Merge branch 'psf:main' into fix-ipv6-parsing

Author: ani-sinha

.github/workflows/codeql-analysis.yml

@@ -45,7 +45,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5
+      uses: github/codeql-action/init@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # v3.29.0
       with:
         languages: "python"
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -56,7 +56,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5
+      uses: github/codeql-action/autobuild@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # v3.29.0
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -70,4 +70,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5
+      uses: github/codeql-action/analyze@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # v3.29.0

.github/workflows/lint.yml

@@ -7,13 +7,13 @@ permissions:
 
 jobs:
   lint:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 10
 
     steps:
     - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
     - name: Set up Python
-      uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
       with:
         python-version: "3.x"
     - name: Run pre-commit

.github/workflows/publish.yml

@@ -0,0 +1,89 @@
+name: Publish to PyPI
+
+on:
+  push:
+    tags:
+      - "v*"
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    name: "Build dists"
+    runs-on: "ubuntu-latest"
+    environment:
+      name: "publish"
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
+
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
+      - name: "Checkout repository"
+        uses: "actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683"
+
+      - name: "Setup Python"
+        uses: "actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065"
+        with:
+          python-version: "3.x"
+
+      - name: "Install dependencies"
+        run: python -m pip install build==0.8.0
+
+      - name: "Build dists"
+        run: |
+          SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct) \
+          python -m build
+
+      - name: "Generate hashes"
+        id: hash
+        run: |
+          cd dist && echo "::set-output name=hashes::$(sha256sum * | base64 -w0)"
+
+      - name: "Upload dists"
+        uses: "actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02"
+        with:
+          name: "dist"
+          path: "dist/"
+          if-no-files-found: error
+          retention-days: 5
+
+  provenance:
+    needs: [build]
+    permissions:
+      actions: read
+      contents: write
+      id-token: write # Needed to access the workflow's OIDC identity.
+    uses: "slsa-framework/slsa-github-generator/.github/workflows/[email protected]"
+    with:
+      base64-subjects: "${{ needs.build.outputs.hashes }}"
+      upload-assets: true
+      compile-generator: true # Workaround for https://github.com/slsa-framework/slsa-github-generator/issues/1163
+
+  publish:
+    name: "Publish"
+    if: startsWith(github.ref, 'refs/tags/')
+    needs: ["build", "provenance"]
+    permissions:
+      contents: write
+      id-token: write
+    runs-on: "ubuntu-latest"
+
+    steps:
+    - name: Harden the runner (Audit all outbound calls)
+      uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+      with:
+        egress-policy: audit
+
+    - name: "Download dists"
+      uses: "actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093"
+      with:
+        name: "dist"
+        path: "dist/"
+
+    - name: "Publish dists to PyPI"
+      uses: "pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc"

.github/workflows/run-tests.yml

@@ -12,13 +12,17 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        python-version: ["3.8", "3.9", "3.10", "3.11", "3.12", "3.13", "pypy-3.9", "pypy-3.10"]
+        python-version: ["3.8", "3.9", "3.10", "3.11", "3.12", "3.13", "pypy-3.10", "pypy-3.11"]
         os: [ubuntu-22.04, macOS-latest, windows-latest]
+        # Pypy-3.11 can't install openssl-sys with rust
+        # which prevents us from testing in GHA.
+        exclude:
+        - { python-version: "pypy-3.11", os: "windows-latest" }
 
     steps:
     - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
     - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
       with:
         python-version: ${{ matrix.python-version }}
         cache: 'pip'
@@ -39,7 +43,7 @@ jobs:
     steps:
       - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938
       - name: 'Set up Python 3.8'
-        uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065
         with:
           python-version: '3.8'
       - name: Install dependencies
@@ -59,7 +63,7 @@ jobs:
     steps:
       - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938
       - name: 'Set up Python 3.8'
-        uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065
         with:
           python-version: '3.8'
       - name: Install dependencies

HISTORY.md

@@ -6,6 +6,22 @@ dev
 
 - \[Short description of non-trivial change.\]
 
+2.32.4 (2025-06-10)
+-------------------
+
+**Security**
+- CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted
+  environment will retrieve credentials for the wrong hostname/machine from a
+  netrc file.
+
+**Improvements**
+- Numerous documentation improvements
+
+**Deprecations**
+- Added support for pypy 3.11 for Linux and macOS.
+- Dropped support for pypy 3.9 following its end of support.
+
+
 2.32.3 (2024-05-29)
 -------------------
 

Makefile

@@ -16,10 +16,13 @@ flake8:
 coverage:
 	python -m pytest --cov-config .coveragerc --verbose --cov-report term --cov-report xml --cov=src/requests tests
 
-publish:
-	python -m pip install 'twine>=1.5.0'
-	python setup.py sdist bdist_wheel
-	twine upload dist/*
+.publishenv:
+	python -m venv .publishenv
+	.publishenv/bin/pip install 'twine>=1.5.0' build
+
+publish: .publishenv
+	.publishenv/bin/python -m build
+	.publishenv/bin/python -m twine upload --skip-existing dist/*
 	rm -fr build dist .egg requests.egg-info
 
 docs:

