vndangkhoa/zed
1
0
Fork 0
mirror of https://github.com/zed-industries/zed.git synced 2026-05-31 19:05:00 +07:00
Code Issues Projects Releases Packages Wiki Activity Actions 6
zed/script
History
renovate[bot] e2e7a6769e
Some checks are pending
Congratsbot / check-author (push) Waiting to run
Details
Congratsbot / congrats (push) Blocked by required conditions
Details
run_tests / orchestrate (push) Waiting to run
Details
run_tests / check_style (push) Waiting to run
Details
run_tests / clippy_windows (push) Blocked by required conditions
Details
deploy_nightly_docs / deploy_docs (push) Has been skipped
Details
run_tests / clippy_linux (push) Blocked by required conditions
Details
run_tests / clippy_mac (push) Blocked by required conditions
Details
run_tests / clippy_mac_x86_64 (push) Blocked by required conditions
Details
run_tests / run_tests_windows (push) Blocked by required conditions
Details
run_tests / run_tests_linux (push) Blocked by required conditions
Details
run_tests / run_tests_mac (push) Blocked by required conditions
Details
run_tests / miri_scheduler (push) Blocked by required conditions
Details
run_tests / doctests (push) Blocked by required conditions
Details
run_tests / check_workspace_binaries (push) Blocked by required conditions
Details
run_tests / build_visual_tests_binary (push) Blocked by required conditions
Details
run_tests / check_wasm (push) Blocked by required conditions
Details
run_tests / check_dependencies (push) Blocked by required conditions
Details
run_tests / check_docs (push) Blocked by required conditions
Details
run_tests / check_licenses (push) Blocked by required conditions
Details
run_tests / check_scripts (push) Blocked by required conditions
Details
run_tests / check_postgres_and_protobuf_migrations (push) Blocked by required conditions
Details
run_tests / extension_tests (push) Blocked by required conditions
Details
run_tests / tests_pass (push) Blocked by required conditions
Details
Update dependency requests to v2.33.0 [SECURITY] (#58093) 
This PR contains the following updates:

| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [requests](https://redirect.github.com/psf/requests)
([changelog](https://redirect.github.com/psf/requests/blob/master/HISTORY.md))
| `2.32.3` → `2.33.0` |
![age](https://developer.mend.io/api/mc/badges/age/pypi/requests/2.33.0?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/requests/2.32.3/2.33.0?slim=true)
|

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency
Dashboard](../issues/15138) for more information.

---

### Requests vulnerable to .netrc credentials leak via malicious URLs
[CVE-2024-47081](https://nvd.nist.gov/vuln/detail/CVE-2024-47081) /
[GHSA-9hjg-9r4m-mvj7](https://redirect.github.com/advisories/GHSA-9hjg-9r4m-mvj7)

<details>
<summary>More information</summary>

#### Details
##### Impact

Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak
.netrc credentials to third parties for specific maliciously-crafted
URLs.

##### Workarounds
For older versions of Requests, use of the .netrc file can be disabled
with `trust_env=False` on your Requests Session
([docs](https://requests.readthedocs.io/en/latest/api/#requests.Session.trust_env)).

##### References

[https://github.com/psf/requests/pull/6965](https://redirect.github.com/psf/requests/pull/6965)
https://seclists.org/fulldisclosure/2025/Jun/2

#### Severity
- CVSS Score: 5.3 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N`

#### References
-
[https://github.com/psf/requests/security/advisories/GHSA-9hjg-9r4m-mvj7](https://redirect.github.com/psf/requests/security/advisories/GHSA-9hjg-9r4m-mvj7)
-
[https://nvd.nist.gov/vuln/detail/CVE-2024-47081](https://nvd.nist.gov/vuln/detail/CVE-2024-47081)
-
[https://github.com/psf/requests/pull/6965](https://redirect.github.com/psf/requests/pull/6965)
-
[96ba401c12)
-
[https://requests.readthedocs.io/en/latest/api/#requests.Session.trust_env](https://requests.readthedocs.io/en/latest/api/#requests.Session.trust_env)
-
[https://seclists.org/fulldisclosure/2025/Jun/2](https://seclists.org/fulldisclosure/2025/Jun/2)
-
[http://seclists.org/fulldisclosure/2025/Jun/2](http://seclists.org/fulldisclosure/2025/Jun/2)
-
[http://www.openwall.com/lists/oss-security/2025/06/03/11](http://www.openwall.com/lists/oss-security/2025/06/03/11)
-
[http://www.openwall.com/lists/oss-security/2025/06/03/9](http://www.openwall.com/lists/oss-security/2025/06/03/9)
-
[http://www.openwall.com/lists/oss-security/2025/06/04/1](http://www.openwall.com/lists/oss-security/2025/06/04/1)
-
[http://www.openwall.com/lists/oss-security/2025/06/04/6](http://www.openwall.com/lists/oss-security/2025/06/04/6)
-
[https://github.com/advisories/GHSA-9hjg-9r4m-mvj7](https://redirect.github.com/advisories/GHSA-9hjg-9r4m-mvj7)

This data is provided by the [GitHub Advisory
Database](https://redirect.github.com/advisories/GHSA-9hjg-9r4m-mvj7)
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Requests has Insecure Temp File Reuse in its extract_zipped_paths()
utility function
[CVE-2026-25645](https://nvd.nist.gov/vuln/detail/CVE-2026-25645) /
[GHSA-gc5v-m9x4-r6x2](https://redirect.github.com/advisories/GHSA-gc5v-m9x4-r6x2)

<details>
<summary>More information</summary>

#### Details
##### Impact
The `requests.utils.extract_zipped_paths()` utility function uses a
predictable filename when extracting files from zip archives into the
system temporary directory. If the target file already exists, it is
reused without validation. A local attacker with write access to the
temp directory could pre-create a malicious file that would be loaded in
place of the legitimate one.

##### Affected usages
**Standard usage of the Requests library is not affected by this
vulnerability.** Only applications that call `extract_zipped_paths()`
directly are impacted.

##### Remediation
Upgrade to at least Requests 2.33.0, where the library now extracts
files to a non-deterministic location.

If developers are unable to upgrade, they can set `TMPDIR` in their
environment to a directory with restricted write access.

#### Severity
- CVSS Score: 4.4 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N`

#### References
-
[https://github.com/psf/requests/security/advisories/GHSA-gc5v-m9x4-r6x2](https://redirect.github.com/psf/requests/security/advisories/GHSA-gc5v-m9x4-r6x2)
-
[66d21cb07b)
-
[https://github.com/psf/requests/releases/tag/v2.33.0](https://redirect.github.com/psf/requests/releases/tag/v2.33.0)
-
[https://nvd.nist.gov/vuln/detail/CVE-2026-25645](https://nvd.nist.gov/vuln/detail/CVE-2026-25645)
-
[https://github.com/advisories/GHSA-gc5v-m9x4-r6x2](https://redirect.github.com/advisories/GHSA-gc5v-m9x4-r6x2)

This data is provided by the [GitHub Advisory
Database](https://redirect.github.com/advisories/GHSA-gc5v-m9x4-r6x2)
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Release Notes

<details>
<summary>psf/requests (requests)</summary>

###
[`v2.33.0`](https://redirect.github.com/psf/requests/blob/HEAD/HISTORY.md#2330-2026-03-25)

[Compare
Source](https://redirect.github.com/psf/requests/compare/v2.32.5...v2.33.0)

**Announcements**

- 📣 Requests is adding inline types. If you have a typed code base that
uses Requests, please take a look at
[#&#8203;7271](https://redirect.github.com/psf/requests/issues/7271).
Give it a try, and report
  any gaps or feedback you may have in the issue. 📣

**Security**

- CVE-2026-25645 `requests.utils.extract_zipped_paths` now extracts
  contents to a non-deterministic location to prevent malicious file
  replacement. This does not affect default usage of Requests, only
  applications calling the utility function directly.

**Improvements**

- Migrated to a PEP 517 build system using setuptools.
([#&#8203;7012](https://redirect.github.com/psf/requests/issues/7012))

**Bugfixes**

- Fixed an issue where an empty netrc entry could cause
  malformed authentication to be applied to Requests on
Python 3.11+.
([#&#8203;7205](https://redirect.github.com/psf/requests/issues/7205))

**Deprecations**

- Dropped support for Python 3.9 following its end of support.
([#&#8203;7196](https://redirect.github.com/psf/requests/issues/7196))

**Documentation**

- Various typo fixes and doc improvements.

###
[`v2.32.5`](https://redirect.github.com/psf/requests/blob/HEAD/HISTORY.md#2325-2025-08-18)

[Compare
Source](https://redirect.github.com/psf/requests/compare/v2.32.4...v2.32.5)

**Bugfixes**

- The SSLContext caching feature originally introduced in 2.32.0 has
created
a new class of issues in Requests that have had negative impact across a
number
of use cases. The Requests team has decided to revert this feature as
long term
maintenance of it is proving to be unsustainable in its current
iteration.

**Deprecations**

- Added support for Python 3.14.
- Dropped support for Python 3.8 following its end of support.

###
[`v2.32.4`](https://redirect.github.com/psf/requests/blob/HEAD/HISTORY.md#2324-2025-06-10)

[Compare
Source](https://redirect.github.com/psf/requests/compare/v2.32.3...v2.32.4)

**Security**

- CVE-2024-47081 Fixed an issue where a maliciously crafted URL and
trusted
environment will retrieve credentials for the wrong hostname/machine
from a
  netrc file.

**Improvements**

- Numerous documentation improvements

**Deprecations**

- Added support for pypy 3.11 for Linux and macOS.
- Dropped support for pypy 3.9 following its end of support.

</details>

---

### Configuration

📅 **Schedule**: (in timezone America/New_York)

- Branch creation
  - ""
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

Release Notes:

- N/A

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMDIuMSIsInVwZGF0ZWRJblZlciI6IjQzLjIwMi4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-05-29 20:29:38 +00:00
..
danger Update danger deps for CI (#55615) 2026-05-04 10:31:07 +00:00
flatpak Add (flatpak) and (snap) suffixes to Zed version in system info (#32903) 2025-06-17 20:39:35 +00:00
lib gpui: Fix typo in publish script (#39836) 2025-10-09 05:11:11 +00:00
licenses Relicense Zed source code under GPL (#57948) 2026-05-28 20:19:17 +00:00
terms Relicense Zed source code under GPL (#57948) 2026-05-28 20:19:17 +00:00
update_top_ranking_issues Update dependency requests to v2.33.0 [SECURITY] (#58093) 2026-05-29 20:29:38 +00:00
analyze_highlights.py Use a proper name for highlights.scm (#43412) 2025-11-24 16:15:38 +00:00
bootstrap collab: Add automatic install of minio deb or rpm to script/bootstrap (#32968) 2025-06-18 19:07:57 +00:00
bootstrap.ps1 windows: Make collab run on Windows (#23117) 2025-01-17 09:39:13 +02:00
build-docker Support More Linux (#18480) 2024-09-30 17:46:21 -04:00
bump-extension-cli Fix nix build (#26270) 2025-03-10 01:06:11 -07:00
bump-gpui-version gpui: Update dependency package names (#40143) 2025-10-14 04:43:28 +00:00
bump-nightly ci: Build nightly more frequently (#53800) 2026-05-15 09:08:55 +00:00
bump-zed-version ci: Add workflow for bumping Zed versions (#54485) 2026-04-23 00:56:18 +02:00
bundle-freebsd linux: Make desktop file executable (#35597) 2025-08-04 15:35:19 -04:00
bundle-linux linux: Bundle libstdc++.so for release (#57132) 2026-05-19 21:43:35 +00:00
bundle-mac Remove unnused line from bundle-mac (#48972) 2026-02-11 21:33:01 -07:00
bundle-windows.ps1 Fail windows bundle when cargo about fails (#48056) 2026-01-30 19:55:29 -07:00
cargo Better cargo wrapper (#49946) 2026-02-24 05:13:04 +00:00
cargo-timing-info.js Add a cargo wrapper to report build times (#49632) 2026-02-23 09:46:28 -07:00
check-keymaps Add CI check that cmd- is not in linux keymaps + check other mods (#32334) 2025-06-08 09:34:07 +00:00
check-licenses Relicense Zed source code under GPL (#57948) 2026-05-28 20:19:17 +00:00
check-links ci: Restore lychee link check. Only validate internal links (#32463) 2025-06-10 11:20:07 -04:00
check-todos Add CI check that cmd- is not in linux keymaps + check other mods (#32334) 2025-06-08 09:34:07 +00:00
cherry-pick Fetch (just) enough refs in script/cherry-pick (#41949) 2025-11-04 17:09:43 -07:00
clear-target-dir-if-larger-than ci: Clean workspace members more eagerly (#53427) 2026-04-09 00:21:02 +02:00
clear-target-dir-if-larger-than.ps1 ci: Clean workspace members more eagerly (#53427) 2026-04-09 00:21:02 +02:00
clippy ci: Add check for protobuf formatting (#50418) 2026-03-01 13:18:09 +01:00
