diff -Nru requests-2.28.1+dfsg/debian/changelog requests-2.31.0+dfsg/debian/changelog --- requests-2.28.1+dfsg/debian/changelog 2023-06-05 16:54:33.000000000 +0000 +++ requests-2.31.0+dfsg/debian/changelog 2023-07-25 21:54:56.000000000 +0000 @@ -1,3 +1,38 @@ +requests (2.31.0+dfsg-1ubuntu1) mantic; urgency=medium + + * Merge with Debian unstable (LP: #2018104). Remaining changes: + - d/p/remove-charset-normalizer-dependency.patch: Remove charset-normalizer + as a dependency of requests (LP #1975541) + * Dropped changes: + - d/p/CVE-2023-32681.patch: Unintended leak of Proxy-Authorization header + [Fixed upstream in 2.31.0] + - d/p/0002-Fix-tests-with-HTTP-proxy.patch: Fix autopkgtest when + http_proxy, https_proxy or no_proxy variable is set (LP #1974182) + [Fixed in 2.31.0+dfsg-1] + + -- Lena Voytek Tue, 25 Jul 2023 14:54:56 -0700 + +requests (2.31.0+dfsg-1) unstable; urgency=medium + + [ Max-Julian Pogner ] + * Update upstream homepage, as the previous url would direct browsers + to a non-existant webserver. + + [ Daniele Tricoli ] + * New upstream version 2.31.0+dfsg + - Fix CVE-2023-32681 (Closes: #1036693). + * Refresh 0001-Remove-remote-images-traking-code-and-ads.patch. + * Add a patch by Olivier Gayot (thanks Oliver!) to fix autopkgtest when + http_proxy, https_proxy or no_proxy is set. (Closes: #1011276). + * debian/control + - Bump standards version to 4.6.2, no changes needed. + * Skip tests: test_header_with_subclass_types and + test_urllib3_pool_connection_closed due connection error. + * debian/copyright + - Update copyright years. + + -- Daniele Tricoli Mon, 17 Jul 2023 18:31:20 +0200 + requests (2.28.1+dfsg-1ubuntu2) mantic; urgency=medium * SECURITY UPDATE: Unintended leak of Proxy-Authorization header diff -Nru requests-2.28.1+dfsg/debian/control requests-2.31.0+dfsg/debian/control --- requests-2.28.1+dfsg/debian/control 2022-11-28 22:18:43.000000000 +0000 +++ requests-2.31.0+dfsg/debian/control 2023-07-25 21:54:56.000000000 +0000 
@@ -19,8 +19,8 @@ python3-sphinx (>= 1.3), python3-trustme, python3-urllib3 (>= 1.21.1), -Standards-Version: 4.6.1 -Homepage: http://python-requests.org +Standards-Version: 4.6.2 +Homepage: https://requests.readthedocs.io/ Vcs-Git: https://salsa.debian.org/python-team/packages/requests.git Vcs-Browser: https://salsa.debian.org/python-team/packages/requests diff -Nru requests-2.28.1+dfsg/debian/copyright requests-2.31.0+dfsg/debian/copyright --- requests-2.28.1+dfsg/debian/copyright 2022-11-28 22:18:43.000000000 +0000 +++ requests-2.31.0+dfsg/debian/copyright 2023-07-25 21:54:56.000000000 +0000 @@ -49,7 +49,7 @@ POSSIBILITY OF SUCH DAMAGE. Files: debian/* -Copyright: 2011-2022, Daniele Tricoli +Copyright: 2011-2023, Daniele Tricoli License: Apache License: Apache diff -Nru requests-2.28.1+dfsg/debian/patches/0001-Remove-remote-images-traking-code-and-ads.patch requests-2.31.0+dfsg/debian/patches/0001-Remove-remote-images-traking-code-and-ads.patch --- requests-2.28.1+dfsg/debian/patches/0001-Remove-remote-images-traking-code-and-ads.patch 2022-11-28 22:18:43.000000000 +0000 +++ requests-2.31.0+dfsg/debian/patches/0001-Remove-remote-images-traking-code-and-ads.patch 2023-07-25 21:54:56.000000000 +0000 @@ -4,11 +4,11 @@ --- docs/_templates/hacks.html | 54 --------------------------------------- - docs/_templates/sidebarintro.html | 32 ----------------------- - docs/_templates/sidebarlogo.html | 33 ------------------------ + docs/_templates/sidebarintro.html | 6 ----- + docs/_templates/sidebarlogo.html | 24 ----------------- docs/conf.py | 2 +- docs/index.rst | 17 ------------ - 5 files changed, 1 insertion(+), 137 deletions(-) + 5 files changed, 1 insertion(+), 102 deletions(-) diff --git a/docs/_templates/hacks.html b/docs/_templates/hacks.html index eca5dff..196abbe 100644 @@ -73,21 +73,21 @@ - ); - diff --git a/docs/_templates/sidebarintro.html b/docs/_templates/sidebarintro.html -index 45d57b9..029c8c4 100644 +index 2b595b5..241c4fc 100644 
--- a/docs/_templates/sidebarintro.html +++ b/docs/_templates/sidebarintro.html -@@ -5,11 +5,6 @@ +@@ -4,11 +4,6 @@ +

-

+-

- -

- --

+

Requests is an elegant and simple HTTP library for Python, built for human beings. -

@@ -33,5 +28,4 @@
  • Issue Tracker
  • @@ -95,16 +95,16 @@ -
    diff --git a/docs/_templates/sidebarlogo.html b/docs/_templates/sidebarlogo.html -index 56d6109..5a88a69 100644 +index a3454b7..2b4057d 100644 --- a/docs/_templates/sidebarlogo.html +++ b/docs/_templates/sidebarlogo.html @@ -1,30 +1,6 @@ -

    +-

    - -

    - --

    +

    Requests is an elegant and simple HTTP library for Python, built for human beings. You are currently looking at the documentation of the development release. @@ -143,7 +143,7 @@ "note_bg": "#FFF59C", } diff --git a/docs/index.rst b/docs/index.rst -index dbcaa55..31c774d 100644 +index 306b60f..6f1beda 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -8,23 +8,6 @@ Requests: HTTP for Humans™ diff -Nru requests-2.28.1+dfsg/debian/patches/0002-Fix-tests-with-HTTP-proxy.patch requests-2.31.0+dfsg/debian/patches/0002-Fix-tests-with-HTTP-proxy.patch --- requests-2.28.1+dfsg/debian/patches/0002-Fix-tests-with-HTTP-proxy.patch 2022-11-28 22:18:43.000000000 +0000 +++ requests-2.31.0+dfsg/debian/patches/0002-Fix-tests-with-HTTP-proxy.patch 2023-07-25 21:54:56.000000000 +0000 @@ -3,15 +3,15 @@ variables to be present in the environment. They make pytest fail and therefore autopkgtest fail as well. Author: Olivier Gayot -Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011276 +Bug: Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/requests/+bug/1974182 Forwarded: no -Last-Update: 2022-11-28 +Last-Update: 2022-05-19 --- This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ --- a/tests/test_requests.py +++ b/tests/test_requests.py -@@ -578,8 +578,9 @@ +@@ -579,8 +579,9 @@ ), ) def test_errors(self, url, exception): @@ -23,7 +23,7 @@ def test_proxy_error(self): # any proxy related error (address resolution, no route to host, etc) should result in a ProxyError -@@ -602,14 +603,14 @@ +@@ -603,14 +604,14 @@ requests.get(httpbin(), proxies={"http": "http:///example.com:8080"}) def test_respect_proxy_env_on_send_self_prepared_request(self, httpbin): @@ -40,7 +40,7 @@ with pytest.raises(ProxyError): session = requests.Session() request = requests.Request("GET", httpbin()) -@@ -617,7 +618,7 @@ +@@ -618,7 +619,7 @@ session.send(prepared) def test_respect_proxy_env_on_send_with_redirects(self, httpbin): 
@@ -49,7 +49,7 @@ with pytest.raises(ProxyError): session = requests.Session() url = httpbin("redirect/1") -@@ -626,13 +627,13 @@ +@@ -627,13 +628,13 @@ session.send(request.prepare()) def test_respect_proxy_env_on_get(self, httpbin): diff -Nru requests-2.28.1+dfsg/debian/patches/CVE-2023-32681.patch requests-2.31.0+dfsg/debian/patches/CVE-2023-32681.patch --- requests-2.28.1+dfsg/debian/patches/CVE-2023-32681.patch 2023-06-05 16:54:29.000000000 +0000 +++ requests-2.31.0+dfsg/debian/patches/CVE-2023-32681.patch 1970-01-01 00:00:00.000000000 +0000 
@@ -1,56 +0,0 @@ -From 74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5 Mon Sep 17 00:00:00 2001 -From: Nate Prewitt -Date: Mon, 22 May 2023 08:08:57 -0700 -Subject: [PATCH] Merge pull request from GHSA-j8r2-6x86-q33q - ---- - requests/sessions.py | 4 +++- - tests/test_requests.py | 20 ++++++++++++++++++++ - 2 files changed, 23 insertions(+), 1 deletion(-) - -diff --git a/requests/sessions.py b/requests/sessions.py -index 6cb3b4dae3..dbcf2a7b0e 100644 ---- a/requests/sessions.py -+++ b/requests/sessions.py -@@ -324,7 +324,9 @@ def rebuild_proxies(self, prepared_request, proxies): - except KeyError: - username, password = None, None - -- if username and password: -+ # urllib3 handles proxy authorization for us in the standard adapter. -+ # Avoid appending this to TLS tunneled requests where it may be leaked. -+ if not scheme.startswith('https') and username and password: - headers["Proxy-Authorization"] = _basic_auth_str(username, password) - - return new_proxies -diff --git a/tests/test_requests.py b/tests/test_requests.py -index b1c8dd4534..b420c44d73 100644 ---- a/tests/test_requests.py -+++ b/tests/test_requests.py -@@ -647,6 +647,26 @@ def test_proxy_authorization_preserved_on_request(self, httpbin): - - assert sent_headers.get("Proxy-Authorization") == proxy_auth_value - -+ -+ @pytest.mark.parametrize( -+ "url,has_proxy_auth", -+ ( -+ ('http://example.com', True), -+ ('https://example.com', False), -+ ), -+ ) -+ def test_proxy_authorization_not_appended_to_https_request(self, url, has_proxy_auth): -+ session = requests.Session() -+ proxies = { -+ 'http': 'http://test:pass@localhost:8080', -+ 'https': 'http://test:pass@localhost:8090', -+ } -+ req = requests.Request('GET', url) -+ prep = req.prepare() -+ session.rebuild_proxies(prep, proxies) -+ -+ assert ('Proxy-Authorization' in prep.headers) is has_proxy_auth -+ - def test_basicauth_with_netrc(self, httpbin): - auth = ("user", "pass") - wrong_auth = ("wronguser", "wrongpass") diff -Nru 
requests-2.28.1+dfsg/debian/patches/remove-charset-normalizer-dependency.patch requests-2.31.0+dfsg/debian/patches/remove-charset-normalizer-dependency.patch --- requests-2.28.1+dfsg/debian/patches/remove-charset-normalizer-dependency.patch 2022-11-28 22:18:43.000000000 +0000 +++ requests-2.31.0+dfsg/debian/patches/remove-charset-normalizer-dependency.patch 2023-07-25 21:54:56.000000000 +0000 @@ -84,8 +84,8 @@ sys.exit() requires = [ -- "charset_normalizer>=2,<3", +- "charset_normalizer>=2,<4", + "chardet>=3.0.2,<5", "idna>=2.5,<4", - "urllib3>=1.21.1,<1.27", + "urllib3>=1.21.1,<3", "certifi>=2017.4.17", diff -Nru requests-2.28.1+dfsg/debian/patches/series requests-2.31.0+dfsg/debian/patches/series --- requests-2.28.1+dfsg/debian/patches/series 2023-06-05 16:54:29.000000000 +0000 +++ requests-2.31.0+dfsg/debian/patches/series 2023-07-25 21:54:56.000000000 +0000 @@ -1,4 +1,3 @@ 0001-Remove-remote-images-traking-code-and-ads.patch 0002-Fix-tests-with-HTTP-proxy.patch remove-charset-normalizer-dependency.patch -CVE-2023-32681.patch diff -Nru requests-2.28.1+dfsg/debian/rules requests-2.31.0+dfsg/debian/rules --- requests-2.28.1+dfsg/debian/rules 2022-11-28 22:18:43.000000000 +0000 +++ requests-2.31.0+dfsg/debian/rules 2023-07-25 21:54:56.000000000 +0000 @@ -104,7 +104,9 @@ not test_redirecting_to_bad_url and \ not test_json_decode_compatibility and \ not test_set_environ and \ -not test_json_decode_persists_doc_attr" +not test_json_decode_persists_doc_attr and \ +not test_header_with_subclass_types and \ +not test_urllib3_pool_connection_closed" export PYBUILD_TEST_ARGS=tests -k ${TESTS_TO_EXCLUDE} BUILD_DATE = $(shell LC_ALL=C date -u "+%B %d, %Y" -d "@$(SOURCE_DATE_EPOCH)") diff -Nru requests-2.28.1+dfsg/debian/tests/python3-requests requests-2.31.0+dfsg/debian/tests/python3-requests --- requests-2.28.1+dfsg/debian/tests/python3-requests 2022-11-28 22:18:43.000000000 +0000 +++ requests-2.31.0+dfsg/debian/tests/python3-requests 2023-07-25 21:54:56.000000000 +0000 
@@ -105,7 +105,10 @@ not test_urllib3_retries and \ not test_redirecting_to_bad_url and \ not test_json_decode_compatibility and \ -not test_set_environ" +not test_set_environ and \ +not test_json_decode_persists_doc_attr and \ +not test_header_with_subclass_types and \ +not test_urllib3_pool_connection_closed" cp -r tests "$AUTOPKGTEST_TMP/" cd "$AUTOPKGTEST_TMP" diff -Nru requests-2.28.1+dfsg/docs/api.rst requests-2.31.0+dfsg/docs/api.rst --- requests-2.28.1+dfsg/docs/api.rst 2022-06-29 15:09:11.000000000 +0000 +++ requests-2.31.0+dfsg/docs/api.rst 2023-05-22 15:10:32.000000000 +0000 @@ -36,6 +36,7 @@ .. autoexception:: requests.ConnectTimeout .. autoexception:: requests.ReadTimeout .. autoexception:: requests.Timeout +.. autoexception:: requests.JSONDecodeError Request Sessions diff -Nru requests-2.28.1+dfsg/docs/user/advanced.rst requests-2.31.0+dfsg/docs/user/advanced.rst --- requests-2.28.1+dfsg/docs/user/advanced.rst 2022-06-29 15:09:11.000000000 +0000 +++ requests-2.31.0+dfsg/docs/user/advanced.rst 2023-05-22 15:10:32.000000000 +0000 @@ -656,10 +656,10 @@ from requests.utils import DEFAULT_CA_BUNDLE_PATH print(DEFAULT_CA_BUNDLE_PATH) -You override this default certificate bundle by setting the standard -``curl_ca_bundle`` environment variable to another file path:: +You override this default certificate bundle by setting the ``REQUESTS_CA_BUNDLE`` +(or ``CURL_CA_BUNDLE``) environment variable to another file path:: - $ export curl_ca_bundle="/usr/local/myproxy_info/cacert.pem" + $ export REQUESTS_CA_BUNDLE="/usr/local/myproxy_info/cacert.pem" $ export https_proxy="http://10.10.1.10:1080" $ python 
@@ -717,10 +717,9 @@ library is an LGPL-licenced dependency and some users of requests cannot depend on mandatory LGPL-licensed dependencies. -When you install ``request`` without specifying ``[use_chardet_on_py3]]`` extra, +When you install ``requests`` without specifying ``[use_chardet_on_py3]`` extra, and ``chardet`` is not already installed, ``requests`` uses ``charset-normalizer`` -(MIT-licensed) to guess the encoding. For Python 2, ``requests`` uses only -``chardet`` and is a mandatory dependency there. +(MIT-licensed) to guess the encoding. The only time Requests will not guess the encoding is if no explicit charset is present in the HTTP headers **and** the ``Content-Type`` diff -Nru requests-2.28.1+dfsg/docs/user/install.rst requests-2.31.0+dfsg/docs/user/install.rst --- requests-2.28.1+dfsg/docs/user/install.rst 2022-06-29 15:09:11.000000000 +0000 +++ requests-2.31.0+dfsg/docs/user/install.rst 2023-05-22 15:10:32.000000000 +0000 @@ -22,7 +22,7 @@ You can either clone the public repository:: - $ git clone git://github.com/psf/requests.git + $ git clone https://github.com/psf/requests.git Or, download the `tarball `_:: diff -Nru requests-2.28.1+dfsg/docs/user/quickstart.rst requests-2.31.0+dfsg/docs/user/quickstart.rst --- requests-2.28.1+dfsg/docs/user/quickstart.rst 2022-06-29 15:09:11.000000000 +0000 +++ requests-2.31.0+dfsg/docs/user/quickstart.rst 2023-05-22 15:10:32.000000000 +0000 @@ -177,7 +177,7 @@ >>> r.raw.read(10) - '\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\x03' + b'\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\x03' In general, however, you should use a pattern like this to save what is being streamed to a file:: 
@@ -237,7 +237,7 @@ >>> payload = {'key1': 'value1', 'key2': 'value2'} - >>> r = requests.post("https://httpbin.org/post", data=payload) + >>> r = requests.post('https://httpbin.org/post', data=payload) >>> print(r.text) { ... diff -Nru requests-2.28.1+dfsg/.github/workflows/codeql-analysis.yml requests-2.31.0+dfsg/.github/workflows/codeql-analysis.yml --- requests-2.28.1+dfsg/.github/workflows/codeql-analysis.yml 2022-06-29 15:09:11.000000000 +0000 +++ requests-2.31.0+dfsg/.github/workflows/codeql-analysis.yml 2023-05-22 15:10:32.000000000 +0000 @@ -14,8 +14,15 @@ schedule: - cron: '0 23 * * 0' +permissions: + contents: read + jobs: analyze: + permissions: + actions: read # for github/codeql-action/init to get workflow details + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/autobuild to send a status report name: Analyze runs-on: ubuntu-latest diff -Nru requests-2.28.1+dfsg/.github/workflows/lint.yml requests-2.31.0+dfsg/.github/workflows/lint.yml --- requests-2.28.1+dfsg/.github/workflows/lint.yml 2022-06-29 15:09:11.000000000 +0000 +++ requests-2.31.0+dfsg/.github/workflows/lint.yml 2023-05-22 15:10:32.000000000 +0000 @@ -1,16 +1,20 @@ name: Lint code -on: - push: - pull_request: +on: [push, pull_request] + +permissions: + contents: read jobs: lint: runs-on: ubuntu-20.04 + timeout-minutes: 10 steps: - uses: actions/checkout@v3 - name: Set up Python - uses: actions/setup-python@v3 + uses: actions/setup-python@v4 + with: + python-version: "3.x" - name: Run pre-commit uses: pre-commit/action@v3.0.0 diff -Nru requests-2.28.1+dfsg/.github/workflows/run-tests.yml requests-2.31.0+dfsg/.github/workflows/run-tests.yml --- requests-2.28.1+dfsg/.github/workflows/run-tests.yml 2022-06-29 15:09:11.000000000 +0000 +++ requests-2.31.0+dfsg/.github/workflows/run-tests.yml 2023-05-22 15:10:32.000000000 +0000 @@ -2,6 +2,9 @@ on: [push, pull_request] +permissions: + contents: read + jobs: build: runs-on: ${{ matrix.os }} 
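Review bot: The `uses:` entries in the lint job of .github/workflows/lint.yml still reference actions by mutable tag (`actions/checkout@v3`, `actions/setup-python@v4`, `pre-commit/action@v3.0.0`), so the new `permissions: contents: read` limits the token but not which code runs in the job. Pinning each one to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: actions/setup-python@<full-commit-sha>  # v4`, makes the executed code reviewable and stops a retagged release from changing it silently. The same applies to `actions/checkout@v2` in run-tests.yml further down this page.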
@@ -9,14 +12,13 @@ strategy: fail-fast: false matrix: - python-version: ["3.7", "3.8", "3.9", "3.10", "3.11-dev"] - os: [ubuntu-18.04, macOS-latest, windows-latest] + python-version: ["3.7", "3.8", "3.9", "3.10", "3.11", "3.12-dev", "pypy-3.8", "pypy-3.9"] + os: [ubuntu-22.04, macOS-latest, windows-latest] include: - # pypy-3.7 on Mac OS currently fails trying to compile - # brotlipy. Moving pypy3 to only test linux. + # pypy-3.7 on Windows and Mac OS currently fails trying to compile + # cryptography. Moving pypy-3.7 to only test linux. - python-version: pypy-3.7 os: ubuntu-latest - experimental: false steps: - uses: actions/checkout@v2 diff -Nru requests-2.28.1+dfsg/HISTORY.md requests-2.31.0+dfsg/HISTORY.md --- requests-2.28.1+dfsg/HISTORY.md 2022-06-29 15:09:11.000000000 +0000 +++ requests-2.31.0+dfsg/HISTORY.md 2023-05-22 15:10:32.000000000 +0000 
@@ -6,6 +6,64 @@ - \[Short description of non-trivial change.\] +2.31.0 (2023-05-22) +------------------- + +**Security** +- Versions of Requests between v2.3.0 and v2.30.0 are vulnerable to potential + forwarding of `Proxy-Authorization` headers to destination servers when + following HTTPS redirects. + + When proxies are defined with user info (https://user:pass@proxy:8080), Requests + will construct a `Proxy-Authorization` header that is attached to the request to + authenticate with the proxy. + + In cases where Requests receives a redirect response, it previously reattached + the `Proxy-Authorization` header incorrectly, resulting in the value being + sent through the tunneled connection to the destination server. Users who rely on + defining their proxy credentials in the URL are *strongly* encouraged to upgrade + to Requests 2.31.0+ to prevent unintentional leakage and rotate their proxy + credentials once the change has been fully deployed. + + Users who do not use a proxy or do not supply their proxy credentials through + the user information portion of their proxy URL are not subject to this + vulnerability. + + Full details can be read in our [Github Security Advisory](https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q) + and [CVE-2023-32681](https://nvd.nist.gov/vuln/detail/CVE-2023-32681). + + +2.30.0 (2023-05-03) +------------------- + +**Dependencies** +- ⚠️ Added support for urllib3 2.0. ⚠️ + + This may contain minor breaking changes so we advise careful testing and + reviewing https://urllib3.readthedocs.io/en/latest/v2-migration-guide.html + prior to upgrading. + + Users who wish to stay on urllib3 1.x can pin to `urllib3<2`. + +2.29.0 (2023-04-26) +------------------- + +**Improvements** + +- Requests now defers chunked requests to the urllib3 implementation to improve + standardization. (#6226) +- Requests relaxes header component requirements to support bytes/str subclasses. 
(#6356) + +2.28.2 (2023-01-12) +------------------- + +**Dependencies** + +- Requests now supports charset\_normalizer 3.x. (#6261) + +**Bugfixes** + +- Updated MissingSchema exception to suggest https scheme rather than http. (#6188) 2.28.1 (2022-06-29) ------------------- @@ -42,7 +100,7 @@ cert verification. All Requests 2.x versions before 2.28.0 are affected. (#6074) - Fixed urllib3 exception leak, wrapping `urllib3.exceptions.SSLError` with `requests.exceptions.SSLError` for `content` and `iter_content`. (#6057) -- Fixed issue where invalid Windows registry entires caused proxy resolution +- Fixed issue where invalid Windows registry entries caused proxy resolution to raise an exception rather than ignoring the entry. (#6149) - Fixed issue where entire payload could be included in the error message for JSONDecodeError. (#6036) diff -Nru requests-2.28.1+dfsg/Makefile requests-2.31.0+dfsg/Makefile --- requests-2.28.1+dfsg/Makefile 2022-06-29 15:09:11.000000000 +0000 +++ requests-2.31.0+dfsg/Makefile 2023-05-22 15:10:32.000000000 +0000 @@ -2,7 +2,7 @@ init: pip install -r requirements-dev.txt test: - # This runs all of the tests, on both Python 2 and Python 3. + # This runs all of the tests on all supported Python versions. tox -p ci: pytest tests --junitxml=report.xml diff -Nru requests-2.28.1+dfsg/.pre-commit-config.yaml requests-2.31.0+dfsg/.pre-commit-config.yaml --- requests-2.28.1+dfsg/.pre-commit-config.yaml 2022-06-29 15:09:11.000000000 +0000 +++ requests-2.31.0+dfsg/.pre-commit-config.yaml 2023-05-22 15:10:32.000000000 +0000 @@ -9,7 +9,7 @@ - id: end-of-file-fixer - id: trailing-whitespace - repo: https://github.com/PyCQA/isort - rev: 5.10.1 + rev: 5.12.0 hooks: - id: isort - repo: https://github.com/psf/black 
@@ -22,7 +22,7 @@ hooks: - id: pyupgrade args: [--py37-plus] -- repo: https://gitlab.com/pycqa/flake8 - rev: 4.0.1 +- repo: https://github.com/PyCQA/flake8 + rev: 6.0.0 hooks: - id: flake8 diff -Nru requests-2.28.1+dfsg/pyproject.toml requests-2.31.0+dfsg/pyproject.toml --- requests-2.28.1+dfsg/pyproject.toml 2022-06-29 15:09:11.000000000 +0000 +++ requests-2.31.0+dfsg/pyproject.toml 2023-05-22 15:10:32.000000000 +0000 @@ -4,7 +4,7 @@ honor_noqa = true [tool.pytest.ini_options] -addopts = "-p no:warnings --doctest-modules" +addopts = "--doctest-modules" doctest_optionflags = "NORMALIZE_WHITESPACE ELLIPSIS" minversion = "6.2" testpaths = [ diff -Nru requests-2.28.1+dfsg/requests/adapters.py requests-2.31.0+dfsg/requests/adapters.py --- requests-2.28.1+dfsg/requests/adapters.py 2022-06-29 15:09:11.000000000 +0000 +++ requests-2.31.0+dfsg/requests/adapters.py 2023-05-22 15:10:32.000000000 +0000 @@ -22,7 +22,6 @@ from urllib3.exceptions import ReadTimeoutError, ResponseError from urllib3.exceptions import SSLError as _SSLError from urllib3.poolmanager import PoolManager, proxy_from_url -from urllib3.response import HTTPResponse from urllib3.util import Timeout as TimeoutSauce from urllib3.util import parse_url from urllib3.util.retry import Retry @@ -194,7 +193,6 @@ num_pools=connections, maxsize=maxsize, block=block, - strict=True, **pool_kwargs, ) 
@@ -485,63 +483,19 @@ timeout = TimeoutSauce(connect=timeout, read=timeout) try: - if not chunked: - resp = conn.urlopen( - method=request.method, - url=url, - body=request.body, - headers=request.headers, - redirect=False, - assert_same_host=False, - preload_content=False, - decode_content=False, - retries=self.max_retries, - timeout=timeout, - ) - - # Send the request. - else: - if hasattr(conn, "proxy_pool"): - conn = conn.proxy_pool - - low_conn = conn._get_conn(timeout=DEFAULT_POOL_TIMEOUT) - - try: - skip_host = "Host" in request.headers - low_conn.putrequest( - request.method, - url, - skip_accept_encoding=True, - skip_host=skip_host, - ) - - for header, value in request.headers.items(): - low_conn.putheader(header, value) - - low_conn.endheaders() - - for i in request.body: - low_conn.send(hex(len(i))[2:].encode("utf-8")) - low_conn.send(b"\r\n") - low_conn.send(i) - low_conn.send(b"\r\n") - low_conn.send(b"0\r\n\r\n") - - # Receive the response from the server - r = low_conn.getresponse() - - resp = HTTPResponse.from_httplib( - r, - pool=conn, - connection=low_conn, - preload_content=False, - decode_content=False, - ) - except Exception: - # If we hit any problems here, clean up the connection. - # Then, raise so that we can handle the actual exception. - low_conn.close() - raise + resp = conn.urlopen( + method=request.method, + url=url, + body=request.body, + headers=request.headers, + redirect=False, + assert_same_host=False, + preload_content=False, + decode_content=False, + retries=self.max_retries, + timeout=timeout, + chunked=chunked, + ) except (ProtocolError, OSError) as err: raise ConnectionError(err, request=request) diff -Nru requests-2.28.1+dfsg/requests/api.py requests-2.31.0+dfsg/requests/api.py --- requests-2.28.1+dfsg/requests/api.py 2022-06-29 15:09:11.000000000 +0000 +++ requests-2.31.0+dfsg/requests/api.py 2023-05-22 15:10:32.000000000 +0000 
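Review bot: The single `conn.urlopen(..., chunked=chunked)` call drops two things the removed branch did explicitly, `skip_host` when the caller supplied a `Host` header and `skip_accept_encoding=True`, and nothing in the new lines records that urllib3 is now relied on for both. A short comment above the call would say so, for example `# chunked bodies are framed by urllib3; Host and Accept-Encoding handling is left to it as well`, and a test sending a chunked request with a caller-set `Host` header would pin the behaviour. Chunked uploads also pass through `retries=self.max_retries` now, which the old branch did not use; whether a one-shot iterator body can be re-sent on retry is not visible here and is worth confirming. The enclosing method starts and ends outside this hunk.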
@@ -106,7 +106,7 @@ :param url: URL for the new :class:`Request` object. :param data: (optional) Dictionary, list of tuples, bytes, or file-like object to send in the body of the :class:`Request`. - :param json: (optional) json data to send in the body of the :class:`Request`. + :param json: (optional) A JSON serializable Python object to send in the body of the :class:`Request`. :param \*\*kwargs: Optional arguments that ``request`` takes. :return: :class:`Response ` object :rtype: requests.Response @@ -121,7 +121,7 @@ :param url: URL for the new :class:`Request` object. :param data: (optional) Dictionary, list of tuples, bytes, or file-like object to send in the body of the :class:`Request`. - :param json: (optional) json data to send in the body of the :class:`Request`. + :param json: (optional) A JSON serializable Python object to send in the body of the :class:`Request`. :param \*\*kwargs: Optional arguments that ``request`` takes. :return: :class:`Response ` object :rtype: requests.Response @@ -136,7 +136,7 @@ :param url: URL for the new :class:`Request` object. :param data: (optional) Dictionary, list of tuples, bytes, or file-like object to send in the body of the :class:`Request`. - :param json: (optional) json data to send in the body of the :class:`Request`. + :param json: (optional) A JSON serializable Python object to send in the body of the :class:`Request`. :param \*\*kwargs: Optional arguments that ``request`` takes. :return: :class:`Response ` object :rtype: requests.Response diff -Nru requests-2.28.1+dfsg/requests/__init__.py requests-2.31.0+dfsg/requests/__init__.py --- requests-2.28.1+dfsg/requests/__init__.py 2022-06-29 15:09:11.000000000 +0000 +++ requests-2.31.0+dfsg/requests/__init__.py 2023-05-22 15:10:32.000000000 +0000 
@@ -66,10 +66,10 @@ # Check urllib3 for compatibility. major, minor, patch = urllib3_version # noqa: F811 major, minor, patch = int(major), int(minor), int(patch) - # urllib3 >= 1.21.1, <= 1.26 - assert major == 1 - assert minor >= 21 - assert minor <= 26 + # urllib3 >= 1.21.1 + assert major >= 1 + if major == 1: + assert minor >= 21 # Check charset_normalizer for compatibility. if chardet_version: @@ -80,8 +80,8 @@ elif charset_normalizer_version: major, minor, patch = charset_normalizer_version.split(".")[:3] major, minor, patch = int(major), int(minor), int(patch) - # charset_normalizer >= 2.0.0 < 3.0.0 - assert (2, 0, 0) <= (major, minor, patch) < (3, 0, 0) + # charset_normalizer >= 2.0.0 < 4.0.0 + assert (2, 0, 0) <= (major, minor, patch) < (4, 0, 0) else: raise Exception("You need either charset_normalizer or chardet installed") diff -Nru requests-2.28.1+dfsg/requests/_internal_utils.py requests-2.31.0+dfsg/requests/_internal_utils.py --- requests-2.28.1+dfsg/requests/_internal_utils.py 2022-06-29 15:09:11.000000000 +0000 +++ requests-2.31.0+dfsg/requests/_internal_utils.py 2023-05-22 15:10:32.000000000 +0000 @@ -14,9 +14,11 @@ _VALID_HEADER_VALUE_RE_BYTE = re.compile(rb"^\S[^\r\n]*$|^$") _VALID_HEADER_VALUE_RE_STR = re.compile(r"^\S[^\r\n]*$|^$") +_HEADER_VALIDATORS_STR = (_VALID_HEADER_NAME_RE_STR, _VALID_HEADER_VALUE_RE_STR) +_HEADER_VALIDATORS_BYTE = (_VALID_HEADER_NAME_RE_BYTE, _VALID_HEADER_VALUE_RE_BYTE) HEADER_VALIDATORS = { - bytes: (_VALID_HEADER_NAME_RE_BYTE, _VALID_HEADER_VALUE_RE_BYTE), - str: (_VALID_HEADER_NAME_RE_STR, _VALID_HEADER_VALUE_RE_STR), + bytes: _HEADER_VALIDATORS_BYTE, + str: _HEADER_VALIDATORS_STR, } diff -Nru requests-2.28.1+dfsg/requests/models.py requests-2.31.0+dfsg/requests/models.py --- requests-2.28.1+dfsg/requests/models.py 2022-06-29 15:09:11.000000000 +0000 +++ requests-2.31.0+dfsg/requests/models.py 2023-05-22 15:10:32.000000000 +0000 
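Review bot: The rewritten urllib3 check in requests/__init__.py has no upper bound, so `assert major >= 1` accepts any future major version, while setup.py on this page declares `urllib3>=1.21.1,<3`. If the runtime check is meant to mirror the install requirement, `assert major < 3` after the first assert would do it; if it is deliberately open-ended, the comment should say so, e.g. `# urllib3 >= 1.21.1 (upper bound enforced only by install_requires)`. These are `assert` statements, so under `python -O` they do not run at all; how a failure is reported is decided outside this hunk.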
@@ -438,7 +438,7 @@ if not scheme: raise MissingSchema( f"Invalid URL {url!r}: No scheme supplied. " - f"Perhaps you meant http://{url}?" + f"Perhaps you meant https://{url}?" ) if not host: diff -Nru requests-2.28.1+dfsg/requests/sessions.py requests-2.31.0+dfsg/requests/sessions.py --- requests-2.28.1+dfsg/requests/sessions.py 2022-06-29 15:09:11.000000000 +0000 +++ requests-2.31.0+dfsg/requests/sessions.py 2023-05-22 15:10:32.000000000 +0000 @@ -324,7 +324,9 @@ except KeyError: username, password = None, None - if username and password: + # urllib3 handles proxy authorization for us in the standard adapter. + # Avoid appending this to TLS tunneled requests where it may be leaked. + if not scheme.startswith('https') and username and password: headers["Proxy-Authorization"] = _basic_auth_str(username, password) return new_proxies diff -Nru requests-2.28.1+dfsg/requests/utils.py requests-2.31.0+dfsg/requests/utils.py --- requests-2.28.1+dfsg/requests/utils.py 2022-06-29 15:09:11.000000000 +0000 +++ requests-2.31.0+dfsg/requests/utils.py 2023-05-22 15:10:32.000000000 +0000 @@ -25,7 +25,12 @@ from .__version__ import __version__ # to_native_string is unused here, but imported here for backwards compatibility -from ._internal_utils import HEADER_VALIDATORS, to_native_string # noqa: F401 +from ._internal_utils import ( # noqa: F401 + _HEADER_VALIDATORS_BYTE, + _HEADER_VALIDATORS_STR, + HEADER_VALIDATORS, + to_native_string, +) from .compat import ( Mapping, basestring, 
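Review bot: The new guard in requests/sessions.py depends on `scheme`, which is assigned outside this hunk, and the added comment does not say whose scheme it is. Since the check decides whether proxy credentials are written into the request's own headers, the comment should state it outright, e.g. `# scheme is the target URL's scheme (assumed, set above): an https request travels inside the CONNECT tunnel, so this header would reach the destination instead of the proxy`. `startswith('https')` also uses single quotes where the next line uses double quotes. The function body continues outside the hunk, so whether an already-present `Proxy-Authorization` header is cleared before this point cannot be checked from here.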
@@ -1031,20 +1036,23 @@ :param header: tuple, in the format (name, value). """ name, value = header + _validate_header_part(header, name, 0) + _validate_header_part(header, value, 1) - for part in header: - if type(part) not in HEADER_VALIDATORS: - raise InvalidHeader( - f"Header part ({part!r}) from {{{name!r}: {value!r}}} must be " - f"of type str or bytes, not {type(part)}" - ) - - _validate_header_part(name, "name", HEADER_VALIDATORS[type(name)][0]) - _validate_header_part(value, "value", HEADER_VALIDATORS[type(value)][1]) +def _validate_header_part(header, header_part, header_validator_index): + if isinstance(header_part, str): + validator = _HEADER_VALIDATORS_STR[header_validator_index] + elif isinstance(header_part, bytes): + validator = _HEADER_VALIDATORS_BYTE[header_validator_index] + else: + raise InvalidHeader( + f"Header part ({header_part!r}) from {header} " + f"must be of type str or bytes, not {type(header_part)}" + ) -def _validate_header_part(header_part, header_kind, validator): if not validator.match(header_part): + header_kind = "name" if header_validator_index == 0 else "value" raise InvalidHeader( f"Invalid leading whitespace, reserved character(s), or return" f"character(s) in header {header_kind}: {header_part!r}" diff -Nru requests-2.28.1+dfsg/requests/__version__.py requests-2.31.0+dfsg/requests/__version__.py --- requests-2.28.1+dfsg/requests/__version__.py 2022-06-29 15:09:11.000000000 +0000 +++ requests-2.31.0+dfsg/requests/__version__.py 2023-05-22 15:10:32.000000000 +0000 
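Review bot: `validator.match(header_part)` relies on the `$`-anchored value patterns shown in requests/_internal_utils.py on this page, and in Python `$` also matches just before a newline that ends the string, so a value with one trailing `\n` appears to pass this check. Since this function is the guard against CR/LF in headers, `if not validator.fullmatch(header_part):` (or `\Z` in the patterns) would close that gap without relying on lower layers to reject it. The new `_validate_header_part` also has no docstring saying what index 0 and 1 mean, and the unchanged message joins `"...or return"` and `"character(s)..."` without a space, which prints as `returncharacter(s)`.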
@@ -5,10 +5,10 @@ __title__ = "requests" __description__ = "Python HTTP for Humans." __url__ = "https://requests.readthedocs.io" -__version__ = "2.28.1" -__build__ = 0x022801 +__version__ = "2.31.0" +__build__ = 0x023100 __author__ = "Kenneth Reitz" __author_email__ = "me@kennethreitz.org" __license__ = "Apache 2.0" -__copyright__ = "Copyright 2022 Kenneth Reitz" +__copyright__ = "Copyright Kenneth Reitz" __cake__ = "\u2728 \U0001f370 \u2728" diff -Nru requests-2.28.1+dfsg/requirements-dev.txt requests-2.31.0+dfsg/requirements-dev.txt --- requests-2.28.1+dfsg/requirements-dev.txt 2022-06-29 15:09:11.000000000 +0000 +++ requests-2.31.0+dfsg/requirements-dev.txt 2023-05-22 15:10:32.000000000 +0000 @@ -1,11 +1,12 @@ -e .[socks] pytest>=2.8.0,<=6.2.5 pytest-cov -pytest-httpbin==1.0.0 +pytest-httpbin==2.0.0 pytest-mock==2.0.0 httpbin==0.7.0 trustme wheel +cryptography<40.0.0; python_version <= '3.7' and platform_python_implementation == 'PyPy' # Flask Stack Flask>1.0,<2.0 diff -Nru requests-2.28.1+dfsg/setup.cfg requests-2.31.0+dfsg/setup.cfg --- requests-2.28.1+dfsg/setup.cfg 2022-06-29 15:09:11.000000000 +0000 +++ requests-2.31.0+dfsg/setup.cfg 2023-05-22 15:10:32.000000000 +0000 @@ -5,7 +5,7 @@ use_chardet_on_py3 requires-dist = certifi>=2017.4.17 - charset_normalizer>=2,<3 + charset_normalizer>=2,<4 idna>=2.5,<4 urllib3>=1.21.1,<1.27 diff -Nru requests-2.28.1+dfsg/setup.py requests-2.31.0+dfsg/setup.py --- requests-2.28.1+dfsg/setup.py 2022-06-29 15:09:11.000000000 +0000 +++ requests-2.31.0+dfsg/setup.py 2023-05-22 15:10:32.000000000 +0000 @@ -59,13 +59,13 @@ sys.exit() requires = [ - "charset_normalizer>=2,<3", + "charset_normalizer>=2,<4", "idna>=2.5,<4", - "urllib3>=1.21.1,<1.27", + "urllib3>=1.21.1,<3", "certifi>=2017.4.17", ] test_requirements = [ - "pytest-httpbin==0.0.7", + "pytest-httpbin==2.0.0", "pytest-cov", "pytest-mock", "pytest-xdist", 
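Review bot: `requires-dist` in setup.cfg still lists `urllib3>=1.21.1,<1.27` after this change, while setup.py on the same page moves to `urllib3>=1.21.1,<3`. The two declarations now disagree about whether urllib3 2.x is allowed; assuming setup.py is authoritative, the setup.cfg line should read `urllib3>=1.21.1,<3`.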
@@ -94,7 +94,7 @@
 package_data={"": ["LICENSE", "NOTICE"]},
 package_dir={"requests": "requests"},
 include_package_data=True,
- python_requires=">=3.7, <4",
+ python_requires=">=3.7",
 install_requires=requires,
 license=about["__license__"],
 zip_safe=False,
diff -Nru requests-2.28.1+dfsg/tests/__init__.py requests-2.31.0+dfsg/tests/__init__.py
--- requests-2.28.1+dfsg/tests/__init__.py 2022-06-29 15:09:11.000000000 +0000
+++ requests-2.31.0+dfsg/tests/__init__.py 2023-05-22 15:10:32.000000000 +0000
@@ -2,9 +2,13 @@
 import warnings
-from urllib3.exceptions import SNIMissingWarning
+try:
+ from urllib3.exceptions import SNIMissingWarning
-# urllib3 sets SNIMissingWarning to only go off once,
-# while this test suite requires it to always fire
-# so that it occurs during test_requests.test_https_warnings
-warnings.simplefilter("always", SNIMissingWarning)
+ # urllib3 1.x sets SNIMissingWarning to only go off once,
+ # while this test suite requires it to always fire
+ # so that it occurs during test_requests.test_https_warnings
+ warnings.simplefilter("always", SNIMissingWarning)
+except ImportError:
+ # urllib3 2.0 removed that warning and errors out instead
+ SNIMissingWarning = None
diff -Nru requests-2.28.1+dfsg/tests/test_requests.py requests-2.31.0+dfsg/tests/test_requests.py
--- requests-2.28.1+dfsg/tests/test_requests.py 2022-06-29 15:09:11.000000000 +0000
+++ requests-2.31.0+dfsg/tests/test_requests.py 2023-05-22 15:10:32.000000000 +0000
@@ -48,6 +48,7 @@
 from requests.sessions import SessionRedirectMixin
 from requests.structures import CaseInsensitiveDict
+from . import SNIMissingWarning
 from .compat import StringIO
 from .utils import override_environ
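Review bot: In tests/__init__.py the `try` body holds the `warnings.simplefilter` call as well as the import, so `except ImportError` covers more than the one statement expected to fail. Keeping only `from urllib3.exceptions import SNIMissingWarning` inside `try` and moving the filter into an `else:` branch, `warnings.simplefilter("always", SNIMissingWarning)`, makes the scope of the fallback explicit. This is a style point; the behaviour on both urllib3 lines stays the same.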
@@ -646,6 +647,26 @@
 assert sent_headers.get("Proxy-Authorization") == proxy_auth_value
+
+ @pytest.mark.parametrize(
+ "url,has_proxy_auth",
+ (
+ ('http://example.com', True),
+ ('https://example.com', False),
+ ),
+ )
+ def test_proxy_authorization_not_appended_to_https_request(self, url, has_proxy_auth):
+ session = requests.Session()
+ proxies = {
+ 'http': 'http://test:pass@localhost:8080',
+ 'https': 'http://test:pass@localhost:8090',
+ }
+ req = requests.Request('GET', url)
+ prep = req.prepare()
+ session.rebuild_proxies(prep, proxies)
+
+ assert ('Proxy-Authorization' in prep.headers) is has_proxy_auth
+
 def test_basicauth_with_netrc(self, httpbin):
 auth = ("user", "pass")
 wrong_auth = ("wronguser", "wrongpass")
@@ -974,6 +995,10 @@
 r = requests.get(httpbin(), cert=".")
 assert r.status_code == 200
+ @pytest.mark.skipif(
+ SNIMissingWarning is None,
+ reason="urllib3 2.0 removed that warning and errors out instead",
+ )
 def test_https_warnings(self, nosan_server):
 """warnings are emitted with requests.get"""
 host, port, ca_bundle = nosan_server
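Review bot: `test_proxy_authorization_not_appended_to_https_request` has no docstring explaining why the https case must end up without `Proxy-Authorization`, and it asserts only presence, never the value. A docstring such as `"""Proxy credentials from the proxy URL must not be added to the headers of an https request (CVE-2023-32681)."""` ties the test to the leak named in the changelog. For the http case, an extra assertion on the expected Basic value for `test:pass` would catch a wrong header being attached. The single-quoted strings also differ from the double-quoted style of the neighbouring tests.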
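Review bot: On urllib3 2.x this `skipif` drops the visible test that uses the `nosan_server` fixture, and nothing on the page checks the behaviour the reason string describes ("errors out instead"). A sibling test, skipped when `SNIMissingWarning is not None` and wrapping the same request in `pytest.raises`, would keep that certificate case covered on both urllib3 lines. `test_https_warnings` continues below the hunk, so the exact call and the exception type have to be taken from its body.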
@@ -1747,6 +1772,31 @@
 with pytest.raises(InvalidHeader):
 requests.get(httpbin("get"), headers=invalid_header)
+ def test_header_with_subclass_types(self, httpbin):
+ """If the subclasses does not behave *exactly* like
+ the base bytes/str classes, this is not supported.
+ This test is for backwards compatibility.
+ """
+
+ class MyString(str):
+ pass
+
+ class MyBytes(bytes):
+ pass
+
+ r_str = requests.get(httpbin("get"), headers={MyString("x-custom"): "myheader"})
+ assert r_str.request.headers["x-custom"] == "myheader"
+
+ r_bytes = requests.get(
+ httpbin("get"), headers={MyBytes(b"x-custom"): b"myheader"}
+ )
+ assert r_bytes.request.headers["x-custom"] == b"myheader"
+
+ r_mixed = requests.get(
+ httpbin("get"), headers={MyString("x-custom"): MyBytes(b"myheader")}
+ )
+ assert r_mixed.request.headers["x-custom"] == b"myheader"
+
 @pytest.mark.parametrize("files", ("foo", b"foo", bytearray(b"foo")))
 def test_can_send_objects_with_files(self, httpbin, files):
 data = {"a": "this is a string"}
diff -Nru requests-2.28.1+dfsg/tox.ini requests-2.31.0+dfsg/tox.ini
--- requests-2.28.1+dfsg/tox.ini 2022-06-29 15:09:11.000000000 +0000
+++ requests-2.31.0+dfsg/tox.ini 2023-05-22 15:10:32.000000000 +0000
@@ -1,5 +1,5 @@
 [tox]
-envlist = py{37,38,39,310}-{default, use_chardet_on_py3}
+envlist = py{37,38,39,310,311}-{default, use_chardet_on_py3}
 [testenv]
 deps = -rrequirements-dev.txt
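Review bot: `test_header_with_subclass_types` exercises only the accepting path for `str`/`bytes` subclasses; nothing in it checks that a subclass instance containing a line break is still rejected, which is the property the header validation exists to enforce. Adding `with pytest.raises(InvalidHeader):` around `requests.get(httpbin("get"), headers={MyString("x-custom"): MyString("my\nheader")})` would pin that, in the same form as the `pytest.raises(InvalidHeader)` context lines at the top of the hunk. The docstring's "If the subclasses does not behave" should read "If the subclasses do not behave".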