Drop support for Python 3.8 and upgrade urllib3 to fix security vulns

Author: kuan121

.github/workflows/faucet_test.yml

@@ -22,7 +22,7 @@ jobs:
     strategy:
       max-parallel: 1
       matrix:
-        python-version: ["3.8", "3.9", "3.10", "3.11", "3.12", "3.13", "3.14"]
+        python-version: ["3.9", "3.10", "3.11", "3.12", "3.13", "3.14"]
 
     steps:
       - name: Checkout code

.github/workflows/integration_test.yml

@@ -25,7 +25,7 @@ jobs:
     timeout-minutes: 30
     strategy:
       matrix:
-        python-version: ["3.8", "3.9", "3.10", "3.11", "3.12", "3.13", "3.14"]
+        python-version: ["3.9", "3.10", "3.11", "3.12", "3.13", "3.14"]
 
     steps:
       - name: Checkout code

.github/workflows/release.yml

@@ -224,7 +224,7 @@ jobs:
       - name: Install Python + Retrieve Poetry dependencies from cache
         uses: actions/setup-python@v5
         with:
-          python-version: "3.8"
+          python-version: "3.9"
           cache: "poetry"
       - name: Build a binary wheel and a source tarball
         run: poetry build

.github/workflows/unit_test.yml

@@ -23,7 +23,7 @@ jobs:
     runs-on: ubuntu-latest
 
     env:
-      PYTHON_VERSION: "3.8"
+      PYTHON_VERSION: "3.9"
 
     steps:
       - name: Checkout code
@@ -70,7 +70,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python-version: ["3.8", "3.9", "3.10", "3.11", "3.12", "3.13", "3.14"]
+        python-version: ["3.9", "3.10", "3.11", "3.12", "3.13", "3.14"]
 
     steps:
       - name: Checkout code

CHANGELOG.md

@@ -7,6 +7,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [[Unreleased]]
 
+### Changed
+
+- [Breaking change] Dropped support for Python 3.8 (EOL October 2024). The minimum supported Python version is now 3.9.
+
+### Fixed
+
+- Fixed urllib3 security vulnerabilities (CVE-2025-66418, CVE-2025-66471, CVE-2026-21441) by requiring urllib3 >= 2.6.3.
+
 ## [[4.5.0]]
 
 ### Added

README.md

@@ -63,7 +63,7 @@ The `xrpl-py` library is available on [PyPI](https://pypi.org/). Install with `p
 pip3 install xrpl-py
 ```
 
-The library supports [Python 3.8](https://www.python.org/downloads/) and later.
+The library supports [Python 3.9](https://www.python.org/downloads/) and later.
 
 [![Supported Versions](https://img.shields.io/pypi/pyversions/xrpl-py.svg)](https://pypi.org/project/xrpl-py)
 

docs/index.rst

@@ -15,7 +15,7 @@ See the `project README <https://github.com/XRPLF/xrpl-py/blob/main/README.md>`_
 
 Install
 --------------
-First, ensure that you have `Python 3.8 <https://www.python.org/downloads/>`_ or later.
+First, ensure that you have `Python 3.9 <https://www.python.org/downloads/>`_ or later.
 
 Then, download the package via ``pip``:
 

poetry.lock

@@ -25,7 +25,7 @@ maintainers = [
   { name = "Phu Pham", email = "ppham@ripple.com" },
 ]
 keywords = ["xrp", "xrpl", "cryptocurrency"]
-requires-python = ">=3.8.1"
+requires-python = ">=3.9"
 dynamic = [ "dependencies" ]
 
 [project.urls]
@@ -39,7 +39,7 @@ description = "A complete Python library for interacting with the XRP ledger"
 packages = [{ include = "xrpl" }, { include = "LICENSE" }]
 
 [tool.poetry.dependencies]
-python = ">=3.8.1,<4.0"
+python = ">=3.9,<4.0"
 base58 = "^2.1.0"
 ECPy = "^1.2.5"
 typing-extensions = "^4.13.2"
@@ -50,6 +50,8 @@ types-Deprecated = "^1.2.9"
 pycryptodome = "^3.23.0"
 
 [tool.poetry.group.dev.dependencies]
+# urllib3 >= 2.6.3 fixes CVE-2025-66418, CVE-2025-66471, CVE-2026-21441
+urllib3 = ">=2.6.3"
 flake8 = "^7.1.2"
 black = "24.8.0"
 flake8-black = "^0.3.7"
@@ -59,10 +61,7 @@ isort = "^5.11.5"
 flake8-isort = "^6.0.0"
 flake8-annotations = "^3.1.1"
 flake8-absolute-import = "^1.0"
-pydoclint = [
-    { version = "<=0.5.12", python = "<3.9" },
-    { version = "^0.5.13", python = ">=3.9" }
-]
+pydoclint = "^0.5.13"
 sphinx-rtd-theme = "^3.0.2"
 aiounittest = "^1.4.3"
 coverage = "^7.2.7"