Move DigestAuth hash algorithms to use usedforsecurity=False#7310
Merged
Conversation
zlplzp123wyt
pushed a commit
to zlplzp123wyt/claude-builders-bounty
that referenced
this pull request
Mar 31, 2026
Closes claude-builders-bounty#4 ## What this adds - — CLI tool that reviews GitHub PRs - — GitHub Action for automated reviews - — Full documentation with install & usage - — Sample outputs from 2 real PRs ## Features - Accepts PR URL as input, fetches diff via GitHub API - Static analysis: security patterns, size, test coverage, dependencies - Structured Markdown output: summary, risks, suggestions, confidence score - Zero dependencies (pure Python stdlib) - GitHub Action workflow included ## Sample Reviews 1. **psf/requests#7310** — DigestAuth FIPS fix (High confidence, 1 file) 2. **fastapi/fastapi#15263** — pygments bump (High confidence, 1 file)
sigmavirus24
approved these changes
Apr 15, 2026
Merged
Merged
luketainton
pushed a commit
to luketainton/repos_pypilot
that referenced
this pull request
May 13, 2026
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [requests](https://github.com/psf/requests) ([changelog](https://github.com/psf/requests/blob/master/HISTORY.md)) | `==2.33.1` → `==2.34.0` |  |  | --- ### Release Notes <details> <summary>psf/requests (requests)</summary> ### [`v2.34.0`](https://github.com/psf/requests/blob/HEAD/HISTORY.md#2340-2026-05-11) [Compare Source](psf/requests@v2.33.1...v2.34.0) **Announcements** - Requests 2.34.0 introduces inline types, replacing those provided by typeshed. Public API types should be fully compatible with mypy, pyright, and ty. We believe types are comprehensive but if you find issues, please report them to the pinned tracking issue. Special thanks to [@​bastimeyer](https://github.com/bastimeyer), [@​cthoyt](https://github.com/cthoyt), [@​edgarrmondragon](https://github.com/edgarrmondragon), and [@​srittau](https://github.com/srittau) for helping review and test the types ahead of the release. ([#​7272](psf/requests#7272)) **Improvements** - Digest Auth hashing algorithms have added `usedforsecurity=False` to clarify security considerations. ([#​7310](psf/requests#7310)) - Requests added support for Python 3.15 based on beta1. Downstream projects should be able to start testing prior to its release in October. ([#​7422](psf/requests#7422)) - Requests added support for Python 3.14t. ([#​7419](psf/requests#7419)) **Bugfixes** - `Response.history` no longer contains a reference to itself, preventing accidental looping when traversing the history list. ([#​7328](psf/requests#7328)) - Requests no longer performs greedy matching on no\_proxy domains. The proxy\_bypass implementation has been updated with CPython's fix from bpo-39057. ([#​7427](psf/requests#7427)) - Requests no longer incorrectly strips duplicate leading slashes in URI paths. This should address user issues with specific presigned URLs. Note the full fix requires urllib3 2.7.0+. ([#​7315](psf/requests#7315)) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNzMuMCIsInVwZGF0ZWRJblZlciI6IjQzLjE3My4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJ0eXBlL2RlcGVuZGVuY2llcyJdfQ==--> Reviewed-on: https://git.tainton.uk/repos/pypilot/pulls/443 Co-authored-by: renovate[bot] <renovate-bot@git.tainton.uk> Co-committed-by: renovate[bot] <renovate-bot@git.tainton.uk>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR moves the DigestAuth hash algorithms to use
usedforsecurity=False. This is to both avoid unnecessarily breaking DigestAuth on FIPS enabled systems and to make it clearer to security reporters these are not a security control.RFC 7616 makes it clear algorithm choice is decided by the server being called and the choice for hashing algorithm does not meaningfully change the risk profile for Digest auth usage.
- RFC 7616 § 5.1