Bump requests from 2.32.5 to 2.33.0

[dependabot]

Bumps requests from 2.32.5 to 2.33.0.

Release notes

Sourced from requests's releases.

v2.33.0

2.33.0 (2026-03-25)

Announcements

• 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security

• CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements

• Migrated to a PEP 517 build system using setuptools. (#7012)

Bugfixes

• Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (#7205)

Deprecations

• Dropped support for Python 3.9 following its end of support. (#7196)

Documentation

• Various typo fixes and doc improvements.

New Contributors

• @​M0d3v1 made their first contribution in psf/requests#6865
• @​aminvakil made their first contribution in psf/requests#7220
• @​E8Price made their first contribution in psf/requests#6960
• @​mitre88 made their first contribution in psf/requests#7244
• @​magsen made their first contribution in psf/requests#6553
• @​Rohan5commit made their first contribution in psf/requests#7227

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2330-2026-03-25

Changelog

Sourced from requests's changelog.

2.33.0 (2026-03-25)

Announcements

• 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security

• CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements

• Migrated to a PEP 517 build system using setuptools. (#7012)

Bugfixes

• Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (#7205)

Deprecations

• Dropped support for Python 3.9 following its end of support. (#7196)

Documentation

• Various typo fixes and doc improvements.

Commits

• bc04dfd v2.33.0
• 66d21cb Merge commit from fork
• 8b9bc8f Move badges to top of README (#7293)
• e331a28 Remove unused extraction call (#7292)
• 753fd08 docs: fix FAQ grammar in httplib2 example
• 774a0b8 docs(socks): same block as other sections
• 9c72a41 Bump github/codeql-action from 4.33.0 to 4.34.1
• ebf7190 Bump github/codeql-action from 4.32.0 to 4.33.0
• 0e4ae38 docs: exclude Response.is_permanent_redirect from API docs (#7244)
• d568f47 docs: clarify Quickstart POST example (#6960)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[amrit110]

Security Vulnerability — No Patch Available Yet

aieng-bot found the following security vulnerability reported by pip-audit, but cannot fix it automatically because no patched version has been released to PyPI yet:

Package	Version	Vulnerability	Status
pygments	2.19.2	CVE-2026-4539	No fix available on PyPI — already at latest version

Why this cannot be auto-fixed

The vulnerability exists in pygments itself (inefficient regular expression complexity in AdlLexer in pygments/lexers/archetype.py). The upstream project has been informed but has not yet released a patched version. Since 2.19.2 is already the latest release on PyPI, there is no version to upgrade to.

What was fixed in this PR

• ✅ pypdf bumped from 6.9.1 → 6.9.2 to fix CVE-2026-33699 (infinite loop via crafted PDF)

Recommended next steps for pygments

1. Monitor CVE-2026-4539 for a patch release from the pygments maintainers
2. Once a patched release is published to PyPI, aieng-bot can re-run and apply the update automatically
3. Consider whether pygments can be temporarily added to the pip-audit ignore list with justification (requires human review)

This PR will not be auto-merged until the vulnerability is resolved.

[amrit110]

Security Vulnerability — No Patch Available Yet

aieng-bot found the following security vulnerability reported by pip-audit, but cannot fix it automatically because no patched version has been released to PyPI yet:

Package	Version	Vulnerability	Status
pygments	2.19.2	CVE-2026-4539	No fix available on PyPI

Why this cannot be auto-fixed

The vulnerability exists in pygments itself (specifically in the AdlLexer function in pygments/lexers/archetype.py — an inefficient regular expression complexity issue). The upstream pygments project has been notified but has not yet released a fix. The latest version on PyPI (2.19.2) is the vulnerable version.

Note: CVE-2026-4539 requires local access to exploit (it is not a remote code execution or network-exploitable vulnerability).

Recommended next steps

1. Monitor the pygments PyPI releases for a patched version > 2.19.2
2. Consider whether a temporary pip-audit ignore/exception (CVE-2026-4539) can be added with justification (requires human review)
3. Once a patched release is published to PyPI, aieng-bot can re-run and apply the update automatically

This PR will not be auto-merged until the vulnerability is resolved.

[amrit110]

Security Vulnerability — No Patch Available Yet

aieng-bot found the following security vulnerabilities reported by pip-audit, but cannot fix them automatically because no patched version has been released to PyPI yet:

Package	Version	Vulnerability	Status
pygments	2.19.2	CVE-2026-4539	No fix available on PyPI

Why this cannot be auto-fixed

The vulnerability exists in pygments (v2.19.2). A ReDoS flaw was discovered in the AdlLexer function in pygments/lexers/archetype.py. The current latest version on PyPI is 2.19.2 — there is no newer release with a fix.

A fix requires the upstream maintainers to release a new version. Once a patched release is published to PyPI, aieng-bot can re-run and apply the update automatically.

Recommended next steps

1. Monitor the vulnerability advisory for a patch release
2. Check if a pip-audit ignore/exception can be added temporarily with justification (requires human review)
3. Consider whether this dependency can be replaced with an alternative

This PR will not be auto-merged until the vulnerability is resolved.