Pre-Report Checklist
Issue Description
After a few package updates, osv-scanner picks up the following vulnerabilities which can only be addressed by dropping Python 3.9 support:
╭─────────────────────────────────────┬──────┬───────────┬──────────┬─────────┬─────────────╮
│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │
├─────────────────────────────────────┼──────┼───────────┼──────────┼─────────┼─────────────┤
│ https://osv.dev/GHSA-5xmw-vc9v-4wf2 │ 5.5 │ PyPI │ pillow │ 11.3.0 │ poetry.lock │
│ https://osv.dev/GHSA-cfh3-3jmp-rvhc │ 8.6 │ PyPI │ pillow │ 11.3.0 │ poetry.lock │
│ https://osv.dev/GHSA-pwv6-vv43-88gr │ 8.6 │ PyPI │ pillow │ 11.3.0 │ poetry.lock │
│ https://osv.dev/GHSA-r73j-pqj5-w3x7 │ 5.5 │ PyPI │ pillow │ 11.3.0 │ poetry.lock │
│ https://osv.dev/GHSA-whj4-6x5x-4v2j │ 8.7 │ PyPI │ pillow │ 11.3.0 │ poetry.lock │
│ https://osv.dev/PYSEC-2026-165 │ 5.5 │ PyPI │ pillow │ 11.3.0 │ poetry.lock │
│ https://osv.dev/GHSA-wjx4-4jcj-g98j │ │ │ │ │ │
│ https://osv.dev/GHSA-6w46-j5rx-g56g │ 6.8 │ PyPI │ pytest │ 8.4.2 │ poetry.lock │
│ https://osv.dev/GHSA-gc5v-m9x4-r6x2 │ 4.4 │ PyPI │ requests │ 2.32.5 │ poetry.lock │
│ https://osv.dev/PYSEC-2026-142 │ 8.9 │ PyPI │ urllib3 │ 2.6.3 │ poetry.lock │
│ https://osv.dev/GHSA-mf9v-mfxr-j63j │ │ │ │ │ │
│ https://osv.dev/PYSEC-2026-141 │ 8.2 │ PyPI │ urllib3 │ 2.6.3 │ poetry.lock │
│ https://osv.dev/GHSA-qccp-gfcp-xxvc │ │ │ │ │ │
See this job, for instance, https://github.com/rigetti/pyquil/actions/runs/27442372273/job/81119286715?pr=1851. After making this update we should update .osv-scanner.toml configuration accordingly.
Pre-Report Checklist
Issue Description
After a few package updates, osv-scanner picks up the following vulnerabilities which can only be addressed by dropping Python 3.9 support:
╭─────────────────────────────────────┬──────┬───────────┬──────────┬─────────┬─────────────╮
│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │
├─────────────────────────────────────┼──────┼───────────┼──────────┼─────────┼─────────────┤
│ https://osv.dev/GHSA-5xmw-vc9v-4wf2 │ 5.5 │ PyPI │ pillow │ 11.3.0 │ poetry.lock │
│ https://osv.dev/GHSA-cfh3-3jmp-rvhc │ 8.6 │ PyPI │ pillow │ 11.3.0 │ poetry.lock │
│ https://osv.dev/GHSA-pwv6-vv43-88gr │ 8.6 │ PyPI │ pillow │ 11.3.0 │ poetry.lock │
│ https://osv.dev/GHSA-r73j-pqj5-w3x7 │ 5.5 │ PyPI │ pillow │ 11.3.0 │ poetry.lock │
│ https://osv.dev/GHSA-whj4-6x5x-4v2j │ 8.7 │ PyPI │ pillow │ 11.3.0 │ poetry.lock │
│ https://osv.dev/PYSEC-2026-165 │ 5.5 │ PyPI │ pillow │ 11.3.0 │ poetry.lock │
│ https://osv.dev/GHSA-wjx4-4jcj-g98j │ │ │ │ │ │
│ https://osv.dev/GHSA-6w46-j5rx-g56g │ 6.8 │ PyPI │ pytest │ 8.4.2 │ poetry.lock │
│ https://osv.dev/GHSA-gc5v-m9x4-r6x2 │ 4.4 │ PyPI │ requests │ 2.32.5 │ poetry.lock │
│ https://osv.dev/PYSEC-2026-142 │ 8.9 │ PyPI │ urllib3 │ 2.6.3 │ poetry.lock │
│ https://osv.dev/GHSA-mf9v-mfxr-j63j │ │ │ │ │ │
│ https://osv.dev/PYSEC-2026-141 │ 8.2 │ PyPI │ urllib3 │ 2.6.3 │ poetry.lock │
│ https://osv.dev/GHSA-qccp-gfcp-xxvc │ │ │ │ │ │
See this job, for instance, https://github.com/rigetti/pyquil/actions/runs/27442372273/job/81119286715?pr=1851. After making this update we should update .osv-scanner.toml configuration accordingly.