fix: bump dependencies and resolve security vulnerabilities (drop Python 3.8/3.9)#149
Closed
dianaKhortiuk-frontegg wants to merge 1 commit into
Closed
fix: bump dependencies and resolve security vulnerabilities (drop Python 3.8/3.9)#149dianaKhortiuk-frontegg wants to merge 1 commit into
dianaKhortiuk-frontegg wants to merge 1 commit into
Conversation
BREAKING CHANGE: drop Python 3.8 and 3.9 support; Python 3.10+ is now required. Regenerate poetry.lock so an OSV/pip-audit scan reports 0 known vulnerabilities across the full dependency tree (main, extras, and dev). The 2026 security fixes for several dependencies (requests, aiohttp, starlette, click) require Python >=3.10, and the patched cryptography / PyJWT releases dropped Python 3.8. Since Python 3.8 (EOL 2024-10) and 3.9 (EOL 2025-10) are both end-of-life, the minimum supported Python is raised to 3.10. Shipped dependencies: - requests ^2.28.2 -> ^2.33.0 - aiohttp (extra) ^3.6.2 -> ^3.14.1 - PyJWT ^2.6.0 -> ^2.10.1 - cryptography >=42.0.5 -> >=44.0.1 - flask (extra) ^2.0 -> ^3.1.3 - transitive: urllib3 2.7.0, starlette 1.3.1, certifi 2026.6.17, idna 3.18, jinja2 3.1.6, werkzeug 3.1.8, click 8.4.2 (all patched) Dev tooling modernized for Python 3.10+ (pytest 9, flake8 7, autopep8 2, pydocstyle 6, pytest-flask 1.3, flask-cors 6, uvicorn 0.34) and the deprecated flake8-mypy removed. Bump version to 4.0.0 and add a README Security section (responsible disclosure to security@frontegg.com). Verified: shipped modules import and the Flask/FastAPI integrations instantiate cleanly on Python 3.13 under the new dependency set. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Collaborator
Author
|
Superseded by #150, rebased onto the |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Regenerates
poetry.lockand raises dependency floors so an OSV / pip-audit scan reports 0 known vulnerabilities across the full tree (main, extras, and dev). The Nov-2024 lockfile pinned many now-vulnerable versions (aiohttp 3.9.1, urllib3 1.26.18, certifi 2023.11.17, starlette 0.35.1, jinja2 3.1.3, werkzeug 3.0.1, …).The current (2026) security fixes for
requests,aiohttp,starlette, andclickrequire Python ≥ 3.10, and the patchedcryptography/PyJWTreleases dropped Python 3.8. Since Python 3.8 (EOL Oct 2024) and 3.9 (EOL Oct 2025) are both end-of-life, the minimum supported Python is raised to 3.10. This is a major release → version bumped to 4.0.0 (adjust to match your release process if needed).Changes
Shipped dependencies (
pyproject.toml):2.34.23.14.12.13.049.0.03.1.32.7.01.3.12026.6.17 / 3.18 / 3.1.6 / 3.1.8 / 8.4.2Dev tooling — modernized for Python 3.10+ (the old versions don't install on 3.10+):
pytest 5→9,flake8 3→7,autopep8 1→2,pydocstyle 5→6,pytest-flask 0.15→1.3,flask-cors 3→6,uvicorn 0.18→0.34; removed the deprecated/abandonedflake8-mypy.Docs / meta: version
3.0.3 → 4.0.0, classifiers updated to 3.10–3.13,tox.inienvlist →py310-py313, README Breaking Changes + new Security section (disclosure to security@frontegg.com).Verification
poetry.lock(main + extras + dev).Fronteggintegrations instantiate cleanly under the new dependency set.Note (pre-existing, out of scope)
tests/conftest.pyonmasterimportsfrontegg.flask2.flask, a module that does not exist in the repo, so the existing suite fails to collect regardless of dependency versions. This is unrelated to this PR (verification was done via import/instantiation smoke tests instead) and is worth fixing separately. The vestigialPipfile/Pipfile.lock(a different, unmanaged package set, referenced only by.gitignore) were left untouched and could be removed in a follow-up.🤖 Generated with Claude Code