Skip to content

fix: bump dependencies and resolve security vulnerabilities (drop Python 3.8/3.9)#149

Closed
dianaKhortiuk-frontegg wants to merge 1 commit into
masterfrom
deps-security-bump
Closed

fix: bump dependencies and resolve security vulnerabilities (drop Python 3.8/3.9)#149
dianaKhortiuk-frontegg wants to merge 1 commit into
masterfrom
deps-security-bump

Conversation

@dianaKhortiuk-frontegg

Copy link
Copy Markdown
Collaborator

Summary

Regenerates poetry.lock and raises dependency floors so an OSV / pip-audit scan reports 0 known vulnerabilities across the full tree (main, extras, and dev). The Nov-2024 lockfile pinned many now-vulnerable versions (aiohttp 3.9.1, urllib3 1.26.18, certifi 2023.11.17, starlette 0.35.1, jinja2 3.1.3, werkzeug 3.0.1, …).

⚠️ Breaking change — Python 3.10+ required

The current (2026) security fixes for requests, aiohttp, starlette, and click require Python ≥ 3.10, and the patched cryptography / PyJWT releases dropped Python 3.8. Since Python 3.8 (EOL Oct 2024) and 3.9 (EOL Oct 2025) are both end-of-life, the minimum supported Python is raised to 3.10. This is a major release → version bumped to 4.0.0 (adjust to match your release process if needed).

Changes

Shipped dependencies (pyproject.toml):

package before after (locked)
requests ^2.28.2 ^2.33.0 → 2.34.2
aiohttp (extra) ^3.6.2 ^3.14.1 → 3.14.1
PyJWT ^2.6.0 ^2.10.1 → 2.13.0
cryptography >=42.0.5 >=44.0.1 → 49.0.0
flask (extra) ^2.0 ^3.1.3 → 3.1.3
urllib3 (trans.) 1.26.18 2.7.0
starlette (trans.) 0.35.1 1.3.1
certifi / idna / jinja2 / werkzeug / click 2026.6.17 / 3.18 / 3.1.6 / 3.1.8 / 8.4.2

Dev tooling — modernized for Python 3.10+ (the old versions don't install on 3.10+): pytest 5→9, flake8 3→7, autopep8 1→2, pydocstyle 5→6, pytest-flask 0.15→1.3, flask-cors 3→6, uvicorn 0.18→0.34; removed the deprecated/abandoned flake8-mypy.

Docs / meta: version 3.0.3 → 4.0.0, classifiers updated to 3.10–3.13, tox.ini envlist → py310-py313, README Breaking Changes + new Security section (disclosure to security@frontegg.com).

Verification

  • OSV/pip-audit: 0 vulnerabilities across the full poetry.lock (main + extras + dev).
  • Smoke test on Python 3.13: all shipped modules import and the Flask (3.1.3) and FastAPI (0.139 / starlette 1.3.1) Frontegg integrations instantiate cleanly under the new dependency set.

Note (pre-existing, out of scope)

tests/conftest.py on master imports frontegg.flask2.flask, a module that does not exist in the repo, so the existing suite fails to collect regardless of dependency versions. This is unrelated to this PR (verification was done via import/instantiation smoke tests instead) and is worth fixing separately. The vestigial Pipfile / Pipfile.lock (a different, unmanaged package set, referenced only by .gitignore) were left untouched and could be removed in a follow-up.

🤖 Generated with Claude Code

BREAKING CHANGE: drop Python 3.8 and 3.9 support; Python 3.10+ is now required.

Regenerate poetry.lock so an OSV/pip-audit scan reports 0 known
vulnerabilities across the full dependency tree (main, extras, and dev).

The 2026 security fixes for several dependencies (requests, aiohttp,
starlette, click) require Python >=3.10, and the patched cryptography /
PyJWT releases dropped Python 3.8. Since Python 3.8 (EOL 2024-10) and 3.9
(EOL 2025-10) are both end-of-life, the minimum supported Python is
raised to 3.10.

Shipped dependencies:
- requests ^2.28.2 -> ^2.33.0
- aiohttp (extra) ^3.6.2 -> ^3.14.1
- PyJWT ^2.6.0 -> ^2.10.1
- cryptography >=42.0.5 -> >=44.0.1
- flask (extra) ^2.0 -> ^3.1.3
- transitive: urllib3 2.7.0, starlette 1.3.1, certifi 2026.6.17,
  idna 3.18, jinja2 3.1.6, werkzeug 3.1.8, click 8.4.2 (all patched)

Dev tooling modernized for Python 3.10+ (pytest 9, flake8 7, autopep8 2,
pydocstyle 6, pytest-flask 1.3, flask-cors 6, uvicorn 0.34) and the
deprecated flake8-mypy removed.

Bump version to 4.0.0 and add a README Security section (responsible
disclosure to security@frontegg.com).

Verified: shipped modules import and the Flask/FastAPI integrations
instantiate cleanly on Python 3.13 under the new dependency set.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@dianaKhortiuk-frontegg

Copy link
Copy Markdown
Collaborator Author

Superseded by #150, rebased onto the frontegg/4.0.0 release branch to match the repo's release convention. Same changes.

@dianaKhortiuk-frontegg dianaKhortiuk-frontegg deleted the deps-security-bump branch July 14, 2026 11:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant