Patch dependency CVEs, drop Python 3.9, add Python 3.10–3.14 support (#608)

andystaples · web-flow · commit 2c4746d979c1 · 2026-06-24T11:53:43.000-06:00
* Bump aiohttp, requests, pytest to patch dependabot CVEs
* Bump Python minimum to 3.10, test and add support for 3.14
* Bump test deps for 3.14 compatibility
* Bump pytest-asyncio to cleanup 3.14 test warnings
diff --git a/.github/workflows/durable_python_action.yml b/.github/workflows/durable_python_action.yml
@@ -12,10 +12,10 @@ jobs:
 
     steps:
     - uses: actions/checkout@v1
-    - name: Set up Python 3.9.x
+    - name: Set up Python 3.10.x
       uses: actions/setup-python@v1
       with:
-        python-version: 3.9.x
+        python-version: 3.10.x
     - name: Install dependencies
       run: |
         python -m pip install --upgrade pip
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
@@ -17,18 +17,24 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          # Fallback path: on Python 3.9 the SDK's df_dumps / df_loads cannot
-          # be installed (azure-functions 2.x requires >=3.13 and the 1.26.0
-          # line requires >=3.10), so this leg exercises the legacy
-          # serialization fallback in df_serialization.
-          - python-version: "3.9"
+          # Floor version. Pin an older azure-functions (< 1.26.0) that
+          # predates the centralized df_dumps / df_loads serializers so this
+          # leg exercises the legacy serialization fallback in
+          # df_serialization.
+          - python-version: "3.10"
+            functions-sdk: "azure-functions<1.26.0"
+          - python-version: "3.11"
+            functions-sdk: ""
+          - python-version: "3.12"
             functions-sdk: ""
           # SDK path: Python 3.13 with the beta that first ships df_dumps /
           # df_loads, exercising the SDK-delegated serialization branch.
           # TODO: change to "azure-functions>=2.2.0" once 2.2.0 GA ships, and
           # drop the explicit override step below.
           - python-version: "3.13"
             functions-sdk: "azure-functions>=2.2.0b5"
+          - python-version: "3.14"
+            functions-sdk: ""
     steps:
       - name: Checkout repository
         uses: actions/checkout@v2
@@ -41,16 +47,16 @@ jobs:
         run: |
           python -m pip install --upgrade pip
           pip install -r requirements.txt
-      - name: Install Functions SDK override
+      - name: Pin azure-functions version
         if: matrix.functions-sdk != ''
         run: pip install "${{ matrix.functions-sdk }}"
       - name: Run Linter
         # Lint only on the canonical Python version. On Python 3.12+, PEP 701
         # changed f-string tokenization so pycodestyle inspects tokens inside
         # f-strings, producing false positives (e.g. the ':' in 'http://' or
         # the indentation of multi-line f-string concatenations). Linting is
-        # environment-agnostic, so running it once on 3.9 is sufficient.
-        if: matrix.python-version == '3.9'
+        # environment-agnostic, so running it once on 3.10 is sufficient.
+        if: matrix.python-version == '3.10'
         run: |
           cd azure
           flake8 . --count --show-source --statistics
@@ -73,7 +79,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v2
         with:
-          python-version: 3.9
+          python-version: "3.10"
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -24,7 +24,7 @@ Thank you for taking the time to contribute to Durable Functions in [Python](htt
     - MacOS (or) Windows10 Ubuntu WSL
 - Language Runtimes
     - .NET Core 2.0
-    - \>= Python 3.9.x
+    - \>= Python 3.10.x
 
 Note: Some ML libraries may not be compatible with newer Python versions. Make sure the library is compatible with the Python version.
 
