Update dependency requests to v2.33.0 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
requests (changelog)	2.32.5 → 2.33.0

---

Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function

CVE-2026-25645 / GHSA-gc5v-m9x4-r6x2

More information

Details

Impact

The requests.utils.extract_zipped_paths() utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one.

Affected usages

Standard usage of the Requests library is not affected by this vulnerability. Only applications that call extract_zipped_paths() directly are impacted.

Remediation

Upgrade to at least Requests 2.33.0, where the library now extracts files to a non-deterministic location.

If developers are unable to upgrade, they can set TMPDIR in their environment to a directory with restricted write access.

Severity

• CVSS Score: 4.4 / 10 (Medium)
• Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N

References

• https://github.com/psf/requests/security/advisories/GHSA-gc5v-m9x4-r6x2
• https://github.com/psf/requests/commit/66d21cb07bd6255b1280291c4fafb71803cdb3b7
• https://github.com/psf/requests/releases/tag/v2.33.0
• https://nvd.nist.gov/vuln/detail/CVE-2026-25645
• https://github.com/advisories/GHSA-gc5v-m9x4-r6x2

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

psf/requests (requests)

v2.33.0

Compare Source

Announcements

• 📣 Requests is adding inline types. If you have a typed code base that
  uses Requests, please take a look at #​7271. Give it a try, and report
  any gaps or feedback you may have in the issue. 📣

Security

• CVE-2026-25645 requests.utils.extract_zipped_paths now extracts
  contents to a non-deterministic location to prevent malicious file
  replacement. This does not affect default usage of Requests, only
  applications calling the utility function directly.

Improvements

• Migrated to a PEP 517 build system using setuptools. (#​7012)

Bugfixes

• Fixed an issue where an empty netrc entry could cause
  malformed authentication to be applied to Requests on
  Python 3.11+. (#​7205)

Deprecations

• Dropped support for Python 3.9 following its end of support. (#​7196)

Documentation

• Various typo fixes and doc improvements.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

I've returned from the depths of the test suite with news. 🤿

I've aggregated the results of the automated checks for this PR below.

📋 Repo Health

Giving the repo a clean bill of health! 🛁

✅ All required files present.

Latest Version: 2.4.0a1

✅ ovos_plugin_manager/version.py — Version file
✅ README.md — README
✅ LICENSE — License file
✅ pyproject.toml — pyproject.toml
⚠️ setup.py — setup.py
✅ CHANGELOG.md — Changelog
✅ ovos_plugin_manager/version.py has valid version block markers

🏷️ Release Preview

Ensuring the 'Contributors' list is sorted and complete. 👥

Current: 2.4.0a1 → Next: 2.4.0a2

Signal	Value
Label	ignore-for-release
PR title	Update dependency requests to v2.33.0 [SECURITY]
Bump	alpha

⚠️ No conventional commit prefix — alpha-only bump.
Suggested: fix: update the thing or feat: update the thing

---

🚀 Release Channel Compatibility

Predicted next version: 2.4.0a2

Channel	Status	Note	Current Constraint
Stable	❌	Too new (must be <0.10.0)	ovos-plugin-manager>=0.9.0,<0.10.0
Testing	✅	Compatible	ovos-plugin-manager>=1.0.3,<3.0.0
Alpha	✅	Compatible	ovos-plugin-manager>=2.4.0a1

🔒 Security (pip-audit)

Looking for any Trojan horses in the dependencies. 🐎

✅ No known vulnerabilities found (59 packages scanned).

🔍 Lint

Another piece of the puzzle! 🧩

❌ ruff: issues found — see job log

📊 Coverage

A deep dive into the sea of test results. 🌊

✅ 84.9% total coverage

Files below 80% coverage (22 files)

