build(deps): bump the pip group across 3 directories with 2 updates

[dependabot]

Bumps the pip group with 1 update in the /config/alternatives directory: requests.
Bumps the pip group with 1 update in the /docs/requirements directory: requests.
Bumps the pip group with 1 update in the /platforms/docker/docker/agents directory: cryptography.

Updates requests from 2.32.4 to 2.33.0

Release notes

Sourced from requests's releases.

v2.33.0

2.33.0 (2026-03-25)

Announcements

• 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security

• CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements

• Migrated to a PEP 517 build system using setuptools. (#7012)

Bugfixes

• Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (#7205)

Deprecations

• Dropped support for Python 3.9 following its end of support. (#7196)

Documentation

• Various typo fixes and doc improvements.

New Contributors

• @​M0d3v1 made their first contribution in psf/requests#6865
• @​aminvakil made their first contribution in psf/requests#7220
• @​E8Price made their first contribution in psf/requests#6960
• @​mitre88 made their first contribution in psf/requests#7244
• @​magsen made their first contribution in psf/requests#6553
• @​Rohan5commit made their first contribution in psf/requests#7227

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2330-2026-03-25

v2.32.5

2.32.5 (2025-08-18)

Bugfixes

• The SSLContext caching feature originally introduced in 2.32.0 has created a new class of issues in Requests that have had negative impact across a number of use cases. The Requests team has decided to revert this feature as long term maintenance of it is proving to be unsustainable in its current iteration.

Deprecations

• Added support for Python 3.14.
• Dropped support for Python 3.8 following its end of support.

Changelog

Sourced from requests's changelog.

2.33.0 (2026-03-25)

Announcements

• 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security

• CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements

• Migrated to a PEP 517 build system using setuptools. (#7012)

Bugfixes

• Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (#7205)

Deprecations

• Dropped support for Python 3.9 following its end of support. (#7196)

Documentation

• Various typo fixes and doc improvements.

2.32.5 (2025-08-18)

Bugfixes

• The SSLContext caching feature originally introduced in 2.32.0 has created a new class of issues in Requests that have had negative impact across a number of use cases. The Requests team has decided to revert this feature as long term maintenance of it is proving to be unsustainable in its current iteration.

Deprecations

• Added support for Python 3.14.
• Dropped support for Python 3.8 following its end of support.

Commits

• bc04dfd v2.33.0
• 66d21cb Merge commit from fork
• 8b9bc8f Move badges to top of README (#7293)
• e331a28 Remove unused extraction call (#7292)
• 753fd08 docs: fix FAQ grammar in httplib2 example
• 774a0b8 docs(socks): same block as other sections
• 9c72a41 Bump github/codeql-action from 4.33.0 to 4.34.1
• ebf7190 Bump github/codeql-action from 4.32.0 to 4.33.0
• 0e4ae38 docs: exclude Response.is_permanent_redirect from API docs (#7244)
• d568f47 docs: clarify Quickstart POST example (#6960)
• Additional commits viewable in compare view

Updates requests from 2.32.4 to 2.33.0

Release notes

Sourced from requests's releases.

v2.33.0

2.33.0 (2026-03-25)

Announcements

• 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security

• CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements

• Migrated to a PEP 517 build system using setuptools. (#7012)

Bugfixes

• Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (#7205)

Deprecations

• Dropped support for Python 3.9 following its end of support. (#7196)

Documentation

• Various typo fixes and doc improvements.

New Contributors

• @​M0d3v1 made their first contribution in psf/requests#6865
• @​aminvakil made their first contribution in psf/requests#7220
• @​E8Price made their first contribution in psf/requests#6960
• @​mitre88 made their first contribution in psf/requests#7244
• @​magsen made their first contribution in psf/requests#6553
• @​Rohan5commit made their first contribution in psf/requests#7227

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2330-2026-03-25

v2.32.5

2.32.5 (2025-08-18)

Bugfixes

• The SSLContext caching feature originally introduced in 2.32.0 has created a new class of issues in Requests that have had negative impact across a number of use cases. The Requests team has decided to revert this feature as long term maintenance of it is proving to be unsustainable in its current iteration.

Deprecations

• Added support for Python 3.14.
• Dropped support for Python 3.8 following its end of support.

Changelog

Sourced from requests's changelog.

2.33.0 (2026-03-25)

Announcements

• 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security

• CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements

• Migrated to a PEP 517 build system using setuptools. (#7012)

Bugfixes

• Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (#7205)

Deprecations

• Dropped support for Python 3.9 following its end of support. (#7196)

Documentation

• Various typo fixes and doc improvements.

2.32.5 (2025-08-18)

Bugfixes

• The SSLContext caching feature originally introduced in 2.32.0 has created a new class of issues in Requests that have had negative impact across a number of use cases. The Requests team has decided to revert this feature as long term maintenance of it is proving to be unsustainable in its current iteration.

