fix(deps): vuln minor: requests, tensorflow [lib/wasm-micro-runtime-WAMR-1.3.3]

[gh-worker-campaigns-3e9aa4]

Summary: High-severity security update — 2 packages upgraded (MINOR changes included)

Manifests changed:

• lib/wasm-micro-runtime-WAMR-1.3.3 (pip)

---

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

---

Updates

Package	From	To	Type	Dep Type	Vulnerabilities Fixed
tensorflow	2.11.1	2.21.0	minor	Direct	2 HIGH
requests	2.31.0	2.33.1	minor	Direct	6 MODERATE

---

Security Details

🚨 Critical & High Severity (2 fixed)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
tensorflow	GHSA-gjh7-xx4r-x345	HIGH	TensorFlow has segfault in array_ops.upper_bound	2.11.1	2.12.1
tensorflow	CVE-2023-33976	HIGH	TensorFlow segfault in array_ops.upper_bound	2.11.1	-

ℹ️ Other Vulnerabilities (6)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
requests	GHSA-9wx4-h78v-vm56	MODERATE	Requests Session object does not verify requests after making first request with verify=False	2.31.0	2.32.0
requests	CVE-2024-35195	MODERATE	Requests Session object does not verify requests after making first request with verify=False	2.31.0	-
requests	GHSA-9hjg-9r4m-mvj7	MODERATE	Requests vulnerable to .netrc credentials leak via malicious URLs	2.31.0	2.32.4
requests	CVE-2024-47081	MODERATE	Requests vulnerable to .netrc credentials leak via malicious URLs	2.31.0	-
requests	GHSA-gc5v-m9x4-r6x2	MODERATE	Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function	2.31.0	2.33.0
requests	CVE-2026-25645	MODERATE	Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function	2.31.0	-

⚠️ Dependencies that have Reached EOL (1)

Dependency	Unsafe Version	EOL Date	New Version	Path
requests	2.31.0	-	2.33.1	lib/wasm-micro-runtime-WAMR-1.3.3/build-scripts/requirements.txt

---

Review Checklist

Standard review:

• Review changes for compatibility with your code
• Check for breaking changes in release notes
• Run tests locally or wait for CI
• Approve and merge this PR

---

Update Mode: Vulnerability Remediation (High)

🤖 Generated by DataDog Automated Dependency Management System

[campaigner-prod]

Release Notes

requests (2.31.0 → 2.33.1) — GitHub Release

v2.33.1

2.33.1 (2026-03-30)

Bugfixes

• Fixed test cleanup for CVE-2026-25645 to avoid leaving unnecessary
  files in the tmp directory. (Cleanup extracted file after extract_zipped_path test psf/requests#7305)
• Fixed Content-Type header parsing for malformed values. (Fix malformed value parsing for Content-Type psf/requests#7309)
• Improved error consistency for malformed header values. (Fix cosmetic header validity parsing regex psf/requests#7308)

New Contributors

• @ferdnyc made their first contribution in Packaging: DRY out extras definition psf/requests#7277

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2331-2026-03-30

v2.33.0

2.33.0 (2026-03-25)

Announcements

• 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at RFC: Adding inline type annotations to Requests psf/requests#7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security

• CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements

• Migrated to a PEP 517 build system using setuptools. (Migrate build system to PEP 517 psf/requests#7012)

Bugfixes

• Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (Fix empty netrc entry usage psf/requests#7205)

Deprecations

• Dropped support for Python 3.9 following its end of support. (Drop support for Python 3.9 psf/requests#7196)

Documentation

• Various typo fixes and doc improvements.

New Contributors

• @M0d3v1 made their first contribution in Update docstring for Session.verify to include string support (#6859) psf/requests#6865
• @aminvakil made their first contribution in Increase chardet upper limit to 7 psf/requests#7220
• @E8Price made their first contribution in docs: clarify Quickstart POST example (fixes #6949) psf/requests#6960
• @mitre88 made their first contribution in docs: hide Response.is_permanent_redirect from API reference psf/requests#7244
• @magsen made their first contribution in docs(socks): same block as other sections psf/requests#6553
• @Rohan5commit made their first contribution in docs: fix FAQ grammar in httplib2 example psf/requests#7227

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2330-2026-03-25

v2.32.5

2.32.5 (2025-08-18)

Bugfixes

• The SSLContext caching feature originally introduced in 2.32.0 has created
  a new class of issues in Requests that have had negative impact across a number
  of use cases. The Requests team has decided to revert this feature as long term
  maintenance of it is proving to be unsustainable in its current iteration.

Deprecations

• Added support for Python 3.14.
• Dropped support for Python 3.8 following its end of support.

v2.32.4

2.32.4 (2025-06-10)

Security

• CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted
  environment will retrieve credentials for the wrong hostname/machine from a
  netrc file. (Only use hostname to do netrc lookup instead of netloc psf/requests#6965)

Improvements

• Numerous documentation improvements

Deprecations

• Added support for pypy 3.11 for Linux and macOS. (Drop pypy 3.9 and add pypy 3.11 support psf/requests#6926)
• Dropped support for pypy 3.9 following its end of support. (Drop pypy 3.9 and add pypy 3.11 support psf/requests#6926)

v2.32.3

2.32.3 (2024-05-29)

Bugfixes

• Fixed bug breaking the ability to specify custom SSLContexts in sub-classes of
  HTTPAdapter. (Allow for overriding of specific pool key params psf/requests#6716)
• Fixed issue where Requests started failing to run on Python versions compiled
  without the ssl module. (Don't create default SSLContext if ssl module isn't present psf/requests#6724)

v2.32.2

2.32.2 (2024-05-21)

Deprecations

• To provide a more stable migration for custom HTTPAdapters impacted
  by the CVE changes in 2.32.0, we've renamed _get_connection to
  a new public API, get_connection_with_tls_context. Existing custom
  HTTPAdapters will need to migrate their code to use this new API.
  get_connection is considered deprecated in all versions of Requests>=2.32.0.

  A minimal (2-line) example has been provided in the linked PR to ease
  migration, but we strongly urge users to evaluate if their custom adapter
  is subject to the same issue described in CVE-2024-35195. (Move _get_connection to get_connection_with_tls_context psf/requests#6710)

v2.32.1

2.32.1 (2024-05-20)

Bugfixes

• Add missing test certs to the sdist distributed on PyPI.

v2.32.0

2.32.0 (2024-05-20)

🐍 PYCON US 2024 EDITION 🐍

Security

• Fixed an issue where setting verify=False on the first request from a
  Session will cause subsequent requests to the same origin to also ignore
  cert verification, regardless of the value of verify.
  (GHSA-9wx4-h78v-vm56)

Improvements

• verify=True now reuses a global SSLContext which should improve
  request time variance between first and subsequent requests. It should
  also minimize certificate load time on Windows systems when using a Python
  version built with OpenSSL 3.x. (Avoid reloading root certificates to improve concurrent performance psf/requests#6667)
• Requests now supports optional use of character detection
  (chardet or charset_normalizer) when repackaged or vendored.
  This enables pip and other projects to minimize their vendoring
  surface area. The Response.text() and apparent_encoding APIs
  will default to utf-8 if neither library is present. (Allow optional char detection dependencies in post-packaging psf/requests#6702)

Bugfixes

• Fixed bug in length detection where emoji length was incorrectly
  calculated in the request content-length. (Enhance super_len to count encoded bytes for str psf/requests#6589)
• Fixed deserialization bug in JSONDecodeError. (Fix #6628 - JSONDecodeError are not deserializable psf/requests#6629)
• Fixed bug where an extra leading / (path separator) could lead
  urllib3 to unnecessarily reparse the request URI. (Trim excess leading path separators psf/requests#6644)

Deprecations

• Requests has officially added support for CPython 3.12 (Add 3.12 classifier and tox configuration psf/requests#6503)
• Requests has officially added support for PyPy 3.9 and 3.10 (Fix CI psf/requests#6641)
• Requests has officially dropped support for CPython 3.7 (Drop support for CPython 3.7 psf/requests#6642)
• Requests has officially dropped support for PyPy 3.7 and 3.8 (Fix CI psf/requests#6641)

Documentation

• Various typo fixes and doc improvements.

Packaging

• Requests has started adopting some modern packaging practices.
  The source files for the projects (formerly requests) is now located
  in src/requests in the Requests sdist. (Move to src directory psf/requests#6506)
• Starting in Requests 2.33.0, Requests will migrate to a PEP 517 build system
  using hatchling. This

(truncated)

---

Generated by ADMS Sources: 1 GitHub Release, 1 not available.

[seberm-6]

Hey, sorry for the noise. This was caused by a bug in our automated dependency update system that incorrectly included upstream changelog content in PR comments, triggering notifications to external contributors. The feature flag has been turned off and we're working on a fix. Sorry about that again.