File	Coverage	Missing lines
ovos_plugin_manager/utils/audio.py	22.5%	69
ovos_plugin_manager/hardware/__init__.py	31.6%	13
ovos_plugin_manager/templates/gui.py	39.0%	25
ovos_plugin_manager/audio.py	40.5%	22
ovos_plugin_manager/templates/language.py	58.0%	21
ovos_plugin_manager/audio2ipa.py	58.1%	13
ovos_plugin_manager/gui.py	62.5%	15
ovos_plugin_manager/postag.py	63.0%	17
ovos_plugin_manager/segmentation.py	63.0%	17
ovos_plugin_manager/tokenization.py	63.0%	17
ovos_plugin_manager/templates/solvers.py	68.5%	82
ovos_plugin_manager/plugin_entry.py	69.1%	46
ovos_plugin_manager/coreference.py	69.2%	16
ovos_plugin_manager/templates/hotwords.py	71.0%	9
ovos_plugin_manager/templates/ocp.py	72.2%	5
ovos_plugin_manager/dialog_transformers.py	72.7%	3
ovos_plugin_manager/templates/segmentation.py	73.7%	5
ovos_plugin_manager/templates/audio2ipa.py	75.0%	3
ovos_plugin_manager/templates/postag.py	75.0%	5
ovos_plugin_manager/persona.py	77.8%	2
ovos_plugin_manager/templates/keywords.py	78.9%	4
ovos_plugin_manager/wakewords.py	79.3%	19

Full report: download the coverage-report artifact.

🔨 Build Tests

I've poured the digital concrete for this build. 🏗️

✅ All versions pass

Python	Build	Install	Tests
3.9	✅	✅	✅
3.10	✅	✅	✅
3.11	✅	✅	✅
3.12	✅	✅	✅
3.13	✅	✅	✅
3.14	✅	✅	✅

⚖️ License Check

I've checked for any conflicting terms of service. 📜

✅ No license violations found (40 packages).

License distribution: 10× MIT License, 6× MIT, 5× Apache Software License, 5× Apache-2.0, 2× BSD-3-Clause, 2× ISC License (ISCL), 2× PSF-2.0, 2× Python Software Foundation License, +6 more

Full breakdown — 40 packages

Package	Version	License	URL
audioop-lts	0.2.2	PSF-2.0	link
build	1.4.4	MIT	link
certifi	2026.4.22	Mozilla Public License 2.0 (MPL 2.0)	link
charset-normalizer	3.4.7	MIT	link
click	8.3.3	BSD-3-Clause	link
combo_lock	0.3.1	Apache-2.0	link
filelock	3.29.0	MIT	link
idna	3.13	BSD-3-Clause	link
importlib_metadata	9.0.0	Apache-2.0	link
json-database	0.10.1	MIT	link
kthread	0.2.3	MIT License	link
langcodes	3.5.1	MIT License	link
markdown-it-py	4.0.0	MIT License	link
mdurl	0.1.2	MIT License	link
memory-tempfile	2.2.3	MIT License	link
ovos-config	2.1.1	Apache-2.0	link
ovos-plugin-manager	2.4.0a1	Apache-2.0	link
ovos-utils	0.8.5	Apache-2.0	link
ovos_bus_client	1.5.0	Apache Software License	link
packaging	26.2	Apache-2.0 OR BSD-2-Clause	link
pexpect	4.9.0	ISC License (ISCL)	link
ptyprocess	0.7.0	ISC License (ISCL)	link
pyee	12.1.1	MIT License	link
Pygments	2.20.0	BSD-2-Clause	link
pyproject_hooks	1.2.0	MIT License	link
python-dateutil	2.9.0.post0	Apache Software License; BSD License	link
PyYAML	6.0.3	MIT License	link
quebra-frases	0.3.7	Apache Software License	link
regex	2026.4.4	Apache-2.0 AND CNRI-Python	link
requests	2.33.1	Apache Software License	link
rich	13.9.4	MIT License	link
rich-click	1.9.7	MIT License

Copyright (c) 2022 Phil Ewels

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
| link |
| six | 1.17.0 | MIT License | link |
| standard-aifc | 3.13.0 | Python Software Foundation License | link |
| standard-chunk | 3.13.0 | Python Software Foundation License | link |
| typing_extensions | 4.15.0 | PSF-2.0 | link |
| urllib3 | 2.6.3 | MIT | link |
| watchdog | 6.0.0 | Apache Software License | link |
| websocket-client | 1.9.0 | Apache Software License | link |
| zipp | 3.23.1 | MIT | link |

Policy: Apache 2.0 (universal donor). StrongCopyleft / NetworkCopyleft / WeakCopyleft / Other / Error categories fail. MPL allowed.

---

Your friendly neighborhood bot 🕷️