Skip to content

Bump requests from 2.24.0 to 2.33.0 in /apps/securetrails-vulnerable#6

Closed
dependabot[bot] wants to merge 64 commits into
mainfrom
dependabot/pip/apps/securetrails-vulnerable/requests-2.33.0
Closed

Bump requests from 2.24.0 to 2.33.0 in /apps/securetrails-vulnerable#6
dependabot[bot] wants to merge 64 commits into
mainfrom
dependabot/pip/apps/securetrails-vulnerable/requests-2.33.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Mar 25, 2026

Copy link
Copy Markdown

Bumps requests from 2.24.0 to 2.33.0.

Release notes

Sourced from requests's releases.

v2.33.0

2.33.0 (2026-03-25)

Announcements

  • 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security

  • CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements

  • Migrated to a PEP 517 build system using setuptools. (#7012)

Bugfixes

  • Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (#7205)

Deprecations

  • Dropped support for Python 3.9 following its end of support. (#7196)

Documentation

  • Various typo fixes and doc improvements.

New Contributors

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2330-2026-03-25

v2.32.5

2.32.5 (2025-08-18)

Bugfixes

  • The SSLContext caching feature originally introduced in 2.32.0 has created a new class of issues in Requests that have had negative impact across a number of use cases. The Requests team has decided to revert this feature as long term maintenance of it is proving to be unsustainable in its current iteration.

Deprecations

  • Added support for Python 3.14.
  • Dropped support for Python 3.8 following its end of support.

v2.32.4

2.32.4 (2025-06-10)

... (truncated)

Changelog

Sourced from requests's changelog.

2.33.0 (2026-03-25)

Announcements

  • 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security

  • CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements

  • Migrated to a PEP 517 build system using setuptools. (#7012)

Bugfixes

  • Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (#7205)

Deprecations

  • Dropped support for Python 3.9 following its end of support. (#7196)

Documentation

  • Various typo fixes and doc improvements.

2.32.5 (2025-08-18)

Bugfixes

  • The SSLContext caching feature originally introduced in 2.32.0 has created a new class of issues in Requests that have had negative impact across a number of use cases. The Requests team has decided to revert this feature as long term maintenance of it is proving to be unsustainable in its current iteration.

Deprecations

  • Added support for Python 3.14.
  • Dropped support for Python 3.8 following its end of support.

2.32.4 (2025-06-10)

Security

  • CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted environment will retrieve credentials for the wrong hostname/machine from a netrc file.

... (truncated)

Commits
  • bc04dfd v2.33.0
  • 66d21cb Merge commit from fork
  • 8b9bc8f Move badges to top of README (#7293)
  • e331a28 Remove unused extraction call (#7292)
  • 753fd08 docs: fix FAQ grammar in httplib2 example
  • 774a0b8 docs(socks): same block as other sections
  • 9c72a41 Bump github/codeql-action from 4.33.0 to 4.34.1
  • ebf7190 Bump github/codeql-action from 4.32.0 to 4.33.0
  • 0e4ae38 docs: exclude Response.is_permanent_redirect from API docs (#7244)
  • d568f47 docs: clarify Quickstart POST example (#6960)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

…ards

✨ Repository Reorganization:
- Moved all exercises from .github/skills/ to top-level docs/ folder
- Reorganized vulnerable apps into apps/ directory
- Created professional root-level README with comprehensive guide
- Added docker-compose.yml for local reproducibility
- Added CONTRIBUTING.md for collaboration guidelines
- Added LICENSE (MIT) for open-source clarity

📁 New Structure:
  docs/                          (All workshop exercises)
    ├── 0-prereqs.md
    ├── 1-agent-security-review.md
    ├── 2-mcp-supply-chain.md
    ├── 3-secret-scanner-agent.md
    ├── 4-sdlc-policy-agents.md
    ├── resources/               (Reference materials)
    └── images/                  (Screenshots & diagrams)

  apps/                          (Sample vulnerable applications)
    └── securetrails-vulnerable/

  .github/agents/                (Custom security agents)
  .github/workflows/             (CI/CD pipelines)

  Root files:
    ├── README.md                (Professional main documentation)
    ├── docker-compose.yml       (Local environment)
    ├── CONTRIBUTING.md          (Contribution guidelines)
    └── LICENSE                  (MIT License)

📖 Improvements:
- Enhanced README with story, objectives, prerequisites table
- Added exercise difficulty ratings and time estimates
- Included repository structure documentation
- Added multiple learning paths (beginner/intermediate/advanced)
- Comprehensive resource links and quick-start guide
- Professional styling matching industry workshop standards

🎯 Maintained:
- All exercise content and technical accuracy
- Agent implementations and workflows
- Vulnerable application setup
- Learning progression and flow

Follows best practices from:
- CanarysAutomations/app-modernization-workshop
- GitHub Copilot workshop standards
- Professional open-source conventions
…oach

❌ REMOVED (theoretical/non-existent):
- gh copilot agent register command
- Fake SDK-based agent chaining
- Aspirational multi-agent framework

✅ REPLACED WITH (real working patterns):
- Direct Python script execution shows actual vulnerability detection
- File-based JSON data passing between agents
- Real orchestration via shell scripts
- GitHub Actions workflow integration
- Pre-commit hook configuration

Changes:
- Agents now shown as standalone Python executables
- Context passing via findings.json files instead of abstract SDK calls
- Run orchestration with shell scripts (Unix pipeline approach)
- Pre-commit hook setup for local blocking
- More honest about current (2026) Copilot capabilities

Impact: Exercise 3 now demonstrates what actually works today while showing
how multi-agent orchestration COULD work with file/JSON-based coordination.
…s workflow

❌ REMOVED (theoretical):
- Complex YAML policy file definitions
- Aspirational multi-agent SDKframework
- Fictional policy enforcement engine

✅ REPLACED WITH (real working patterns):
- GitHub Actions workflow orchestration
- JSON file-based data passing between agents
- Real exit code decision logic (block, warn, pass)
- Actual PR commenting and issue creation
- Enterprise workflow architecture diagram

Changes:
- Agents now shown running via GitHub Actions jobs
- Real conditional logic based on findings.json
- Policy decisions implemented as exit codes (0=pass, 1=block)
- Practical enterprise patterns that work today
- Test script showing local workflow simulation

Impact: Exercise 4 now demonstrates production-ready automation
using only GitHub-native features + coordinated Python agents
Replace hardcoded issue template with 3 flexible options:

❌ REMOVED:
- Hardcoded 7 vulnerabilities in issue template
- Assumes all candidates find same issues
- Non-realistic for actual CLI interactions

✅ ADDED (3 approaches):

1. AUTO-GENERATE (Recommended):
   - Python script parses agent output dynamically
   - Creates issue with actual findings
   - Works for any number of vulnerabilities
   - Groups by severity automatically

2. MANUAL FALLBACK:
   - Simple approach if script fails
   - References actual agent output

3. REFERENCE OPTION:
   - Understand what agent found first
   - Manual issue creation with real data

Key improvements:
- Acknowledges findings vary per candidate
- No false expectations about exact results
- Each candidate gets honest assessment of THEIR findings
- Works whether they find 3, 5, 7, or different vulnerabilities
- Better reflects real CLI interaction patterns

This addresses the feedback that hardcoded templates don't match
actual agent output which varies between runs and environments.
…eal agent execution

❌ REMOVED (theoretical/non-existent):
- MCP server configuration setup (.copilot/mcp-config.json)
- gh copilot agent register with agent-path
- gh copilot agent run commands
- Fake MCP tool discovery (search_code, search_issues, etc.)
- Aspirational agent chaining via SDK
- SBOM generation via MCP queries

✅ CLARIFIED:
- File types: .md (instructions) vs .py (agent code)
- Exercise files are .md for you to READ
- Agent files are .py - actual Python executables
- This is a MARKDOWN file with INSTRUCTIONS to follow
- The agents are Python scripts you RUN, not register

