
Upgrade dependencies to fix CVEs, add support for Python 3.14 and 3.15 #819

Open
Pierre-Sassoulas wants to merge 5 commits into master from chore/dep-cves-and-py3.15

Conversation

@Pierre-Sassoulas

Member

Fix Dependabot security alerts by upgrading locked dev dependencies with `poetry update urllib3 cryptography starlette filelock requests pytest`. Python 3.9 keeps older fallback pins (the latest releases dropped 3.9 support), but all locked versions are free of known advisories (checked against OSV). Dropping Python 3.9 would probably be a good idea at this point.

Also add Python 3.14 and 3.15-dev to the CI matrix.

Update urllib3, cryptography, starlette, filelock, requests and pytest
to versions without known advisories (verified against OSV). Python 3.9
keeps older-but-clean fallback pins since the latest releases dropped
support for it.

Python 3.14 was already in the tox envlist but missing from the CI
matrix and trove classifiers. Python 3.15 is still in development, so
its job is allowed to fail and only tests the latest pytest/gherkin.

The dev lock now installs pytest 9 on Python 3.10+, and pytest 9 uses
`match` statements, which mypy rejects as invalid syntax when told to
analyze for 3.9. Let mypy default to the running interpreter instead:
each CI job then checks with the pytest version locked for that
interpreter, and the 3.9 job still checks 3.9 syntax.
@codecov

codecov Bot commented Jul 2, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 96.10%. Comparing base (439e595) to head (444b497).

Additional details and impacted files
@@           Coverage Diff           @@
##           master     #819   +/-   ##
=======================================
  Coverage   96.10%   96.10%           
=======================================
  Files          55       55           
  Lines        2390     2390           
  Branches      136      136           
=======================================
  Hits         2297     2297           
  Misses         56       56           
  Partials       37       37           


On 3.15-dev, `poetry install` fails because watchfiles (pulled in by
sphinx-autobuild) does not build against a Python newer than what its
pyo3 version supports. The existing ignore flags only covered the
typecheck and test steps, so mark the whole job as continue-on-error
for pythons where failures are tolerated.

sphinx-autobuild pulls in watchfiles, whose pinned pyo3 does not build
on pre-release pythons (max supported: 3.14). The docs tooling is not
needed by the CI test jobs, so restrict it to python < 3.15.

Verified locally on 3.15.0b1: `poetry install --only=dev`, the
py3.15-pytestlatest tox env (138 passed, 1 skipped) and `tox -e mypy`
all succeed.
@Pierre-Sassoulas Pierre-Sassoulas marked this pull request as ready for review July 2, 2026 21:33
@Pierre-Sassoulas Pierre-Sassoulas requested a review from youtux July 2, 2026 21:33
@Pierre-Sassoulas

Member Author

@youtux I upgraded the pipeline to fix the CVEs Dependabot warned about
