Release 1.0.0: remove support for Python 3.6, 3.7; fix linting errors #5

Merged: richdawe-cio merged 22 commits into main from cdp-6173, Jun 25, 2026

@richdawe-cio richdawe-cio commented Jun 17, 2026

Collaborator

Changes:

  • Remove support for Python 3.6 and 3.7. We need to use a version of requests later than 2.32.0, because there are important security fixes. requests changelog
  • Bump version to 1.0.0, since removing support for Python versions is a breaking change.
  • Fix pylint errors: missing __init__.py, import ordering, exception handling
    • Add customerio/__init__.py so pylint can resolve the package hierarchy.
    • Fix raise-missing-from, return-in-finally, and import ordering warnings.
    • Fix RuntimeError formatting bug where %-placeholders were not interpolated.
  • Easier local dev experience using mise and venvs.
  • Split linting out of tests.
  • Fail CI on linting errors.

Note

Medium Risk
Breaking change for users on Python 3.6/3.7 and a major version bump; dependency floor changes install behavior, though application logic changes are small.

Overview
Major release 1.0.0 drops Python 3.6/3.7 (python_requires>=3.8) and raises requests to >=2.32.4 (and related pins) for security fixes. Version is bumped in .bumpversion.cfg and version.py.

CI and local dev are reworked: a dedicated Lint workflow runs make lint-ci; tests no longer run pylint/flake8. The test matrix covers 3.8–3.14 with fail-fast: false, and GitHub Actions use checkout/setup-python v6. mise (.mise.toml) and .venv in .gitignore support local workflows; Makefile adds lint, lint-ci, and clean.

Small runtime fixes: oversized-message RuntimeError in client.py uses correct formatting; consumer.py returns upload success outside finally; request.py chains ValueError when building APIError. README doc URLs are updated.

Reviewed by Cursor Bugbot for commit ddc5d6a. Bugbot is set up for automated code reviews on this repo. Configure here.
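
The three pylint-driven fixes named in the description (unformatted `RuntimeError`, return-in-finally, raise-missing-from), shown before and after as an added Python example. This is not code from this repository: the function names, the `APIError` stand-in and the sample values are assumptions.

```python
# Added illustration: hypothetical names and constructed values,
# not code from customerio/analytics.

class APIError(Exception):
    """Stand-in for the client's error type (assumption)."""

def oversized_before(limit_kb, size):
    # Extra arguments land in .args; the %-placeholders are never filled in.
    return RuntimeError("Message exceeds %skb limit (%s bytes)", limit_kb, size)

def oversized_after(limit_kb, size):
    return RuntimeError("Message exceeds %skb limit (%s bytes)" % (limit_kb, size))

def upload_before(send):
    success = False
    try:
        send()
        success = True
    finally:
        return success  # return-in-finally: any in-flight exception is discarded

def upload_after(send):
    success = False
    try:
        send()
        success = True
    except ConnectionError:
        pass  # expected transport failure is reported as "not uploaded"
    return success  # unexpected exceptions now reach the caller

def parse_status(raw):
    try:
        return int(raw)
    except ValueError as exc:
        # raise-missing-from: "from exc" keeps the original error as __cause__
        raise APIError("bad status %r" % (raw,)) from exc

def failing_send():
    # Constructed failure that is not a network error.
    raise KeyError("bug in caller")

if __name__ == "__main__":
    print(oversized_before(32, 40000))   # placeholders left as-is
    print(oversized_after(32, 40000))
    print(upload_before(failing_send))   # KeyError silently lost
```

The return-in-finally case matters most for operations: the pre-fix shape turns every failure, including programming errors, into a quiet `False`, so nothing reaches logs or alerting.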

@richdawe-cio richdawe-cio marked this pull request as draft June 17, 2026 12:32
Comment thread .github/workflows/test.yml Outdated
socket-security Bot commented Jun 17, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

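| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
| Added | pypi/pylint@3.3.3 | 74 | 100 | 100 | 100 | 70 |
| Added | pypi/mock@2.0.0 | 95 | 100 | 100 | 100 | 100 |
| Added | pypi/flake8@3.7.9 | 98 | 100 | 100 | 100 | 100 |
| Added | pypi/python-dateutil@2.8.2 | 100 | 100 | 100 | 100 | 100 |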

socket-security Bot commented Jun 17, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert
Warn High
License policy violation: pypi enum34 under BSD-3-Clause

Location: Package overview

From: ? → pypi/flake8@3.7.9 → pypi/enum34@1.1.10

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/enum34@1.1.10. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: pypi mock

Location: Package overview

From: requirements.txt → pypi/mock@2.0.0

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/mock@2.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: pypi pylint

Location: Package overview

From: requirements.txt → pypi/pylint@3.3.3

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/pylint@3.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: pypi python-dateutil under BSD-3-Clause

Location: Package overview

From: requirements.txt → pypi/python-dateutil@2.8.2

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/python-dateutil@2.8.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

@richdawe-cio richdawe-cio changed the title from "Cdp 6173" to "Bump version to 0.1.0; modernize development environment" Jun 22, 2026
@richdawe-cio richdawe-cio marked this pull request as ready for review June 22, 2026 13:23
fail-fast: false
matrix:
python-version: [3.7, 3.8, 3.9]
python-version: [ "3.8", "3.9", "3.10", "3.11", "3.12", "3.13", "3.14" ]

Seems like 3.8 & 3.9 are also EOL (https://endoflife.date/python); should we remove those as well?

Collaborator Author

I think I would keep these for now, since they are still available in GitHub runners.

Comment thread .mise.toml Outdated
Comment thread setup.py Outdated
Comment thread customerio/analytics/version.py
Comment thread Makefile
.PHONY: install test
clean:
rm -rf .venv
mise deps
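
Review bot: `clean` runs `mise deps` straight after `rm -rf .venv`, so a target named clean finishes by invoking a setup command, and nothing on these lines says why. Add a comment on the target stating what `mise deps` is expected to do here, or move that step into its own target so `make clean` only removes state.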

Clean target wrong mise command

Medium Severity

The new clean target removes .venv then runs mise deps, but this project’s .mise.toml only configures a Python venv and tasks—no mise deps providers. That command does not recreate the venv or reinstall pip install -e '.[test]', so make clean leaves local dev without the environment the PR documents.

Reviewed by Cursor Bugbot for commit c761e31. Configure here.

Collaborator Author

mise deps does actually recreate the venv. That's why I included it in this make target.

Comment thread setup.py Outdated
Comment thread .github/workflows/lint.yml Outdated
@richdawe-cio richdawe-cio changed the title from "Bump version to 0.1.0; modernize development environment" to "Bump version to 1.0.0; modernize development environment" Jun 25, 2026

@cursor cursor Bot left a comment

Cursor Bugbot has reviewed your changes and found 2 potential issues.

There are 3 total unresolved issues (including 1 from previous review).

Reviewed by Cursor Bugbot for commit 7673d4e. Configure here.

Comment thread Makefile
flake8 --max-complexity=10 --statistics --exit-zero customerio/analytics

lint-ci:
pylint --rcfile=.pylintrc --exit-zero --fail-on=E customerio/analytics
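
Review bot: the `lint-ci` pylint line passes both `--exit-zero` and `--fail-on=E`, and nothing on the visible lines says which of the two is meant to decide the exit status. Since this target is the CI gate, add a comment stating the intended behaviour (fail only on E-level messages) and the pylint version it was checked against, or drop `--exit-zero` from this line so the gate does not rest on how the two options interact.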

Pylint CI never fails

Medium Severity

The new lint-ci target passes both --exit-zero and --fail-on=E to pylint. --exit-zero forces a zero exit status even when errors are reported, so the Lint workflow can pass while pylint reports E-level issues, undermining the split lint CI gate.

Reviewed by Cursor Bugbot for commit 7673d4e. Configure here.

Collaborator Author

--fail-on=E seems to take precedence over --exit-zero, as seen in this failed lint run: https://github.com/customerio/cdp-analytics-python/actions/runs/28161429326/job/83402638737

Comment thread Makefile
.PHONY: install test
lint:
pylint --rcfile=.pylintrc --reports=y --exit-zero customerio/analytics
flake8 --max-complexity=10 --statistics --exit-zero customerio/analytics
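
Review bot: the `.PHONY: install test` line shown above `lint:` does not name `lint`, so a file or directory called `lint` in the repository root would make `make lint` report the target as up to date and run nothing. Unless they are declared phony elsewhere in the Makefile, add the new non-file targets to `.PHONY`.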

Invalid flake8 exit-zero flag

Medium Severity

The local lint target adds --exit-zero to the flake8 command. Flake8 3.7.x does not define that option (unlike pylint), so flake8 typically exits with an unrecognized-argument error and make lint / mise run lint fails before reporting style issues.

Reviewed by Cursor Bugbot for commit 7673d4e. Configure here.

@richdawe-cio richdawe-cio Jun 25, 2026

Collaborator Author

Back in reality, this does not happen, and the command completes successfully with flake8 3.7.9.

richdawe-cio and others added 2 commits June 25, 2026 10:58
…ndling

Add customerio/__init__.py so pylint can resolve the package hierarchy.
Fix raise-missing-from, return-in-finally, and import ordering warnings.
Fix RuntimeError formatting bug where %-placeholders were not interpolated.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@richdawe-cio richdawe-cio changed the title from "Bump version to 1.0.0; modernize development environment" to "Release 1.0.0: remove support for Python 3.6, 3.7; fix linting errors" Jun 25, 2026
Comment thread .mise.toml

[settings]
python.uv_venv_auto = false
python.venv_stdlib = true

Collaborator Author

Prefer using venv over uv, and ensure that pip is installed in the venv.

@richdawe-cio richdawe-cio merged commit dccaa90 into main Jun 25, 2026
11 checks passed
@richdawe-cio richdawe-cio deleted the cdp-6173 branch June 25, 2026 10:23