Dependabot requests updates (2.33+) blocked by Python 3.9 support

XMLWordPrintableJSON

    • Type: Task
    • Resolution: Unresolved
    • Priority: Unknown
    • None
    • Affects Version/s: None
    • Component/s: None
    • None
    • None
    • Python Drivers
    • None
    • None
    • None
    • None
    • None
    • None

      Summary

      Dependabot keeps opening PRs to bump the requests dependency (e.g. PR #2931, which bumps requests>=2.23.0,<3.0 -> requests>=2.34.2,<3.0), but these cannot be adopted while PyMongo still supports Python 3.9.

      Root cause

      • requests dropped support for Python 3.9 in version 2.33.0 (2026-03-25), following Python 3.9 end-of-life. See the requests changelog: "Dropped support for Python 3.9 following its end of support."
      • PyMongo still targets Python 3.9: pyproject.toml sets requires-python = ">=3.9" and lists the Python :: 3.9 classifier.
      • requests is pinned in requirements/ocsp.txt as requests>=2.23.0,<3.0.

      Because of this, requests 2.33+ will not install on Python 3.9. Any Dependabot PR raising the lower bound to a 2.33+ version cannot be merged until Python 3.9 support is removed.

      Action

      For now, Dependabot minor updates for requests in this range are being ignored (@dependabot ignore this minor version on PR #2931). Once PyMongo drops Python 3.9 support, we can accept newer requests versions and unpin/raise the lower bound accordingly.

      Related: pyproject.toml also has UP045 disabled with the note "Enable when we drop 3.9 support".

            Assignee:
            Unassigned
            Reporter:
            Alex Clark
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated: