Remove types-requests dependency

[horgh]

requests 2.34.0 ships inline type annotations, replacing the typeshed stubs. The types-requests PyPI page recommends uninstalling when on requests 2.34.0 or newer.

[gemini-code-assist]

Code Review

This pull request removes the types-requests dependency from the linting group in pyproject.toml and updates the uv.lock file. A review comment identifies a potential issue where removing these type stubs without bumping the minimum requests version to 2.34.0 (the version where inline types were introduced) could lead to static analysis failures in environments using older versions of the library.

[gemini-code-assist]

Removing types-requests from the lint group relies on requests providing its own type annotations, which started in version 2.34.0. However, the project.dependencies section (line 12) still specifies requests>=2.24.0. This discrepancy can lead to static analysis failures in environments where an older version of requests is installed, as no type information will be available. The minimum version of requests should be bumped to 2.34.0 to maintain type safety.

[horgh]

From Claude:

  My read: Gemini has a point, but it's narrower than it sounds.

  - For this project's own mypy run: uv.lock pins requests==2.34.0, so CI and uv run mypy will always see the inline types. No risk here.
  - For downstream consumers importing minfraud: types-requests was in the lint dependency-group, which is dev-only. Downstream users never got those stubs via minfraud — they
  had to install types-requests themselves if they wanted typed requests. So removing the dev-only stub doesn't change anything about what downstream users see; their mypy
  behavior over import requests was already governed by whatever requests version they have. Gemini's framing implies downstream regression but there isn't one.
  - The only real-world scenario where this bites is: someone editing this repo who bypasses uv.lock and ends up with requests<2.34.0. Unlikely, and easily fixed by re-locking.