✅ REPLACED WITH (real working approach):
- Direct Python agent execution: python .github/agents/dependency-scout.py
- Real CVE detection patterns in the .py agent file
- Actual SBOM generation from agent output
- JSON-based findings
- Real GitHub issue creation from findings
- No fake CLI commands or SDK calls

Key improvements:
- Honest about what works: Python agents as standalone executables
- Clear distinction: .md exercises you read, .py agents you run
- Realistic approach: Candidates just run Python scripts
- No confusion about non-existent Copilot SDK features
- Same real vulnerability detection, different approach

This fixes the same issue as Exercise 3 had - removed aspirational
SDK features and showed what actually works in 2026.
… suggest

- Replace 3 complex options (auto-script, fallback, manual) with single workflow
- New approach: Run agent → Show Copilot findings → Copilot generates gh issue command
- Much simpler UX: No helper scripts, just conversation
- Aligns with realistic workflows: Humans + AI collaboration
- Uses actual participant findings (no templates)
…e mode (v0.0.414+)

- Replace outdated 'gh copilot suggest/explain' commands with current 'copilot' interactive CLI
- Show slash commands: /login, /model, /autopilot, /exit, /help
- Demonstrate real interactive conversation pattern (Steps 1-5)
- Update Step 6 issue creation to use Copilot to generate gh issue create command
- Update acceptance criteria and troubleshooting for new CLI
- Fix Learning Objectives to reflect current tool capabilities
- Update resources with links to current Copilot CLI repo and docs (v0.0.414)
- All commands now show ACTUAL working tools, not aspirational vaporware
- Users can follow exact workflow: copilot → ask → analyze → generate → run
Exercise 2 (Supply Chain):
- Condensed learning objectives to 3 key items
- Removed verbose file type explanations
- Simplified scenario to one sentence
- Reduced expected output examples
- Consolidated 5 steps into 3 focused steps
- Removed ~200 lines of unnecessary explanation

Exercise 3 (Secret Detection):
- Condensed from 637 lines to ~120 lines
- Removed verbose 'SDK' references (incorrect - it's Python agents)
- Cut out 10+ steps of complex workflows
- Kept only essential agent execution
- Removed pre-commit hook complexity
- Focus on core security scanning functionality

Exercise 4 (SDLC Automation):
- Completely rewritten from 1217 lines to ~180 lines
- Removed excessive workflow examples and diagrams
- Cut hundreds of lines of verbose explanations
- Kept only essential orchestration pattern
- Focus on GitHub Actions + agent coordination
- Added clear pattern visualization

RESULT: All exercises now:
✅ Precise and crisp (no fluff)
✅ Focus on hands-on execution
✅ Use current working tools (Copilot CLI, Python agents, GitHub Actions)
✅ Easy to follow for busy practitioners
✅ Complete in actual stated time (15-20 min each)
ISSUE DIAGNOSED & FIXED:
User feedback: 'You're forgetting the main idea behind this workshop'
Problem: Over-condensing exercises lost the agent creation/modification focus
Previous state: Exercises only showed how to RUN agents, not BUILD them
New state: Exercises teach USE → UNDERSTAND → MODIFY → BUILD agents

EXERCISES COMPLETELY REDESIGNED:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Exercise 1 (Security Review) - ENHANCED:
✅ Added 'Agent Deep Dive' showing baseline-checker.py internals
✅ Explained regex patterns for SQL injection, XSS, secrets
✅ Added 'Hands-On: Modify Patterns' to enhance agent detection
✅ Show participants HOW agents work (not just that they work)

Exercise 2 (Supply Chain) - ENHANCED:
✅ Added 'Agent Deep Dive' showing dependency-scout.py CVE logic
✅ Explained vulnerability database architecture
✅ Added hands-on: extend CVE database with new entries
✅ Taught participants to CUSTOMIZE agent behavior

Exercise 3 (Secrets) - ENHANCED:
✅ Added 'Agent Deep Dive' showing entropy calculation + patterns
✅ Explained two detection methods: Pattern matching + Entropy
✅ Added hands-on: add new credential patterns (GitHub token, Stripe)
✅ Participants learn credential detection techniques

Exercise 4 (SDLC Automation) - COMPLETELY REWRITTEN:
✅ Added 'Agent Orchestration Pattern' showing data flow
✅ Explained JSON data passing between agents
✅ Added hands-on: modify policy to block HIGH severity
✅ Showed real agent chaining architecture (not theory)

Exercise 5 (NEW - BONUS) - TEACHES AGENT CREATION:
✅ Complete agent template with explanations
✅ Step-by-step: build database-encryption-checker agent
✅ Teach agent anatomy: input → detect → output → exit code
✅ Teach composition: how agents call other agents
✅ Show advanced: composite agents orchestrating 3+ agents
✅ Demonstrates patterns that work in production

README & LEARNING PATHS - UPDATED:
✅ Fixed objectives to emphasize BUILDING agents (not using)
✅ Added Exercise 5 to table + clear difficulty progression
✅ Created 3 learning paths:
   - Beginner: Learn to USE agents (60 min)
   - Intermediate: Understand & MODIFY agents (100 min)
   - Advanced: BUILD YOUR OWN agents (150 min)
✅ Added 'What You'll Build' section showing agent pattern
✅ Clarified this teaches CUSTOM PYTHON AGENTS (not aspirational frameworks)

CORE VALUE PROPOSITION RESTORED:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Workshop now teaches:
1. How to USE Copilot CLI for analysis (Ex 1)
2. How agents DETECT vulnerabilities (Ex 1-3 deep dives)
3. How to MODIFY detection patterns (Ex 1-3 hands-on)
4. How to BUILD custom agents (Ex 5)
5. How to ORCHESTRATE agents in CI/CD (Ex 4-5)

This is what participants getting:
- ✅ Real working Python agents (not vaporware)
- ✅ Agent internals explained with real code
- ✅ Hands-on modification of existing agents
- ✅ Complete template for building new agents
- ✅ Production-ready patterns for agent composition

WORKSHOP QUALITY METRICS:
✅ Honest about what actually works (Copilot CLI, Python, GitHub Actions)
✅ Each exercise shows source code to participants
✅ Hands-on in every exercise (not just reading)
✅ Learn by doing + understanding internals
✅ Extensible - participants can build their own
Addressed user question: 'So far agents as .md, you created .py - does it work?'

CLARITY PROVIDED:
✅ YES - Agents ARE real Python executable scripts (.py files)
✅ YES - They DO work (tested: python baseline-checker.py works)
✅ YES - Copilot CLI CAN help create them via prompts
✅ YES - They output valid JSON for CI/CD orchestration

CLARIFIED THE PATTERN:
Not a complex 'agent framework' or SDK:
  Input → Scan (regex/logic) → JSON → Exit code → GitHub Actions

UPDATED EXERCISE 5:
- Added 'Important Clarity' section explaining what agents really are
- Changed Step 1 from 'copy-paste code' to 'Use Copilot CLI to generate'
- Show workflow: Launch copilot → prompt → get code → save → test
- This teaches participants to CREATE agents, not copy templates

PROVEN WORKING:
- Ran baseline-checker.py on SecureTrails vulnerable app
- Agent successfully detected vulnerabilities
- Output valid JSON with findings
- Ready for GitHub Actions integration

KEY INSIGHT:
This is better than aspirational SDK frameworks because:
✓ Simple Python scripts anyone can read/modify
✓ No framework/vendor lock-in
✓ Easy for Copilot to generate/improve
✓ Production-proven pattern
✓ Composable with simple piping
…ystem Approach

USER DECISION: Option 3 - Show the complete security automation ecosystem

NEW WORKSHOP FOCUS:
✅ GitHub NATIVE Security (GHAS, CodeQL, secret scanning, Dependabot)
✅ Copilot CLI Interactive Analysis (for real-time security review)
✅ Custom Detection Tools (Python-based extensions when GHAS insufficient)
✅ GitHub Actions Orchestration (bringing all three together)

