Sync uv Dockerfile Python versions with python ecosystem

[kbukum1]

What are you trying to accomplish?

Sync the uv ecosystem with the Python version and dependency upgrades from #15058. The uv ecosystem aliases the Python Language class, so the code expects the updated versions when extracting compressed Python runtimes. Without this sync, the uv updater fails with tar: Cannot open: No such file or directory errors.

Python runtime updates (uv/Dockerfile):

• 3.14.2 → 3.14.5
• 3.13.11 → 3.13.13
• 3.12.12 → 3.12.13
• 3.11.14 → 3.11.15
• 3.10.19 → 3.10.20
• 3.9.24 → 3.9.25

Helper dependency updates (uv/helpers/requirements.txt, Python ≥3.10):

• pip 24.0 → 26.1.1
• pip-tools 7.4.1 → 7.5.3
• flake8 7.1.0 → 7.3.0
• hashin 1.0.3 → 1.0.5
• pipenv 2024.0.2 → 2024.4.1
• plette 2.1.0 → 2.2.1
• poetry 1.8.5 → 2.3.4
• tomli 2.0.1 → 2.4.1
• Cython 3.0.10 → 3.2.4

Anything you want to highlight for special attention from reviewers?

Same approach as #15058: Several updated packages (pip 26.x, poetry 2.x) dropped Python 3.9 support. We introduced a separate requirements-3.9.txt pinned to the last known 3.9-compatible versions, and updated the build script to conditionally select the right file based on the target Python version.

Poetry version: Pinned to 2.3.4 — the minimum version that fixes both CVE-2026-34591 (GHSA-2599-h6xx-hpxp, high severity wheel path traversal) and CVE-2026-41140 (GHSA-73h3-mf4w-8647, low severity tar extraction path traversal). Poetry 2.4.1 was avoided as it introduces additional behavioral changes.

Fixture and spec sync: The poetry.lock fixture was upgraded from Poetry v1 format (using category field) to v2 format (using groups and files fields), synced from the python ecosystem. Poetry 2.3.4 cannot properly parse v1 lockfiles for production dependency classification. The spec was updated to use click as the dev sub-dependency (matching the python spec) since atomicwrites is not in the v2 fixture.

Other updates: The Dockerfile comment now correctly references python/lib/dependabot/python/language.rb since the uv language class is an alias. The language_spec.rb deprecated test version was updated from 3.8.1 to 3.9.1 to match the new DEPRECATED_VERSIONS.

How will you know you have accomplished your goal?

• The uv updater Docker image builds successfully with the new Python versions
• The tar: Cannot open errors are resolved for uv ecosystem jobs
• CI dependency-review passes with no vulnerable packages
• All uv specs pass

Checklist

• I have run the complete test suite to ensure all tests and linters pass.
• I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
• I have written clear and descriptive commit messages.
• I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
• I have ensured that the code is well-documented and easy to understand.

[Copilot]

Pull request overview

Updates the uv ecosystem’s Docker image build to use the same pinned preinstalled Python patch versions as the shared Dependabot::Python::Language (which uv aliases), preventing runtime tarball mismatches during extraction.

Changes:

• Bump pinned Python ARG versions in uv/Dockerfile to match the Python ecosystem’s preinstalled runtime list (3.14.5, 3.13.13, 3.12.13, 3.11.15, 3.10.20, 3.9.25).

Show a summary per file

File	Description
uv/Dockerfile	Updates Python version ARG pins to align with the shared Python language version list used by uv.

Copilot's findings

• Files reviewed: 4/4 changed files
• Comments generated: 1

[Copilot]

Copilot's findings

• Files reviewed: 5/5 changed files
• Comments generated: 1

[Copilot]

Copilot's findings

• Files reviewed: 5/5 changed files
• Comments generated: 0 new

[AbhishekBhaskar]

LGTM

[kbukum1]

synced the spec with the python (pip) one.