Skip to content

[python] require Python >= 3.10 and restore full dependency floors#24280

Open
johanneswuerbach wants to merge 1 commit into
OpenAPITools:masterfrom
johanneswuerbach:python-require-3.10-restore-floors
Open

[python] require Python >= 3.10 and restore full dependency floors#24280
johanneswuerbach wants to merge 1 commit into
OpenAPITools:masterfrom
johanneswuerbach:python-require-3.10-restore-floors

Conversation

@johanneswuerbach

@johanneswuerbach johanneswuerbach commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Follow-up to #24186 — raise requires-python to >=3.10 and restore the full dependency floors

#24186 raised the generated Python client dependency floors above known-vulnerable ranges, but had to lower three of them to keep the generated clients installable under the declared requires-python:

package #24186 shipped fully-patched floor
urllib3 >= 2.6.3, < 3.0.0 >= 2.7.0, < 3.0.0
aiohttp >= 3.13.5 >= 3.14.1
pytest (dev) >= 8.4.2 >= 9.0.3

The safest patched releases of these packages are published only for Python ≥ 3.10, so at requires-python = ">=3.9" the resolver would still be free to pick vulnerable versions on 3.9. That left the newest advisories uncleared at the declaration level:

What this PR does

  1. Raises requires-python from >=3.9 to >=3.10 in the Python generator templates. This aligns the PEP-621 [project] metadata with the poetry (python = "^3.10") and setup.py (PYTHON_REQUIRES = ">= 3.10") declarations, which already dropped 3.9 in Drop python 3.9 and support python 3.14 in python generator #22926 — the PEP-621 requires-python line was the one spot left at >=3.9.
  2. Restores the higher floors (urllib3 >= 2.7.0, aiohttp >= 3.14.1, pytest >= 9.0.3) so the declared ranges fully exclude the vulnerable versions for every supported interpreter.

With the minimum interpreter at 3.10, the restored floors resolve cleanly and the declared ranges no longer admit any of the advisory-affected releases.

Breaking change

Dropping Python 3.9 support from the generated clients is intentional and is the mechanism by which the floors can be raised. Generated-client consumers still on 3.9 would need to stay on an older generator version.

Samples

Regenerated the affected Python client samples (python, python-aiohttp, python-httpx, python-httpx-sync, python-lazyImports, python-echo-api, and the disallowAdditionalPropertiesIfNotPresent echo variant) — the same set touched by #24186. The diff is limited to the floor lines and the requires-python line.


Summary by cubic

Raise Python requirement for generated Python clients to >=3.10 and restore secure floors for urllib3, aiohttp, and pytest. This aligns PEP-621 metadata with poetry/setup.py and prevents installs from picking vulnerable versions.

  • Dependencies

    • urllib3 >= 2.7.0, < 3.0.0
    • aiohttp >= 3.14.1
    • pytest >= 9.0.3 (dev)
  • Migration

    • Python 3.9 is no longer supported. Pin to an older generator if you must support 3.9.

Written for commit 56efc73. Summary will update on new commits.

Review in cubic

Follow-up to OpenAPITools#24186, which raised the generated Python client dependency
floors above known-vulnerable ranges but had to lower urllib3 to 2.6.3,
aiohttp to 3.13.5 and pytest to 8.4.2 to stay installable under the
PEP-621 requires-python >=3.9 declaration. The safest patched releases of
those packages ship only for Python >= 3.10, so the newest advisories were
left uncleared at the declaration level.

This raises requires-python to >=3.10 (aligning the PEP-621 metadata with
the poetry/setup.py declarations, which already dropped 3.9) and restores
the higher floors so the declared ranges fully exclude the vulnerable
versions:

  urllib3 >= 2.7.0, < 3.0.0  (clears GHSA-mf9v-mfxr-j63j, GHSA-qccp-gfcp-xxvc)
  aiohttp >= 3.14.1          (clears the aiohttp <=3.14.0 advisory batch)
  pytest  >= 9.0.3           (dev; clears GHSA-6w46-j5rx-g56g / CVE-2025-71176)

Dropping Python 3.9 is a deliberate breaking change. Samples regenerated.

Signed-off-by: Johannes Würbach <johannes.wuerbach@googlemail.com>

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 28 files

Re-trigger cubic

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant