Changelog
### 2.31.0
```
-------------------
**Security**
- Versions of Requests between v2.3.0 and v2.30.0 are vulnerable to potential
forwarding of `Proxy-Authorization` headers to destination servers when
following HTTPS redirects.
When proxies are defined with user info (https://user:passproxy:8080), Requests
will construct a `Proxy-Authorization` header that is attached to the request to
authenticate with the proxy.
In cases where Requests receives a redirect response, it previously reattached
the `Proxy-Authorization` header incorrectly, resulting in the value being
sent through the tunneled connection to the destination server. Users who rely on
defining their proxy credentials in the URL are *strongly* encouraged to upgrade
to Requests 2.31.0+ to prevent unintentional leakage and rotate their proxy
credentials once the change has been fully deployed.
Users who do not use a proxy or do not supply their proxy credentials through
the user information portion of their proxy URL are not subject to this
vulnerability.
Full details can be read in our [Github Security Advisory](https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q)
and [CVE-2023-32681](https://nvd.nist.gov/vuln/detail/CVE-2023-32681).
```
### 2.30.0
```
-------------------
**Dependencies**
- ⚠️ Added support for urllib3 2.0. ⚠️
This may contain minor breaking changes so we advise careful testing and
reviewing https://urllib3.readthedocs.io/en/latest/v2-migration-guide.html
prior to upgrading.
Users who wish to stay on urllib3 1.x can pin to `urllib3<2`.
```
### 2.29.0
```
-------------------
**Improvements**
- Requests now defers chunked requests to the urllib3 implementation to improve
standardization. (6226)
- Requests relaxes header component requirements to support bytes/str subclasses. (6356)
```
### 2.28.2
```
-------------------
**Dependencies**
- Requests now supports charset\_normalizer 3.x. (6261)
**Bugfixes**
- Updated MissingSchema exception to suggest https scheme rather than http. (6188)
```
### 2.28.1
```
-------------------
**Improvements**
- Speed optimization in `iter_content` with transition to `yield from`. (6170)
**Dependencies**
- Added support for chardet 5.0.0 (6179)
- Added support for charset-normalizer 2.1.0 (6169)
```
### 2.28.0
```
-------------------
**Deprecations**
- ⚠️ Requests has officially dropped support for Python 2.7. ⚠️ (6091)
- Requests has officially dropped support for Python 3.6 (including pypy3.6). (6091)
**Improvements**
- Wrap JSON parsing issues in Request's JSONDecodeError for payloads without
an encoding to make `json()` API consistent. (6097)
- Parse header components consistently, raising an InvalidHeader error in
all invalid cases. (6154)
- Added provisional 3.11 support with current beta build. (6155)
- Requests got a makeover and we decided to paint it black. (6095)
**Bugfixes**
- Fixed bug where setting `CURL_CA_BUNDLE` to an empty string would disable
cert verification. All Requests 2.x versions before 2.28.0 are affected. (6074)
- Fixed urllib3 exception leak, wrapping `urllib3.exceptions.SSLError` with
`requests.exceptions.SSLError` for `content` and `iter_content`. (6057)
- Fixed issue where invalid Windows registry entries caused proxy resolution
to raise an exception rather than ignoring the entry. (6149)
- Fixed issue where entire payload could be included in the error message for
JSONDecodeError. (6036)
```
### 2.27.1
```
-------------------
**Bugfixes**
- Fixed parsing issue that resulted in the `auth` component being
dropped from proxy URLs. (6028)
```
### 2.27.0
```
-------------------
**Improvements**
- Officially added support for Python 3.10. (5928)
- Added a `requests.exceptions.JSONDecodeError` to unify JSON exceptions between
Python 2 and 3. This gets raised in the `response.json()` method, and is
backwards compatible as it inherits from previously thrown exceptions.
