Security: bump deps, retire EOL Pythons, add Python 3.14#56
Merged
Conversation
Dependencies (transitive, pinned at minimum-safe versions): * setuptools>=78.1.1 in requirements.txt -- closes CVE-2024-6345 (RCE in PackageIndex.download) and CVE-2025-47273 (path traversal in PackageIndex). Affects build-time only. * zipp>=3.19.1 in test-requirements.txt -- closes CVE-2024-5569 (infinite-loop DoS in zipp.Path). Test tools (raise minimum versions to currently-supported lines and shed years of vulnerable transitives): * pytest >=2.7.2 -> >=8.0.0 * pylint >=1.7.1 -> >=3.0.0 * pytest-cov >=2.9 -> >=5.0.0 GitHub Actions (move off EOL Node 16 runtimes; v3 of upload/download- artifact was disabled by GitHub on 2025-01-30): * actions/checkout@v3 -> v4 (both workflows) * actions/setup-python@v3 -> v5 (tox.yml) * actions/upload-artifact@v3 -> v4 (python-publish.yml) with the unique-name-per-matrix-entry change v4 requires * actions/download-artifact@v3 -> v4 (python-publish.yml) with pattern + merge-multiple to re-aggregate the renamed artifacts back into dist/ * pypa/cibuildwheel@v2.15.0 -> v2.21.3 (adds Python 3.13 wheels and ~18 months of CI hardening) Supply-chain hardening: * pypa/gh-action-pypi-publish: replace the moving release/v1 tag with the immutable v1.10.3 tag for the action that holds PyPI publish authority for this project. No source code (Python or C extension) changes; no API or wire-format changes. Only dependency floors and CI/release configuration. Co-authored-by: Cursor <cursoragent@cursor.com>
As of May 2026, Python 3.6 (EOL 2021-12), 3.7 (EOL 2023-06), 3.8
(EOL 2024-10), and 3.9 (EOL 2025-10) no longer receive upstream
security patches. Continuing to advertise support and ship wheels
for those versions exposes downstream consumers to unpatched
interpreter CVEs and forces this project to remain on aging,
vulnerable transitive deps.
Supported Python versions are now 3.10, 3.11, 3.12, and 3.13.
Changes:
* setup.cfg: add python_requires = >=3.10 so that pip on EOL
interpreters refuses install with a clear error rather than
pulling an incompatible wheel; classifiers reduced to 3.10-3.13.
* tox.ini: envlist trimmed to py310, py311, py312, py313, lint.
* .github/workflows/tox.yml: CI matrix trimmed to 3.10-3.13.
* .github/workflows/python-publish.yml: explicit
CIBW_BUILD="cp310-* cp311-* cp312-* cp313-*" so that
cibuildwheel does not produce wheels for unsupported Pythons
on release.
This is a breaking change for users still on Python <3.10 and
should be released as a new minor version (e.g. 0.11.0).
Co-authored-by: Cursor <cursoragent@cursor.com>
Python 3.14 (released October 2025) is now a fully supported stable release. Add it to the tox envlist, CI test matrix, wheel build targets (CIBW_BUILD), and PyPI classifiers. Update README to list the supported versions explicitly (3.10–3.14) and replace stale Python 3.6.8 example output with current tooling versions. Co-authored-by: Cursor <cursoragent@cursor.com>
- overgeneral-exceptions: 'Exception' -> 'builtins.Exception' to satisfy the fully-qualified name requirement introduced in pylint 3.x. - Add max-positional-arguments=7 (new R0917 check in pylint 3.x, default is 5) to align with the existing max-args=12 policy; covers HdrHistogram.__init__ (7 positional incl. self) and check_zz_identity (6 positional). Co-authored-by: Cursor <cursoragent@cursor.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No source code, API, or wire-format changes.
488b587): pinsetuptools>=78.1.1(CVE-2024-6345, CVE-2025-47273) and
zipp>=3.19.1(CVE-2024-5569);raise
pytest/pylint/pytest-covminimums; upgrade all GitHubActions v3 → v4/v5; pin
pypa/gh-action-pypi-publishto animmutable tag.
797f84c): drop 3.6–3.9 (all pastend-of-life); add
python_requires>=3.10; trim tox envlist, CImatrix, and wheel targets to 3.10–3.13.
ff98528): extend support to Python 3.14(stable since Oct 2025) across tox, CI, wheel builds, PyPI
classifiers, and README.