Skip to content

Bump requests from 2.32.0 to 2.32.4#14

Closed
dependabot[bot] wants to merge 1 commit intodevelopfrom
dependabot/pip/requests-2.32.4
Closed

Bump requests from 2.32.0 to 2.32.4#14
dependabot[bot] wants to merge 1 commit intodevelopfrom
dependabot/pip/requests-2.32.4

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Feb 24, 2026

Bumps requests from 2.32.0 to 2.32.4.

Release notes

Sourced from requests's releases.

v2.32.4

2.32.4 (2025-06-10)

Security

  • CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted environment will retrieve credentials for the wrong hostname/machine from a netrc file. (#6965)

Improvements

  • Numerous documentation improvements

Deprecations

  • Added support for pypy 3.11 for Linux and macOS. (#6926)
  • Dropped support for pypy 3.9 following its end of support. (#6926)

v2.32.3

2.32.3 (2024-05-29)

Bugfixes

  • Fixed bug breaking the ability to specify custom SSLContexts in sub-classes of HTTPAdapter. (#6716)
  • Fixed issue where Requests started failing to run on Python versions compiled without the ssl module. (#6724)

v2.32.2

2.32.2 (2024-05-21)

Deprecations

  • To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0, we've renamed _get_connection to a new public API, get_connection_with_tls_context. Existing custom HTTPAdapters will need to migrate their code to use this new API. get_connection is considered deprecated in all versions of Requests>=2.32.0.

    A minimal (2-line) example has been provided in the linked PR to ease migration, but we strongly urge users to evaluate if their custom adapter is subject to the same issue described in CVE-2024-35195. (#6710)

v2.32.1

2.32.1 (2024-05-20)

Bugfixes

  • Add missing test certs to the sdist distributed on PyPI.
Changelog

Sourced from requests's changelog.

2.32.4 (2025-06-10)

Security

  • CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted environment will retrieve credentials for the wrong hostname/machine from a netrc file.

Improvements

  • Numerous documentation improvements

Deprecations

  • Added support for pypy 3.11 for Linux and macOS.
  • Dropped support for pypy 3.9 following its end of support.

2.32.3 (2024-05-29)

Bugfixes

  • Fixed bug breaking the ability to specify custom SSLContexts in sub-classes of HTTPAdapter. (#6716)
  • Fixed issue where Requests started failing to run on Python versions compiled without the ssl module. (#6724)

2.32.2 (2024-05-21)

Deprecations

  • To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0, we've renamed _get_connection to a new public API, get_connection_with_tls_context. Existing custom HTTPAdapters will need to migrate their code to use this new API. get_connection is considered deprecated in all versions of Requests>=2.32.0.

    A minimal (2-line) example has been provided in the linked PR to ease migration, but we strongly urge users to evaluate if their custom adapter is subject to the same issue described in CVE-2024-35195. (#6710)

2.32.1 (2024-05-20)

Bugfixes

  • Add missing test certs to the sdist distributed on PyPI.
Commits
  • 021dc72 Polish up release tooling for last manual release
  • 821770e Bump version and add release notes for v2.32.4
  • 59f8aa2 Add netrc file search information to authentication documentation (#6876)
  • 5b4b64c Add more tests to prevent regression of CVE 2024 47081
  • 7bc4587 Add new test to check netrc auth leak (#6962)
  • 96ba401 Only use hostname to do netrc lookup instead of netloc
  • 7341690 Merge pull request #6951 from tswast/patch-1
  • 6716d7c remove links
  • a7e1c74 Update docs/conf.py
  • c799b81 docs: fix dead links to kenreitz.org
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump requests from 2.32.0 to 2.32.4
b381347 
Bumps [requests](https://github.com/psf/requests) from 2.32.0 to 2.32.4.
- [Release notes](https://github.com/psf/requests/releases)
- [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md)
- [Commits](psf/requests@v2.32.0...v2.32.4)

---
updated-dependencies:
- dependency-name: requests
  dependency-version: 2.32.4
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels Feb 24, 2026
bakerboy448 added a commit that referenced this pull request Mar 1, 2026
@bakerboy448
fix: bump all pinned dependencies to resolve 11 Dependabot alerts
5de0b3e 
- Flask 2.2.5 → 3.1.3 (session Vary header, low)
- Werkzeug 3.0.2 → 3.1.6 (safe_join device names, debugger RCE, resource exhaustion)
- Jinja2 3.1.4 → 3.1.6 (sandbox breakout via filenames/format/attr)
- requests 2.32.0 → 2.32.4 (.netrc credential leak)
- itsdangerous 2.1.2 → 2.2.0 (Flask 3.x requirement)
- click 8.1.7 → 8.1.8
- MarkupSafe 2.1.5 → 3.0.2
- Add blinker 1.9.0 (Flask 3.x requirement)

Resolves: #4, #7, #8, #10, #11, #12, #13, #14, #15, #16, #17
@bakerboy448 bakerboy448 mentioned this pull request Mar 1, 2026
Merged
3 tasks
bakerboy448 added a commit that referenced this pull request Mar 1, 2026
@bakerboy448
fix: resolve all 11 Dependabot security alerts (#27)
cade377 
## Summary

- Bumps all pinned dependencies to resolve all 11 open Dependabot alerts
- Flask 2.2.5 → 3.1.3 (major bump — app uses only basic routing/jsonify,
no breaking changes)
- Werkzeug 3.0.2 → 3.1.6 (5 CVEs: safe_join, debugger RCE, resource
exhaustion)
- Jinja2 3.1.4 → 3.1.6 (3 CVEs: sandbox breakout via
filenames/format/attr)
- requests 2.32.0 → 2.32.4 (.netrc credential leak)
- Adds blinker 1.9.0 (new Flask 3.x requirement)
- Bumps itsdangerous, click, MarkupSafe to Flask 3.x compatible versions

Resolves #4, #7, #8, #10, #11, #12, #13, #14, #15, #16, #17

## Test plan

- [ ] Docker image builds successfully
- [ ] `/update-dns?guid=<test>` endpoint responds correctly
- [ ] All 11 Dependabot alerts auto-close after merge

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

## Release Notes

* **Chores**
* Updated core framework and library dependencies to latest stable
versions to improve application stability, security, and compatibility.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
@bakerboy448
Copy link
Collaborator

bakerboy448 commented Mar 1, 2026

Superseded by #27 which bumps all dependencies together.

@bakerboy448 bakerboy448 closed this Mar 1, 2026
@dependabot @github
Copy link
Contributor Author

dependabot bot commented on behalf of github Mar 1, 2026

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@bakerboy448 bakerboy448 deleted the dependabot/pip/requests-2.32.4 branch March 1, 2026 23:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file python Pull requests that update python code

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@bakerboy448