New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependency requests to v2.20.0 [SECURITY] #2

Open

renovate wants to merge 1 commit into master from renovate/pypi-requests-vulnerability

renovate bot commented May 30, 2023 •

edited

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
requests (source, changelog)	`==2.12.4` -> `==2.20.0`

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2018-18074

The Requests package through 2.19.1 before 2018-09-14 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.

Release Notes

psf/requests (requests)

`v2.20.0`

Bugfixes

Content-Type header parsing is now case-insensitive (e.g.
charset=utf8 v Charset=utf8).
Fixed exception leak where certain redirect urls would raise
uncaught urllib3 exceptions.
Requests removes Authorization header from requests redirected
from https to http on the same hostname. (CVE-2018-18074)
should_bypass_proxies now handles URIs without hostnames (e.g.
files).

Dependencies

Requests now supports urllib3 v1.24.

Deprecations

Requests has officially stopped support for Python 2.6.

`v2.19.1`

Bugfixes

Fixed issue where status_codes.py's init function failed trying
to append to a __doc__ value of None.

`v2.19.0`

Improvements

Warn user about possible slowdown when using cryptography version
< 1.3.4
Check for invalid host in proxy URL, before forwarding request to
adapter.
Fragments are now properly maintained across redirects. (RFC7231
7.1.2)
Removed use of cgi module to expedite library load time.
Added support for SHA-256 and SHA-512 digest auth algorithms.
Minor performance improvement to Request.content.
Migrate to using collections.abc for 3.7 compatibility.

Bugfixes

Parsing empty Link headers with parse_header_links() no longer
return one bogus entry.
Fixed issue where loading the default certificate bundle from a zip
archive would raise an IOError.
Fixed issue with unexpected ImportError on windows system which do
not support winreg module.
DNS resolution in proxy bypass no longer includes the username and
password in the request. This also fixes the issue of DNS queries
failing on macOS.
Properly normalize adapter prefixes for url comparison.
Passing None as a file pointer to the files param no longer
raises an exception.
Calling copy on a RequestsCookieJar will now preserve the cookie
policy correctly.

Dependencies

We now support idna v2.7.
We now support urllib3 v1.23.

`v2.18.4`

Improvements

Error messages for invalid headers now include the header name for
easier debugging

Dependencies

We now support idna v2.6.

`v2.18.3`

Improvements

Running $ python -m requests.help now includes the installed
version of idna.

Bugfixes

Fixed issue where Requests would raise ConnectionError instead of
SSLError when encountering SSL problems when using urllib3 v1.22.

`v2.18.2`

Bugfixes

requests.help no longer fails on Python 2.6 due to the absence of
ssl.OPENSSL_VERSION_NUMBER.

Dependencies

We now support urllib3 v1.22.

`v2.18.1`

Bugfixes

Fix an error in the packaging whereby the *.whl contained
incorrect data that regressed the fix in v2.17.3.

`v2.18.0`

Improvements

Response is now a context manager, so can be used directly in a
with statement without first having to be wrapped by
contextlib.closing().

Bugfixes

Resolve installation failure if multiprocessing is not available
Resolve tests crash if multiprocessing is not able to determine the
number of CPU cores
Resolve error swallowing in utils set_environ generator

`v2.17.3`

Improvements

Improved packages namespace identity support, for monkeypatching
libraries.

`v2.17.2`

Improvements

Improved packages namespace identity support, for monkeypatching
libraries.

`v2.17.1`

Improvements

Improved packages namespace identity support, for monkeypatching
libraries.

`v2.17.0`

Improvements

Removal of the 301 redirect cache. This improves thread-safety.

`v2.16.5`

Improvements to $ python -m requests.help.

`v2.16.4`

Introduction of the $ python -m requests.help command, for
debugging with maintainers!

`v2.16.3`

Further restored the requests.packages namespace for compatibility
reasons.

`v2.16.2`

Further restored the requests.packages namespace for compatibility
reasons.

No code modification (noted below) should be necessary any longer.

`v2.16.1`

Restored the requests.packages namespace for compatibility
reasons.
Bugfix for urllib3 version parsing.

Note: code that was written to import against the
requests.packages namespace previously will have to import code that
rests at this module-level now.

For example:

from requests.packages.urllib3.poolmanager import PoolManager

Will need to be re-written to be:

from requests.packages import urllib3
urllib3.poolmanager.PoolManager

Or, even better:

from urllib3.poolmanager import PoolManager

`v2.16.0`

Unvendor ALL the things!

`v2.15.1`

Everyone makes mistakes.

`v2.15.0`

Improvements

Introduction of the Response.next property, for getting the next
PreparedResponse from a redirect chain (when
allow_redirects=False).
Internal refactoring of __version__ module.

Bugfixes

Restored once-optional parameter for
requests.utils.get_environ_proxies().

`v2.14.2`

Bugfixes

Changed a less-than to an equal-to and an or in the dependency
markers to widen compatibility with older setuptools releases.

`v2.14.1`

Bugfixes

Changed the dependency markers to widen compatibility with older pip
releases.

`v2.14.0`

Improvements

It is now possible to pass no_proxy as a key to the proxies
dictionary to provide handling similar to the NO_PROXY environment
variable.
When users provide invalid paths to certificate bundle files or
directories Requests now raises IOError, rather than failing at
the time of the HTTPS request with a fairly inscrutable certificate
validation error.
The behavior of SessionRedirectMixin was slightly altered.
resolve_redirects will now detect a redirect by calling
get_redirect_target(response) instead of directly querying
Response.is_redirect and Response.headers['location']. Advanced
users will be able to process malformed redirects more easily.
Changed the internal calculation of elapsed request time to have
higher resolution on Windows.
Added win_inet_pton as conditional dependency for the [socks]
extra on Windows with Python 2.7.
Changed the proxy bypass implementation on Windows: the proxy bypass
check doesn't use forward and reverse DNS requests anymore
URLs with schemes that begin with http but are not http or
https no longer have their host parts forced to lowercase.

Bugfixes

Much improved handling of non-ASCII Location header values in
redirects. Fewer UnicodeDecodeErrors are encountered on Python 2,
and Python 3 now correctly understands that Latin-1 is unlikely to
be the correct encoding.
If an attempt to seek file to find out its length fails, we now
appropriately handle that by aborting our content-length
calculations.
Restricted HTTPDigestAuth to only respond to auth challenges made
on 4XX responses, rather than to all auth challenges.
Fixed some code that was firing DeprecationWarning on Python 3.6.
The dismayed person emoticon (/o\\) no longer has a big head. I'm
sure this is what you were all worrying about most.

Miscellaneous

Updated bundled urllib3 to v1.21.1.
Updated bundled chardet to v3.0.2.
Updated bundled idna to v2.5.
Updated bundled certifi to 2017.4.17.

`v2.13.0`

Features

Only load the idna library when we've determined we need it. This
will save some memory for users.

Miscellaneous

Updated bundled urllib3 to 1.20.
Updated bundled idna to 2.2.

`v2.12.5`

Bugfixes

Fixed an issue with JSON encoding detection, specifically detecting
big-endian UTF-32 with BOM.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.


          Update dependency requests to v2.20.0 [SECURITY]

9a9a090

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment