Sourced from requests's releases.

v2.31.0

2.31.0 (2023-05-22)

Security

- Versions of Requests between v2.3.0 and v2.30.0 are vulnerable to potential forwarding of Proxy-Authorization headers to destination servers when following HTTPS redirects.

  When proxies are defined with user info (https://user:pass@proxy:8080), Requests will construct a Proxy-Authorization header that is attached to the request to authenticate with the proxy.

  In cases where Requests receives a redirect response, it previously reattached the Proxy-Authorization header incorrectly, resulting in the value being sent through the tunneled connection to the destination server. Users who rely on defining their proxy credentials in the URL are strongly encouraged to upgrade to Requests 2.31.0+ to prevent unintentional leakage and rotate their proxy credentials once the change has been fully deployed.

  Users who do not use a proxy or do not supply their proxy credentials through the user information portion of their proxy URL are not subject to this vulnerability.

  Full details can be read in our Github Security Advisory and CVE-2023-32681.

v2.30.0

2.30.0 (2023-05-03)

Dependencies

- ⚠️ Added support for urllib3 2.0. ⚠️

  This may contain minor breaking changes so we advise careful testing and reviewing https://urllib3.readthedocs.io/en/latest/v2-migration-guide.html prior to upgrading.

  Users who wish to stay on urllib3 1.x can pin to urllib3<2.

v2.29.0

2.29.0 (2023-04-26)

Improvements

... (truncated)

Sourced from requests's changelog.

2.31.0 (2023-05-22)

Security

- Versions of Requests between v2.3.0 and v2.30.0 are vulnerable to potential forwarding of Proxy-Authorization headers to destination servers when following HTTPS redirects.

  When proxies are defined with user info (https://user:pass@proxy:8080), Requests will construct a Proxy-Authorization header that is attached to the request to authenticate with the proxy.

  In cases where Requests receives a redirect response, it previously reattached the Proxy-Authorization header incorrectly, resulting in the value being sent through the tunneled connection to the destination server. Users who rely on defining their proxy credentials in the URL are strongly encouraged to upgrade to Requests 2.31.0+ to prevent unintentional leakage and rotate their proxy credentials once the change has been fully deployed.

  Users who do not use a proxy or do not supply their proxy credentials through the user information portion of their proxy URL are not subject to this vulnerability.

  Full details can be read in our Github Security Advisory and CVE-2023-32681.

2.30.0 (2023-05-03)

Dependencies

- ⚠️ Added support for urllib3 2.0. ⚠️

  This may contain minor breaking changes so we advise careful testing and reviewing https://urllib3.readthedocs.io/en/latest/v2-migration-guide.html prior to upgrading.

  Users who wish to stay on urllib3 1.x can pin to urllib3<2.

2.29.0 (2023-04-26)

Improvements

- Requests now defers chunked requests to the urllib3 implementation to improve standardization. (#6226)
- Requests relaxes header component requirements to support bytes/str subclasses. (#6356)

2.28.2 (2023-01-12)

... (truncated)

- 147c851 v2.31.0
- 74ea7cf Merge pull request from GHSA-j8r2-6x86-q33q
- 3022253 test on pypy 3.8 and pypy 3.9 on windows and macos (#6424)
- b639e66 test on py3.12 (#6448)
- d3d5044 Fixed a small typo (#6452)
- 2ad18e0 v2.30.0
- f2629e9 Remove strict parameter (#6434)
- 87d63de v2.29.0
- 51716c4 enable the warnings plugin (#6416)
- a7da1ab try on ubuntu 22.04 (#6418)
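
The 2.31.0 security note names two conditions for exposure: a Requests version in the affected range and a proxy URL that carries user info. The following triage check for both is an added example, not code from the Requests project; the function names and the sample proxy mapping are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Affected range as stated in the 2.31.0 release note: v2.3.0 through v2.30.0.
FIRST_AFFECTED, LAST_AFFECTED = (2, 3, 0), (2, 30, 0)


def parse_version(version):
    """Return the leading numeric release as a 3-tuple, e.g. '2.28.2' -> (2, 28, 2)."""
    match = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part or 0) for part in match.groups())


def is_affected_version(version):
    return FIRST_AFFECTED <= parse_version(version) <= LAST_AFFECTED


def proxies_with_userinfo(proxies):
    """Return {key: redacted_url} for proxy URLs that embed credentials."""
    flagged = {}
    for key, url in proxies.items():
        parts = urlsplit(url if "://" in url else "http://" + url)
        if parts.username is None and parts.password is None:
            continue  # no user info portion, so no header is built from the URL
        host = parts.hostname or ""
        if ":" in host:  # IPv6 literal: restore the brackets urlsplit removed
            host = f"[{host}]"
        port = f":{parts.port}" if parts.port else ""
        flagged[key] = f"{parts.scheme}://<redacted>@{host}{port}"
    return flagged


def assess(version, proxies):
    """Exposed only when both conditions from the release note hold."""
    flagged = proxies_with_userinfo(proxies)
    affected = is_affected_version(version)
    return {"affected_version": affected,
            "credentialed_proxies": flagged,
            "exposed": affected and bool(flagged)}


if __name__ == "__main__":
    # Constructed sample; in practice pass requests.__version__ and the
    # proxies mapping (or HTTP_PROXY / HTTPS_PROXY values) actually in use.
    sample = {"https": "https://user:pass@proxy:8080", "http": "http://proxy:3128"}
    print(assess("2.28.2", sample))
```

Any entry listed under credentialed_proxies on an affected version is a credential to rotate after the upgrade, as the release note advises.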