Bump requests from 2.32.5 to 2.33.0

[dependabot]

Bumps requests from 2.32.5 to 2.33.0.

Release notes

Sourced from requests's releases.

v2.33.0

2.33.0 (2026-03-25)

Announcements

• 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security

• CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements

• Migrated to a PEP 517 build system using setuptools. (#7012)

Bugfixes

• Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (#7205)

Deprecations

• Dropped support for Python 3.9 following its end of support. (#7196)

Documentation

• Various typo fixes and doc improvements.

New Contributors

• @​M0d3v1 made their first contribution in psf/requests#6865
• @​aminvakil made their first contribution in psf/requests#7220
• @​E8Price made their first contribution in psf/requests#6960
• @​mitre88 made their first contribution in psf/requests#7244
• @​magsen made their first contribution in psf/requests#6553
• @​Rohan5commit made their first contribution in psf/requests#7227

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2330-2026-03-25

Changelog

Sourced from requests's changelog.

2.33.0 (2026-03-25)

Announcements

• 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security

• CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements

• Migrated to a PEP 517 build system using setuptools. (#7012)

Bugfixes

• Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (#7205)

Deprecations

• Dropped support for Python 3.9 following its end of support. (#7196)

Documentation

• Various typo fixes and doc improvements.

Commits

• bc04dfd v2.33.0
• 66d21cb Merge commit from fork
• 8b9bc8f Move badges to top of README (#7293)
• e331a28 Remove unused extraction call (#7292)
• 753fd08 docs: fix FAQ grammar in httplib2 example
• 774a0b8 docs(socks): same block as other sections
• 9c72a41 Bump github/codeql-action from 4.33.0 to 4.34.1
• ebf7190 Bump github/codeql-action from 4.32.0 to 4.33.0
• 0e4ae38 docs: exclude Response.is_permanent_redirect from API docs (#7244)
• d568f47 docs: clarify Quickstart POST example (#6960)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[amrit110]

Security Vulnerability — No Patch Available Yet

aieng-bot found the following security vulnerability reported by pip-audit, but cannot fix it automatically because no patched version has been released to PyPI yet:

Package	Version	Vulnerability	Status
pygments	2.19.2	CVE-2026-4539	No fix available on PyPI

Why this cannot be auto-fixed

The vulnerability exists in pygments (inefficient regular expression complexity in pygments/lexers/archetype.py). The upstream project has been informed but has not yet released a patched version. The latest version on PyPI (2.19.2) is still affected.

Note: This failure is unrelated to the requests bump this PR introduces — the requests update itself is clean.

Recommended next steps

1. Monitor the vulnerability advisory (CVE-2026-4539) for a patch release from the pygments project
2. Consider whether a pip-audit ignore/exception can be added temporarily with justification (requires human review)
3. Once a patched pygments release is published to PyPI, aieng-bot can re-run and apply the update automatically

This PR will not be auto-merged until the vulnerability is resolved.

[amrit110]

Security Vulnerability — No Patch Available Yet

aieng-bot found the following security vulnerabilities reported by pip-audit, but cannot fix them automatically because no patched version has been released to PyPI yet:

Package	Version	Vulnerability	Status
pygments	2.19.2	CVE-2026-4539	No fix available on PyPI

Why this cannot be auto-fixed

The vulnerability exists in pygments itself (inefficient regular expression complexity in AdlLexer within pygments/lexers/archetype.py). According to the advisory, the project was informed of the problem early through an issue report but has not yet released a fix. A fix requires the upstream maintainers to release a new version. Once a patched release is published to PyPI, aieng-bot can re-run and apply the update automatically.

Recommended next steps

1. Monitor the CVE-2026-4539 advisory and the pygments project for a patch release
2. Check if a pip-audit ignore/exception can be added temporarily with justification (requires human review)
3. Consider whether this dependency can be replaced with an alternative

This PR will not be auto-merged until the vulnerability is resolved.

[amrit110]

Security Vulnerability — No Patch Available Yet

aieng-bot found the following security vulnerabilities reported by pip-audit, but cannot fix them automatically because no patched version has been released to PyPI yet:

Package	Version	Vulnerability	Status
pygments	2.19.2	CVE-2026-4539	No fix available on PyPI

Why this cannot be auto-fixed

The vulnerability exists in pygments (inefficient regular expression complexity in AdlLexer in pygments/lexers/archetype.py). A fix requires the upstream maintainers to release a new version. The latest available version on PyPI (2.19.2) is still affected. Once a patched release is published to PyPI, aieng-bot can re-run and apply the update automatically.

Recommended next steps

1. Monitor the vulnerability advisory (CVE-2026-4539) for a patch release from the pygments project
2. Check if a pip-audit ignore/exception can be added temporarily with justification (requires human review)
3. Consider whether this dependency can be replaced with an alternative

This PR will not be auto-merged until the vulnerability is resolved.

[amrit110]

Security Vulnerability — No Patch Available Yet

aieng-bot found the following security vulnerability reported by pip-audit, but cannot fix it automatically because no patched version has been released to PyPI yet:

Package	Version	Vulnerability	Status
pygments	2.19.2	CVE-2026-4539	No fix available on PyPI

Details

The vulnerability is in pygments (AdlLexer in pygments/lexers/archetype.py) — inefficient regular expression complexity. The project maintainers have been notified via an issue report but have not yet released a patched version. The current latest release on PyPI is still 2.19.2.

Why this cannot be auto-fixed

A fix requires the upstream pygments maintainers to release a new version to PyPI. Once a patched release is published, aieng-bot can re-run and apply the update automatically.

Recommended next steps

1. Monitor the pygments project for a patch release addressing CVE-2026-4539
2. Once a fix is released, re-trigger aieng-bot to bump pygments and merge
3. If the risk is deemed acceptable, a human reviewer can add CVE-2026-4539 to the ignore-vulns list in the CI workflow (requires explicit human approval)

This PR will not be auto-merged until the vulnerability is resolved.