fix: upgrade requests to >=2.33.0 to remediate CVE-2026-25645#52

Merged
jeanscherf merged 2 commits into main from fix/upgrade-requests-cve-2026-25645
Apr 14, 2026

Conversation

@jeanscherf (Member) commented Apr 14, 2026

Description

Relaxes the requests pin from ~=2.31.0 to >=2.33.0.

The previous pin was vulnerable to CVE-2026-25645 and also created a hard dependency conflict for downstream projects requiring requests>=2.33.0.

Related Issue

Resolves #49 and #53

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update
  • Code refactoring
  • Dependency update

How to Test

  1. pip install sap-cloud-sdk — verify requests>=2.33.0 is resolved
  2. Run unit tests: uv run pytest -m "not integration"
  3. Expected result: all 982 tests pass, no dependency conflicts

Checklist

  • I have read the Contributing Guidelines
  • I have verified that my changes solve the issue
  • All tests pass locally
  • I have verified that my code follows the Code Guidelines
  • My code does not contain sensitive information (credentials, tokens, etc.)
  • I have followed Conventional Commits for commit messages

Additional Notes

Field      Detail
CVE        CVE-2026-25645
Severity   Medium (CVSS 5.5)
Affected   requests < 2.33.0
Fixed in   requests >= 2.33.0
CWE        CWE-377 — Insecure Temporary File

Bumps opentelemetry-exporter-otlp-proto-grpc and opentelemetry-exporter-otlp-proto-http
from ~=1.38.0 to ~=1.41.0 to resolve dependency conflict with sap-ai-agent-evaluation
which requires >=1.40.0.

Closes #44

Relaxes the requests pin from ~=2.31.0 to >=2.33.0. The previous pin was
affected by CVE-2026-25645 (insecure temp file in extract_zipped_paths,
CVSS 5.5) and also blocked downstream projects requiring requests>=2.33.0.

Closes #49
@jeanscherf jeanscherf requested a review from a team as a code owner April 14, 2026 12:50
Contributor

@LucasAlvesSoares LucasAlvesSoares left a comment
[image]

@jeanscherf jeanscherf merged commit 8cacf23 into main Apr 14, 2026
9 of 10 checks passed
@jeanscherf jeanscherf deleted the fix/upgrade-requests-cve-2026-25645 branch April 14, 2026 14:06

Development

Successfully merging this pull request may close these issues.

Security: upgrade requests dependency to >=2.33.0 (CVE-2026-25645)