Bump requests >= 2.33.0 (Dependabot GHSA-gc5v-m9x4-r6x2 / CVE-2026-25645) #44

@boringethan

Description

Dependabot raised one open moderate-severity alert against requirements.txt:

Summary

requests.utils.extract_zipped_paths() uses a predictable filename when extracting files from a zip into the system temp directory. If the target already exists, it is reused without validation — a local attacker with write access to the temp dir could pre-create a malicious file to be picked up in its place.
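The pattern the advisory describes, shown as a constructed illustration added here (this is not the requests implementation, and the member names and file contents are made up): a deterministic destination under a shared temp directory that is trusted if it already exists, next to a hardened variant that extracts into a fresh private `mkdtemp()` directory and opens the target with `O_EXCL` so anything pre-planted at the path is an error rather than a result.

```python
"""Constructed illustration of the temp-file reuse pattern the advisory describes.
Not the requests implementation; member names and contents are made up."""
import io
import os
import tempfile
import zipfile


def make_zip(member_name: str, payload: bytes) -> bytes:
    """Build an in-memory zip holding one member (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def extract_predictable(zip_bytes: bytes, member_name: str, tmpdir: str) -> str:
    """UNSAFE pattern: deterministic destination under a shared temp dir, and an
    existing file at that path is trusted and reused without validation."""
    dest = os.path.join(tmpdir, os.path.basename(member_name))
    if not os.path.exists(dest):
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf, open(dest, "wb") as out:
            out.write(zf.read(member_name))
    return dest


def extract_private(zip_bytes: bytes, member_name: str, tmpdir: str) -> str:
    """Hardened pattern: a fresh 0o700 directory with a random name per extraction,
    and O_EXCL so a pre-existing file (or symlink) at the path is an error, never reused."""
    private_dir = tempfile.mkdtemp(dir=tmpdir)
    dest = os.path.join(private_dir, os.path.basename(member_name))
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf, os.fdopen(fd, "wb") as out:
        out.write(zf.read(member_name))
    return dest


def demo() -> dict:
    """Run both extractors against a planted file; returns what each one yields."""
    tmpdir = tempfile.mkdtemp()          # stands in for the system temp directory
    member = "settings.json"
    genuine = b'{"source": "archive"}'
    planted = b'{"source": "attacker"}'
    archive = make_zip(member, genuine)
    # Local attacker with write access to the temp dir pre-creates the predictable path.
    with open(os.path.join(tmpdir, member), "wb") as f:
        f.write(planted)
    with open(extract_predictable(archive, member, tmpdir), "rb") as f:
        unsafe = f.read()
    with open(extract_private(archive, member, tmpdir), "rb") as f:
        safe = f.read()
    return {"unsafe": unsafe, "safe": safe}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the unsafe extractor handing back the planted content while the hardened one returns what was actually in the archive; the random per-call directory is what removes the predictability the advisory relies on.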

Are we actually exposed?

Per the advisory:

Standard usage of the Requests library is not affected by this vulnerability. Only applications that call extract_zipped_paths() directly are impacted.

A grep across omotion/, scripts/, and tests/ finds no calls to extract_zipped_paths, so the SDK is not exposed today. This is therefore mostly hygiene — bump the pin to clear the alert and pick up the fix in case any future code starts using that helper.

Fix

# pyproject.toml
"requests>=2.33.0",

(Was requests>=2.32.5.) That single-line bump in pyproject.toml is sufficient; nothing else in the repo references the affected helper.

Verification

After the bump:

pip install -U .
python -c "import requests; print(requests.__version__)"  # expect >= 2.33.0
grep -rn "extract_zipped_paths" omotion/ scripts/ tests/  # expect no matches

Dependabot should auto-close the alert on the next scan after the merge.
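A slightly stronger version of the exposure check above, added here as example code (not part of this repo): an AST scan that reports only real call sites of `extract_zipped_paths`, including calls through an import alias or via `requests.utils.<name>`, and ignores mentions in comments and strings that a plain grep would flag, plus a check that the installed version satisfies the bumped pin. The sample sources are constructed; the directory names in the `__main__` block are the ones the issue greps.

```python
"""Exposure check for this issue: an AST scan for real call sites of
requests.utils.extract_zipped_paths plus a pin check. Added example, not project code;
the sample sources below are constructed."""
import ast
import pathlib
import re

HELPER = "extract_zipped_paths"


def find_helper_calls(source: str, filename: str = "<string>") -> list[tuple[int, str]]:
    """Return sorted (lineno, call text) for calls to extract_zipped_paths, including
    calls through an import alias or via a module attribute. Unlike grep, mentions in
    comments, strings or docstrings are ignored."""
    tree = ast.parse(source, filename)
    names = {HELPER}
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module in ("requests.utils", "requests"):
            for alias in node.names:
                if alias.name == HELPER:
                    names.add(alias.asname or alias.name)
    hits = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        direct = isinstance(func, ast.Name) and func.id in names
        # Attribute form (requests.utils.extract_zipped_paths(...)); any receiver is
        # flagged so an aliased module does not slip through.
        attr = isinstance(func, ast.Attribute) and func.attr == HELPER
        if direct or attr:
            hits.append((node.lineno, ast.unparse(node)))
    return sorted(hits)


def scan_tree(root: str) -> dict[str, list[tuple[int, str]]]:
    """Scan every .py file under root; files that fail to parse are skipped."""
    results = {}
    for path in pathlib.Path(root).rglob("*.py"):
        try:
            hits = find_helper_calls(path.read_text(encoding="utf-8"), str(path))
        except (SyntaxError, UnicodeDecodeError):
            continue
        if hits:
            results[str(path)] = hits
    return results


def version_tuple(version: str) -> tuple:
    """Leading numeric part of each of the first three dotted components, zero-padded."""
    parts = []
    for comp in version.split(".")[:3]:
        m = re.match(r"\d+", comp)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def requests_is_patched(installed: str, minimum: str = "2.33.0") -> bool:
    """True if the installed requests version satisfies the bumped pin."""
    return version_tuple(installed) >= version_tuple(minimum)


# Constructed samples: one that would be exposed, one that only uses the public API.
SAMPLE_EXPOSED = '''\
import requests.utils
from requests.utils import extract_zipped_paths as ezp
bundle = ezp("certs.zip/bundle.pem")
other = requests.utils.extract_zipped_paths("data.zip/settings.json")
'''
SAMPLE_CLEAN = '''\
import requests
# extract_zipped_paths is only mentioned in this comment, not called
resp = requests.get("https://example.invalid/")
'''

if __name__ == "__main__":
    import requests
    print("pin satisfied:", requests_is_patched(requests.__version__))
    for dirname in ("omotion", "scripts", "tests"):  # directories the issue greps
        print(dirname, scan_tree(dirname))
```

Run it from the repo root after `pip install -U .`; an empty dict for each directory and `pin satisfied: True` is the expected outcome given the grep result reported above.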
