Problem
Python 3.9 reached end-of-life on 2025-10-05 (7+ months ago). Continuing to support it blocks security fixes in transitive dependencies:
These are currently ignored in pip-audit because bumping them would break the 3.9 resolution. They're dev-only transitive deps today, but urllib3 could become a runtime transitive dep through httpx at any point.
Scope
- pyproject.toml: change requires-python = ">=3.9" to ">=3.10"
- Remove 3.9 from CI matrix and classifiers
- Remove from __future__ import annotations where no longer needed (optional cleanup)
- Bump constraint-dependencies to require patched versions of pip, urllib3
- Remove pip-audit --ignore-vuln flags for the 3 CVEs that now have available fixes
- Update docs (getting-started, README) to reflect 3.10+ requirement
Why now
- 3.9 has been EOL for 7 months — no security patches from CPython
- 3 CVEs are actively being ignored because of 3.9 compatibility
- pip-audit, requests, and other dev ecosystem packages are dropping 3.9
- PyPI stats show <5% of Python downloads are 3.9 (and shrinking)
- This is a greenfield project with no legacy users on 3.9
Impact
This is a feat: change that triggers a minor version bump via release-please (0.7.0).
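A post-change check for the Scope items above, as an added example that is not part of the original issue or the project's code: it reports classifiers and CI matrix entries below the requires-python floor, plus any pip-audit --ignore-vuln flag still present, so each can be reviewed. The file contents and vulnerability ids are constructed placeholders, and regexes stand in for real TOML/YAML parsing as a simplifying assumption.

```python
import re

# Constructed sample inputs (not the project's real files); the ids are placeholders.
PYPROJECT = '''\
[project]
requires-python = ">=3.10"
classifiers = [
    "Programming Language :: Python :: 3.9",
    "Programming Language :: Python :: 3.10",
]
'''
WORKFLOW = '''\
strategy:
  matrix:
    python-version: ["3.9", "3.10", "3.11"]
steps:
  - run: pip-audit --ignore-vuln PLACEHOLDER-ID-1 --ignore-vuln PLACEHOLDER-ID-2
'''

def _ver(text):
    """'3.10' -> (3, 10) so that 3.10 compares greater than 3.9."""
    return tuple(int(p) for p in text.split("."))

def find_leftovers(pyproject, workflow):
    """Return findings that contradict the requires-python floor."""
    m = re.search(r'requires-python\s*=\s*">=\s*(\d+\.\d+)"', pyproject)
    if not m:
        return ["requires-python floor not found"]
    floor = _ver(m.group(1))
    findings = []
    for v in re.findall(r'Programming Language :: Python :: (\d+\.\d+)', pyproject):
        if _ver(v) < floor:
            findings.append(f"classifier lists {v}, below floor")
    for line in workflow.splitlines():
        if "python-version" in line:
            for v in re.findall(r'"(\d+\.\d+)"', line):
                if _ver(v) < floor:
                    findings.append(f"CI matrix lists {v}, below floor")
    for vuln in re.findall(r'--ignore-vuln[ =](\S+)', workflow):
        findings.append(f"pip-audit still ignores {vuln}")
    return findings

if __name__ == "__main__":
    for finding in find_leftovers(PYPROJECT, WORKFLOW):
        print(finding)
```

Versions are compared as integer tuples because a string or float comparison would rank 3.10 below 3.9.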