-
Type:
Task
-
Resolution: Unresolved
-
Priority:
Unknown
-
None
-
Affects Version/s: None
-
Component/s: None
-
None
-
None
-
Python Drivers
-
None
-
None
-
None
-
None
-
None
-
None
Summary
Dependabot keeps opening PRs to bump the requests dependency (e.g. PR #2931, which bumps requests>=2.23.0,<3.0 -> requests>=2.34.2,<3.0), but these cannot be adopted while PyMongo still supports Python 3.9.
Root cause
- requests dropped support for Python 3.9 in version 2.33.0 (2026-03-25), following Python 3.9 end-of-life. See the requests changelog: "Dropped support for Python 3.9 following its end of support."
- PyMongo still targets Python 3.9: pyproject.toml sets requires-python = ">=3.9" and lists the Python :: 3.9 classifier.
- requests is pinned in requirements/ocsp.txt as requests>=2.23.0,<3.0.
Because of this, requests 2.33+ will not install on Python 3.9. Any Dependabot PR raising the lower bound to a 2.33+ version cannot be merged until Python 3.9 support is removed.
Action
For now, Dependabot minor updates for requests in this range are being ignored (@dependabot ignore this minor version on PR #2931). Once PyMongo drops Python 3.9 support, we can accept newer requests versions and unpin/raise the lower bound accordingly.
Related: pyproject.toml also has UP045 disabled with the note "Enable when we drop 3.9 support".