chore(deps): update dependency requests to v2.32.4 [security]#24
Merged
renovate[bot] merged 1 commit intodevelopfrom Mar 15, 2026
Merged
Conversation
renovate
bot
force-pushed
the
renovate/pypi-requests-vulnerability
branch
from
b42ca88 to
2ef9a2f
Compare
4 tasks
NiklasRosenstein
added a commit
that referenced
this pull request
Mar 15, 2026
## Summary This PR wires up fully-automatic maintenance for the repo so that open security PRs merge themselves and a new PyPI release follows automatically. ### 1. `renovate.json` — automerge for Renovate PRs - **Security updates** (`matchCategories: ["security"]`): automerged immediately with highest priority. This will finally close the 4 long-standing security PRs (#21, #24, #25, #27). - **Minor/patch updates**: automerged after a 3-day stabilisation period (grouped). - `platformAutomerge: true` — uses GitHub's native auto-merge so it respects branch protection rules. - Adds a `dependencies` label to all Renovate PRs for easy filtering. ### 2. `pyproject.toml` — loosen overly tight dependency pins The previous constraints had patch-level upper bounds that directly blocked the open Renovate PRs: | Dep | Before | After | |---|---|---| | `cryptography` | `>=44.0.0,<44.0.1` | `>=44.0.0` | | `urllib3` | `>=2.6.3,<2.6.4` | `>=2.6.3` | `PyJWT<3.0.0` and `requests<3.0.0` are intentional major-version guards and are left as-is. ### 3. `.github/workflows/auto-release.yml` — automatic version tagging After the existing **Python CI** workflow passes on `develop`, this workflow: **Path A — unreleased commits exist (e.g. after Renovate PRs merge):** 1. Auto-bumps the patch version in `pyproject.toml` and `__init__.py` 2. Generates a `.changelog/<new_version>.toml` entry summarising the merged commits 3. Pushes the commit + tag → triggers `release.yml` → publishes to PyPI **Path B — version was manually bumped in a PR:** 1. Checks that a `.changelog/<version>.toml` entry exists 2. If so, tags the version → triggers `release.yml` > **Note:** The auto-release commit is pushed with a `RELEASE_TOKEN` secret (falls back to `GITHUB_TOKEN`). For the tag push to trigger `release.yml`, a PAT stored as `RELEASE_TOKEN` is needed (pushes via `GITHUB_TOKEN` do not trigger further workflows). If you don't have one set up, you can add a fine-grained PAT with `contents: write` scope. ## Test plan - [ ] Merge this PR - [ ] Verify Renovate re-evaluates the open security PRs and enables auto-merge on them - [ ] Confirm that once a security PR merges and CI passes, `auto-release.yml` runs and a new patch tag appears - [ ] Confirm `release.yml` picks up the tag and publishes to PyPI Co-authored-by: Claude Sonnet 4.6 <[email protected]>
renovate
bot
force-pushed
the
renovate/pypi-requests-vulnerability
branch
from
2ef9a2f to
d384c1f
Compare
renovate
bot
force-pushed
the
renovate/pypi-requests-vulnerability
branch
from
d384c1f to
6864c98
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
2.32.3→2.32.4GitHub Vulnerability Alerts
CVE-2024-47081
Impact
Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs.
Workarounds
For older versions of Requests, use of the .netrc file can be disabled with
trust_env=Falseon your Requests Session (docs).References
https://github.com/psf/requests/pull/6965
https://seclists.org/fulldisclosure/2025/Jun/2
Release Notes
psf/requests (requests)
v2.32.4Compare Source
Security
environment will retrieve credentials for the wrong hostname/machine from a
netrc file.
Improvements
Deprecations
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.