clippy.ps1 Windows tests on self-hosted runners (#29764) 2025-06-16 17:29:36 -04:00
collab-flamegraph Fix nix build (#26270) 2025-03-10 01:06:11 -07:00
community-pr-track-mapping.json Add new area labels to track mapping (#58083) 2026-05-29 16:08:53 +00:00
crate-dep-graph Fix nix build (#26270) 2025-03-10 01:06:11 -07:00
create-draft-release Avoid re-creating releases when re-running workflows (#42573) 2025-11-12 21:50:15 -07:00
debug-cli cli: Allow opening non-existent paths (#43250) 2025-11-24 11:30:19 +02:00
deploy-collab Fix nix build (#26270) 2025-03-10 01:06:11 -07:00
determine-release-channel Fix bad quote in script/determine-release-channel (#20613) 2024-11-13 12:41:50 -05:00
determine-release-channel.ps1 windows: Publish nightly (#24800) 2025-07-09 08:57:03 +08:00
digital-ocean-db.sh Add a script to connect to the database. (#32023) 2025-06-04 09:23:23 -06:00
docs-strip-preview-callouts Fix and improve docs automation scripts (#50120) 2026-02-25 19:02:37 -06:00
docs-suggest Improve agent pull request hygiene (#49469) 2026-02-18 08:46:47 -06:00
docs-suggest-publish git_graph: Remove feature flag (#52972) 2026-04-02 15:26:37 +00:00
download-wasi-sdk Add more harness to the CI scripts (#53816) 2026-04-13 22:28:20 +03:00
draft-release-notes Add fallback message when preview changelog is empty (#46260) 2026-01-07 14:24:02 +00:00
drop-test-dbs Fix nix build (#26270) 2025-03-10 01:06:11 -07:00
exit-ci-if-dev-drive-is-full.ps1 windows: Fix tests on Windows (#22616) 2025-02-05 14:30:09 +00:00
freebsd Fix capitalization of libX11 in FreeBSD dependencies (#48159) 2026-02-02 23:55:03 +01:00
generate-action-metadata Remove zed dependency from docs_preprocessor (#45130) 2025-12-18 21:59:05 -05:00
generate-licenses Pin cargo-about to 0.8.2 (#44012) 2025-12-02 17:54:08 +00:00
generate-licenses-csv Pin cargo-about to 0.8.2 (#44012) 2025-12-02 17:54:08 +00:00
generate-licenses.ps1 Fail windows bundle when cargo about fails (#48056) 2026-01-30 19:55:29 -07:00
generate-terms-rtf Fix invalid Unicode in terms & conditions (#42906) 2025-11-19 13:00:35 -05:00
get-crate-version Fix nix build (#26270) 2025-03-10 01:06:11 -07:00
get-crate-version.ps1 windows: Publish nightly (#24800) 2025-07-09 08:57:03 +08:00
get-pull-requests-since Add a get-release-notes-since script (#18445) 2024-09-27 10:59:19 -04:00
get-release-notes-since Add a get-release-notes-since script (#18445) 2024-09-27 10:59:19 -04:00
get-released-version Use cloud.zed.dev for install.sh (#42399) 2025-11-10 23:55:19 +00:00
github-assign-contributor-issue.py Add a broken POC for guild auto-assignment (#55205) 2026-04-29 13:59:31 +00:00
github-check-new-issue-for-duplicates.py Duplicate Bot: Reduce noise (#58074) 2026-05-29 13:28:35 +00:00
github-clean-issue-types.py Add a one-off cleanup script for GH issue types (#42515) 2025-11-12 11:40:31 +01:00
github-community-pr-board.py GitHub board automation: fix query (union selection error) (#56453) 2026-05-11 17:49:38 +00:00
github-find-top-duplicated-bugs.py Post comments on duplicate bug reports (#49482) 2026-02-18 17:15:15 +00:00
github-label-issues-to-triage.py Add a script to label untriaged GH issues (#43711) 2025-11-28 10:24:59 +01:00
github-pr-status A script to help with PR naggery (#32025) 2025-06-04 09:23:14 -06:00
github-track-duplicate-bot-effectiveness.py Duplicate Bot: Reduce noise (#58074) 2026-05-29 13:28:35 +00:00
histogram Print error message and skip line 2024-01-23 16:52:08 +01:00
import-themes Fix nix build (#26270) 2025-03-10 01:06:11 -07:00
install-cmake Improve install-cmake script (#20836) 2024-11-18 16:39:57 -05:00
install-linux Fix install linux (#43205) 2025-11-21 09:12:19 -07:00
