Drop support for Python 3.9 (EOL since October 2025)#821

Open
Pierre-Sassoulas wants to merge 5 commits into master from chore/dep-cves-and-py3.15

@Pierre-Sassoulas

Member

The remaining 15 dependabot alerts could not be resolved while poetry.lock still solved for 3.9: every patched release (urllib3 2.7.0, cryptography 49.0.0, starlette 1.3.1, pytest 9.0.3, filelock 3.20.3, requests 2.33.0) requires Python >= 3.10, so the lock kept vulnerable 3.9 fallback pins. Follow-up to #819.

Also bumps ruff to target-version = py310 and applies the new lint fixes.

@Pierre-Sassoulas Pierre-Sassoulas added internal Internal work dependencies Pull requests that update a dependency file labels Jul 3, 2026
Python 3.9 is end-of-life since October 2025, and it kept vulnerable
fallback pins in poetry.lock: the patched releases of urllib3,
cryptography, starlette, filelock, requests and pytest all require
Python >= 3.10, so 15 of the 16 dependabot alerts could not be resolved
while the lock still had to solve for 3.9.

Changes:
- requires-python >= 3.10, drop the 3.9 trove classifier
- remove 3.9 from the CI matrix and the tox envlist
- re-lock: every dependency now has a single, patched version
- bump ruff target-version to py310 and apply the new lint fixes
  (Callable from collections.abc, Literal from typing, zip(strict=True))

Merge the two overlapping envlist rows: the only reason for the split
is that pytest 7.0-7.2 do not support python 3.12+. Env coverage is
unchanged (verified with `tox -l` before/after).

The pytest8.2 and pytest8.3 factors had no matching pin in the deps
section, so those envs silently installed the latest pytest and just
duplicated pytestlatest. Pin them, and add a pytest9.0 factor now that
pytest 9 is out.

Available there since Python 3.10, which is now the minimum supported
version. typing-extensions remains a dependency for NotRequired and
Self, which need Python 3.11.
@Pierre-Sassoulas Pierre-Sassoulas force-pushed the chore/dep-cves-and-py3.15 branch from 0972af1 to 51962a2 Compare July 3, 2026 05:50
Comment thread poetry.lock
Comment on lines -929 to -941
[[package]]
name = "iniconfig"
version = "2.1.0"
description = "brain-dead simple config-ini parsing"
optional = false
python-versions = ">=3.8"
groups = ["main", "dev"]
markers = "python_version == \"3.9\""
files = [
{file = "iniconfig-2.1.0-py3-none-any.whl", hash = "sha256:9deba5723312380e77435581c6bf4935c94cbfab9b1ed33ef8d238ea168eb760"},
{file = "iniconfig-2.1.0.tar.gz", hash = "sha256:3abbd2e30b36733fee78f9c7f7308f2d0050e88f0087fd25c2645f63c773e1c7"},
]
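
Review bot: the removed iniconfig 2.1.0 entry is gated by `markers = "python_version == \"3.9\""` and belongs to both the `main` and `dev` groups, so its deletion is only correct if it comes from a re-lock against the new `requires-python` floor and not from a manual edit. Worth confirming that the remaining iniconfig entry no longer carries a complementary `python_version` marker, and that no other entry in the file still has a `python_version == "3.9"` marker, since any such leftover would be a pin that no supported interpreter resolves.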

Member Author

There were two entries for some values (as you can see, there's an iniconfig entry for 2.3.0 below); this is why there are a lot of removals.
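
The situation described in the PR description and in the review comment above (one package locked twice, with the older version gated on Python 3.9) can be checked mechanically. The following is an added example, not code from the PR or the project: it reads text in poetry.lock layout and lists the pins that are selected only for interpreters below the supported floor. The sample lock text, `examplepkg`, the marker on the 2.3.0 entry and both function names are constructed for illustration.

```python
import re
from collections import defaultdict

try:
    import tomllib  # standard library since Python 3.11
except ImportError:  # Python 3.10: needs the tomli backport
    import tomli as tomllib

# Constructed sample in poetry.lock layout (file hashes omitted); not the real lock.
SAMPLE_LOCK = r'''
[[package]]
name = "iniconfig"
version = "2.1.0"
markers = "python_version == \"3.9\""

[[package]]
name = "iniconfig"
version = "2.3.0"
markers = "python_version >= \"3.10\""

[[package]]
name = "examplepkg"
version = "1.0.0"
'''

# Simplified: only the upper-bound forms ==, <= and < are recognised.
UPPER_BOUND = re.compile(r'python_version\s*(==|<=|<)\s*"(\d+)\.(\d+)"')


def split_pins(lock_text):
    """Return {name: [(version, markers), ...]} for packages locked more than once."""
    by_name = defaultdict(list)
    for pkg in tomllib.loads(lock_text).get("package", []):
        # str() also covers lock files that store markers as a per-group table.
        by_name[pkg["name"]].append((pkg["version"], str(pkg.get("markers", ""))))
    return {name: pins for name, pins in by_name.items() if len(pins) > 1}


def fallback_pins(lock_text, min_supported=(3, 10)):
    """List (name, version) pins whose marker only selects Pythons below min_supported."""
    found = []
    for name, pins in split_pins(lock_text).items():
        for version, markers in pins:
            match = UPPER_BOUND.search(markers)
            if not match:
                continue
            op, bound = match.group(1), (int(match.group(2)), int(match.group(3)))
            # "< X" excludes X itself, so X == min_supported is still below the floor.
            if bound < min_supported or (op == "<" and bound == min_supported):
                found.append((name, version))
    return found
```

Run against a real lock file with `fallback_pins(open("poetry.lock").read())`; an empty list after the re-lock means no entry is reserved for an interpreter the project no longer supports.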

@Pierre-Sassoulas

Member Author

@youtux the only way to fix the CVE was to drop python 3.9, or it's impossible to upgrade (urllib 2.6.3 does not support python 3.9 for example)

@codecov

codecov Bot commented Jul 3, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 96.08%. Comparing base (9201cd6) to head (131f4cb).

Additional details and impacted files
@@            Coverage Diff             @@
##           master     #821      +/-   ##
==========================================
- Coverage   96.12%   96.08%   -0.05%     
==========================================
  Files          55       55              
  Lines        2398     2398              
  Branches      136      136              
==========================================
- Hits         2305     2304       -1     
- Misses         56       57       +1     
  Partials       37       37              

Comment thread pyproject.toml Outdated
Co-authored-by: 🇺🇦 Sviatoslav Sydorenko (Святослав Сидоренко) <wk.cvs.github@sydorenko.org.ua>
@Pierre-Sassoulas Pierre-Sassoulas force-pushed the chore/dep-cves-and-py3.15 branch from 1dee2a7 to 131f4cb Compare July 3, 2026 09:29
@Pierre-Sassoulas

Member Author

Would also need a setting change to not require the python 3.9 job anymore

@webknjaz

webknjaz commented Jul 3, 2026

Member

> Would also need a setting change to not require the python 3.9 job anymore

Integrate alls-green instead?

@Pierre-Sassoulas

Member Author

I added 3.14 and removed 3.9 in required job, I don't know about all green, could be a separate MR.
