Skip to content

Security: bump deps, retire EOL Pythons, add Python 3.14#56

Merged
ahothan merged 4 commits into
masterfrom
sec-update
May 3, 2026
Merged

Security: bump deps, retire EOL Pythons, add Python 3.14#56
ahothan merged 4 commits into
masterfrom
sec-update

Conversation

@ahothan

@ahothan ahothan commented May 3, 2026

Copy link
Copy Markdown
Contributor

No source code, API, or wire-format changes.

  • CVE fixes & CI hardening (488b587): pin setuptools>=78.1.1
    (CVE-2024-6345, CVE-2025-47273) and zipp>=3.19.1 (CVE-2024-5569);
    raise pytest/pylint/pytest-cov minimums; upgrade all GitHub
    Actions v3 → v4/v5; pin pypa/gh-action-pypi-publish to an
    immutable tag.
  • Retire EOL Pythons (797f84c): drop 3.6–3.9 (all past
    end-of-life); add python_requires>=3.10; trim tox envlist, CI
    matrix, and wheel targets to 3.10–3.13.
  • Add Python 3.14 (ff98528): extend support to Python 3.14
    (stable since Oct 2025) across tox, CI, wheel builds, PyPI
    classifiers, and README.

ahothan and others added 4 commits May 3, 2026 09:02
Dependencies (transitive, pinned at minimum-safe versions):
  * setuptools>=78.1.1 in requirements.txt -- closes CVE-2024-6345
    (RCE in PackageIndex.download) and CVE-2025-47273 (path traversal
    in PackageIndex). Affects build-time only.
  * zipp>=3.19.1 in test-requirements.txt -- closes CVE-2024-5569
    (infinite-loop DoS in zipp.Path).

Test tools (raise minimum versions to currently-supported lines and
shed years of vulnerable transitives):
  * pytest >=2.7.2 -> >=8.0.0
  * pylint >=1.7.1 -> >=3.0.0
  * pytest-cov >=2.9 -> >=5.0.0

GitHub Actions (move off EOL Node 16 runtimes; v3 of upload/download-
artifact was disabled by GitHub on 2025-01-30):
  * actions/checkout@v3 -> v4 (both workflows)
  * actions/setup-python@v3 -> v5 (tox.yml)
  * actions/upload-artifact@v3 -> v4 (python-publish.yml) with the
    unique-name-per-matrix-entry change v4 requires
  * actions/download-artifact@v3 -> v4 (python-publish.yml) with
    pattern + merge-multiple to re-aggregate the renamed artifacts
    back into dist/
  * pypa/cibuildwheel@v2.15.0 -> v2.21.3 (adds Python 3.13 wheels and
    ~18 months of CI hardening)

Supply-chain hardening:
  * pypa/gh-action-pypi-publish: replace the moving release/v1 tag
    with the immutable v1.10.3 tag for the action that holds PyPI
    publish authority for this project.

No source code (Python or C extension) changes; no API or wire-format
changes. Only dependency floors and CI/release configuration.

Co-authored-by: Cursor <cursoragent@cursor.com>
As of May 2026, Python 3.6 (EOL 2021-12), 3.7 (EOL 2023-06), 3.8
(EOL 2024-10), and 3.9 (EOL 2025-10) no longer receive upstream
security patches. Continuing to advertise support and ship wheels
for those versions exposes downstream consumers to unpatched
interpreter CVEs and forces this project to remain on aging,
vulnerable transitive deps.

Supported Python versions are now 3.10, 3.11, 3.12, and 3.13.

Changes:
  * setup.cfg: add python_requires = >=3.10 so that pip on EOL
    interpreters refuses install with a clear error rather than
    pulling an incompatible wheel; classifiers reduced to 3.10-3.13.
  * tox.ini: envlist trimmed to py310, py311, py312, py313, lint.
  * .github/workflows/tox.yml: CI matrix trimmed to 3.10-3.13.
  * .github/workflows/python-publish.yml: explicit
    CIBW_BUILD="cp310-* cp311-* cp312-* cp313-*" so that
    cibuildwheel does not produce wheels for unsupported Pythons
    on release.

This is a breaking change for users still on Python <3.10 and
should be released as a new minor version (e.g. 0.11.0).

Co-authored-by: Cursor <cursoragent@cursor.com>
Python 3.14 (released October 2025) is now a fully supported stable
release. Add it to the tox envlist, CI test matrix, wheel build targets
(CIBW_BUILD), and PyPI classifiers. Update README to list the supported
versions explicitly (3.10–3.14) and replace stale Python 3.6.8 example
output with current tooling versions.

Co-authored-by: Cursor <cursoragent@cursor.com>
- overgeneral-exceptions: 'Exception' -> 'builtins.Exception' to
  satisfy the fully-qualified name requirement introduced in pylint 3.x.
- Add max-positional-arguments=7 (new R0917 check in pylint 3.x, default
  is 5) to align with the existing max-args=12 policy; covers
  HdrHistogram.__init__ (7 positional incl. self) and check_zz_identity
  (6 positional).

Co-authored-by: Cursor <cursoragent@cursor.com>
@ahothan ahothan merged commit b22cc13 into master May 3, 2026
6 checks passed
@ahothan ahothan deleted the sec-update branch June 9, 2026 13:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant