Merge branch 'main' into fix/stringio-content-length-warning

veeceey · web-flow · commit 20d9eef29eb1 · 2026-02-18T21:21:34.000-08:00
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -0,0 +1,8 @@
+# Restrict all files related to deploying to
+# require lead maintainer approval.
+
+.github/workflows/            @nateprewitt @sigmavirus24
+.github/CODEOWNERS            @nateprewitt @sigmavirus24
+src/requests/__version__.py   @nateprewitt @sigmavirus24
+HISTORY.md                    @nateprewitt @sigmavirus24
+pyproject.toml                @nateprewitt @sigmavirus24
diff --git a/.github/workflows/lock-issues.yml b/.github/workflows/lock-issues.yml
@@ -13,7 +13,7 @@ jobs:
     if: github.repository_owner == 'psf'
     runs-on: ubuntu-latest
     steps:
-      - uses: dessant/lock-threads@d42e5f49803f3c4e14ffee0378e31481265dda22 # v5.0.0
+      - uses: dessant/lock-threads@7266a7ce5c1df01b1c6db85bf8cd86c737dadbe7 # v6.0.0
         with:
             issue-lock-inactive-days: 90
             pr-lock-inactive-days: 90
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -4,6 +4,12 @@ on:
   push:
     tags:
       - "v*"
+  workflow_dispatch:
+    inputs:
+      test-pypi-only:
+        description: "Publish to Test PyPI only"
+        type: boolean
+        default: true
 
 permissions:
   contents: read
@@ -12,41 +18,28 @@ jobs:
   build:
     name: "Build dists"
     runs-on: "ubuntu-latest"
-    environment:
-      name: "publish"
     outputs:
-      hashes: ${{ steps.hash.outputs.hashes }}
       artifact-id: ${{ steps.upload-artifact.outputs.artifact-id }}
 
     steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
-        with:
-          egress-policy: audit
-
       - name: "Checkout repository"
-        uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"
+        uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2
         with:
           persist-credentials: false
 
       - name: "Setup Python"
-        uses: "actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405"
+        uses: "actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405" # v6.2.0
         with:
           python-version: "3.x"
 
       - name: "Install dependencies"
-        run: python -m pip install build==0.8.0
+        run: python -m pip install build==1.4.0
 
       - name: "Build dists"
         run: |
           SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct) \
           python -m build
 
-      - name: "Generate hashes"
-        id: hash
-        run: |
-          cd dist && echo "::set-output name=hashes::$(sha256sum * | base64 -w0)"
-
       - name: "Upload dists"
         uses: "actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f"
         id: upload-artifact
@@ -56,38 +49,47 @@ jobs:
           if-no-files-found: error
           retention-days: 5
 
-  provenance:
-    needs: [build]
-    permissions:
-      actions: read
-      contents: write
-      id-token: write # Needed to access the workflow's OIDC identity.
-    uses: "slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0"
-    with:
-      base64-subjects: "${{ needs.build.outputs.hashes }}"
-      upload-assets: true
-      compile-generator: true # Workaround for https://github.com/slsa-framework/slsa-github-generator/issues/1163
-
   publish:
     name: "Publish"
     if: startsWith(github.ref, 'refs/tags/')
-    needs: ["build", "provenance"]
+    needs: ["build"]
     permissions:
-      contents: write
       id-token: write
     runs-on: "ubuntu-latest"
+    environment:
+      name: "publish"
 
     steps:
-    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+    - name: "Download dists"
+      uses: "actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131" # v7.0.0
       with:
-        egress-policy: audit
+        artifact-ids: ${{ needs.build.outputs.artifact-id }}
+        path: "dist/"
+
+    - name: "Publish dists to PyPI"
+      uses: "pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e" # v1.13.0
+      with:
+        attestations: true
+
+  publish-test-pypi:
+    name: "Publish to Test PyPI"
+    if: github.event_name == 'workflow_dispatch'
+    needs: ["build"]
+    permissions:
+      id-token: write
+    runs-on: "ubuntu-latest"
+    environment:
+      name: "testpypi"
 
+    steps:
     - name: "Download dists"
       uses: "actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131" # v7.0.0
       with:
         artifact-ids: ${{ needs.build.outputs.artifact-id }}
         path: "dist/"
 
-    - name: "Publish dists to PyPI"
-      uses: "pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e"
+    - name: "Publish dists to Test PyPI"
+      uses: "pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e" # v1.13.0
+      with:
+        repository-url: https://test.pypi.org/legacy/
+        attestations: true
diff --git a/pyproject.toml b/pyproject.toml
@@ -18,8 +18,8 @@ requires-python = ">=3.10"
 dependencies = [
     "charset_normalizer>=2,<4",
     "idna>=2.5,<4",
-    "urllib3>=1.21.1,<3",
-    "certifi>=2017.4.17"
+    "urllib3>=1.26,<3",
+    "certifi>=2023.5.7"
 ]
 dynamic = ["version"]
 
diff --git a/src/requests/__version__.py b/src/requests/__version__.py
@@ -5,8 +5,8 @@
 __title__ = "requests"
 __description__ = "Python HTTP for Humans."
 __url__ = "https://requests.readthedocs.io"
-__version__ = "2.32.5"
-__build__ = 0x023205
+__version__ = "2.33.0.dev1"
+__build__ = 0x023300
 __author__ = "Kenneth Reitz"
 __author_email__ = "me@kennethreitz.org"
 __license__ = "Apache-2.0"
diff --git a/src/requests/sessions.py b/src/requests/sessions.py
@@ -422,6 +422,8 @@ def __init__(self):
         #: expired certificates, which will make your application vulnerable to
         #: man-in-the-middle (MitM) attacks.
         #: Only set this to `False` for testing.
+        #: If verify is set to a string, it must be the path to a CA bundle file
+        #: that will be used to verify the TLS certificate.
         self.verify = True
 
         #: SSL client certificate default, if String, path to ssl client
diff --git a/src/requests/utils.py b/src/requests/utils.py
@@ -248,7 +248,7 @@ def get_netrc_auth(url, raise_errors=False):
 
         try:
             _netrc = netrc(netrc_path).authenticators(host)
-            if _netrc:
+            if _netrc and any(_netrc):
                 # Return with login / password
                 login_i = 0 if _netrc[0] else 1
                 return (_netrc[login_i], _netrc[2])
diff --git a/tests/test_utils.py b/tests/test_utils.py
@@ -194,6 +194,16 @@ def test_not_vulnerable_to_bad_url_parsing(self, tmp_path, monkeypatch):
         auth = get_netrc_auth("http://example.com:@evil.com/&apos;")
         assert auth is None
 
+    def test_empty_default_credentials_ignored(self, tmp_path, monkeypatch):
+        """Empty default credentials should not be returned."""
+        netrc_path = tmp_path / ".netrc"
+        monkeypatch.setenv("NETRC", str(netrc_path))
+        with open(netrc_path, "w") as f:
+            f.write("machine example.com login user password pass\ndefault\n")
+
+        auth = get_netrc_auth("http://httpbin.org/")
+        assert auth is None
+
 
 class TestToKeyValList:
     @pytest.mark.parametrize(
