Description:
This repo currently supports Python 3.6, but this support should be dropped for a higher minimum version. Python 3.9 is the default version on the Rocky DataGateway machines. As per https://endoflife.date/python, security support for 3.9 ends October 2025. If Python 3.10 is easily installable for the production machines, I'd recommend targeting that version as it would buy an extra year of security support (which ends October 2026).
Once 3.6-3.8 support is dropped, the dependencies can be updated. Update to the latest possible dependencies - you may have to re-specify the version constraints in `pyproject.toml`, as some dependencies will have released new major versions, which a `poetry update` won't catch. The `safety` check in `noxfile.py` has a large number of vulnerabilities that it is ignoring because we haven't been able to upgrade dependencies due to Python 3.6 support. We shouldn't be ignoring any vulnerabilities, except possibly the `werkzeug` one if a fix hasn't been found (it was a controversial vulnerability).
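The reason `poetry update` misses new major versions is that it only moves within the range each constraint allows: a caret constraint such as `^1.1` resolves to `>=1.1,<2.0`, so a 2.x or 3.x release is never considered until the constraint itself is rewritten. The following helper, added here as an illustration and not part of this repository, applies Poetry's caret and tilde rules to the `[tool.poetry.dependencies]` table and reports every dependency whose constraint caps it below a known newer release. The sample `pyproject.toml` and the "latest release" table are constructed for the example and are not real release data; the TOML parsing is a minimal regex rather than a full parser.

```python
"""Report Poetry constraints whose upper bound excludes a newer release.

Illustrative helper (not project code): `poetry update` stays inside each
constraint's range, so anything flagged here must be re-specified by hand.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """'1.2' -> (1, 2, 0). Only plain numeric dotted versions are handled."""
    parts = [int(p) for p in text.strip().split(".")]
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2])


def caret_upper_bound(spec: str) -> Version:
    """Exclusive upper bound of ^spec under Poetry's caret rules:
    ^1.2.3 -> 2.0.0, ^0.2.3 -> 0.3.0, ^0.0.3 -> 0.0.4, ^0.0 -> 0.1.0, ^0 -> 1.0.0."""
    nums = [int(p) for p in spec.split(".")]
    for i, n in enumerate(nums):
        if n != 0:  # bump the left-most non-zero component, drop the rest
            bumped = nums[:i] + [n + 1]
            break
    else:  # every given component is zero: bump the last one given
        bumped = nums[:-1] + [nums[-1] + 1]
    return parse_version(".".join(map(str, bumped)))


def tilde_upper_bound(spec: str) -> Version:
    """Exclusive upper bound of ~spec: ~1.2.3 -> 1.3.0, ~1.2 -> 1.3.0, ~1 -> 2.0.0."""
    nums = [int(p) for p in spec.split(".")]
    if len(nums) == 1:
        return (nums[0] + 1, 0, 0)
    return (nums[0], nums[1] + 1, 0)


def upper_bound(constraint: str) -> Optional[Version]:
    """Tightest exclusive upper bound implied by a constraint, or None if unbounded."""
    bound: Optional[Version] = None
    for part in constraint.replace(" ", "").split(","):
        if part in ("", "*") or part[:2] in (">=", "!=") or (part[0] == ">" and part[1] != "="):
            continue  # these add no upper bound
        if part.startswith("^"):
            cand = caret_upper_bound(part[1:])
        elif part.startswith("~="):  # PEP 440 compatible release: ~=1.2.3 -> <1.3.0
            nums = [int(p) for p in part[2:].split(".")]
            cand = parse_version(".".join(map(str, nums[:-2] + [nums[-2] + 1])))
        elif part.startswith("~"):
            cand = tilde_upper_bound(part[1:])
        elif part.startswith("<="):
            v = parse_version(part[2:])
            cand = (v[0], v[1], v[2] + 1)
        elif part.startswith("<"):
            cand = parse_version(part[1:])
        elif part.startswith("=="):  # an exact pin excludes everything above it
            v = parse_version(part[2:])
            cand = (v[0], v[1], v[2] + 1)
        else:
            continue
        bound = cand if bound is None or cand < bound else bound
    return bound


_SECTION = re.compile(r"^\[tool\.poetry\.dependencies\]\s*$", re.M)
_DEP = re.compile(r'^([A-Za-z0-9_.-]+)\s*=\s*(?:"([^"]*)"|\{[^}]*\bversion\s*=\s*"([^"]*)")', re.M)


def poetry_dependencies(pyproject: str) -> Dict[str, str]:
    """name -> constraint for the [tool.poetry.dependencies] table (python entry skipped)."""
    m = _SECTION.search(pyproject)
    if not m:
        return {}
    body = pyproject[m.end():]
    nxt = re.search(r"^\[", body, re.M)  # stop at the next TOML table header
    if nxt:
        body = body[: nxt.start()]
    return {n.lower(): plain or table for n, plain, table in _DEP.findall(body)
            if n.lower() != "python"}


def find_capped(pyproject: str, latest: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """name -> (constraint, latest) for every dependency whose range excludes `latest`."""
    capped: Dict[str, Tuple[str, str]] = {}
    for name, constraint in poetry_dependencies(pyproject).items():
        newest = latest.get(name)
        bound = upper_bound(constraint) if newest else None
        if bound is not None and parse_version(newest) >= bound:
            capped[name] = (constraint, newest)
    return capped


# Constructed sample input; the version numbers are illustrative, not real release data.
SAMPLE_PYPROJECT = """\
[tool.poetry]
name = "example"

[tool.poetry.dependencies]
python = "^3.9"
flask = "^1.1"
werkzeug = { version = "^1.0", optional = true }
requests = ">=2.20"
pyyaml = "~5.4"
cryptography = "^36.0.0"

[tool.poetry.dev-dependencies]
safety = "*"
"""
SAMPLE_LATEST = {"flask": "3.0.0", "werkzeug": "3.0.1", "requests": "2.31.0",
                 "pyyaml": "6.0.1", "cryptography": "42.0.0"}

if __name__ == "__main__":
    for name, (constraint, newest) in find_capped(SAMPLE_PYPROJECT, SAMPLE_LATEST).items():
        print(f"{name}: {constraint!r} cannot reach {newest}; re-specify it in pyproject.toml")
```

Run it against the real `pyproject.toml` with a `latest` table filled from `pip index versions <pkg>` (or the PyPI JSON API) and everything it prints needs a hand edit before `poetry update` will do anything useful; `requests = ">=2.20"` is the one entry above that Poetry can bump on its own.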