
fix: CVE-2026-25645 - bump requests to 2.33.0+#173

Merged
lfarrel6 merged 1 commit into master from com-151/patch-CVE-2026-25645 on May 22, 2026

Conversation

@lfarrel6
Member

Linear Issue: COM-151

Security Patch: CVE-2026-25645

CVE Summary

CVE-2026-25645 (GHSA-gc5v-m9x4-r6x2) affects the requests Python library before version 2.33.0. The requests.utils.extract_zipped_paths() function writes extracted zip archive contents to the system temp directory using a predictable filename. A local attacker with write access to that temp directory can pre-create a malicious file at the expected path, causing the library to load it instead of the legitimate one.

Remediation

Updated requests dependency from 2.32.5 to 2.34.2 by running poetry update requests.

Risk Assessment

Negligible in practice. The vulnerability only impacts applications that call extract_zipped_paths() directly. Audit of this codebase confirms this function is never called — requests is only used for standard HTTP operations (Session, HTTPAdapter, Retry, get()).

Changes

  • Updated poetry.lock to pin requests 2.34.2
  • All existing tests pass (unrelated pre-existing failures in attestation tests remain)
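An added audit check, not code from this PR or the project, that mirrors the two claims above: the lock file now pins a requests release at or beyond the fixed version, and the codebase never calls extract_zipped_paths. The lock snippets and source samples below are constructed for illustration.

```python
"""Audit helpers for the CVE-2026-25645 remediation (added example)."""
import ast
import re

# First requests release containing the fix, per the advisory summary above.
FIXED_VERSION = (2, 33, 0)


def parse_version(text):
    """Turn '2.34.2' into (2, 34, 2) so versions compare as tuples."""
    return tuple(int(part) for part in re.findall(r"\d+", text)[:3])


def locked_requests_version(lock_text):
    """Return the requests version pinned in a poetry.lock, or None if absent."""
    pattern = r'\[\[package\]\]\s*name = "requests"\s*version = "([^"]+)"'
    match = re.search(pattern, lock_text)
    return match.group(1) if match else None


def requests_is_patched(lock_text):
    """True when the lock pins requests >= 2.33.0."""
    version = locked_requests_version(lock_text)
    return version is not None and parse_version(version) >= FIXED_VERSION


def find_extract_zipped_paths_calls(source):
    """Line numbers of calls to extract_zipped_paths (bare or attribute form)."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            func = node.func
            name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
            if name == "extract_zipped_paths":
                hits.append(node.lineno)
    return hits


# Constructed samples: a pre-patch lock, the post-patch lock, and two sources.
VULNERABLE_LOCK = '[[package]]\nname = "requests"\nversion = "2.32.5"\n'
PATCHED_LOCK = '[[package]]\nname = "requests"\nversion = "2.34.2"\n'
CALLING_SOURCE = (
    "import requests\n"
    "from requests.utils import extract_zipped_paths\n"
    "p = extract_zipped_paths('bundle.zip/ca.pem')\n"
    "q = requests.utils.extract_zipped_paths('bundle.zip/ca.pem')\n"
)
CLEAN_SOURCE = "import requests\nr = requests.get('https://example.invalid')\n"

if __name__ == "__main__":
    print("patched:", requests_is_patched(PATCHED_LOCK))
    print("risky call lines:", find_extract_zipped_paths_calls(CALLING_SOURCE))
```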

@lfarrel6 lfarrel6 requested a review from a team as a code owner May 22, 2026 11:57
@changeset-bot

changeset-bot Bot commented May 22, 2026

⚠️ No Changeset found

Latest commit: 7158482

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@lfarrel6 lfarrel6 merged commit 57d4856 into master May 22, 2026
8 checks passed
@lfarrel6 lfarrel6 deleted the com-151/patch-CVE-2026-25645 branch May 22, 2026 13:46