Can be caught from `requests.exceptions.RequestException` as well. (5856)
- Improved error text for misnamed `InvalidSchema` and `MissingSchema`
exceptions. This is a temporary fix until exceptions can be renamed
(Schema->Scheme). (6017)
- Improved proxy parsing for proxy URLs missing a scheme. This will address
recent changes to `urlparse` in Python 3.9+. (5917)
**Bugfixes**
- Fixed defect in `extract_zipped_paths` which could result in an infinite loop
for some paths. (5851)
- Fixed handling for `AttributeError` when calculating length of files obtained
by `Tarfile.extractfile()`. (5239)
- Fixed urllib3 exception leak, wrapping `urllib3.exceptions.InvalidHeader` with
`requests.exceptions.InvalidHeader`. (5914)
- Fixed bug where two Host headers were sent for chunked requests. (5391)
- Fixed regression in Requests 2.26.0 where `Proxy-Authorization` was
incorrectly stripped from all requests sent with `Session.send`. (5924)
- Fixed performance regression in 2.26.0 for hosts with a large number of
proxies available in the environment. (5924)
- Fixed idna exception leak, wrapping `UnicodeError` with
`requests.exceptions.InvalidURL` for URLs with a leading dot (.) in the
domain. (5414)
**Deprecations**
- Requests support for Python 2.7 and 3.6 will be ending in 2022. While we
don't have exact dates, Requests 2.27.x is likely to be the last release
series providing support.
```
### 2.26.0
```
-------------------
**Improvements**
- Requests now supports Brotli compression, if either the `brotli` or
`brotlicffi` package is installed. (5783)
- `Session.send` now correctly resolves proxy configurations from both
the Session and Request. Behavior now matches `Session.request`. (5681)
**Bugfixes**
- Fixed a race condition in zip extraction when using Requests in parallel
from zip archive. (5707)
**Dependencies**
- Instead of `chardet`, use the MIT-licensed `charset_normalizer` for Python3
to remove license ambiguity for projects bundling requests. If `chardet`
is already installed on your machine it will be used instead of `charset_normalizer`
to keep backwards compatibility. (5797)
You can also install `chardet` while installing requests by
specifying `[use_chardet_on_py3]` extra as follows:
shell
pip install "requests[use_chardet_on_py3]"
Python2 still depends upon the `chardet` module.
- Requests now supports `idna` 3.x on Python 3. `idna` 2.x will continue to
be used on Python 2 installations. (5711)
**Deprecations**
- The `requests[security]` extra has been converted to a no-op install.
PyOpenSSL is no longer the recommended secure option for Requests. (5867)
- Requests has officially dropped support for Python 3.5. (5867)
```
### 2.25.1
```
-------------------
**Bugfixes**
- Requests now treats `application/json` as `utf8` by default. Resolving
inconsistencies between `r.text` and `r.json` output. (5673)
**Dependencies**
- Requests now supports chardet v4.x.
```
### 2.25.0
```
-------------------
**Improvements**
- Added support for NETRC environment variable. (5643)
**Dependencies**
- Requests now supports urllib3 v1.26.
**Deprecations**
- Requests v2.25.x will be the last release series with support for Python 3.5.
- The `requests[security]` extra is officially deprecated and will be removed
in Requests v2.26.0.
```
### 2.24.0
```
-------------------
**Improvements**
- pyOpenSSL TLS implementation is now only used if Python
either doesn't have an `ssl` module or doesn't support
SNI. Previously pyOpenSSL was unconditionally used if available.
This applies even if pyOpenSSL is installed via the
`requests[security]` extra (5443)
- Redirect resolution should now only occur when
`allow_redirects` is True. (5492)
- No longer perform unnecessary Content-Length calculation for
requests that won't use it. (5496)
```
### 2.23.0
```
-------------------
**Improvements**
- Remove defunct reference to `prefetch` in Session `__attrs__` (5110)
**Bugfixes**
- Requests no longer outputs password in basic auth usage warning. (5099)
**Dependencies**
- Pinning for `chardet` and `idna` now uses major version instead of minor.
This hopefully reduces the need for releases every time a dependency is updated.
