From 438467d72a0c66589d0079fa234b4652c2d178d5 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 19 May 2026 04:46:46 +0000
Subject: [PATCH 1/3] build(deps): bump requests from 2.33.1 to 2.34.0

Bumps [requests](https://github.com/psf/requests) from 2.33.1 to 2.34.0.
- [Release notes](https://github.com/psf/requests/releases)
- [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md)
- [Commits](https://github.com/psf/requests/compare/v2.33.1...v2.34.0)

---
updated-dependencies:
- dependency-name: requests
  dependency-version: 2.34.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 install/requirements.txt | 6 +++---
 uv.lock                  | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/install/requirements.txt b/install/requirements.txt
index b976ecbf..91ee0e24 100644
--- a/install/requirements.txt
+++ b/install/requirements.txt
@@ -585,9 +585,9 @@ pyopenssl==26.2.0 \
     --hash=sha256:4f9d971bc5298b8bc1fab282803da04bf000c755d4ad9d99b52de2569ca19a70 \
     --hash=sha256:8c6fcecd1183a7fc897548dfe388b0cdb7f37e018200d8409cf33959dbe35387
     # via sigstore
-requests==2.32.5 \
-    --hash=sha256:2462f94637a34fd532264295e186976db0f5d453d1cdd31473c85a6a161affb6 \
-    --hash=sha256:dbba0bac56e100853db0ea71b82b4dfd5fe2bf6d3754a8893c3af500cec7d7cf
+requests==2.34.0 \
+    --hash=sha256:7d62fe92f50eb82c529b0916bb445afa1531a566fc8f35ffdc64446e771b856a \
+    --hash=sha256:917520a21b767485ce7c588f4ebb917c436b24a31231b44228715eaeb5a52c60
     # via sigstore
 rfc3161-client==1.0.6 \
     --hash=sha256:0b3920334f7334ec3bb9c319d53a5d08cd43b6883f75e2669cfd869cd264d53a \
diff --git a/uv.lock b/uv.lock
index cb5cc0a6..338fef1f 100644
--- a/uv.lock
+++ b/uv.lock
@@ -1538,7 +1538,7 @@ wheels = [
 
 [[package]]
 name = "requests"
-version = "2.33.1"
+version = "2.34.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "certifi" },
@@ -1546,9 +1546,9 @@ dependencies = [
     { name = "idna" },
     { name = "urllib3" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/5f/a4/98b9c7c6428a668bf7e42ebb7c79d576a1c3c1e3ae2d47e674b468388871/requests-2.33.1.tar.gz", hash = "sha256:18817f8c57c6263968bc123d237e3b8b08ac046f5456bd1e307ee8f4250d3517", size = 134120, upload-time = "2026-03-30T16:09:15.531Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/43/b8/7a707d60fea4c49094e40262cc0e2ca6c768cca21587e34d3f705afec47e/requests-2.34.0.tar.gz", hash = "sha256:7d62fe92f50eb82c529b0916bb445afa1531a566fc8f35ffdc64446e771b856a", size = 142436, upload-time = "2026-05-11T19:29:51.717Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/d7/8e/7540e8a2036f79a125c1d2ebadf69ed7901608859186c856fa0388ef4197/requests-2.33.1-py3-none-any.whl", hash = "sha256:4e6d1ef462f3626a1f0a0a9c42dd93c63bad33f9f1c1937509b8c5c8718ab56a", size = 64947, upload-time = "2026-03-30T16:09:13.83Z" },
+    { url = "https://files.pythonhosted.org/packages/ef/e6/e300fce5fe83c30520607a015dabd985df3251e188d234bfe9492e17a389/requests-2.34.0-py3-none-any.whl", hash = "sha256:917520a21b767485ce7c588f4ebb917c436b24a31231b44228715eaeb5a52c60", size = 73021, upload-time = "2026-05-11T19:29:49.923Z" },
 ]
 
 [[package]]

