tscheburaschka

@nateprewitt, can you maybe take a look at this PR before the next release? We would really appreciate this bugfix included in the next available version of requests. Thank you.

Hello, I would like to add to the topic of this issue. As far as I can see, the hierarchy of proxy-settings applied to the final request is not consistent...

After thinking a bit more about it, I guess the problem arises in `Session.merge_environment_settings()` [here](https://github.com/psf/requests/blob/8c211a96cdbe9fe320d63d9e1ae15c5c07e179f8/requests/sessions.py#L701). The proxy-settings from environment are merged into proxy-settings from kwargs before session properties are merged....

Concerning the documentation, I read the section [Proxies](https://github.com/psf/requests/blob/master/docs/user/advanced.rst#proxies) as if the environment configuration is "overridden" by settings in Python code, and the examples shown suggest the hierarchy I indicated above.

I am also hit by this upper boundary on the selenium version. Is there a particular reason for this?

In our company this feature would offer a major speedup of the renovate workflow that aims to periodically upgrade all dependencies of a project. Since the feature is now offered...

Hi, we also have this issue hitting us. The problem here is not that the normal usage of botocore would not trigger this vulnerability, but that in many deployment pipelines...