Deprecations

• Added support for Python 3.14.
• Dropped support for Python 3.8 following its end of support.

Commits

• bc04dfd v2.33.0
• 66d21cb Merge commit from fork
• 8b9bc8f Move badges to top of README (#7293)
• e331a28 Remove unused extraction call (#7292)
• 753fd08 docs: fix FAQ grammar in httplib2 example
• 774a0b8 docs(socks): same block as other sections
• 9c72a41 Bump github/codeql-action from 4.33.0 to 4.34.1
• ebf7190 Bump github/codeql-action from 4.32.0 to 4.33.0
• 0e4ae38 docs: exclude Response.is_permanent_redirect from API docs (#7244)
• d568f47 docs: clarify Quickstart POST example (#6960)
• Additional commits viewable in compare view

Updates cryptography from 46.0.5 to 46.0.6

Changelog

Sourced from cryptography's changelog.

46.0.6 - 2026-03-25

* **SECURITY ISSUE**: Fixed a bug where name constraints were not applied
  to peer names during verification when the leaf certificate contains a
  wildcard DNS SAN. Ordinary X.509 topologies are not affected by this bug,
  including those used by the Web PKI. Credit to **Oleh Konko (1seal)** for
  reporting the issue. **CVE-2026-34073**
.. _v46-0-5:

Commits

• 91d7288 Cherry-pick #14542 (#14543)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[github-actions]

Dependency Audit Results

# npm audit report

@hono/node-server  <1.19.10
Severity: high
@hono/node-server has authorization bypass for protected static paths via encoded slashes in Serve Static Middleware - https://github.com/advisories/GHSA-wc8c-qw6v-h7f6
fix available via `npm audit fix --force`
Will install prisma@7.6.0, which is outside the stated dependency range
node_modules/@hono/node-server
  @prisma/dev  <=0.22.0
  Depends on vulnerable versions of @hono/node-server
  node_modules/@prisma/dev
    prisma  6.13.0-dev.1 - 7.6.0-integration-feat-prisma-bootstrap.13
    Depends on vulnerable versions of @prisma/config
    Depends on vulnerable versions of @prisma/dev
    node_modules/prisma

basic-ftp  <5.2.0
Severity: critical
Basic FTP has Path Traversal Vulnerability in its downloadToDir() method - https://github.com/advisories/GHSA-5rq4-664w-9x2c
fix available via `npm audit fix`
node_modules/basic-ftp

brace-expansion  <=1.1.12 || 2.0.0 - 2.0.2 || 4.0.0 - 5.0.4
Severity: moderate
brace-expansion: Zero-step sequence causes process hang and memory exhaustion - https://github.com/advisories/GHSA-f886-m6hf-6m8v
brace-expansion: Zero-step sequence causes process hang and memory exhaustion - https://github.com/advisories/GHSA-f886-m6hf-6m8v
brace-expansion: Zero-step sequence causes process hang and memory exhaustion - https://github.com/advisories/GHSA-f886-m6hf-6m8v
fix available via `npm audit fix`
node_modules/@eslint/config-array/node_modules/brace-expansion
node_modules/@eslint/eslintrc/node_modules/brace-expansion
node_modules/brace-expansion
node_modules/eslint-plugin-import/node_modules/brace-expansion
node_modules/eslint-plugin-jsx-a11y/node_modules/brace-expansion
node_modules/eslint-plugin-react/node_modules/brace-expansion
node_modules/eslint/node_modules/brace-expansion
node_modules/readdir-glob/node_modules/brace-expansion
node_modules/test-exclude/node_modules/brace-expansion

dompurify  <=3.3.1
Severity: moderate
DOMPurify is vulnerable to mutation-XSS via Re-Contextualization  - https://github.com/advisories/GHSA-h8r8-wccr-v5f2
DOMPurify contains a Cross-site Scripting vulnerability - https://github.com/advisories/GHSA-v2wj-7wpq-c8vv
fix available via `npm audit fix --force`
Will install monaco-editor@0.53.0, which is a breaking change
node_modules/dompurify
  monaco-editor  >=0.54.0-dev-20250909
  Depends on vulnerable versions of dompurify
  node_modules/monaco-editor

effect  <3.20.0
Severity: high
Effect `AsyncLocalStorage` context lost/contaminated inside Effect fibers under concurrent load with RPC - https://github.com/advisories/GHSA-38f7-945m-qr2g
fix available via `npm audit fix --force`
Will install prisma@7.6.0, which is outside the stated dependency range
node_modules/effect
  @prisma/config  6.13.0-dev.1 - 7.6.0-integration-feat-prisma-bootstrap.13
  Depends on vulnerable versions of effect
  node_modules/@prisma/config