install-rustup.ps1 Windows tests on self-hosted runners (#29764) 2025-06-16 17:29:36 -04:00
install.sh linux: Name desktop file correctly during bundle (#45508) 2026-02-13 20:21:07 +05:30
kube-shell Fix nix build (#26270) 2025-03-10 01:06:11 -07:00
linux Removal of mold/wild scripts and mentions in docs (#53078) 2026-04-08 21:20:02 +03:00
metal-debug Fix nix build (#26270) 2025-03-10 01:06:11 -07:00
mitm-proxy.sh Improve script/mitm-proxy.sh to support podman (#25834) 2025-02-28 22:37:03 +00:00
new-crate Relicense Zed source code under GPL (#57948) 2026-05-28 20:19:17 +00:00
prettier Improve autofix (#44930) 2025-12-15 22:19:18 -07:00
prompts Fix nix build (#26270) 2025-03-10 01:06:11 -07:00
randomized-test-ci Remove ZED_CLIENT_SECRET_TOKEN 2024-01-23 10:34:43 -07:00
randomized-test-minimize Format scripts with Prettier (#8393) 2024-02-25 11:03:33 -05:00
redeploy-vercel Fewer race-conditions in Vercel redeploy (#46826) 2026-01-15 14:48:05 -07:00
remote-server Add remote server cross compilation (#19136) 2024-10-12 23:23:56 -07:00
reset_db Fix reset_db script (#29067) 2025-04-18 19:28:14 +00:00
run-background-agent-mvp-local Update AI docs for retired hosted models (#49486) 2026-02-18 10:36:38 -06:00
run-local-minio collab: Add automatic install of minio deb or rpm to script/bootstrap (#32968) 2025-06-18 19:07:57 +00:00
run-unit-evals Fetch the unit eval commit before checking it out (#42636) 2025-11-13 15:21:53 +00:00
seed-db Fix nix build (#26270) 2025-03-10 01:06:11 -07:00
select-sentry-crash-candidates background-agent: Scaffold week-one crash MVP pipeline (#49299) 2026-02-16 20:32:51 -06:00
sentry-fetch Add prompts and scripts for automatic crash repro and fix (#49063) 2026-02-12 12:42:41 -08:00
setup-dev-driver.ps1 windows: Use dev drive instead of ReFS (#25858) 2025-03-01 22:43:10 +08:00
setup-sccache Fix sccache on windows (#48943) 2026-02-11 09:59:20 -07:00
setup-sccache.ps1 Fix sccache --show-stats not working sometimes on windows (#48974) 2026-02-11 21:40:42 +00:00
shellcheck-scripts ci: Add shellcheck for scripts (#20631) 2024-11-18 16:41:22 -05:00
snap-build Add scripts and configuration for building snap package (#25064) 2025-02-19 10:28:23 -07:00
snap-try Add scripts and configuration for building snap package (#25064) 2025-02-19 10:28:23 -07:00
squawk ACP debug tools pane (#36768) 2025-08-22 19:32:49 +00:00
storybook Fix nix build (#26270) 2025-03-10 01:06:11 -07:00
test-docs-suggest-batch Add documentation suggestion automation (#49194) 2026-02-18 06:39:09 -06:00
triage_project_sync.py Rework GH Project status logic to reflect triage runbook (#55845) 2026-05-06 15:22:50 +00:00
triage_watcher.jl Add script/triage_watcher.jl (#45384) 2025-12-19 18:09:40 +00:00
trigger-docs-build script: Trigger docs release (#56953) 2026-05-18 15:35:35 +00:00
trigger-release Fix nix build (#26270) 2025-03-10 01:06:11 -07:00
uninstall.sh Add an uninstall script (#21213) 2024-11-28 10:31:12 +02:00
update-json-schemas Bump JSON schemas: package.json, tsconfig.json (#20910) 2024-11-20 13:35:00 -05:00
upload-extension-cli Add GitHub Action for publishing the extension CLI (#9542) 2024-03-19 14:19:32 -04:00
upload-nightly Add more harness to the CI scripts (#53816) 2026-04-13 22:28:20 +03:00
upload-nightly.ps1 Add SSH remote server for Windows (#47460) 2026-01-24 13:15:01 -05:00
verify-macos-document-icon macOS: Bundle placeholder Document.icns so Finder can display Zed file icons (#44833) 2025-12-17 16:42:31 -06:00
what-is-deployed Fix nix build (#26270) 2025-03-10 01:06:11 -07:00
zed-local Fix script/zed-local on Windows (#38832) 2025-09-25 09:03:27 -04:00