Update dependency requests to v2.31.0 #3
This PR contains the following updates:
|requests (source, changelog)||minor||
Versions of Requests between v2.3.0 and v2.30.0 are vulnerable to potential
leakage of Proxy-Authorization headers to destination servers when
following HTTPS redirects.
When proxies are defined with user info (https://user:pass@proxy:8080), Requests
will construct a Proxy-Authorization header that is attached to the request to
authenticate with the proxy.
In cases where Requests receives a redirect response, it previously reattached
the Proxy-Authorization header incorrectly, resulting in the value being
sent through the tunneled connection to the destination server. Users who rely on
defining their proxy credentials in the URL are strongly encouraged to upgrade
to Requests 2.31.0+ to prevent unintentional leakage and rotate their proxy
credentials once the change has been fully deployed.
Users who do not use a proxy or do not supply their proxy credentials through
the user information portion of their proxy URL are not subject to this
⚠️ Added support for urllib3 2.0. ⚠️
This may contain minor breaking changes so we advise careful testing and
prior to upgrading.
Users who wish to stay on urllib3 1.x can pin to
- Requests now defers chunked requests to the urllib3 implementation to improve
- Requests relaxes header component requirements to support bytes/str subclasses. (#6356)
- Requests now supports charset_normalizer 3.x. (#6261)
- Updated MissingSchema exception to suggest https scheme rather than http. (#6188)
- Speed optimization in iter_content with transition to yield from. (#6170)
- ⚠️ Requests has officially dropped support for Python 2.7. ⚠️ (#6091)
- Requests has officially dropped support for Python 3.6 (including pypy3.6). (#6091)
- Wrap JSON parsing issues in Request's JSONDecodeError for payloads without
an encoding to make json() API consistent. (#6097)
- Parse header components consistently, raising an InvalidHeader error in
all invalid cases. (#6154)
- Added provisional 3.11 support with current beta build. (#6155)
- Requests got a makeover and we decided to paint it black. (#6095)
- Fixed bug where setting CURL_CA_BUNDLE to an empty string would disable
cert verification. All Requests 2.x versions before 2.28.0 are affected. (#6074)
- Fixed urllib3 exception leak, wrapping
- Fixed issue where invalid Windows registry entries caused proxy resolution
to raise an exception rather than ignoring the entry. (#6149)
- Fixed issue where entire payload could be included in the error message for
- Fixed parsing issue that resulted in the
dropped from proxy URLs. (#6028)
Officially added support for Python 3.10. (#5928)
requests.exceptions.JSONDecodeError to unify JSON exceptions between
Python 2 and 3. This gets raised in the response.json() method, and is
backwards compatible as it inherits from previously thrown exceptions.
Can be caught from requests.exceptions.RequestException as well. (#5856)
Improved error text for misnamed
exceptions. This is a temporary fix until exceptions can be renamed
Improved proxy parsing for proxy URLs missing a scheme. This will address
recent changes to urlparse in Python 3.9+. (#5917)
Fixed defect in extract_zipped_paths which could result in an infinite loop
for some paths. (#5851)
Fixed handling for AttributeError when calculating length of files obtained
Fixed urllib3 exception leak, wrapping
Fixed bug where two Host headers were sent for chunked requests. (#5391)
Fixed regression in Requests 2.26.0 where
incorrectly stripped from all requests sent with
Fixed performance regression in 2.26.0 for hosts with a large number of
proxies available in the environment. (#5924)
Fixed idna exception leak, wrapping
requests.exceptions.InvalidURL for URLs with a leading dot (.) in the
- Requests support for Python 2.7 and 3.6 will be ending in 2022. While we
don't have exact dates, Requests 2.27.x is likely to be the last release
series providing support.
Requests now supports Brotli compression, if either the
brotlicffi package is installed. (#5783)
Session.send now correctly resolves proxy configurations from both
the Session and Request. Behavior now matches
- Fixed a race condition in zip extraction when using Requests in parallel
from zip archive. (#5707)
chardet, use the MIT-licensed
to remove license ambiguity for projects bundling requests. If
is already installed on your machine it will be used instead of
to keep backwards compatibility. (#5797)
You can also install chardet while installing requests by
[use_chardet_on_py3] extra as follows:
pip install "requests[use_chardet_on_py3]"
Python2 still depends upon the
Requests now supports idna 3.x on Python 3. idna 2.x will continue to
be used on Python 2 installations. (#5711)
requests[security] extra has been converted to a no-op install.
PyOpenSSL is no longer the recommended secure option for Requests. (#5867)
Requests has officially dropped support for Python 3.5. (#5867)
- Requests now treats utf8 by default. Resolving
- Requests now supports chardet v4.x.
- Added support for NETRC environment variable. (#5643)
- Requests now supports urllib3 v1.26.
- Requests v2.25.x will be the last release series with support for Python 3.5.
requests[security] extra is officially deprecated and will be removed
in Requests v2.26.0.
pyOpenSSL TLS implementation is now only used if Python
either doesn't have an ssl module or doesn't support
SNI. Previously pyOpenSSL was unconditionally used if available.
This applies even if pyOpenSSL is installed via the
Redirect resolution should now only occur when allow_redirects is True. (#5492)
No longer perform unnecessary Content-Length calculation for
requests that won't use it. (#5496)
- Remove defunct reference to
- Requests no longer outputs password in basic auth usage warning. (#5099)
- Pinning for idna now uses major version instead of minor.
This hopefully reduces the need for releases every time a dependency is updated.
- Requests now supports urllib3 v1.25.2.
(note: 1.25.0 and 1.25.1 are incompatible)
- Requests has officially stopped support for Python 3.4.
- Requests now supports idna v2.8.
- Fixed bug with unintended Authorization header stripping for
redirects using default ports (http/80, https/443).
- Content-Type header parsing is now case-insensitive (e.g.
charset=utf8 v Charset=utf8).
- Fixed exception leak where certain redirect urls would raise
uncaught urllib3 exceptions.
- Requests removes Authorization header from requests redirected
from https to http on the same hostname. (CVE-2018-18074)
should_bypass_proxies now handles URIs without hostnames (e.g.
- Requests now supports urllib3 v1.24.
- Requests has officially stopped support for Python 2.6.
- Fixed issue where status_codes.py's init function failed trying
to append to a
- Warn user about possible slowdown when using cryptography version
- Check for invalid host in proxy URL, before forwarding request to
- Fragments are now properly maintained across redirects. (RFC7231
- Removed use of cgi module to expedite library load time.
- Added support for SHA-256 and SHA-512 digest auth algorithms.
- Minor performance improvement to
- Migrate to using collections.abc for 3.7 compatibility.
- Parsing empty
return one bogus entry.
- Fixed issue where loading the default certificate bundle from a zip
archive would raise an
- Fixed issue with unexpected ImportError on Windows systems which do
- DNS resolution in proxy bypass no longer includes the username and
password in the request. This also fixes the issue of DNS queries
failing on macOS.
- Properly normalize adapter prefixes for url comparison.
None as a file pointer to the files param no longer
raises an exception.
RequestsCookieJar will now preserve the cookie
- We now support idna v2.7.
- We now support urllib3 v1.23.
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
- If you want to rebase/retry this PR, check this box
This PR has been generated by Renovate Bot.
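An added example, not part of this PR or of the Requests project: a check for the exposure condition the 2.31.0 notes above describe, namely an affected Requests version combined with proxy credentials carried in the user info of a proxy URL. The function names and the sample proxy values are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Affected range stated in the release notes above: v2.3.0 through v2.30.0.
FIRST_AFFECTED = (2, 3, 0)
FIRST_FIXED = (2, 31, 0)


def parse_version(text):
    """Return the leading numeric release as a 3-tuple, e.g. '2.28.1' -> (2, 28, 1)."""
    match = re.match(r"\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part or 0) for part in match.groups())


def version_is_affected(version):
    return FIRST_AFFECTED <= parse_version(version) < FIRST_FIXED


def proxy_has_userinfo(proxy_url):
    """True when the proxy URL embeds credentials (user:pass@host)."""
    # A scheme-less value such as 'user:pass@proxy:8080' would be misparsed
    # by urlsplit, so add a scheme before splitting.
    if "://" not in proxy_url:
        proxy_url = "http://" + proxy_url
    parts = urlsplit(proxy_url)
    return bool(parts.username or parts.password)


def audit(requests_version, proxies):
    """Return the proxy keys whose credentials are at risk on this version.

    `proxies` maps a key (scheme or env var name) to a proxy URL, e.g. the
    dict passed to Requests or one built from HTTP_PROXY / HTTPS_PROXY.
    Every proxy with user info is reported, which is deliberately broad.
    """
    if not version_is_affected(requests_version):
        return []
    return sorted(k for k, url in proxies.items() if url and proxy_has_userinfo(url))


if __name__ == "__main__":
    # Constructed sample configuration, not taken from any real deployment.
    sample = {"https": "https://user:pass@proxy:8080", "http": "http://proxy:8080"}
    for key in audit("2.28.1", sample):
        print(f"{key}: upgrade to 2.31.0+ and rotate this proxy credential")
```

In a real environment, feed `audit` the value of `requests.__version__` and the proxy settings the application actually uses.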