express-rate-limit  8.2.0 - 8.2.1
Severity: high
express-rate-limit: IPv4-mapped IPv6 addresses bypass per-client rate limiting on servers with dual-stack network - https://github.com/advisories/GHSA-46wh-pxpv-q5gq
fix available via `npm audit fix`
node_modules/express-rate-limit

fast-xml-parser  4.0.0-beta.3 - 5.5.6
Severity: high
fast-xml-parser has stack overflow in XMLBuilder with preserveOrder - https://github.com/advisories/GHSA-fj3w-jwp8-x2g3
fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) - https://github.com/advisories/GHSA-8gc5-j5rx-235r
Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser - https://github.com/advisories/GHSA-jp2q-39xq-3w4g
fix available via `npm audit fix`
node_modules/fast-xml-parser
  @aws-sdk/xml-builder  3.894.0 - 3.972.8
  Depends on vulnerable versions of fast-xml-parser
  node_modules/@aws-sdk/xml-builder

flatted  <=3.4.1
Severity: high
flatted vulnerable to unbounded recursion DoS in parse() revive phase - https://github.com/advisories/GHSA-25h7-pfq9-p65f
Prototype Pollution via parse() in NodeJS flatted - https://github.com/advisories/GHSA-rf6f-7fwh-wjgh
fix available via `npm audit fix`
node_modules/flatted

hono  <=4.12.6
Severity: high
Hono is Vulnerable to Authentication Bypass by IP Spoofing in AWS Lambda ALB conninfo - https://github.com/advisories/GHSA-xh87-mx6m-69f3
Hono Vulnerable to Cookie Attribute Injection via Unsanitized domain and path in setCookie() - https://github.com/advisories/GHSA-5pq2-9x2x-5p6w
Hono Vulnerable to SSE Control Field Injection via CR/LF in writeSSE() - https://github.com/advisories/GHSA-p6xx-57qc-3wxr
Hono vulnerable to arbitrary file access via serveStatic vulnerability  - https://github.com/advisories/GHSA-q5qw-h33p-qvwr
Hono vulnerable to Prototype Pollution possible through __proto__ key allowed in parseBody({ dot: true }) - https://github.com/advisories/GHSA-v8w9-8mx6-g223
fix available via `npm audit fix`
node_modules/hono

next  16.0.0-beta.0 - 16.1.6
Severity: moderate
Next.js: HTTP request smuggling in rewrites - https://github.com/advisories/GHSA-ggv3-7p47-pfv8
Next.js: Unbounded next/image disk cache growth can exhaust storage - https://github.com/advisories/GHSA-3x4c-7xq6-9pq8
Next.js: Unbounded postponed resume buffering can lead to DoS - https://github.com/advisories/GHSA-h27x-g6w4-24gq
Next.js: null origin can bypass Server Actions CSRF checks - https://github.com/advisories/GHSA-mq59-m269-xvcx
Next.js: null origin can bypass dev HMR websocket CSRF checks - https://github.com/advisories/GHSA-jcc7-9wpm-mj36
fix available via `npm audit fix --force`
Will install next@16.2.1, which is outside the stated dependency range
node_modules/next

path-to-regexp  8.0.0 - 8.3.0
Severity: high
path-to-regexp vulnerable to Denial of Service via sequential optional groups - https://github.com/advisories/GHSA-j3q9-mxjg-w52f
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards - https://github.com/advisories/GHSA-27v5-c462-wpq7
fix available via `npm audit fix`
node_modules/router/node_modules/path-to-regexp

picomatch  <=2.3.1 || 4.0.0 - 4.0.3
Severity: high
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching - https://github.com/advisories/GHSA-3v7f-55p6-f55p
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching - https://github.com/advisories/GHSA-3v7f-55p6-f55p
Picomatch has a ReDoS vulnerability via extglob quantifiers - https://github.com/advisories/GHSA-c2c7-rcm5-vvqj
Picomatch has a ReDoS vulnerability via extglob quantifiers - https://github.com/advisories/GHSA-c2c7-rcm5-vvqj
fix available via `npm audit fix`
node_modules/jest-util/node_modules/picomatch
node_modules/picomatch
node_modules/tinyglobby/node_modules/picomatch

serialize-javascript  <=7.0.4
Severity: high
Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString() - https://github.com/advisories/GHSA-5c6j-r48x-rmvq
Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects - https://github.com/advisories/GHSA-qj8w-gfj5-8c6v
fix available via `npm audit fix --force`
Will install terser-webpack-plugin@5.4.0, which is outside the stated dependency range
node_modules/serialize-javascript
  terser-webpack-plugin  <=5.3.16
  Depends on vulnerable versions of serialize-javascript
  node_modules/terser-webpack-plugin