README.md

@@ -60,7 +60,7 @@ Requests is ready for the demands of building robust and reliable HTTP–speakin
 ## Cloning the repository
 
 When cloning the Requests repository, you may need to add the `-c
-fetch.fsck.badTimezone=ignore` flag to avoid an error about a bad commit (see
+fetch.fsck.badTimezone=ignore` flag to avoid an error about a bad commit timestamp (see
 [this issue](https://github.com/psf/requests/issues/2690) for more background):
 
 ```shell

docs/conf.py

@@ -58,7 +58,7 @@
 
 # General information about the project.
 project = u"Requests"
-copyright = u'MMXVIX. A <a href="https://kenreitz.org/projects">Kenneth Reitz</a> Project'
+copyright = u'MMXVIX. A Kenneth Reitz Project'
 author = u"Kenneth Reitz"
 
 # The version info for the project you're documenting, acts as replacement for

docs/dev/contributing.rst

@@ -22,19 +22,17 @@ The guide is split into sections based on the type of contribution you're
 thinking of making, with a section that covers general guidelines for all
 contributors.
 
-Be Cordial
-----------
+Code of Conduct
+---------------
 
-    **Be cordial or be on your way**. *—Kenneth Reitz*
+The Python community is made up of members from around the globe with a diverse
+set of skills, personalities, and experiences. It is through these differences
+that our community experiences great successes and continued growth. When you're
+working with members of the community, follow the
+`Python Software Foundation Code of Conduct`_ to help steer your interactions
+and keep Python a positive, successful, and growing community.
 
-Requests has one very important rule governing all forms of contribution,
-including reporting bugs or requesting features. This golden rule is
-"`be cordial or be on your way`_".
-
-**All contributions are welcome**, as long as
-everyone involved is treated with respect.
-
-.. _be cordial or be on your way: https://kenreitz.org/essays/2013/01/27/be-cordial-or-be-on-your-way
+.. _Python Software Foundation Code of Conduct: https://policies.python.org/python.org/code-of-conduct/
 
 .. _early-feedback:
 

docs/user/advanced.rst

@@ -969,11 +969,9 @@ Requests will automatically parse these link headers and make them easily consum
 Transport Adapters
 ------------------
 
-As of v1.0.0, Requests has moved to a modular internal design. Part of the
-reason this was done was to implement Transport Adapters, originally
-`described here`_. Transport Adapters provide a mechanism to define interaction
-methods for an HTTP service. In particular, they allow you to apply per-service
-configuration.
+As of v1.0.0, Requests has moved to a modular internal design using Transport
+Adapters. These objects provide a mechanism to define interaction methods for an
+HTTP service. In particular, they allow you to apply per-service configuration.
 
 Requests ships with a single Transport Adapter, the :class:`HTTPAdapter
 <requests.adapters.HTTPAdapter>`. This adapter provides the default Requests
@@ -1053,7 +1051,6 @@ backoff, within a Requests :class:`Session <requests.Session>` using the
     )
     s.mount('https://', HTTPAdapter(max_retries=retries))
 
-.. _`described here`: https://kenreitz.org/essays/2012/06/14/the-future-of-python-http
 .. _`urllib3`: https://github.com/urllib3/urllib3
 .. _`urllib3.util.Retry`: https://urllib3.readthedocs.io/en/stable/reference/urllib3.util.html#urllib3.util.Retry
 

docs/user/authentication.rst

@@ -44,6 +44,16 @@ set with `headers=`.
 If credentials for the hostname are found, the request is sent with HTTP Basic
 Auth.
 
+Requests will search for the netrc file at `~/.netrc`, `~/_netrc`, or at the path
+specified by the `NETRC` environment variable. `~` denotes the user's home
+directory, which is `$HOME` on Unix based systems and `%USERPROFILE%` on Windows.
+
+Usage of netrc file can be disabled by setting `trust_env` to `False` in the
+Requests session::
+
+    >>> s = requests.Session()
+    >>> s.trust_env = False
+    >>> s.get('https://httpbin.org/basic-auth/user/pass')
 
 Digest Authentication
 ---------------------

docs/user/quickstart.rst

@@ -222,6 +222,7 @@ Note: Custom headers are given less precedence than more specific sources of inf
   are specified in ``.netrc``, which in turn will be overridden by the  ``auth=``
   parameter. Requests will search for the netrc file at `~/.netrc`, `~/_netrc`,
   or at the path specified by the `NETRC` environment variable.
+  Check details in :ref:`netrc authentication <authentication>`.
 * Authorization headers will be removed if you get redirected off-host.
 * Proxy-Authorization headers will be overridden by proxy credentials provided in the URL.
 * Content-Length headers will be overridden when we can determine the length of the content.

src/requests/__version__.py

@@ -5,8 +5,8 @@
 __title__ = "requests"
 __description__ = "Python HTTP for Humans."
 __url__ = "https://requests.readthedocs.io"
-__version__ = "2.32.3"
-__build__ = 0x023203
+__version__ = "2.32.4"
+__build__ = 0x023204
 __author__ = "Kenneth Reitz"
 __author_email__ = "[email protected]"
 __license__ = "Apache-2.0"