Update dependency requests to v2.33.0 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
requests (changelog)	==2.32.5 → ==2.33.0

GitHub Vulnerability Alerts

CVE-2026-25645

Impact

The requests.utils.extract_zipped_paths() utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one.

Affected usages

Standard usage of the Requests library is not affected by this vulnerability. Only applications that call extract_zipped_paths() directly are impacted.

Remediation

Upgrade to at least Requests 2.33.0, where the library now extracts files to a non-deterministic location.

If developers are unable to upgrade, they can set TMPDIR in their environment to a directory with restricted write access.

---

Release Notes

psf/requests (requests)

v2.33.0

Compare Source

Announcements

• 📣 Requests is adding inline types. If you have a typed code base that
  uses Requests, please take a look at #​7271. Give it a try, and report
  any gaps or feedback you may have in the issue. 📣

Security

• CVE-2026-25645 requests.utils.extract_zipped_paths now extracts
  contents to a non-deterministic location to prevent malicious file
  replacement. This does not affect default usage of Requests, only
  applications calling the utility function directly.

Improvements

• Migrated to a PEP 517 build system using setuptools. (#​7012)

Bugfixes

• Fixed an issue where an empty netrc entry could cause
  malformed authentication to be applied to Requests on
  Python 3.11+. (#​7205)

Deprecations

• Dropped support for Python 3.9 following its end of support. (#​7196)

Documentation

• Various typo fixes and doc improvements.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: uv.lock

Command failed: uv lock --upgrade-package requests
Using CPython 3.14.3 interpreter at: /opt/containerbase/tools/python/3.14.3/bin/python3
  × No solution found when resolving dependencies for split (markers:
  │ python_full_version == '3.9.*'):
  ╰─▶ Because the requested Python version (>=3.9) does not satisfy
      Python>=3.10 and requests==2.33.0 depends on Python>=3.10, we can
      conclude that requests==2.33.0 cannot be used.
      And because your project depends on requests==2.33.0, we can conclude
      that your project's requirements are unsatisfiable.

      hint: While the active Python version is 3.14, the resolution failed for
      other Python versions supported by your project. Consider limiting your
      project's supported Python versions using `requires-python`.

      hint: The `requires-python` value (>=3.9) includes Python versions that
      are not supported by your dependencies (e.g., requests==2.33.0 only
      supports >=3.10). Consider using a more restrictive `requires-python`
      value (like >=3.10).