diff --git a/azure-pipelines-release.yml b/azure-pipelines-release.yml
@@ -17,7 +17,7 @@ jobs:
       steps:
           - task: UsePythonVersion@0
             inputs:
-                versionSpec: '3.9'
+                versionSpec: '3.10'
           - download: DurablePyCI
           - script: "rm -r ./azure_functions_durable/_manifest"
             displayName: 'Remove _manifest folder'
diff --git a/azure-pipelines.yml b/azure-pipelines.yml
@@ -13,7 +13,7 @@ trigger:
     - v*
 
 variables:     
-  python.version: '3.9'
+  python.version: '3.10'
   baseFolder: .
   componentArtifactName: 'azure_functions_durable'
   #componentArtifactName: 'dist'
@@ -38,6 +38,11 @@ stages:
         python -m pip install --upgrade pip
         pip install -r requirements.txt
         pip install wheel
+        # Pin an older azure-functions (< 1.26.0) that predates the
+        # centralized df_dumps / df_loads serializers so this job exercises
+        # the legacy serialization fallback in df_serialization. The
+        # Test_Functions_Sdk_Path job covers the SDK-delegated branch.
+        pip install "azure-functions<1.26.0"
       workingDirectory: $(baseFolder) 
       displayName: 'Install dependencies'
 
@@ -68,11 +73,11 @@ stages:
 
   - job: Test_Functions_Sdk_Path
     displayName: Test SDK Serialization Path (Py 3.13)
-    # The Build_Durable_Functions job runs on Python 3.9, where the SDK's
-    # df_dumps / df_loads cannot be installed (azure-functions 2.x requires
-    # >=3.13), so it only exercises the legacy serialization fallback.  This
-    # job runs on Python 3.13 with the beta that first ships df_dumps /
-    # df_loads to cover the SDK-delegated branch in df_serialization.
+    # The Build_Durable_Functions job runs on Python 3.10 with an older
+    # azure-functions (< 1.26.0) pinned, so it only exercises the legacy
+    # serialization fallback.  This job runs on Python 3.13 with the beta
+    # that first ships df_dumps / df_loads to cover the SDK-delegated branch
+    # in df_serialization.
     # TODO: change the override to 'azure-functions>=2.2.0' once 2.2.0 GA
     # ships, and drop the explicit install step.
     pool:
diff --git a/eng/templates/build.yml b/eng/templates/build.yml
@@ -12,11 +12,16 @@ jobs:
       steps:
         - task: UsePythonVersion@0
           inputs:
-            versionSpec: '3.9.x'
+            versionSpec: '3.10.x'
         - script: |
             python -m pip install --upgrade pip
             pip install -r requirements.txt
             pip install wheel
+            # Pin an older azure-functions (< 1.26.0) that predates the
+            # centralized df_dumps / df_loads serializers so this job
+            # exercises the legacy serialization fallback in df_serialization.
+            # The Test_Functions_Sdk_Path job covers the SDK-delegated branch.
+            pip install "azure-functions<1.26.0"
           workingDirectory: $(System.DefaultWorkingDirectory)
           displayName: 'Install dependencies'
 
@@ -44,11 +49,11 @@ jobs:
     - job: Test_Functions_Sdk_Path
       displayName: Test SDK Serialization Path (Py 3.13)
 
-      # The Build job runs on Python 3.9, where the SDK's df_dumps / df_loads
-      # cannot be installed (azure-functions 2.x requires >=3.13), so it only
-      # exercises the legacy serialization fallback.  This job runs on Python
-      # 3.13 with the beta that first ships df_dumps / df_loads to cover the
-      # SDK-delegated branch in df_serialization.
+      # The Build job runs on Python 3.10 with an older azure-functions
+      # (< 1.26.0) pinned, so it only exercises the legacy serialization
+      # fallback.  This job runs on Python 3.13 with the beta that first ships
+      # df_dumps / df_loads to cover the SDK-delegated branch in
+      # df_serialization.
       # TODO: change the override to 'azure-functions>=2.2.0' once 2.2.0 GA
       # ships, and drop the explicit install step.
       steps:
@@ -64,4 +69,4 @@ jobs:
         - script: |
             pip install pytest pytest-azurepipelines
             pytest --ignore=samples-v2
-          displayName: 'pytest'
+          displayName: 'pytest'
diff --git a/noxfile.py b/noxfile.py
@@ -1,26 +1,36 @@
 import nox
 
