
fix: update vulnerable dependencies and drop Python 3.9 (EOL) #206

Merged: b-per merged 1 commit into main from fix/dependabot-security-updates on Apr 20, 2026

Conversation

@b-per (Collaborator) commented Apr 20, 2026

Summary

Resolves all 22 open Dependabot security alerts by updating vulnerable dependencies. Also drops Python 3.9 (EOL since October 2025) since requests>=2.33.0 requires Python>=3.10.

| Package | Before | After | Severity |
| --- | --- | --- | --- |
| requests | 2.32.5 | 2.33.1 | medium |
| deepdiff | 8.6.1 | 8.6.2 | critical/high |
| jinja2 | 3.1.6 | 3.1.6 (constraint tightened to >=3.1.6) | medium |
| pytest | 7.4.4 | 9.0.3 | medium |
| pygments | 2.18.0 | 2.20.0 | low |
| markdown | 3.7 | 3.10.2 | medium |
| pymdown-extensions | 10.14.3 | 10.21.2 | low |
| filelock | 3.19.1 | 3.29.0 | medium |
| urllib3 | 2.6.3 | 2.6.3 (already safe) | |

Note: urllib3 and jinja2 were already at safe versions in the lockfile — only their pyproject.toml constraints were too loose.

Breaking change

Drops Python 3.9 support — EOL since October 2025, and requests>=2.33.0 requires Python>=3.10. The CI matrix is updated accordingly.

Test plan

  • All 171 tests pass locally with uv run pytest
  • CI passes on Python 3.10–3.14

Addresses all open Dependabot security alerts:
- requests: 2.32.5 -> 2.33.1 (insecure temp file reuse, netrc leak)
- deepdiff: 8.6.1 -> 8.6.2 (memory exhaustion DoS via SAFE_TO_IMPORT)
- jinja2: tighten constraint to >=3.1.6 (sandbox breakout; already at 3.1.6)
- pytest: 7.4.4 -> 9.0.3 (vulnerable tmpdir handling)
- pygments: 2.18.0 -> 2.20.0 (ReDoS via GUID regex)
- markdown: 3.7 -> 3.10.2 (uncaught exception)
- pymdown-extensions: 10.14.3 -> 10.21.2 (ReDoS in figure capture)
- filelock: 3.19.1 -> 3.29.0 (TOCTOU symlink vulnerability)

requests>=2.33.0 requires Python>=3.10, so drop EOL Python 3.9 support
and bump requires-python to >=3.10.
@github-actions (Contributor) commented:

Coverage

Coverage Report

| File | Stmts | Miss | Cover | Missing |
| --- | --- | --- | --- | --- |
| `src/dbt_jobs_as_code/main.py` | 310 | 160 | 48% | 120–123, 129, 168–169, 200–203, 209, 245–329, 400–405, 418–419, 437–438, 442–444, 461–510, 539–597, 628–673, 678–679, 683 |
| `src/dbt_jobs_as_code/client/__init__.py` | 179 | 46 | 74% | 16, 53–54, 62, 99–100, 119–120, 139–140, 155–156, 170–171, 187–188, 205, 215, 295–310, 333, 349–350, 360–372, 375–386, 391–400 |
| `src/dbt_jobs_as_code/cloud_yaml_mapping/change_set.py` | 235 | 30 | 87% | 27–29, 59, 65–66, 155, 212, 224, 247, 251–252, 258–260, 275–278, 334–348, 401–423, 459–473 |
| `src/dbt_jobs_as_code/importer/__init__.py` | 27 | 7 | 74% | 14–15, 22–27 |
| `src/dbt_jobs_as_code/schemas/__init__.py` | 23 | 2 | 91% | 68, 78 |
| `src/dbt_jobs_as_code/schemas/common_types.py` | 60 | 3 | 95% | 67–68, 91 |
| `src/dbt_jobs_as_code/schemas/config.py` | 14 | 1 | 93% | 18 |
| `src/dbt_jobs_as_code/schemas/job.py` | 133 | 7 | 95% | 237, 242, 258–268 |
| TOTAL | 1184 | 256 | 78% | |

| Tests | Skipped | Failures | Errors | Time |
| --- | --- | --- | --- | --- |
| 171 | 0 💤 | 0 ❌ | 0 🔥 | 15.640s ⏱️ |

@b-per b-per merged commit bec5814 into main Apr 20, 2026
6 checks passed
@b-per b-per deleted the fix/dependabot-security-updates branch April 20, 2026 14:01