Bump requests from 2.31.0 to 2.32.2 in /.requirements

[dependabot]

Bumps requests from 2.31.0 to 2.32.2.

Release notes

Sourced from requests's releases.

v2.32.2

2.32.2 (2024-05-21)

Deprecations

• To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0, we've renamed _get_connection to a new public API, get_connection_with_tls_context. Existing custom HTTPAdapters will need to migrate their code to use this new API. get_connection is considered deprecated in all versions of Requests>=2.32.0.

  A minimal (2-line) example has been provided in the linked PR to ease migration, but we strongly urge users to evaluate if their custom adapter is subject to the same issue described in CVE-2024-35195. (#6710)

v2.32.1

2.32.1 (2024-05-20)

Bugfixes

• Add missing test certs to the sdist distributed on PyPI.

v2.32.0

2.32.0 (2024-05-20)

🐍 PYCON US 2024 EDITION 🐍

Security

• Fixed an issue where setting verify=False on the first request from a Session will cause subsequent requests to the same origin to also ignore cert verification, regardless of the value of verify. (GHSA-9wx4-h78v-vm56)

Improvements

• verify=True now reuses a global SSLContext which should improve request time variance between first and subsequent requests. It should also minimize certificate load time on Windows systems when using a Python version built with OpenSSL 3.x. (#6667)
• Requests now supports optional use of character detection (chardet or charset_normalizer) when repackaged or vendored. This enables pip and other projects to minimize their vendoring surface area. The Response.text() and apparent_encoding APIs will default to utf-8 if neither library is present. (#6702)

Bugfixes

• Fixed bug in length detection where emoji length was incorrectly calculated in the request content-length. (#6589)
• Fixed deserialization bug in JSONDecodeError. (#6629)
• Fixed bug where an extra leading / (path separator) could lead urllib3 to unnecessarily reparse the request URI. (#6644)

... (truncated)

Changelog

Sourced from requests's changelog.

2.32.2 (2024-05-21)

Deprecations

• To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0, we've renamed _get_connection to a new public API, get_connection_with_tls_context. Existing custom HTTPAdapters will need to migrate their code to use this new API. get_connection is considered deprecated in all versions of Requests>=2.32.0.

  A minimal (2-line) example has been provided in the linked PR to ease migration, but we strongly urge users to evaluate if their custom adapter is subject to the same issue described in CVE-2024-35195. (#6710)

2.32.1 (2024-05-20)

Bugfixes

• Add missing test certs to the sdist distributed on PyPI.

2.32.0 (2024-05-20)

Security

• Fixed an issue where setting verify=False on the first request from a Session will cause subsequent requests to the same origin to also ignore cert verification, regardless of the value of verify. (GHSA-9wx4-h78v-vm56)

Improvements

• verify=True now reuses a global SSLContext which should improve request time variance between first and subsequent requests. It should also minimize certificate load time on Windows systems when using a Python version built with OpenSSL 3.x. (#6667)
• Requests now supports optional use of character detection (chardet or charset_normalizer) when repackaged or vendored. This enables pip and other projects to minimize their vendoring surface area. The Response.text() and apparent_encoding APIs will default to utf-8 if neither library is present. (#6702)

Bugfixes

• Fixed bug in length detection where emoji length was incorrectly calculated in the request content-length. (#6589)
• Fixed deserialization bug in JSONDecodeError. (#6629)
• Fixed bug where an extra leading / (path separator) could lead urllib3 to unnecessarily reparse the request URI. (#6644)

Deprecations

... (truncated)

Commits

• 88dce9d v2.32.2
• c98e4d1 Merge pull request #6710 from nateprewitt/api_rename
• 92075b3 Add deprecation warning
• aa1461b Move _get_connection to get_connection_with_tls_context
• 970e8ce v2.32.1
• d6ebc4a v2.32.0
• 9a40d12 Avoid reloading root certificates to improve concurrent performance (#6667)
• 0c030f7 Merge pull request #6702 from nateprewitt/no_char_detection
• 555b870 Allow character detection dependencies to be optional in post-packaging steps
• d6dded3 Merge pull request #6700 from franekmagiera/update-redirect-to-invalid-uri-test
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

Summary by Sourcery

Update requests to 2.32.2.

Bug Fixes:

• Fix a security issue where setting verify=False on the first request from a Session will cause subsequent requests to the same origin to also ignore cert verification, regardless of the value of verify.
• Fix bug in length detection where emoji length was incorrectly calculated in the request content-length.
• Fix deserialization bug in JSONDecodeError.
• Fix bug where an extra leading / (path separator) could lead urllib3 to unnecessarily reparse the request URI.
• Add missing test certs to the sdist distributed on PyPI

Enhancements:

• Improve request time variance between first and subsequent requests by reusing a global SSLContext.
• Minimize certificate load time on Windows systems when using a Python version built with OpenSSL 3.x.
• Support optional use of character detection (chardet or charset_normalizer) when repackaged or vendored. The Response.text() and apparent_encoding APIs will default to utf-8 if neither library is present.

[sourcery-ai]

Reviewer's Guide by Sourcery

This pull request bumps the version of the requests library from 2.31.0 to 2.32.2. This update includes security fixes, improvements, bug fixes, and deprecations.

Sequence diagram showing improved SSL context handling in Requests 2.32.2

sequenceDiagram
    participant C as Client
    participant S as Session
    participant SSL as SSLContext
    participant Server

    Note over C,Server: New behavior in 2.32.2
    C->>S: Create Session
    S->>SSL: Create global SSLContext
    C->>S: First request (verify=True)
    S->>SSL: Reuse existing SSLContext
    S->>Server: Make HTTPS request
    Server-->>S: Response
    S-->>C: Return response
    C->>S: Subsequent request (verify=True)
    S->>SSL: Reuse same SSLContext
    S->>Server: Make HTTPS request
    Server-->>S: Response
    S-->>C: Return response

Loading

Class diagram showing HTTPAdapter changes in Requests 2.32.2

classDiagram
    class HTTPAdapter {
        +get_connection_with_tls_context()
        +get_connection() [Deprecated]
    }
    note for HTTPAdapter "get_connection() is deprecated.
Use get_connection_with_tls_context() instead"

Loading

File-Level Changes

Change	Details	Files
Security fix to prevent verify=False on one request affecting subsequent requests to the same origin.	Updated requests to 2.32.2 or later to address CVE-2024-35195	.requirements/requirements.txt
Improved request time variance and certificate load time on Windows with OpenSSL 3.x.	Updated requests to 2.32.0 or later to leverage global SSLContext reuse.	.requirements/requirements.txt
Optional character detection support when repackaged or vendored.	Updated requests to 2.32.0 or later to enable optional character detection using chardet or charset_normalizer, defaulting to utf-8 if neither is present.	.requirements/requirements.txt
Bug fixes for emoji length calculation, JSONDecodeError deserialization, and unnecessary request URI reparsing.	Updated requests to 2.32.0 or later to fix emoji length calculation bug. Updated requests to 2.32.0 or later to fix JSONDecodeError deserialization bug. Updated requests to 2.32.0 or later to fix unnecessary request URI reparsing bug.	.requirements/requirements.txt
Deprecation of _get_connection and introduction of get_connection_with_tls_context.	Updated requests to 2.32.2 or later to account for the deprecation of _get_connection and the introduction of get_connection_with_tls_context for custom HTTPAdapters.	.requirements/requirements.txt

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time. You can also use
  this command to specify where the summary should be inserted.

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

We have skipped reviewing this pull request. Here's why:

• It seems to have been created by a bot (hey, dependabot[bot]!). We assume it knows what it's doing!
• We don't review packaging changes - Let us know if you'd like us to change this.

[llamapreview]

Auto Pull Request Review from LlamaPReview

Review Status: Automated Review Skipped

Dear contributor,

Thank you for your Pull Request. LlamaPReview has analyzed your changes and determined that this PR does not require an automated code review.

Analysis Result:

PR only contains documentation changes (1 files)

Technical Context:

Documentation changes typically include:

• Markdown/RST file updates
• API documentation
• Code comments
• README updates
• Documentation in /docs directory
• License and contribution files

We're continuously improving our PR analysis capabilities. Have thoughts on when and how LlamaPReview should perform automated reviews? Share your insights in our GitHub Discussions.

Best regards,
LlamaPReview Team

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.