-@nox.session(python=["3.9","3.11"])
+# Mirror the supported range exercised by CI (.github/workflows/validate.yml).
+# nox automatically skips interpreters that aren't installed locally.
+SUPPORTED_PYTHONS = ["3.10", "3.11", "3.12", "3.13", "3.14"]
+
+# Lint and autopep run on a single canonical version: on Python 3.12+ the PEP
+# 701 f-string tokenization changes cause pycodestyle false positives, so CI
+# lints only on 3.10 and we match that here.
+CANONICAL_PYTHON = "3.10"
+
+
+@nox.session(python=SUPPORTED_PYTHONS)
 def tests(session):
     # same as pip install -r -requirements.txt
     session.install("-r", "requirements.txt")
     session.install("pytest")
     session.run("pytest", "-v", "tests")
 
 
-@nox.session(python=["3.9","3.11"])
+@nox.session(python=CANONICAL_PYTHON)
 def lint(session):
     session.install("flake8")
     session.install("flake8-docstrings")
     session.run("flake8", "./azure/")
 
-@nox.session(python=["3.9","3.11"])
+@nox.session(python=SUPPORTED_PYTHONS)
 def typecheck(session):
     session.install("-r", "requirements.txt")
     session.install("mypy")
     session.run("mypy", "./azure/")
 
-@nox.session(python=["3.9","3.11"])
+@nox.session(python=CANONICAL_PYTHON)
 def autopep(session):
     session.install("-r", "requirements.txt")
     session.run("autopep8", "--in-place --aggressive --aggressive --recursive \"./azure/\"")
diff --git a/requirements.txt b/requirements.txt
@@ -1,15 +1,15 @@
-flake8==3.7.8
-flake8-docstrings==1.5.0
-pytest==7.1.2
+flake8==7.1.1
+flake8-docstrings==1.7.0
+pytest==9.0.3
 python-dateutil==2.8.0
-requests==2.32.4
+requests==2.33.0
 jsonschema==4.25.1
-aiohttp==3.13.4
+aiohttp==3.14.1
 azure-functions>=1.11.3b3
 nox==2019.11.9
 furl==2.1.0
-pytest-asyncio==0.20.2
-autopep8
+pytest-asyncio==1.4.0
+autopep8==2.3.2
 types-python-dateutil
 opentelemetry-api==1.32.1
 opentelemetry-sdk==1.32.1
diff --git a/setup.py b/setup.py
@@ -45,34 +45,39 @@ def run(self, *args, **kwargs):
         'License :: OSI Approved :: MIT License',
         'Intended Audience :: Developers',
         'Programming Language :: Python :: 3',
+        'Programming Language :: Python :: 3.10',
+        'Programming Language :: Python :: 3.11',
+        'Programming Language :: Python :: 3.12',
+        'Programming Language :: Python :: 3.13',
+        'Programming Language :: Python :: 3.14',
         'Operating System :: Microsoft :: Windows',
         'Operating System :: POSIX',
         'Operating System :: MacOS :: MacOS X',
         'Environment :: Web Environment',
         'Development Status :: 5 - Production/Stable',
     ],
     license='MIT',
-    python_requires='>=3.9,<4',
+    python_requires='>=3.10,<4',
     install_requires=[
         'azure-functions>=1.12.0',
-        'aiohttp>=3.13.3',
-        'requests==2.*',
+        'aiohttp>=3.14.1',
+        'requests>=2.33.0,<3',
         'python-dateutil>=2.8.0',
         'furl>=2.1.0',
         'opentelemetry-api>=1.32.1',
         'opentelemetry-sdk>=1.32.1'
     ],
     extra_requires=[
-        'flake8==3.7.8',
-        'flake8-docstrings==1.5.0',
-        'pytest==7.1.2',
+        'flake8==7.1.1',
+        'flake8-docstrings==1.7.0',
+        'pytest==9.0.3',
         'python-dateutil==2.8.0',
-        'requests==2.22.0',
+        'requests==2.33.0',
         'jsonschema==4.25.1',
         'azure-functions>=1.2.0',
         'nox==2019.11.9',
         'furl==2.1.0',
-        'pytest-asyncio==0.20.2'
+        'pytest-asyncio==1.4.0'
     ],
     include_package_data=True,
     data_files= [