From 1a58ecbcc99bfe8ed2045c73cd004e0dcd7c32f4 Mon Sep 17 00:00:00 2001
From: Jussi Kukkonen <jkukkonen@google.com>
Date: Tue, 19 May 2026 16:40:24 +0300
Subject: [PATCH 2/3] Remove types-requests dependency

requests should now be annotated

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
---
 pyproject.toml |  1 -
 uv.lock        | 14 --------------
 2 files changed, 15 deletions(-)

diff --git a/pyproject.toml b/pyproject.toml
index e9b52ce7..012b1855 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -67,7 +67,6 @@ dev = [
   # NOTE(ww): ruff is under active development, so we pin conservatively here
   # and let Dependabot periodically perform this update.
   "ruff < 0.15.13",
-  "types-requests",
   "types-pyOpenSSL",
   "mkdocs-material[imaging]",
   "mkdocstrings-python",
diff --git a/uv.lock b/uv.lock
index 338fef1f..4e2f2adb 100644
--- a/uv.lock
+++ b/uv.lock
@@ -1668,7 +1668,6 @@ dev = [
     { name = "pytest-cov" },
     { name = "ruff" },
     { name = "types-pyopenssl" },
-    { name = "types-requests" },
 ]
 
 [package.metadata]
@@ -1703,7 +1702,6 @@ dev = [
     { name = "pytest-cov" },
     { name = "ruff", specifier = "<0.15.13" },
     { name = "types-pyopenssl" },
-    { name = "types-requests" },
 ]
 
 [[package]]
@@ -1862,18 +1860,6 @@ wheels = [
     { url = "https://files.pythonhosted.org/packages/98/05/c868a850b6fbb79c26f5f299b768ee0adc1f9816d3461dcf4287916f655b/types_pyOpenSSL-24.1.0.20240722-py3-none-any.whl", hash = "sha256:6a7a5d2ec042537934cfb4c9d4deb0e16c4c6250b09358df1f083682fe6fda54", size = 7499, upload-time = "2024-07-22T02:32:21.232Z" },
 ]
 
-[[package]]
-name = "types-requests"
-version = "2.33.0.20260503"
-source = { registry = "https://pypi.org/simple" }
-dependencies = [
-    { name = "urllib3" },
-]
-sdist = { url = "https://files.pythonhosted.org/packages/a1/b8/57e94268c0d82ac3eaa2fc35aa8ca7bbc2542f726b67dcf90b0b00a3b14d/types_requests-2.33.0.20260503.tar.gz", hash = "sha256:9721b2d9dbee7131f2fb39f20f0ebb1999c18cef4b512c9a7932f3722de7c5f4", size = 23931, upload-time = "2026-05-03T05:20:08.882Z" }
-wheels = [
-    { url = "https://files.pythonhosted.org/packages/c3/82/959113a6351f3ca046cd0a8cd2cee071d7ea47473560557a01eeae9a6fe2/types_requests-2.33.0.20260503-py3-none-any.whl", hash = "sha256:02aaa7e3577a13471715bb1bddb693cc985ea514f754b503bf033e6a09a3e528", size = 20736, upload-time = "2026-05-03T05:20:07.858Z" },
-]
-
 [[package]]
 name = "types-setuptools"
 version = "82.0.0.20260408"

From e80f825e74b038e002675050f82d0bc21fb11518 Mon Sep 17 00:00:00 2001
From: Jussi Kukkonen <jkukkonen@google.com>
Date: Tue, 19 May 2026 16:54:29 +0300
Subject: [PATCH 3/3] Add two lint skips

* requests.__version__ is not strictly speaking public
* pydantic datamodel does not match what Session.post() expects

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
---
 sigstore/_internal/__init__.py     | 2 +-
 sigstore/_internal/rekor/client.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/sigstore/_internal/__init__.py b/sigstore/_internal/__init__.py
index 31e5d8cc..24cc58eb 100644
--- a/sigstore/_internal/__init__.py
+++ b/sigstore/_internal/__init__.py
@@ -19,7 +19,7 @@
 subject to any stability guarantees.
 """
 
-from requests import __version__ as requests_version
+from requests import __version__ as requests_version  # type: ignore[attr-defined]
 
 from sigstore import __version__ as sigstore_version
 
diff --git a/sigstore/_internal/rekor/client.py b/sigstore/_internal/rekor/client.py
index 56e686fe..d01c6d50 100644
--- a/sigstore/_internal/rekor/client.py
+++ b/sigstore/_internal/rekor/client.py
@@ -181,7 +181,7 @@ def post(
         """
         data = {"entries": [expected_entry.model_dump(mode="json", by_alias=True)]}
 
-        resp: requests.Response = self.session.post(self.url, json=data)
+        resp: requests.Response = self.session.post(self.url, json=data)  # type: ignore[arg-type]
         try:
             resp.raise_for_status()
         except requests.HTTPError as http_error: