External Libraries: Update Requests library to version 2.0.17

[rodrigosprimo]

WordPress currently bundles Requests 2.0.11 (updated in #60838 for WP 6.6). The latest version is ​2.0.17, released in December 2025.

The most notable changes between 2.0.11 and 2.0.17 are PHP 8.5 compatibility fixes in ​2.0.16.

This update is related to #64634 (updating PHPCompatibilityWP to 3.0.0-alpha2). Some of the PHP compatibility violations surfaced by that update in the Requests library were already fixed upstream in ​Requests#988 (included in 2.0.16). Updating the bundled copy would resolve those violations without needing temporary exclusions in phpcompat.xml.dist.

Release notes for each version:

• ​2.0.12 - Certificate bundle update.
• ​2.0.13 - Certificate bundle update.
• ​2.0.14 - Certificate bundle update. Confirmed PHP 8.4 compatibility.
• ​2.0.15 - Certificate bundle update.
• ​2.0.16 - PHP 8.5 compatibility fixes (see above).
• ​2.0.17 - Certificate bundle update.

Full diff: ​https://github.com/WordPress/Requests/compare/v2.0.11...v2.0.17

My understanding from previous updates is that the certificate bundle updates included in these releases can be skipped, as WordPress manages its own certificate bundle independently from Requests (see #62812).

Previous: #33055, #47746, #49922, #53101, #53334, #54504, #58079, #59322, #59842, #60838.

The most notable changes are PHP 8.5 compatibility fixes in version 2.0.16. Other releases between 2.0.11 and 2.0.17 contain only certificate bundle updates, which are skipped as WordPress manages its own certificate bundle (see #62812).

I basically downloaded the Requests package from GitHub and manually copied its contents to src/wp-includes/Requests, ignoring the library/ directory, which appears to have been modified by WP Core to handle backward compatibility differently from upstream. I'm not sure if there is a better way to handle the Requests update. While doing it, I also had to manually ensure that the __wakeup() methods in Hooks.php, Iri.php, and Session.php added in https://core.trac.wordpress.org/changeset/56835 as security hardening are preserved in this update (related upstream ticket: ​https://github.com/WordPress/Requests/issues/949).

References:

• ​Requests 2.0.12 release notes
• ​Requests 2.0.13 release notes
• ​Requests 2.0.14 release notes
• ​Requests 2.0.15 release notes
• ​Requests 2.0.16 release notes
• ​Requests 2.0.17 release notes
• ​Full list of changes since 2.0.11

Trac ticket: https://core.trac.wordpress.org/ticket/64752

[desrosj]

Thanks @rodrigosprimo!

Given that these releases primarily include PHP 8.5 compatibility fixes and bundled root certificate updates, which we don't bundle from Requests and maintain separately (see #64245), I think this is update worth considering for 7.0.

[SergeyBiryukov]

In 61769:

External Libraries: Update the Requests library to version 2.0.17.

The most notable changes are PHP 8.5 compatibility fixes in version 2.0.16. Other releases between 2.0.11 and 2.0.17 contain only certificate bundle updates, which are skipped as WordPress manages its own certificate bundle (#62812).

References:

• ​Requests 2.0.17 release notes
• ​Requests 2.0.16 release notes
• ​Requests 2.0.15 release notes
• ​Requests 2.0.14 release notes
• ​Requests 2.0.13 release notes
• ​Requests 2.0.12 release notes
• ​Full list of changes from Requests 2.0.11 to 2.0.17

Follow-up to [54997], [55629], [56554], [56835], [57086], [57876].

Props rodrigosprimo, desrosj.
Fixes #64752.

[audrasjb]

We'll need to mention this in the Field Guide.