Skip to content

Commit 10518e1

Browse files
chore(sec): bump deps + drop Python 3.9 to clear all OSV findings (5.0.0)
Clears 25 OSV-Scanner findings (1 CRITICAL cryptography, 13 HIGH across cryptography/urllib3/pyjwt/pyarrow/black, 10 MED, 1 UNKNOWN) by bumping direct dependency floors and regenerating the lockfile. Forces a major version bump because the new dependency constraints will conflict with customers' transitive-dep pins on the older majors of urllib3 (1.x → 2.x), pyarrow (14/18/22 → 23), pytest (7 → 9), and black (22 → 26). Drops Python 3.8/3.9 from supported floors. Python 3.8 is 20 months past upstream EOL (2024-10), Python 3.9 is 7 months past (2025-10). The patched versions of urllib3 / pyarrow / requests / pytest / black all declare requires_python>=3.10, so keeping 3.9 in the matrix would silently downgrade these to CVE-vulnerable versions for 3.9 customers — defeating the entire purpose of the PR. Direct runtime bumps: - urllib3: >=1.26 -> >=2.7.0,<3.0.0 (urllib3 1.x -> 2.x major) - requests: ^2.18.1 -> ^2.33.0 - pyjwt: ^2.0.0 -> ^2.12.0 - pyarrow: 14/18/22+ -> >=23.0.1 (all three Python-version-gated blocks) Direct dev bumps: - pytest: ^7.1.2 -> ^9.0.3 - black: ^22.3.0 -> ^26.3.1 (reformats 13 src files in a follow-up commit) Transitive cleanups via lockfile (no pyproject change): - cryptography 43.0.3/45.0.6 -> 48.0.0 (clears CRITICAL PYSEC-2026-36 9.8) - idna 3.10 -> 3.16 - python-dotenv 1.0.1 -> 1.2.2 Verification: - OSV-Scanner v2.3.8 against new poetry.lock: 25 findings -> 0 - Unit tests (Python 3.10.18, default deps): 765 passed, 4 skipped - Unit tests (Python 3.10.18, min deps): 765 passed, 4 skipped - mypy: same 11 pre-existing errors on main; unchanged - black: applied separately in next commit Co-authored-by: Isaac Signed-off-by: Vikrant Puppala <vikrant.puppala@databricks.com>
1 parent 8a62208 commit 10518e1

4 files changed

Lines changed: 438 additions & 724 deletions

File tree

.github/workflows/code-quality-checks.yml

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -34,7 +34,7 @@ jobs:
3434
labels: linux-ubuntu-latest
3535
strategy:
3636
matrix:
37-
python-version: ["3.9", "3.10", "3.11", "3.12", "3.13", "3.14"]
37+
python-version: ["3.10", "3.11", "3.12", "3.13", "3.14"]
3838
dependency-version: ["default", "min"]
3939
exclude:
4040
- python-version: "3.12"
@@ -96,7 +96,7 @@ jobs:
9696
labels: linux-ubuntu-latest
9797
strategy:
9898
matrix:
99-
python-version: ["3.9", "3.10", "3.11", "3.12", "3.13", "3.14"]
99+
python-version: ["3.10", "3.11", "3.12", "3.13", "3.14"]
100100
dependency-version: ["default", "min"]
101101
exclude:
102102
- python-version: "3.12"
@@ -246,7 +246,7 @@ jobs:
246246
labels: linux-ubuntu-latest
247247
strategy:
248248
matrix:
249-
python-version: ["3.9", "3.10", "3.11", "3.12", "3.13", "3.14"]
249+
python-version: ["3.10", "3.11", "3.12", "3.13", "3.14"]
250250
steps:
251251
- name: Check out repository
252252
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
@@ -273,7 +273,7 @@ jobs:
273273
labels: linux-ubuntu-latest
274274
strategy:
275275
matrix:
276-
python-version: ["3.9", "3.10", "3.11", "3.12", "3.13", "3.14"]
276+
python-version: ["3.10", "3.11", "3.12", "3.13", "3.14"]
277277
steps:
278278
- name: Check out repository
279279
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

CHANGELOG.md

Lines changed: 24 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,29 @@
11
# Release History
22

3+
# 5.0.0 (TBD)
4+
5+
**Breaking changes — security & language-version cleanup.**
6+
7+
- Minimum Python is now **3.10** (was 3.8). Python 3.8 (EOL 2024-10) and 3.9 (EOL 2025-10) are no longer supported. Users on these versions should stay on the 4.x line.
8+
- Bumped `urllib3` to the **2.x** series (was `>=1.26`). Customers pinning `urllib3<2` must either lift the pin or stay on the 4.x line. urllib3 2.x requires Python 3.10+.
9+
- Bumped several other runtime dependency floors to versions that clear all open CVEs in `poetry.lock`:
10+
- `requests`: `>=2.18.1``>=2.33.0`
11+
- `pyjwt`: `>=2.0``>=2.12.0`
12+
- `pyarrow`: `>=14.0.1` / `>=18.0.0` / `>=22.0.0` (Python-version-gated blocks) → `>=23.0.1` everywhere
13+
- `urllib3`: `>=1.26``>=2.7.0,<3.0.0`
14+
- Bumped dev dependencies for the same reason:
15+
- `pytest`: `^7.1.2``^9.0.3`
16+
- `black`: `^22.3.0``^26.3.1` (codebase has been reformatted in a single commit; downstream forks should expect to reformat once on the merge)
17+
- Transitive cleanups (no `pyproject.toml` change, lockfile only):
18+
- `cryptography` 45.0.6 → 48.0.0
19+
- `idna` 3.10 → 3.16
20+
- `python-dotenv` 1.0.1 → 1.2.2
21+
- **`thrift` stays pinned at `~=0.22.0`** (not re-widened). thrift 0.23.0 ships sdist-only and breaks `pip install` on the old setuptools bundled by DBR LTS (the SEV0 ES-1960554 incident, PR #840). It will be re-widened on a fixed thrift release (THRIFT-6067 / apache/thrift#3584). As a result the one thrift advisory (and the disputed pyjwt PYSEC-2025-183, which has no upstream fix) remain until that lands.
22+
23+
**Migration**: For most users, `pip install -U databricks-sql-connector` is the only required change. Users on Python 3.9 must update their interpreter before upgrading. Users with hard pins on `urllib3<2` must lift the pin before upgrading.
24+
25+
**OSV-Scanner status**: all advisories cleared on `poetry.lock` except the two noted above (thrift, blocked upstream; and the disputed pyjwt PYSEC-2025-183).
26+
327
# Unreleased
428
- Fix: `REMOVE` staging operations no longer require `staging_allowed_local_path` to be set, since removing a remote file does not touch the local filesystem (databricks/databricks-sql-python#726)
529
- Report `cursor.rowcount` for DML on the Thrift backend: INSERT/UPDATE/DELETE/MERGE now set `rowcount` to the server's affected-row count instead of the hardcoded `-1`; SELECT (and statements the server does not report a count for) still return `-1`. `executemany` aggregates the count across all parameter sets per PEP 249 ([#784](https://github.com/databricks/databricks-sql-python/issues/784))

0 commit comments

Comments
 (0)