Patch dependency CVEs, drop Python 3.9, add Python 3.10–3.14 support #608

Merged: andystaples merged 5 commits into dev from andystaples/bump-deps on Jun 24, 2026
Conversation

@andystaples (Collaborator) commented Jun 24, 2026

Summary

This PR started as a Dependabot CVE remediation and grew to cover the Python support matrix and the dev toolchain needed to build/test on current Python versions. The on-the-wire format and runtime behavior of the library are unchanged.

What changed

Security: patch Dependabot CVEs

Bumped vulnerable dependencies to patched versions (resolves all 13 Dependabot findings — 9 moderate, 4 low):

| Package  | Old    | New    | CVEs           |
|----------|--------|--------|----------------|
| aiohttp  | 3.13.4 | 3.14.1 | 11 (runtime)   |
| requests | 2.32.4 | 2.33.0 | 1 (runtime)    |
| pytest   | 7.1.2  | 9.0.3  | 1 (test-only)  |

  • setup.py install_requires now uses aiohttp>=3.14.1 and requests>=2.33.0,<3 (replacing the loose requests==2.*).
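An added check, not part of this PR or the project's code, showing why the floor pins above matter: a stdlib-only specifier evaluator (a constructed simplification of PEP 440, supporting `>=`, `<=`, `==`, `!=`, `>`, `<` and the `==2.*` wildcard) that tests whether a requirement still admits the vulnerable releases named in the table above. The version numbers are the ones in this PR; the requirement strings and function names are assumptions for illustration.

```python
"""Check whether requirement specifiers still admit known-vulnerable releases.

Stdlib-only helper (assumed, not from the project). Handles the operators
>=, <=, ==, !=, >, < and the wildcard form "==2.*"; "~=" is not supported.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the old loose pin and the new floors from the PR, plus
# the vulnerable releases the PR replaced (taken from its dependency table).
OLD_REQUIREMENTS = ["requests==2.*", "aiohttp"]
NEW_REQUIREMENTS = ["requests>=2.33.0,<3", "aiohttp>=3.14.1"]
VULNERABLE = {"requests": "2.32.4", "aiohttp": "3.13.4"}

_REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(.*)$")
_CLAUSE_RE = re.compile(r"(>=|<=|==|!=|>|<)\s*(.+)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.14.1' into a comparable tuple; trailing zeros are dropped."""
    parts = tuple(int(p) for p in text.strip().split("."))
    while len(parts) > 1 and parts[-1] == 0:
        parts = parts[:-1]
    return parts


def satisfies(version: str, spec: str) -> bool:
    """True if `version` meets every comma-separated clause in `spec`."""
    v = parse_version(version)
    for clause in filter(None, (c.strip() for c in spec.split(","))):
        op, target = _CLAUSE_RE.match(clause).groups()
        if target.endswith(".*"):           # wildcard: '2.*' is any 2.x
            prefix = parse_version(target[:-2])
            hit = v[: len(prefix)] == prefix
            ok = hit if op == "==" else not hit
        else:
            t = parse_version(target)
            ok = {">=": v >= t, "<=": v <= t, "==": v == t,
                  "!=": v != t, ">": v > t, "<": v < t}[op]
        if not ok:
            return False
    return True                             # no clauses at all: anything goes


def still_admits_vulnerable(requirements: List[str],
                            vulnerable: Dict[str, str]) -> List[str]:
    """Names whose specifier still accepts the known-vulnerable version."""
    out = []
    for req in requirements:
        name, spec = _REQ_RE.match(req).groups()
        if name in vulnerable and satisfies(vulnerable[name], spec):
            out.append(name)
    return out
```

Running `still_admits_vulnerable(OLD_REQUIREMENTS, VULNERABLE)` reports both packages, while the new floors report none; `pip-audit` is the authoritative check, this only shows why the loose pin was a problem.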

Drop Python 3.9 (EOL / unsupported in Azure Functions)

  • python_requires raised to >=3.10,<4.
  • Updated all CI/build configs off 3.9: azure-pipelines.yml, azure-pipelines-release.yml, eng/templates/build.yml, .github/workflows/validate.yml, .github/workflows/durable_python_action.yml, noxfile.py, and CONTRIBUTING.md.
  • The legacy serialization fallback path (previously exercised only because 3.9 couldn't install the SDK serializers) is now covered explicitly by pinning an older azure-functions<1.26.0 on the floor CI leg, so both serialization branches remain tested.

Add Python 3.10–3.14 support

  • Added 3.10–3.14 classifiers in setup.py.
  • Expanded the validate.yml lint/test matrix to 3.10, 3.11, 3.12, 3.13, 3.14, preserving both serialization-path legs (legacy fallback on the 3.10 floor; SDK-delegated path on 3.13).
  • Mirrored the supported range in noxfile.py (tests/typecheck across 3.10–3.14; lint/autopep kept on the canonical 3.10 to avoid PEP 701 f-string false positives).

Modernize the dev toolchain for Python 3.14

Building on a fresh 3.14 venv reproduced two failures that traced back to stale, under-constrained dev tooling:

  • Wheel build failure (AttributeError: 'Constant' object has no attribute 's'): the unpinned autopep8 was backtracked by pip to a 2020-era sdist whose setup.py uses ast.Constant.s (removed in 3.14). Root cause: flake8==3.7.8 capped pycodestyle<2.6, which conflicted with modern autopep8. Fixed by bumping flake8 3.7.8 → 7.1.1, flake8-docstrings 1.5.0 → 1.7.0, and pinning autopep8==2.3.2.
  • ~9,700 test warnings on 3.14: pytest-asyncio==0.20.2 calls asyncio.iscoroutinefunction() (deprecated in 3.14, removed in 3.16). Bumped to pytest-asyncio==1.4.0, dropping warnings from ~9,746 to 12.

Validation

  • Full requirements.txt installs cleanly on a fresh Python 3.14 venv (all wheels, no source build).
  • flake8 7.1.1 reports 0 findings on azure/.
  • Test suite passes on 3.13 (dev venv) and 3.14: 309 passed.
  • pip check reports no broken requirements; pip-audit reports no known vulnerabilities.

Notes / follow-ups (out of scope for this PR)

  • The flat requirements.txt mixes runtime, test, and lint deps and partially duplicates setup.py. A future cleanup could split runtime vs. dev requirements, switch setup.py dev extras to compatible ranges (and fix the extra_requires → extras_require key), and add a lockfile for reproducible CI.
  • Upgrading flake8 also unblocks a previously-deferred match/case modernization in DurableOrchestrationClient.py, if desired later.

@andystaples andystaples changed the title Bump aiohttp, requests, pytest to patch Dependabot CVEs Patch dependency CVEs, drop Python 3.9, add Python 3.10–3.14 support Jun 24, 2026
@andystaples andystaples merged commit 2c4746d into dev Jun 24, 2026
9 checks passed
@andystaples andystaples deleted the andystaples/bump-deps branch June 24, 2026 17:53