026-4539)	No fix available on PyPI

Why this cannot be auto-fixed

The vulnerability is a ReDoS (Regular Expression Denial of Service) in pygments via the AdlLexer in pygments/lexers/archetype.py. The GitHub advisory confirms first_patched_version: null — the upstream project has been informed but has not yet released a patched version. The latest release on PyPI is 2.20.0, but the advisory still lists all versions <= 2.19.2 as vulnerable with no confirmed fix.

This vulnerability is unrelated to the requests bump in this PR — it is a pre-existing issue in the dev/docs dependency tree.

Recommended next steps

1. Monitor the GHSA-5239-wwwm-4pmq advisory and the upstream issue for a patch release
2. Consider whether this vulnerability warrants a temporary ignore-vulns exception in the pip-audit workflow (requires human review and justification — severity is low, CVSS 3.3, local access only)
3. Once a patched version is published to PyPI, aieng-bot can re-run and apply the update automatically

This PR will not be auto-merged until the vulnerability is resolved.