WHAT THIS MEANS:
- Be HONEST about what's GitHub's built-in vs what we're building
- Stop using 'agents' terminology for custom Python scripts
- Clear 'NATIVE' vs 'CUSTOM' labeling throughout workshops
- Teach when to use each tool in real security scenarios

EXERCISES WILL BE REDESIGNED:
Ex0: Setup
Ex1: GitHub NATIVE GHAS features (CodeQL, secrets, Dependabot ONLY)
Ex2: Copilot CLI for INTERACTIVE analysis (real conversations)
Ex3: Custom detection tools (be honest these are extensions)
Ex4: GitHub Actions integration (orchestrate all components)
Ex5: Real-world ecosystem scenario (all 4 working together)

RATIONALE:
This approach:
✓ Shows what GitHub provides free (enterprise-ready)
✓ Shows how Copilot CLI adds interactive analysis dimension
✓ Teaches building extensions when native insufficient
✓ Integrates everything into production workflow
✓ Is completely honest - no aspirational frameworks
✓ Teaches real security automation that works in 2026

STATUS:
✓ Direction finalized
✓ Redesign plan saved to memory
✓ README updated with honest direction
⏳ Next: Rewrite exercises following ecosystem pattern
MAJOR CHANGE: Exercise 1 now focuses ONLY on GitHub's built-in GHAS features

SCOPE CHANGE:
❌ REMOVED: Copilot CLI interactive analysis (moved to Exercise 2)
❌ REMOVED: Custom Python agents/detection tools (moved to Exercise 3)
✅ ADDED: CodeQL automatic scanning
✅ ADDED: Secret Scanning built-in patterns
✅ ADDED: Dependabot vulnerability alerts
✅ ADDED: GitHub Security tab navigation

NEW EXERCISE STRUCTURE:
Step 1: Enable GitHub Advanced Security (GHAS)
Step 2: Run CodeQL Analysis (finds code vulnerabilities)
Step 3: Review CodeQL Results (SQL injection, XSS, weak crypto)
Step 4: Review Secret Scanning (hardcoded credentials)
Step 5: Review Dependabot Alerts (vulnerable packages)
Step 6: Create GitHub issue from all findings

FINDINGS SHOWN (Real, from SecureTrails vulnerable app):
- CodeQL: SQL injection, XSS, weak cryptography (GITHUB FINDS THESE)
- Secrets: GitHub tokens, AWS keys, DB passwords (GITHUB FINDS THESE)
- Dependabot: Flask 1.1.0 (2 CVEs), SQLAlchemy 1.3.0 (1 CVE), requests 2.24.0 (1 CVE)

KEY MESSAGE:
'GitHub provides these security features FOR FREE. Understand what's native
before building custom tools. This is Exercise 1 - GitHub capabilities alone.'

TERMINOLOGY:
✅ No 'agents' - no custom tools yet
✅ No Copilot CLI - that's Exercise 2
✅ Pure GitHub features - what comes built-in

NEXT EXERCISES:
Exercise 2: Copilot CLI interactive analysis (real-time, conversational)
Exercise 3: Custom detection tools (when GitHub GHAS isn't enough)
Exercise 4: GitHub Actions orchestration (combine all three)
Exercise 5: End-to-end ecosystem (real scenario)
Hemavathi15sg and others added 21 commits February 23, 2026 16:59
Bumps [requests](https://github.com/psf/requests) from 2.24.0 to 2.33.0.
- [Release notes](https://github.com/psf/requests/releases)
- [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md)
- [Commits](psf/requests@v2.24.0...v2.33.0)

---
updated-dependencies:
- dependency-name: requests
  dependency-version: 2.33.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels Mar 25, 2026
@dependabot @github

dependabot Bot commented on behalf of github Apr 10, 2026

Copy link
Copy Markdown
Author

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot Bot deleted the dependabot/pip/apps/securetrails-vulnerable/requests-2.33.0 branch April 10, 2026 20:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file python Pull requests that update python code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant