fix(deps): bump requests to >=2.33.0 for CVE-2026-25645#480

Open: sergioestebance wants to merge 1 commit into main from fix/deps-requests-2.33.0

Conversation

@sergioestebance
Contributor

Summary

  • Add uv constraint to pin requests to >=2.33.0 to fix CVE-2026-25645 (insecure temp file reuse in extract_zipped_paths)

Production impact

Low. requests is a transitive dependency. The vulnerability involves insecure temporary file reuse which requires specific conditions to exploit.

Fixes #227
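As an added illustration (not part of this PR's diff, and the project's real pyproject.toml is not shown on this page), this is the shape a uv constraint takes. A constraint only bounds the version the resolver may select when requests is pulled in transitively; it does not add requests as a direct dependency, which is why it fits a transitive-dependency fix like this one.

```toml
# Added example, not the PR's own change: pin a transitive dependency with uv.
# constraint-dependencies bounds the resolved version without declaring requests
# as a direct dependency of the project.
[tool.uv]
constraint-dependencies = ["requests>=2.33.0"]
```

After adding the constraint, re-run `uv lock` and check that the requests entry in uv.lock resolves to 2.33.0 or later; the automated assessment below reports the lockfile landing on 2.34.2, which satisfies the bound.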

sergioestebance force-pushed the fix/deps-requests-2.33.0 branch from 85648d3 to e39d95f on May 18, 2026 12:22
sergioestebance force-pushed the fix/deps-requests-2.33.0 branch from e39d95f to abfcfb3 on May 18, 2026 12:52
@github-actions
Contributor

Automated low-risk assessment

This PR was evaluated against the repository's Low-Risk Pull Requests procedure and does not qualify as low risk.

The PR changes a transitive third-party dependency (requests) and updates the lockfile to bump requests to 2.34.2 to remediate CVE-2026-25645. Dependency/version changes can affect runtime behavior or integrations and are not within the allowed low-risk categories (UI/docs/test config), so this requires a normal review.

This PR requires a manual review before merging.