```
Links
- PyPI: https://pypi.org/project/requests
- Changelog: https://pyup.io/changelogs/requests/
- Docs: https://requests.readthedocs.io
This PR updates requests from 2.22.0 to 2.31.0.
Changelog
### 2.31.0 ``` ------------------- **Security** - Versions of Requests between v2.3.0 and v2.30.0 are vulnerable to potential forwarding of `Proxy-Authorization` headers to destination servers when following HTTPS redirects. When proxies are defined with user info (https://user:passproxy:8080), Requests will construct a `Proxy-Authorization` header that is attached to the request to authenticate with the proxy. In cases where Requests receives a redirect response, it previously reattached the `Proxy-Authorization` header incorrectly, resulting in the value being sent through the tunneled connection to the destination server. Users who rely on defining their proxy credentials in the URL are *strongly* encouraged to upgrade to Requests 2.31.0+ to prevent unintentional leakage and rotate their proxy credentials once the change has been fully deployed. Users who do not use a proxy or do not supply their proxy credentials through the user information portion of their proxy URL are not subject to this vulnerability. Full details can be read in our [Github Security Advisory](https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q) and [CVE-2023-32681](https://nvd.nist.gov/vuln/detail/CVE-2023-32681). ``` ### 2.30.0 ``` ------------------- **Dependencies** - ⚠️ Added support for urllib3 2.0. ⚠️ This may contain minor breaking changes so we advise careful testing and reviewing https://urllib3.readthedocs.io/en/latest/v2-migration-guide.html prior to upgrading. Users who wish to stay on urllib3 1.x can pin to `urllib3<2`. ``` ### 2.29.0 ``` ------------------- **Improvements** - Requests now defers chunked requests to the urllib3 implementation to improve standardization. (6226) - Requests relaxes header component requirements to support bytes/str subclasses. (6356) ``` ### 2.28.2 ``` ------------------- **Dependencies** - Requests now supports charset\_normalizer 3.x. (6261) **Bugfixes** - Updated MissingSchema exception to suggest https scheme rather than http. (6188) ``` ### 2.28.1 ``` ------------------- **Improvements** - Speed optimization in `iter_content` with transition to `yield from`. (6170) **Dependencies** - Added support for chardet 5.0.0 (6179) - Added support for charset-normalizer 2.1.0 (6169) ``` ### 2.28.0 ``` ------------------- **Deprecations** - ⚠️ Requests has officially dropped support for Python 2.7. ⚠️ (6091) - Requests has officially dropped support for Python 3.6 (including pypy3.6). (6091) **Improvements** - Wrap JSON parsing issues in Request's JSONDecodeError for payloads without an encoding to make `json()` API consistent. (6097) - Parse header components consistently, raising an InvalidHeader error in all invalid cases. (6154) - Added provisional 3.11 support with current beta build. (6155) - Requests got a makeover and we decided to paint it black. (6095) **Bugfixes** - Fixed bug where setting `CURL_CA_BUNDLE` to an empty string would disable cert verification. All Requests 2.x versions before 2.28.0 are affected. (6074) - Fixed urllib3 exception leak, wrapping `urllib3.exceptions.SSLError` with `requests.exceptions.SSLError` for `content` and `iter_content`. (6057) - Fixed issue where invalid Windows registry entries caused proxy resolution to raise an exception rather than ignoring the entry. (6149) - Fixed issue where entire payload could be included in the error message for JSONDecodeError. (6036) ``` ### 2.27.1 ``` ------------------- **Bugfixes** - Fixed parsing issue that resulted in the `auth` component being dropped from proxy URLs. (6028) ``` ### 2.27.0 ``` ------------------- **Improvements** - Officially added support for Python 3.10. (5928) - Added a `requests.exceptions.JSONDecodeError` to unify JSON exceptions between Python 2 and 3. This gets raised in the `response.json()` method, and is backwards compatible as it inherits from previously thrown exceptions. Can be caught from `requests.exceptions.RequestException` as well. (5856) - Improved error text for misnamed `InvalidSchema` and `MissingSchema` exceptions. This is a temporary fix until exceptions can be renamed (Schema->Scheme). (6017) - Improved proxy parsing for proxy URLs missing a scheme. This will address recent changes to `urlparse` in Python 3.9+. (5917) **Bugfixes** - Fixed defect in `extract_zipped_paths` which could result in an infinite loop for some paths. (5851) - Fixed handling for `AttributeError` when calculating length of files obtained by `Tarfile.extractfile()`. (5239) - Fixed urllib3 exception leak, wrapping `urllib3.exceptions.InvalidHeader` with `requests.exceptions.InvalidHeader`. (5914) - Fixed bug where two Host headers were sent for chunked requests. (5391) - Fixed regression in Requests 2.26.0 where `Proxy-Authorization` was incorrectly stripped from all requests sent with `Session.send`. (5924) - Fixed performance regression in 2.26.0 for hosts with a large number of proxies available in the environment. (5924) - Fixed idna exception leak, wrapping `UnicodeError` with `requests.exceptions.InvalidURL` for URLs with a leading dot (.) in the domain. (5414) **Deprecations** - Requests support for Python 2.7 and 3.6 will be ending in 2022. While we don't have exact dates, Requests 2.27.x is likely to be the last release series providing support. ``` ### 2.26.0 ``` ------------------- **Improvements** - Requests now supports Brotli compression, if either the `brotli` or `brotlicffi` package is installed. (5783) - `Session.send` now correctly resolves proxy configurations from both the Session and Request. Behavior now matches `Session.request`. (5681) **Bugfixes** - Fixed a race condition in zip extraction when using Requests in parallel from zip archive. (5707) **Dependencies** - Instead of `chardet`, use the MIT-licensed `charset_normalizer` for Python3 to remove license ambiguity for projects bundling requests. If `chardet` is already installed on your machine it will be used instead of `charset_normalizer` to keep backwards compatibility. (5797) You can also install `chardet` while installing requests by specifying `[use_chardet_on_py3]` extra as follows: shell pip install "requests[use_chardet_on_py3]" Python2 still depends upon the `chardet` module. - Requests now supports `idna` 3.x on Python 3. `idna` 2.x will continue to be used on Python 2 installations. (5711) **Deprecations** - The `requests[security]` extra has been converted to a no-op install. PyOpenSSL is no longer the recommended secure option for Requests. (5867) - Requests has officially dropped support for Python 3.5. (5867) ``` ### 2.25.1 ``` ------------------- **Bugfixes** - Requests now treats `application/json` as `utf8` by default. Resolving inconsistencies between `r.text` and `r.json` output. (5673) **Dependencies** - Requests now supports chardet v4.x. ``` ### 2.25.0 ``` ------------------- **Improvements** - Added support for NETRC environment variable. (5643) **Dependencies** - Requests now supports urllib3 v1.26. **Deprecations** - Requests v2.25.x will be the last release series with support for Python 3.5. - The `requests[security]` extra is officially deprecated and will be removed in Requests v2.26.0. ``` ### 2.24.0 ``` ------------------- **Improvements** - pyOpenSSL TLS implementation is now only used if Python either doesn't have an `ssl` module or doesn't support SNI. Previously pyOpenSSL was unconditionally used if available. This applies even if pyOpenSSL is installed via the `requests[security]` extra (5443) - Redirect resolution should now only occur when `allow_redirects` is True. (5492) - No longer perform unnecessary Content-Length calculation for requests that won't use it. (5496) ``` ### 2.23.0 ``` ------------------- **Improvements** - Remove defunct reference to `prefetch` in Session `__attrs__` (5110) **Bugfixes** - Requests no longer outputs password in basic auth usage warning. (5099) **Dependencies** - Pinning for `chardet` and `idna` now uses major version instead of minor. This hopefully reduces the need for releases every time a dependency is updated. ```Links
- PyPI: https://pypi.org/project/requests - Changelog: https://pyup.io/changelogs/requests/ - Docs: https://requests.readthedocs.io