psf/requests

Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.

61 of your 68 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

Scan timing: clone 2.82s · analysis 4.57s · 4.5 MB · GitHub API rate-limit (preflight)

https://github.com/psf/requests · scanned 2026-06-04 21:59 UTC (1 week, 1 day ago) · 10 languages

164 raw signals (68 security + 96 graph) 76th percentile · Python · small (2-20K LoC) System graph score 90 (lower by 11)

File as issue Image

UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 1 week, 1 day ago · v2 · 76 actionable findings from 2 signal sources. 15 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON

77.8% cov · 36 findings

Score breakdown â 2026-05-18-v5

Component	Sub-score	Weight	Contribution
`structure_score`	100.0	0.15	15.00
`security_score`	60.9	0.25	15.22
`testing_score`	100.0	0.20	20.00
`documentation_score`	80.0	0.15	12.00
`practices_score`	74.0	0.15	11.10
`code_quality`	60.0	0.10	6.00
Overall		1.00	79.3

Severity distribution — click a segment to filter

Active filters: excluding tests × Reset all

Severity: Critical 1 High 2 Medium 6 Low 28 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 40 System graph 36 Crowd 0 Layer: Security 3 Software 26 Quality 44 Api 1 Frontend 1 Cicd 1

Exclude dismissed / FP Exclude test files

Scan summary Quality grade B+ (79/100). Dimensions: security 61, maintainability 100. 68 findings (7 security). 12,000 lines analyzed.

Showing 36 of 76 actionable findings. 91 raw detector signals were grouped into reader-sized issues. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

high Security checks quality Quality conf 1.00 ✓ Repobility Missing import: `string` used but not imported

The file uses `string.something(...)` but never imports `string`. This raises NameError at runtime the first time the line executes.

src/requests/_internal_utils.py:34

high Security checks software dependencies conf 0.90 ✓ Repobility 2 occurrences pre-commit hook `https://github.com/pre-commit/pre-commit-hooks` pinned to mutable rev `v6.0.0`

`.pre-commit-config.yaml` references `https://github.com/pre-commit/pre-commit-hooks` at `rev: v6.0.0`. If `{rev}` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine.

lines 4, 15

.pre-commit-config.yaml:4, 15 (2 hits)

medium Security checks security auth conf 0.92 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.

The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.

medium Security checks software dependencies conf 0.90 Python package `Sphinx` is 2 major version(s) behind (7.2.6 -> 9.1.0)

`Sphinx==7.2.6` is 2 major version(s) behind the latest stable release on PyPI (9.1.0). Pinned-but-stale Python dependencies drift away from upstream security and bugfix releases. This is the version-currency signal Dependabot raises.

docs/requirements.txt:3

medium Security checks software dependencies conf 0.90 ✓ Repobility 3 occurrences requirements.txt: `pytest-cov` has no version pin

Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.

lines 3, 6, 7

requirements-dev.txt:3, 6, 7 (3 hits)

medium System graph cicd CI/CD security conf 1.00 GitHub Actions workflow grants broad write permissions

CI tokens with write permissions increase blast radius when an action, dependency, or PR workflow is compromised. Prefer job-level least-privilege permissions.

.github/workflows/publish.yml CI/CD securitySupply chainGithub actions

medium System graph security security conf 1.00 Insecure pattern 'weak_hash' in src/requests/auth.py:170

Found a known-risky pattern (weak_hash). Review and replace if possible.

src/requests/auth.py:170 Weak hash

medium System graph quality Integrity conf 1.00 Network/subprocess call without timeout or try/except — src/requests/__init__.py:14

`requests.get(...)` here lacks both a `timeout=` arg and an enclosing try/except. This is exactly the class of bug that took down our git-clone earlier (HTTP/2 stream cancel surfaced as a fatal). Add a `timeout=` and wrap in try/except, or use a wrapper that retries.

runtime safetyRobustness

low System graph software Dead code candidate conf 1.00 File has no detected symbols: docs/conf.py

Source file with no class/function declarations — possible config, dead code, or scratch file.

low System graph software Dead code candidate conf 1.00 File has no detected symbols: setup.py

Source file with no class/function declarations — possible config, dead code, or scratch file.

low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/requests/__version__.py

Source file with no class/function declarations — possible config, dead code, or scratch file.

low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/requests/certs.py

Source file with no class/function declarations — possible config, dead code, or scratch file.

low System graph software Dead code candidate conf 1.00 File has no detected symbols: src/requests/packages.py

Source file with no class/function declarations — possible config, dead code, or scratch file.

low System graph quality Integrity conf 1.00 8 occurrences Near-duplicate function bodies in 2 places

Functions with the same first-5-line body hash: src/requests/adapters.py:send, src/requests/adapters.py:send This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). Consolidate or document why they're separate.

8 occurrences

repo-level (8 hits)

duplicatesduplication

low System graph quality Integrity conf 1.00 6 occurrences Near-duplicate function bodies in 3 places

Functions with the same first-5-line body hash: src/requests/cookies.py:cookiejar_from_dict, src/requests/cookies.py:cookiejar_from_dict, src/requests/cookies.py:cookiejar_from_dict This is *the* AI-coder failure mode (4× more duplication in vibe-coded repos — see https://jw.hn/ai-code-hygiene). C…

6 occurrences

repo-level (6 hits)

duplicatesduplication

low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `environ_copy` in tests/test_utils.py:967

Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.

old markerDead code

low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `test_cookie_policy_copy` in tests/test_requests.py:1409

Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.

old markerDead code

low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `test_copy` in tests/test_structures.py:37

Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.

old markerDead code

low System graph software Dead code conf 1.00 Possibly dead Python function: add_header