Bump requests to 2.33.0 #70
Merged
LGTM. Tested locally with local backend build. Working as expected. Used pinterest/granulate-utils#6 alongside this one to validate. Once this is on review mode I'll approve it.
Pins requests==2.33.0 (was ==2.32.4) to pick up the upstream fix for CVE-2024-47081 (.netrc credential leak via crafted URLs). This PR is self-contained: a fresh `pip install -r requirements.txt` resolves cleanly after merge.

Changes:
- requirements.txt: requests==2.32.4 -> 2.33.0
- granulate-utils submodule pointer: d57bcd0 -> 094d4116
  Advances to pinterest/granulate-utils@master following pinterest/granulate-utils#6, which bumped granulate-utils to `requests~=2.33.0`. Without this advance the submodule would continue to pin `~=2.32.4` and pip would report a resolver conflict against the new top-level pin.
- .gitmodules: corrects the URL to pinterest/granulate-utils. The pinned commit (and every Pinterest-only commit since this fork diverged from intel) lives on pinterest/granulate-utils, not intel. Before this fix, a fresh `git clone --recurse-submodules` of master could not check out the submodule, since the pinned commit isn't reachable from intel's master.

Co-authored-by: Cursor <cursoragent@cursor.com>
dd2f02b to 2867301
artursarlo approved these changes May 13, 2026
artursarlo left a comment
LGTM. As mentioned here: #70 (comment)
Summary
Pins top-level `requests==2.33.0` (was `==2.32.4`) to pick up the upstream fix for CVE-2024-47081 (.netrc credential leak via crafted URLs).
Why this is narrow
The `granulate-utils` submodule pinned at the current commit ships `requests~=2.32.4`, so it specifies an incompatible range with `==2.33.0`. Aligning that submodule requires a coordinated bump on the `granulate-utils` side first. This PR keeps scope tight — top-level `requirements.txt` only — to make the intent reviewable in isolation.
Test plan
- `requirements.txt` patched to `requests~=2.33.0` (the exact patch will land via the follow-up).
- `pip install -r requirements.txt` resolves cleanly under that combination.
- `requests` are API-compatible with 2.33.x (no removed/renamed symbols on the surfaces we use).
- `scripts/build_x86_64_executable.sh`) succeeds against this combination.
CVE
`requests<2.32.5` may leak `.netrc` credentials through trusted-host URL parsing.
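
An added example, not code from this PR or from either repository: a pre-merge check for the pin conflict described under "Why this is narrow", comparing an exact top-level `==` pin against a dependency's PEP 440 compatible-release (`~=`) range. The function names and the sample requirement lines are constructed for illustration, and only `==` and `~=` with plain numeric versions are handled.

```python
import re

# Matches lines such as "requests==2.33.0" or "requests~=2.32.4  # comment".
_REQ = re.compile(r"^\s*([A-Za-z0-9._-]+)\s*(==|~=)\s*([0-9]+(?:\.[0-9]+)*)\s*(?:#.*)?$")


def parse_pins(text):
    """Return {normalized_name: (operator, release_tuple)} for == and ~= lines."""
    pins = {}
    for line in text.splitlines():
        m = _REQ.match(line)
        if m:
            name = re.sub(r"[-_.]+", "-", m.group(1)).lower()
            pins[name] = (m.group(2), tuple(int(p) for p in m.group(3).split(".")))
    return pins


def _pad(a, b):
    """Zero-pad release tuple a to the length of the longer of a and b."""
    return a + (0,) * (max(len(a), len(b)) - len(a))


def satisfies(version, op, spec):
    """PEP 440: '~=X.Y.Z' means '>=X.Y.Z, ==X.Y.*'; '==' is an exact match."""
    v, s = _pad(version, spec), _pad(spec, version)
    if op == "==":
        return v == s
    if len(spec) < 2:
        raise ValueError("~= needs at least two release segments")
    return v[:len(spec) - 1] == spec[:-1] and v >= s


def conflicts(top_level, dependency):
    """Packages whose exact top-level pin falls outside the dependency's range."""
    top, dep = parse_pins(top_level), parse_pins(dependency)
    return sorted(
        name for name, (op, ver) in top.items()
        if op == "==" and name in dep and not satisfies(ver, *dep[name])
    )


# Constructed sample inputs mirroring the pins named in the PR description.
TOP_LEVEL = "requests==2.33.0\n"
SUBMODULE_OLD = "requests~=2.32.4\n"
SUBMODULE_NEW = "requests~=2.33.0\n"

if __name__ == "__main__":
    print("old submodule pin conflicts:", conflicts(TOP_LEVEL, SUBMODULE_OLD))
    print("new submodule pin conflicts:", conflicts(TOP_LEVEL, SUBMODULE_NEW))
```

Run against the real requirements files in CI, a non-empty result flags the mismatch before pip's resolver does.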