simple-git  3.15.0 - 3.32.2
Severity: critical
simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE - https://github.com/advisories/GHSA-r275-fr43-pm7q
fix available via `npm audit fix --force`
Will install @datadog/datadog-ci@5.10.0, which is outside the stated dependency range
node_modules/simple-git
  @datadog/datadog-ci-base  <=5.9.0
  Depends on vulnerable versions of simple-git
  node_modules/@datadog/datadog-ci-base
    @datadog/datadog-ci  3.21.1 - 5.9.0
    Depends on vulnerable versions of @datadog/datadog-ci-base
    Depends on vulnerable versions of @datadog/datadog-ci-plugin-coverage
    Depends on vulnerable versions of @datadog/datadog-ci-plugin-deployment
    Depends on vulnerable versions of @datadog/datadog-ci-plugin-dora
    Depends on vulnerable versions of @datadog/datadog-ci-plugin-sarif
    Depends on vulnerable versions of @datadog/datadog-ci-plugin-sbom
    node_modules/@datadog/datadog-ci
  @datadog/datadog-ci-plugin-coverage  5.3.0 - 5.9.0
  Depends on vulnerable versions of simple-git
  node_modules/@datadog/datadog-ci-plugin-coverage
  @datadog/datadog-ci-plugin-deployment  <=5.9.0
  Depends on vulnerable versions of simple-git
  node_modules/@datadog/datadog-ci-plugin-deployment
  @datadog/datadog-ci-plugin-dora  <=5.9.0
  Depends on vulnerable versions of simple-git
  node_modules/@datadog/datadog-ci-plugin-dora
  @datadog/datadog-ci-plugin-sarif  <=5.9.0
  Depends on vulnerable versions of simple-git
  node_modules/@datadog/datadog-ci-plugin-sarif
  @datadog/datadog-ci-plugin-sbom  <=5.9.0
  Depends on vulnerable versions of simple-git
  node_modules/@datadog/datadog-ci-plugin-sbom

socket.io-parser  4.0.0 - 4.2.5
Severity: high
socket.io allows an unbounded number of binary attachments - https://github.com/advisories/GHSA-677m-j7p3-52f9
fix available via `npm audit fix`
node_modules/socket.io-parser

undici  7.0.0 - 7.23.0
Severity: high
Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client - https://github.com/advisories/GHSA-f269-vfmq-vjvj
Undici has an HTTP Request/Response Smuggling issue - https://github.com/advisories/GHSA-2mjp-6q6p-2qxm
Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression - https://github.com/advisories/GHSA-vrm6-8vpv-qv8q
Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation - https://github.com/advisories/GHSA-v9p9-hfj2-hcw8
Undici has CRLF Injection in undici via `upgrade` option - https://github.com/advisories/GHSA-4992-7rv2-5pvq
Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS - https://github.com/advisories/GHSA-phc3-fgpg-7m6h
fix available via `npm audit fix`
node_modules/undici

yaml  1.0.0 - 1.10.2 || 2.0.0 - 2.8.2
Severity: moderate
yaml is vulnerable to Stack Overflow via deeply nested YAML collections - https://github.com/advisories/GHSA-48c2-rrv3-qjmp
yaml is vulnerable to Stack Overflow via deeply nested YAML collections - https://github.com/advisories/GHSA-48c2-rrv3-qjmp
fix available via `npm audit fix`
node_modules/cosmiconfig/node_modules/yaml
node_modules/yaml

30 vulnerabilities (1 low, 5 moderate, 15 high, 9 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

[github-actions]

PR Analysis 📊

Changed Files Summary:

• JavaScript/TypeScript files: 0
• Test files: 0
• Documentation files: 0
• Configuration files: 0

CI Status: Running automated checks...

[github-actions]

Build Status ✅ Build successful

✅ Build completed successfully!

[github-actions]

🔒 Security Audit Results

✅ Secret Scanning: No secrets detected
⚠️ Environment Config: Missing variables
❌ NPM Audit: Critical/High vulnerabilities
✅ Secret Patterns: None detected

---

📊 View full results: Security Audit Summary
⏱️ Duration: < 2 minutes

[github-actions]

Quick Checks Results

Check	Status
ESLint	✅
TypeScript	✅

✅ All quick checks passed!

[github-actions]

Test Results ✅ Passed

Test Suites: 58 failed, 5 skipped, 487 passed, 545 of 550 total
Tests: 381 failed, 104 skipped, 30 todo, 10664 passed, 11179 total

✅ All tests passed! Ready for review.

View test output

Check the Actions tab for detailed test output.

[github-actions]

PR Status Summary

Check	Status
Quick Checks	✅ Passed
Tests	✅ Passed
Build	✅ Passed

✅ All checks passed! This PR is ready to merge. 🎉