Skip to content

version 4.0.0 - bump dependencies and drop Python 3.8/3.9 (security)#150

Open
dianaKhortiuk-frontegg wants to merge 2 commits into
masterfrom
frontegg/4.0.0
Open

version 4.0.0 - bump dependencies and drop Python 3.8/3.9 (security)#150
dianaKhortiuk-frontegg wants to merge 2 commits into
masterfrom
frontegg/4.0.0

Conversation

@dianaKhortiuk-frontegg

Copy link
Copy Markdown
Collaborator

version 4.0.0

Security-driven dependency refresh. Regenerates poetry.lock so an OSV / pip-audit scan reports 0 known vulnerabilities across the full tree (main, extras, and dev). The Nov-2024 lockfile pinned many now-vulnerable versions (aiohttp 3.9.1, urllib3 1.26.18, certifi 2023.11.17, starlette 0.35.1, jinja2 3.1.3, werkzeug 3.0.1, …).

⚠️ Breaking change — Python 3.10+ required (major bump)

The 2026 security fixes for requests, aiohttp, starlette, and click require Python ≥ 3.10, and the patched cryptography / PyJWT releases dropped Python 3.8. Since Python 3.8 (EOL Oct 2024) and 3.9 (EOL Oct 2025) are both end-of-life, the minimum supported Python is raised to 3.10. Consistent with 3.0.0, which dropped Python 3.7 → this is 4.0.0.

Changes

Shipped dependencies (pyproject.toml):

package before after (locked)
requests ^2.28.2 ^2.33.0 → 2.34.2
aiohttp (extra) ^3.6.2 ^3.14.1 → 3.14.1
PyJWT ^2.6.0 ^2.10.1 → 2.13.0
cryptography >=42.0.5 >=44.0.1 → 49.0.0
flask (extra) ^2.0 ^3.1.3 → 3.1.3
urllib3 (trans.) 1.26.18 2.7.0
starlette (trans.) 0.35.1 1.3.1
certifi / idna / jinja2 / werkzeug / click 2026.6.17 / 3.18 / 3.1.6 / 3.1.8 / 8.4.2

Dev tooling — modernized for Python 3.10+ (old versions don't install on 3.10+): pytest 5→9, flake8 3→7, autopep8 1→2, pydocstyle 5→6, pytest-flask 0.15→1.3, flask-cors 3→6, uvicorn 0.18→0.34; removed the deprecated flake8-mypy.

Docs / meta: version 3.0.3 → 4.0.0, classifiers → 3.10–3.13, tox.inipy310-py313, README Breaking Changes + Security section (disclosure to security@frontegg.com).

Verification

  • OSV/pip-audit: 0 vulnerabilities across the full poetry.lock.
  • Smoke test on Python 3.13: all shipped modules import and the Flask (3.1.3) and FastAPI (0.139 / starlette 1.3.1) Frontegg integrations instantiate cleanly.

Note (pre-existing, out of scope)

tests/conftest.py on master imports frontegg.flask2.flask, a module that doesn't exist in the repo, so the suite fails to collect regardless of deps (verification was done via smoke tests). The vestigial Pipfile / Pipfile.lock (a different, unmanaged package set, referenced only by .gitignore) were left untouched — candidates for a follow-up cleanup.

🤖 Generated with Claude Code

Raise the minimum Python to 3.10 (3.8 EOL 2024-10, 3.9 EOL 2025-10) and
regenerate poetry.lock so an OSV/pip-audit scan reports 0 known
vulnerabilities across the full dependency tree (main, extras, and dev).

The 2026 security fixes for requests/aiohttp/starlette/click require
Python >=3.10, and the patched cryptography/PyJWT releases dropped 3.8.

Shipped dependencies:
- requests ^2.28.2 -> ^2.33.0
- aiohttp (extra) ^3.6.2 -> ^3.14.1
- PyJWT ^2.6.0 -> ^2.10.1
- cryptography >=42.0.5 -> >=44.0.1
- flask (extra) ^2.0 -> ^3.1.3
- transitive: urllib3 2.7.0, starlette 1.3.1, certifi 2026.6.17,
  idna 3.18, jinja2 3.1.6, werkzeug 3.1.8, click 8.4.2 (all patched)

Dev tooling modernized for Python 3.10+ (pytest 9, flake8 7, autopep8 2,
pydocstyle 6, pytest-flask 1.3, flask-cors 6, uvicorn 0.34) and the
deprecated flake8-mypy removed.

Add a README Security section (disclosure to security@frontegg.com).

Verified: shipped modules import and the Flask/FastAPI integrations
instantiate cleanly on Python 3.13 under the new dependency set.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@dianaKhortiuk-frontegg

Copy link
Copy Markdown
Collaborator Author

Folded in the test-suite repair from #151 (the broken frontegg.flask2 conftest import + obsolete proxy tests, replaced with network-free tests against the current frontegg.flask API). #151 is now closed as superseded — this PR is the single consolidated 4.0.0 change. Verified: 5 tests pass, OSV audit 0 vulnerabilities, Flask/FastAPI smoke test clean.

Bring the comprehensive test suite from #148 into the 4.0.0 release:
26 unit test files plus 3 e2e files (Flask/FastAPI secure access and a
credential-gated live vendor-auth suite). The conftest mints real RS256
JWTs and fakes the vendor-token HTTP call so tests never hit the network.

- Verified against the 4.0.0 dependency set: passes on Python 3.13 /
  pytest 9 / Flask 3 / FastAPI + starlette 1.x / cryptography 49 / PyJWT
  2.13 -> 162 passed, 31 skipped (live vendor auth, needs credentials).
- Add fakeredis dev dependency (required by test_redis_cache_manager).
- Remove the obsolete proxy-era tests (test_functional.py,
  test_integration.py, and the send_audits VCR cassette) that exercised
  the proxy middleware removed in v2.0.0.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@dianaKhortiuk-frontegg

Copy link
Copy Markdown
Collaborator Author

Also folded in the comprehensive test suite from #148 (26 unit files + 3 e2e files: Flask/FastAPI secure access + a credential-gated live-vendor-auth suite; conftest mints real RS256 JWTs and fakes the vendor-token HTTP call). Adapted to the 4.0.0 stack and verified: 162 passed, 31 skipped (live vendor auth needs credentials), 0 failures, on Python 3.13 / pytest 9 / Flask 3 / FastAPI+starlette 1.x / cryptography 49 / PyJWT 2.13. Added fakeredis as a dev dependency and removed the obsolete proxy-era tests. OSV audit remains 0 vulnerabilities. #148 will be closed as superseded — this PR is now the single consolidated 4.0.0 change (deps + security + full test suite).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants