version 4.0.0 - bump dependencies and drop Python 3.8/3.9 (security)#150
version 4.0.0 - bump dependencies and drop Python 3.8/3.9 (security)#150dianaKhortiuk-frontegg wants to merge 2 commits into
Conversation
Raise the minimum Python to 3.10 (3.8 EOL 2024-10, 3.9 EOL 2025-10) and regenerate poetry.lock so an OSV/pip-audit scan reports 0 known vulnerabilities across the full dependency tree (main, extras, and dev). The 2026 security fixes for requests/aiohttp/starlette/click require Python >=3.10, and the patched cryptography/PyJWT releases dropped 3.8. Shipped dependencies: - requests ^2.28.2 -> ^2.33.0 - aiohttp (extra) ^3.6.2 -> ^3.14.1 - PyJWT ^2.6.0 -> ^2.10.1 - cryptography >=42.0.5 -> >=44.0.1 - flask (extra) ^2.0 -> ^3.1.3 - transitive: urllib3 2.7.0, starlette 1.3.1, certifi 2026.6.17, idna 3.18, jinja2 3.1.6, werkzeug 3.1.8, click 8.4.2 (all patched) Dev tooling modernized for Python 3.10+ (pytest 9, flake8 7, autopep8 2, pydocstyle 6, pytest-flask 1.3, flask-cors 6, uvicorn 0.34) and the deprecated flake8-mypy removed. Add a README Security section (disclosure to security@frontegg.com). Verified: shipped modules import and the Flask/FastAPI integrations instantiate cleanly on Python 3.13 under the new dependency set. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
6a8b705 to
aff114a
Compare
|
Folded in the test-suite repair from #151 (the broken |
Bring the comprehensive test suite from #148 into the 4.0.0 release: 26 unit test files plus 3 e2e files (Flask/FastAPI secure access and a credential-gated live vendor-auth suite). The conftest mints real RS256 JWTs and fakes the vendor-token HTTP call so tests never hit the network. - Verified against the 4.0.0 dependency set: passes on Python 3.13 / pytest 9 / Flask 3 / FastAPI + starlette 1.x / cryptography 49 / PyJWT 2.13 -> 162 passed, 31 skipped (live vendor auth, needs credentials). - Add fakeredis dev dependency (required by test_redis_cache_manager). - Remove the obsolete proxy-era tests (test_functional.py, test_integration.py, and the send_audits VCR cassette) that exercised the proxy middleware removed in v2.0.0. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
9f96811 to
653c57f
Compare
|
Also folded in the comprehensive test suite from #148 (26 unit files + 3 e2e files: Flask/FastAPI secure access + a credential-gated live-vendor-auth suite; conftest mints real RS256 JWTs and fakes the vendor-token HTTP call). Adapted to the 4.0.0 stack and verified: 162 passed, 31 skipped (live vendor auth needs credentials), 0 failures, on Python 3.13 / pytest 9 / Flask 3 / FastAPI+starlette 1.x / cryptography 49 / PyJWT 2.13. Added |
version 4.0.0
Security-driven dependency refresh. Regenerates
poetry.lockso an OSV / pip-audit scan reports 0 known vulnerabilities across the full tree (main, extras, and dev). The Nov-2024 lockfile pinned many now-vulnerable versions (aiohttp 3.9.1, urllib3 1.26.18, certifi 2023.11.17, starlette 0.35.1, jinja2 3.1.3, werkzeug 3.0.1, …).The 2026 security fixes for
requests,aiohttp,starlette, andclickrequire Python ≥ 3.10, and the patchedcryptography/PyJWTreleases dropped Python 3.8. Since Python 3.8 (EOL Oct 2024) and 3.9 (EOL Oct 2025) are both end-of-life, the minimum supported Python is raised to 3.10. Consistent with3.0.0, which dropped Python 3.7 → this is 4.0.0.Changes
Shipped dependencies (
pyproject.toml):2.34.23.14.12.13.049.0.03.1.32.7.01.3.12026.6.17 / 3.18 / 3.1.6 / 3.1.8 / 8.4.2Dev tooling — modernized for Python 3.10+ (old versions don't install on 3.10+):
pytest 5→9,flake8 3→7,autopep8 1→2,pydocstyle 5→6,pytest-flask 0.15→1.3,flask-cors 3→6,uvicorn 0.18→0.34; removed the deprecatedflake8-mypy.Docs / meta: version
3.0.3 → 4.0.0, classifiers → 3.10–3.13,tox.ini→py310-py313, README Breaking Changes + Security section (disclosure to security@frontegg.com).Verification
poetry.lock.Fronteggintegrations instantiate cleanly.Note (pre-existing, out of scope)
tests/conftest.pyonmasterimportsfrontegg.flask2.flask, a module that doesn't exist in the repo, so the suite fails to collect regardless of deps (verification was done via smoke tests). The vestigialPipfile/Pipfile.lock(a different, unmanaged package set, referenced only by.gitignore) were left untouched — candidates for a follow-up cleanup.🤖 Generated with Claude Code