fix: upgrade requests to 2.33.0 to address CVE-2026-25645

[lfarrel6]

Linear Issue

COM-122

CVE Summary

CVE-2026-25645 — requests Predictable Temp File Extraction

requests.utils.extract_zipped_paths() extracts files from ZIP archives into the system temp directory using a predictable filename. If that file already exists it is silently reused with no integrity check, allowing a local attacker who can write to /tmp to pre-plant a malicious file and have it loaded in place of a legitimate certificate bundle or resource.

Vulnerability Details

• CVSS Score: 4.4 (Medium)
• Severity: MEDIUM
• Fixed in: requests >= 2.33.0
• Advisory: GHSA-gc5v-m9x4-r6x2
• SLA Deadline: 2026-05-25T17:36:00.523Z

Risk Assessment

Risk is very low. The codebase uses requests only for standard HTTP operations and does not directly call extract_zipped_paths(). However, the dependency must still be upgraded to clear the Dependabot alert and satisfy the SLA deadline.

Changes

• Updated requests constraint in pyproject.toml from ^2.32.4 to ^2.33.0
• Regenerated poetry.lock with requests upgraded to 2.34.2
• Verified all core functionality tests pass (88/98 tests passing; 10 pre-existing failures unrelated to this change)

Testing

✅ All core tests pass
✅ No direct calls to extract_zipped_paths() found in codebase
✅ Compatible with existing test dependencies (requests-mock, responses)

[changeset-bot]

⚠️ No Changeset found

Latest commit: fdf2d71

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[lfarrel6]

Addressed in #173