Upgrade Python versions and deprecate Python 3.9

[kbukum1]

What are you trying to accomplish?

Upgrade all pre-installed Python runtime versions to their latest patch releases and deprecate Python 3.9, which reached end-of-life on 2025-10-31. Users on Python 3.9 will now receive a deprecation warning recommending they upgrade to a supported Python release.

Python runtime updates:

• 3.14.2 → 3.14.5
• 3.13.11 → 3.13.13
• 3.12.12 → 3.12.13
• 3.11.14 → 3.11.15
• 3.10.19 → 3.10.20
• 3.9.24 → 3.9.25

Helper dependency updates (Python ≥3.10):

• pip 24.2 → 26.1.1
• plette 2.1.0 → 2.2.1
• poetry 2.2.1 → 2.4.1
• pytest 8.3.5 → 9.0.3
• tomli 2.2.1 → 2.4.1

Not upgraded in this PR (deferred to follow-up):

• pipenv — kept at 2024.4.1 because 2026.x introduces behavioral changes that require separate test updates

Anything you want to highlight for special attention from reviewers?

Python 3.9 deprecation: The Language class sets NON_SUPPORTED_HIGHEST_VERSION = "3.9" which populates DEPRECATED_VERSIONS. Since detected_version is normalized to major.minor format, this correctly triggers deprecated? == true for Python 3.9 users — producing a deprecation warning, not an unsupported error. Python 3.9 remains in PRE_INSTALLED_PYTHON_VERSIONS_RAW and SUPPORTED_VERSIONS. The uv ecosystem aliases this class, so these changes apply to both ecosystems automatically.

Split requirements for Python 3.9 compatibility: Several updated helper packages (pip 26.x, poetry 2.x, pytest 9.x) dropped Python 3.9 support and require Python ≥3.10. Since the build script installs the same requirements into every Python runtime, we introduced a separate requirements-3.9.txt that pins the previous working versions for the deprecated 3.9 environment. The build script conditionally selects the right requirements file based on the target Python version. This also resolves the CI dependency-review failure, since the main requirements.txt now uses pip 26.1.1 which fixes CVE-2026-3219 (GHSA-58qw-9mgm-455v) and CVE-2026-6357 (GHSA-jp4c-xjxw-mgf9).

How will you know you have accomplished your goal?

• Python 3.9 users receive a deprecation warning (not an unsupported error)
• Python 3.8 and below users receive an unsupported error
• Python 3.10+ users are unaffected
• Docker build succeeds for all Python versions including 3.9
• CI dependency-review passes with no vulnerable packages

Checklist

• I have run the complete test suite to ensure all tests and linters pass.
• I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
• I have written clear and descriptive commit messages.
• I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
• I have ensured that the code is well-documented and easy to understand.

[Copilot]

Pull request overview

Updates Dependabot’s Python ecosystem runtime/tooling to newer patch releases and changes the version gating logic so Python 3.9 is treated as deprecated (warning) rather than unsupported (error), aligning with upstream EOL.

Changes:

• Bump preinstalled Python runtimes (3.14/3.13/3.12/3.11/3.10/3.9) to newer patch versions in both Language and the Docker image build args.
• Deprecate Python 3.9 by updating NON_SUPPORTED_HIGHEST_VERSION (feeding DEPRECATED_VERSIONS) and adjusting the language spec accordingly.
• Update Python helper tool dependencies (pip/pipenv/poetry/pytest/plette/tomli) in python/helpers/requirements.txt.

Show a summary per file

File	Description
python/spec/dependabot/python/language_spec.rb	Adjusts deprecation spec coverage to target Python 3.9.
python/lib/dependabot/python/language.rb	Updates preinstalled versions list and sets Python 3.9 as the deprecated version threshold.
python/helpers/requirements.txt	Bumps pinned helper tool dependencies used in the Python helpers environment.
python/Dockerfile	Updates pinned Python runtime build args to match the new preinstalled patch versions.

Copilot's findings

Comments suppressed due to low confidence (1)

python/spec/dependabot/python/language_spec.rb:29

• This spec stubs unsupported? to false, which can hide regressions in the actual supported-vs-deprecated interaction. Since 3.9 is now intended to be deprecated while still supported, prefer asserting the real behavior (i.e., don’t stub unsupported?, and/or explicitly expect unsupported? to be false) so the test validates the deprecation mechanism end-to-end.

      let(:detected_version) { "3.9.1" }

      before do
        allow(language).to receive(:unsupported?).and_return(false)
      end

• Files reviewed: 4/4 changed files
• Comments generated: 1

[Copilot]

Copilot's findings

• Files reviewed: 6/6 changed files
• Comments generated: 3

[Copilot]

Copilot's findings

• Files reviewed: 6/6 changed files
• Comments generated: 0 new

[Copilot]

Copilot's findings

• Files reviewed: 6/6 changed files
• Comments generated: 1