Bump Python 3.10+ dependencies to resolve known vulnerabilities (v3.3.4) #250
Open
Keith-wright wants to merge 4 commits into master from
- cryptography: 41.0.0 -> 46.0.5
- requests: 2.27.1 -> 2.32.4
- urllib3: 1.26.9 -> 2.6.3 (major version bump, tested compatible)
- aiohttp: 3.8.1 -> 3.13.3
- pynacl: 1.5.0 -> 1.6.2
- Updated transitive deps: aiosignal, async-timeout, attrs, certifi, charset-normalizer, frozenlist, idna, multidict, propcache, pycparser, six, yarl

Python < 3.10 pinned versions unchanged.
aonemd (Member) reviewed Mar 18, 2026 and left a comment:
Tests are not running. Could you update the GH workflows?
…est command

ubuntu-20.04 runners were retired from GitHub Actions, causing jobs to be permanently stuck in queued state. Python 3.6, 3.7, and 3.8 are EOL and have unfixed vulnerabilities in the locked deps.

Updated to currently supported Python versions (3.10, 3.11, 3.12) which align with the 3.10+ dependency bumps in this PR.

Replaced deprecated 'python setup.py test' with 'python -m unittest discover' since setup.py test was removed in modern setuptools.
The test_aiohttp_adapter module uses a relative import (.aio.aiohttp_adapter_test). Without --top-level-directory ., unittest discover imports test files as top-level modules rather than as members of the pusher_tests package, breaking relative imports.
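The discovery behaviour this commit message describes, reproduced as an added example (not code from this PR or the repository): it builds a constructed miniature of the pusher_tests layout in a temporary directory and runs unittest discovery with and without a top-level directory. The test class name and the file contents are assumptions.

```python
import importlib
import pathlib
import sys
import tempfile
import unittest

# Constructed miniature of the layout named in the commit message.
FILES = {
    "pusher_tests/__init__.py": "",
    "pusher_tests/aio/__init__.py": "",
    "pusher_tests/aio/aiohttp_adapter_test.py": (
        "import unittest\n"
        "class AdapterTest(unittest.TestCase):\n"  # hypothetical test case
        "    def test_ok(self):\n"
        "        self.assertTrue(True)\n"
    ),
    "pusher_tests/test_aiohttp_adapter.py": (
        "from .aio.aiohttp_adapter_test import AdapterTest\n"
    ),
}
DEMO_MODULES = {"pusher_tests", "aio", "test_aiohttp_adapter"}


def discover(root, top_level_dir):
    """Run discovery; return (import error strings, number of passing tests)."""
    saved_path = list(sys.path)
    importlib.invalidate_caches()
    loader = unittest.TestLoader()  # fresh loader: it remembers the top-level dir
    try:
        suite = loader.discover(str(root / "pusher_tests"), top_level_dir=top_level_dir)
        result = unittest.TestResult()
        suite.run(result)
        passed = result.testsRun - len(result.errors) - len(result.failures)
        return list(loader.errors), passed
    finally:
        sys.path[:] = saved_path  # discover() prepends the top-level dir
        for name in [m for m in sys.modules if m.split(".")[0] in DEMO_MODULES]:
            del sys.modules[name]


def compare():
    """Return results for discovery without and with an explicit top-level dir."""
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        for rel, body in FILES.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
        without_top = discover(root, None)    # start dir doubles as top level
        with_top = discover(root, str(root))  # parent of the package is top level
        return without_top, with_top
```

Without the top-level directory the loader records the import failure in `loader.errors` and the real test never runs, which is why the error list is worth checking in CI rather than only the pass count.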
… backend

asyncio.coroutine was removed in Python 3.11. Convert to native async/await syntax which has been supported since Python 3.5.
Summary

Consolidates and supersedes dependabot PRs #242, #246, #247, #248, #249, bumping all vulnerable Python 3.10+ pinned dependencies in requirements.txt.

Changes

requirements.txt (Python 3.10+ entries only — older pinned versions unchanged)

- cryptography: 41.0.0 → 46.0.5
- requests: 2.27.1 → 2.32.4
- urllib3: 1.26.9 → 2.6.3
- aiohttp: 3.8.1 → 3.13.3
- pynacl: 1.5.0 → 1.6.2
- aiosignal, async-timeout, attrs, certifi, charset-normalizer, frozenlist, idna, multidict, propcache, pycparser, six, yarl
- aiohappyeyeballs (required by aiohttp 3.13.x)

pusher/version.py / CHANGELOG.md

- 3.3.3 → 3.3.4

Supersedes

#242, #246, #247, #248, #249