Commit c2ea6cc
deps: update dependency requests to v2.32.0 [security] (#2791)
This PR contains the following updates:
| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [requests](https://requests.readthedocs.io) ([source](https://github.com/psf/requests), [changelog](https://github.com/psf/requests/blob/master/HISTORY.md)) | `==2.31.0` -> `==2.32.0` | | | | |
---
> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.
### GitHub Vulnerability Alerts
#### [CVE-2024-35195](https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56)
When making requests through a Requests `Session`, if the first request
is made with `verify=False` to disable cert verification, all subsequent
requests to the same origin will continue to ignore cert verification
regardless of changes to the value of `verify`. This behavior will
continue for the lifecycle of the connection in the connection pool.
### Remediation
Any of these options can be used to remediate the current issue; we
highly recommend upgrading as the preferred mitigation.
* Upgrade to `requests>=2.32.0`.
* For `requests<2.32.0`, avoid setting `verify=False` for the first
request to a host while using a Requests Session.
* For `requests<2.32.0`, call `close()` on `Session` objects to clear
existing connections if `verify=False` is used.
### Related Links
* [https://github.com/psf/requests/pull/6655](https://github.com/psf/requests/pull/6655)
---
### Release Notes
<details>
<summary>psf/requests (requests)</summary>
### [`v2.32.0`](https://github.com/psf/requests/blob/HEAD/HISTORY.md#2320-2024-05-20)
[Compare Source](https://github.com/psf/requests/compare/v2.31.0...v2.32.0)
**Security**
- Fixed an issue where setting `verify=False` on the first request from a
Session will cause subsequent requests to the *same origin* to also ignore
cert verification, regardless of the value of `verify`.
(GHSA-9wx4-h78v-vm56)
**Improvements**
- `verify=True` now reuses a global SSLContext which should improve
request time variance between first and subsequent requests. It should
also minimize certificate load time on Windows systems when using a Python
version built with OpenSSL 3.x.
([#​6667](https://github.com/psf/requests/issues/6667))
- Requests now supports optional use of character detection
(`chardet` or `charset_normalizer`) when repackaged or vendored.
This enables `pip` and other projects to minimize their vendoring
surface area. The `Response.text()` and `apparent_encoding` APIs
will default to `utf-8` if neither library is present.
([#​6702](https://github.com/psf/requests/issues/6702))
**Bugfixes**
- Fixed bug in length detection where emoji length was incorrectly
calculated in the request content-length.
([#​6589](https://github.com/psf/requests/issues/6589))
- Fixed deserialization bug in JSONDecodeError.
([#​6629](https://github.com/psf/requests/issues/6629))
- Fixed bug where an extra leading `/` (path separator) could lead
urllib3 to unnecessarily reparse the request URI.
([#​6644](https://github.com/psf/requests/issues/6644))
**Deprecations**
- Requests has officially added support for CPython 3.12
([#​6503](https://github.com/psf/requests/issues/6503))
- Requests has officially added support for PyPy 3.9 and 3.10
([#​6641](https://github.com/psf/requests/issues/6641))
- Requests has officially dropped support for CPython 3.7
([#​6642](https://github.com/psf/requests/issues/6642))
- Requests has officially dropped support for PyPy 3.7 and 3.8
([#​6641](https://github.com/psf/requests/issues/6641))
**Documentation**
- Various typo fixes and doc improvements.
**Packaging**
- Requests has started adopting some modern packaging practices.
The source files for the projects (formerly `requests`) are now located
in `src/requests` in the Requests sdist.
([#​6506](https://github.com/psf/requests/issues/6506))
- Starting in Requests 2.33.0, Requests will migrate to a PEP 517 build system
using `hatchling`. This should not impact the average user, but extremely old
versions of packaging utilities may have issues with the new packaging format.
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/googleapis/sdk-platform-java).
1 parent 5799827 commit c2ea6cc
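An added example, not part of this commit or of the Requests project: a small audit following the remediation list in the commit message, which reports whether the pinned `requests` is below the fixed 2.32.0 and where certificate verification is disabled in a source file. The function names and the sample inputs are assumptions constructed for illustration, and the scan is a heuristic that does not prove a call goes through a `Session`.

```python
import ast
import re

FIXED = (2, 32, 0)  # first fixed release, per the advisory quoted above

def pinned_requests_version(requirements_text):
    """Return the '==' pin for requests as a 3-tuple of ints, or None."""
    for line in requirements_text.splitlines():
        m = re.match(r"\s*requests(?:\[[^\]]*\])?\s*==\s*(\d+(?:\.\d+)*)", line)
        if m:
            parts = [int(p) for p in m.group(1).split(".")]
            return tuple(parts + [0] * (3 - len(parts)))  # "2.32" -> (2, 32, 0)
    return None

def find_verify_disabled(source):
    """Sorted line numbers of verify=False keyword arguments on any call
    and of assignments such as session.verify = False."""
    hits = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            for kw in node.keywords:
                if (kw.arg == "verify" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is False):
                    hits.add(node.lineno)
        elif isinstance(node, ast.Assign):
            if isinstance(node.value, ast.Constant) and node.value.value is False:
                for target in node.targets:
                    if isinstance(target, ast.Attribute) and target.attr == "verify":
                        hits.add(node.lineno)
    return sorted(hits)

def audit(requirements_text, source):
    """Affected means: pinned below the fix AND verification disabled somewhere."""
    version = pinned_requests_version(requirements_text)
    lines = find_verify_disabled(source)
    below_fix = version is not None and version < FIXED
    return {"version": version, "verify_false_lines": lines,
            "affected": below_fix and bool(lines)}

# Constructed sample inputs (not taken from the repository).
SAMPLE_REQUIREMENTS = "attrs==23.2.0\nrequests==2.31.0\n"
SAMPLE_SOURCE = '''import requests
s = requests.Session()
s.get("https://internal.example/health", verify=False)
s.get("https://internal.example/data", verify=True)
s.verify = False
'''

if __name__ == "__main__":
    print(audit(SAMPLE_REQUIREMENTS, SAMPLE_SOURCE))
```

On a pin at or above 2.32.0 the `verify_false_lines` list is still worth reviewing, since each entry is a place where certificate checks are turned off on purpose.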
1 file changed, +1 -1 lines changed: library_generation/requirements.txt
Original file line number | Diff line number | Diff line change | |
---|---|---|---|
| |||
17 | 17 |
| |
18 | 18 |
| |
19 | 19 |
| |
20 |
| - | |
| 20 | + |
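Review bot: confirm that the interpreter installing library_generation/requirements.txt is CPython 3.8 or newer before merging the new pin at line 20, because the release notes quoted in the commit message say 2.32.0 drops CPython 3.7 and PyPy 3.7/3.8. The commit message also warns that some dependencies could not be looked up, so check the Dependency Dashboard for other pins in this file that this update did not cover.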