Drop support for Python 3.9 (EOL since October 2025) #821
Pierre-Sassoulas wants to merge 5 commits into
Python 3.9 is end-of-life since October 2025, and it kept vulnerable fallback pins in poetry.lock: the patched releases of urllib3, cryptography, starlette, filelock, requests and pytest all require Python >= 3.10, so 15 of the 16 dependabot alerts could not be resolved while the lock still had to solve for 3.9.

Changes:
- requires-python >= 3.10, drop the 3.9 trove classifier
- remove 3.9 from the CI matrix and the tox envlist
- re-lock: every dependency now has a single, patched version
- bump ruff target-version to py310 and apply the new lint fixes (Callable from collections.abc, Literal from typing, zip(strict=True))
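The mechanism the description relies on is worth seeing in a lock file: Poetry keeps one `[[package]]` entry per resolved version, and when an old interpreter forces an older release it gates that entry with a `python_version` marker. The script below is an added example for this discussion, not code from the project; it parses a poetry.lock with `tomllib` (Python 3.11+, falling back to `tomli`) and reports packages resolved to more than one version plus the entries that exist only for interpreters below a chosen floor. The lock text is constructed, modelled on the iniconfig entry in the diff, and the `min_python` floor of 3.10 is the PR's new requires-python.

```python
"""Report duplicate and interpreter-gated package entries in a poetry.lock.

Added example for this PR discussion, not code from the project. Requires
tomllib (Python 3.11+) or the tomli backport.
"""
import re
from collections import defaultdict

try:
    import tomllib  # Python 3.11+
except ImportError:  # pragma: no cover
    import tomli as tomllib  # type: ignore

# Constructed sample lock, modelled on the iniconfig entry in the diff.
# File lists are left empty; only name, version and markers matter here.
SAMPLE_LOCK = r'''
[[package]]
name = "iniconfig"
version = "2.1.0"
python-versions = ">=3.8"
markers = "python_version == \"3.9\""
files = []

[[package]]
name = "iniconfig"
version = "2.3.0"
python-versions = ">=3.10"
markers = "python_version >= \"3.10\""
files = []

[[package]]
name = "requests"
version = "2.33.0"
python-versions = ">=3.10"
files = []
'''

# Interpreter-version markers that keep an entry only for old Pythons.
OLD_PYTHON_MARKER = re.compile(r'python_version\s*(<=|==|<)\s*"(\d+)\.(\d+)"')


def duplicate_entries(lock_text: str) -> dict[str, list[tuple[str, str]]]:
    """Map package name -> [(version, markers), ...] for multi-entry packages."""
    by_name: dict[str, list[tuple[str, str]]] = defaultdict(list)
    for pkg in tomllib.loads(lock_text).get("package", []):
        by_name[pkg["name"]].append((pkg["version"], pkg.get("markers", "")))
    return {name: entries for name, entries in by_name.items() if len(entries) > 1}


def stale_entries(lock_text: str, min_python: tuple[int, int] = (3, 10)) -> list[tuple[str, str, str]]:
    """Entries whose marker selects them only for interpreters below min_python.

    They never install on a supported interpreter, but scanners still read
    them from the lock, and they block a re-solve to a patched version.
    """
    stale = []
    for pkg in tomllib.loads(lock_text).get("package", []):
        m = OLD_PYTHON_MARKER.search(pkg.get("markers", ""))
        if not m:
            continue
        op, gated = m.group(1), (int(m.group(2)), int(m.group(3)))
        only_old = (op in ("==", "<=") and gated < min_python) or (op == "<" and gated <= min_python)
        if only_old:
            stale.append((pkg["name"], pkg["version"], pkg["markers"]))
    return stale


if __name__ == "__main__":
    for name, entries in duplicate_entries(SAMPLE_LOCK).items():
        print(name, entries)
    for name, version, markers in stale_entries(SAMPLE_LOCK):
        print(f"stale fallback pin: {name}=={version} ({markers})")
```

Run it against a real poetry.lock by reading the file into `lock_text`; an empty result from `stale_entries` after a re-lock is the check that the "single, patched version" claim holds for every dependency, not just the ones dependabot flagged.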
Merge the two overlapping envlist rows: the only reason for the split is that pytest 7.0-7.2 do not support python 3.12+. Env coverage is unchanged (verified with `tox -l` before/after). The pytest8.2 and pytest8.3 factors had no matching pin in the deps section, so those envs silently installed the latest pytest and just duplicated pytestlatest. Pin them, and add a pytest9.0 factor now that pytest 9 is out.
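The failure mode in this commit message, a factor listed in envlist with no matching line under deps, is easy to miss by eye because tox does not warn about it. The script below is an added example for this discussion, not the project's tox.ini or tooling: it expands tox brace notation, collects the factor conditions under `deps`, and lists factors with a given prefix that have no condition at all. The tox.ini text is constructed; the `pytest8.2` factor is left unpinned on purpose to reproduce the described case.

```python
"""Flag tox factors that appear in envlist but have no deps condition.

Added example for this PR discussion, not the project's tox.ini. A factor
such as pytest8.2 with no `pytest8.2:` line under deps installs whatever
pip resolves, so the env silently duplicates pytestlatest.
"""
import configparser
import itertools
import re

# Constructed tox.ini: pytest8.2 is deliberately missing from deps.
SAMPLE_TOX_INI = """
[tox]
envlist = py{310,311}-pytest{8.1,8.2,latest}

[testenv]
deps =
    pytest8.1: pytest>=8.1,<8.2
    pytestlatest: pytest
commands = pytest {posargs}
"""

BRACE = re.compile(r"\{([^{}]*)\}")
# "factor(-factor)*: requirement"; URL-style requirements do not match.
FACTOR_DEP = re.compile(r"^([\w.!-]+)\s*:\s*(.+)$")


def split_envlist(spec: str) -> list[str]:
    """Split an envlist on commas/whitespace, ignoring separators inside braces."""
    items, buf, depth = [], "", 0
    for ch in spec:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        if depth == 0 and ch in ", \n\t":
            if buf:
                items.append(buf)
            buf = ""
        else:
            buf += ch
    if buf:
        items.append(buf)
    return items


def expand_envlist(spec: str) -> list[str]:
    """Expand brace notation: py{310,311}-pytest{8.1,latest} -> four env names."""
    envs = []
    for item in split_envlist(spec):
        # re.split with a capture group alternates literal, group, literal, ...
        parts = BRACE.split(item)
        choices = [p.split(",") if i % 2 else [p] for i, p in enumerate(parts)]
        envs.extend("".join(combo) for combo in itertools.product(*choices))
    return envs


def unpinned_factors(ini_text: str, prefix: str = "pytest") -> list[str]:
    """Factors starting with `prefix` used in envlist but never conditioned in deps."""
    cp = configparser.ConfigParser(interpolation=None)  # keep {posargs} literal
    cp.read_string(ini_text)
    used = {f for env in expand_envlist(cp["tox"]["envlist"])
            for f in env.split("-") if f.startswith(prefix)}
    pinned = set()
    for line in cp["testenv"]["deps"].splitlines():
        m = FACTOR_DEP.match(line.strip())
        if m:
            # A compound condition (py310-pytest8.1) is treated as pinning each factor.
            pinned.update(m.group(1).split("-"))
    return sorted(used - pinned)


if __name__ == "__main__":
    print("envs:", expand_envlist(SAMPLE_TOX_INI.split("envlist =")[1].split("\n")[0]))
    print("unpinned factors:", unpinned_factors(SAMPLE_TOX_INI))
```

Comparing the output of `expand_envlist` before and after an envlist rewrite is the same coverage check the commit message describes doing with `tox -l`, and `unpinned_factors` is the check that would have caught the pytest8.2 and pytest8.3 factors before they shipped.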
Available there since Python 3.10, which is now the minimum supported version. typing-extensions remains a dependency for NotRequired and Self, which need Python 3.11.
force-pushed from 0972af1 to 51962a2
| [[package]] | ||
| name = "iniconfig" | ||
| version = "2.1.0" | ||
| description = "brain-dead simple config-ini parsing" | ||
| optional = false | ||
| python-versions = ">=3.8" | ||
| groups = ["main", "dev"] | ||
| markers = "python_version == \"3.9\"" | ||
| files = [ | ||
| {file = "iniconfig-2.1.0-py3-none-any.whl", hash = "sha256:9deba5723312380e77435581c6bf4935c94cbfab9b1ed33ef8d238ea168eb760"}, | ||
| {file = "iniconfig-2.1.0.tar.gz", hash = "sha256:3abbd2e30b36733fee78f9c7f7308f2d0050e88f0087fd25c2645f63c773e1c7"}, | ||
| ] | ||
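Review bot: the removed entry is the 3.9-only fallback (`markers = "python_version == \"3.9\""`), but the retained iniconfig 2.3.0 entry mentioned in the discussion is outside this hunk; confirm in the full diff that it no longer carries a `python_version` marker (a leftover `>= "3.10"` marker would be redundant once requires-python is 3.10) and that its `files` hashes are the ones published for 2.3.0, since a re-lock rewrites hashes with no review-visible signal. A lock consistency check in CI (`poetry check --lock` on recent Poetry) would also catch pyproject/lock drift the next time the Python floor changes.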
There were two entries for some values (as you can see, there's an iniconfig entry for 2.3.0 below); this is why there's a lot of removal.

@youtux the only way to fix the CVE was to drop python 3.9, or it's impossible to upgrade (urllib 2.6.3 does not support python 3.9, for example)
Codecov Report
All modified and coverable lines are covered by tests.

@@ Coverage Diff @@
##           master     #821      +/-   ##
==========================================
- Coverage   96.12%   96.08%   -0.05%
==========================================
  Files          55       55
  Lines        2398     2398
  Branches      136      136
==========================================
- Hits         2305     2304       -1
- Misses         56       57       +1
  Partials       37       37
Co-authored-by: 🇺🇦 Sviatoslav Sydorenko (Святослав Сидоренко) <wk.cvs.github@sydorenko.org.ua>
force-pushed from 1dee2a7 to 131f4cb
Would also need a setting change to not require the python 3.9 job anymore

Integrate alls-green instead?

I added 3.14 and removed 3.9 in the required job; I don't know about alls-green, it could be a separate MR.
The remaining 15 dependabot alerts could not be resolved while poetry.lock still solved for 3.9: every patched release (urllib3 2.7.0, cryptography 49.0.0, starlette 1.3.1, pytest 9.0.3, filelock 3.20.3, requests 2.33.0) requires Python >= 3.10, so the lock kept vulnerable 3.9 fallback pins. Follow-up to #819.
Also bumps ruff to `target-version = py310` and applies the new lint fixes.