chore: Update ruff, aiohttp, cryptography, urllib3, codecov-action; drop Python 3.8; replace Snyk with SCA scan (#808)

kishore7snehil · web-flow · commit 7a2b8a269519 · 2026-03-30T16:14:22.000+05:30
## Changes ### Python 3.8 Support Dropped Python 3.8 reached end-of-life in October 2024. Several security-patched dependency versions (`aiohttp`, `cryptography`, `urllib3`) require Python >=3.9, making it impossible to keep 3.8 support while applying security fixes. The previous minimum (`>=3.8`) allowed installation on Python versions that can only resolve to **vulnerable** dependency versions. - Changed `python` from `^3.8` to `>=3.9.2,<4.0` (3.9.0 and 3.9.1 are excluded by `cryptography` due to known bugs in those patch releases) - Removed `Programming Language :: Python :: 3.8` classifier from `pyproject.toml` - Updated `README.md`, `v5_MIGRATION_GUIDE.md`, and `github_discussion_v5_announcement.md` to reflect Python >=3.9 ### Dependency Updates #### Python Dependencies - From Dependabot PRs - Bump `ruff` from `0.11.5` to `0.15.8` ([#806](#806)) - Bump `responses` upper bound from `<0.26.0` to `<0.28.0` ([#786](#786)) #### Python Dependencies - From Security Review - Update `aiohttp` from `>=3.10.11` to `>=3.11.18` - fixes multiple CVEs; previous minimum resolved to versions with known vulnerabilities on Python 3.8 - Update `cryptography` from `>=43.0.1` to `>=44.0.0` - fixes known vulnerabilities in older versions - Update `urllib3` from `>=2.2.3` to `>=2.3.0` - fixes known vulnerabilities; requires Python >=3.9 #### GitHub Actions - Bump `codecov/codecov-action` from `5.5.1` to `6.0.0` (SHA pin updated) ([#805](#805)) #### CI Workflow Changes - Added `sca_scan.yml` - new SCA scan using `auth0/devsecops-tooling` reusable workflow with `requirements.txt` - Removed `snyk.yml` - replaced by the new `sca_scan.yml` reusable workflow - Removed `docs.yml` - documentation build workflow removed - Added `.claude/` to `.gitignore`
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
diff --git a/.github/workflows/sca_scan.yml b/.github/workflows/sca_scan.yml
@@ -0,0 +1,16 @@
+name: SCA
+on:
+  push:
+    branches: ["master"]
+  pull_request:
+    branches: ["master"]
+jobs:
+  snyk-cli:
+    uses: auth0/devsecops-tooling/.github/workflows/sca-scan.yml@main
+    with:
+      additional-arguments: "--exclude=README.md,.jfrog --command=./venv/bin/python3"
+      python-version: "3.11"
+      pre-scan-commands: |
+        python3 -m venv venv --upgrade-deps
+        ./venv/bin/pip3 install -r requirements.txt
+    secrets: inherit
diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -80,6 +80,6 @@ jobs:
 
       - if: ${{ matrix.python-version == '3.10' }}
         name: Upload coverage
-        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # pin@5.5.1
+        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # pin@6.0.0
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
diff --git a/.gitignore b/.gitignore
@@ -62,4 +62,7 @@ docs/build/
 .vscode/
 
 # OS-specific files
-.DS_Store
+.DS_Store
+
+# AI tools
+.claude/
diff --git a/README.md b/README.md
@@ -34,7 +34,7 @@ pip install auth0-python
 ```
 
 **Requirements:**
-- Python ≥3.8 (Python 3.7 support has been dropped)
+- Python ≥3.9 (Python 3.8 support has been dropped)
 
 ## Reference
 
diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -14,7 +14,6 @@ classifiers = [
     "Intended Audience :: Developers",
     "Programming Language :: Python",
     "Programming Language :: Python :: 3",
-    "Programming Language :: Python :: 3.8",
     "Programming Language :: Python :: 3.9",
     "Programming Language :: Python :: 3.10",
     "Programming Language :: Python :: 3.11",
@@ -36,17 +35,17 @@ Repository = 'https://github.com/auth0/auth0-python'
 Homepage = 'https://auth0.com'
 
 [tool.poetry.dependencies]
-python = "^3.8"
+python = ">=3.9.2,<4.0"
 httpx = ">=0.21.2"
 pydantic = ">= 1.9.2"
 pydantic-core = ">=2.18.2"
 typing_extensions = ">= 4.0.0"
 # Authentication API dependencies
-aiohttp = ">=3.10.11"
-cryptography = ">=43.0.1"
+aiohttp = ">=3.11.18"
+cryptography = ">=44.0.0"
 pyjwt = ">=2.8.0"
 requests = ">=2.32.3"
-urllib3 = ">=2.2.3"
+urllib3 = ">=2.3.0"
 
 [tool.poetry.group.dev.dependencies]
 mypy = "==1.13.0"
@@ -56,13 +55,13 @@ pytest-xdist = "^3.6.1"
 python-dateutil = "^2.9.0"
 types-python-dateutil = "^2.9.0.20240316"
 types-requests = "^2.31.0"
-ruff = "==0.11.5"
+ruff = "==0.15.8"
 # Authentication API test dependencies
 aioresponses = "^0.7.8"
 mock = "^5.1.0"
 pytest-aiohttp = "^1.0.4"
 pytest-cov = "^4.1.0"
-responses = ">=0.23.3,<0.26.0"
+responses = ">=0.23.3,<0.28.0"
 
 [tool.pytest.ini_options]
 asyncio_mode = "auto"
diff --git a/requirements.txt b/requirements.txt
@@ -5,8 +5,8 @@ pydantic-core>=2.18.2
 typing_extensions>=4.0.0
 
 # Authentication API dependencies
-aiohttp>=3.10.11
-cryptography>=43.0.1
+aiohttp>=3.11.18
+cryptography>=44.0.0
 pyjwt>=2.8.0
 requests>=2.32.3
-urllib3>=2.2.3
+urllib3>=2.3.0
diff --git a/v5_MIGRATION_GUIDE.md b/v5_MIGRATION_GUIDE.md
@@ -15,7 +15,7 @@ A guide to migrating the Auth0 Python SDK from v4 to v5.
 
 ### Python versions
 
-v5 supports Python 3.8 and above.
+v5 supports Python 3.9 and above.
 
 ### Authentication API
 
