chore: poetry update python deps #2063
Thanks for working on this @chenba.
If you run `poetry update`, it'll just update based on the constraints of the `pyproject.toml`. Sometimes these are very out of date and still need a bump, so running `poetry show --outdated` is a good way to find them. In this branch, it yields:
```
bandit 1.8.6 1.9.3 Security oriented static analyser for python code.
black 25.11.0 26.1.0 The uncompromising code formatter.
click 8.1.8 8.3.1 Composable command line interface toolkit
cryptography 44.0.2 46.0.5 cryptography is a package which provides cryptographic recipes and primitives to Python de...
iniconfig 2.1.0 2.3.0 brain-dead simple config-ini parsing
isort 6.1.0 7.0.0 A Python utility / library to sort Python imports.
markdown-it-py 3.0.0 4.0.0 Python port of markdown-it. Markdown parsing, done right!
mysqlclient 2.2.7 2.2.8 Python interface to MySQL
platformdirs 4.4.0 4.7.0 A small Python package for determining appropriate platform-specific dirs, e.g. a `user da...
pycparser 2.23 3.0 C parser in Python
pyramid 1.10.8 2.0.2 The Pyramid Web Framework, a Pylons project
pytest 8.4.2 9.0.2 pytest: simple powerful testing with Python
ruff 0.12.12 0.15.1 An extremely fast Python linter and code formatter, written in Rust.
sqlalchemy 1.4.54 2.0.46 Database Abstraction Library
stevedore 5.5.0 5.6.0 Manage dynamic plugins for Python applications
zope-interface 8.0.1 8.2 Interfaces for Python
```
What's often better is to run `poetry show --latest --top-level`, which will compare your locked dependencies against the latest releases on PyPI:
```
bandit 1.8.6 1.9.3 Security oriented static analyser for python code.
black 25.11.0 26.1.0 The uncompromising code formatter.
cryptography 44.0.2 46.0.5 cryptography is a package which provides cryptographic recipes and primitives to P...
hawkauthlib 2.0.0 2.0.0 Hawk Access Authentication protocol
isort 6.1.0 7.0.0 A Python utility / library to sort Python imports.
konfig 1.1 1.1 Yet Another Config Parser.
mypy 1.19.1 1.19.1 Optional static typing for Python
mysqlclient 2.2.7 2.2.8 Python interface to MySQL
psutil 7.2.2 7.2.2 Cross-platform lib for process and system monitoring.
pydocstyle 6.3.0 6.3.0 Python docstring style checker
pyfxa 0.8.1 0.8.1 Firefox Accounts client library for Python
pyjwt 2.11.0 2.11.0 JSON Web Token implementation in Python
pyramid 1.10.8 2.0.2 The Pyramid Web Framework, a Pylons project
pyramid-hawkauth 2.0.0 2.0.0 A Pyramid authentication plugin for HAWK
pytest 8.4.2 9.0.2 pytest: simple powerful testing with Python
requests 2.32.5 2.32.5 Python HTTP for Humans.
ruff 0.12.12 0.15.1 An extremely fast Python linter and code formatter, written in Rust.
simplejson 3.20.2 3.20.2 Simple, fast, extensible JSON encoder/decoder for Python
sqlalchemy 1.4.54 2.0.46 Database Abstraction Library
tokenlib 2.0.0 2.0.0 Generic library for managing signed authentication tokens.
webtest 3.0.7 3.0.7 Helper to test WSGI applications
wsgiproxy2 0.5.1 0.5.1 A WSGI Proxy with various http client backends
```
There are probably some here that we can bump up in the definitions. Some versions may not be compatible or give us issues, notably pyramid, which we can keep as-is, since the lift of updating the API is significant. Many can be bumped up in the `pyproject.toml` files. You just manually enter the version number that matches the latest PyPI release, or simply run something like `poetry add pycparser^3.0` or just `@latest`.
I also like using the `--dry-run` flag when running `poetry update` since it can alleviate some headaches if there's incompatibility. This way, if we have the `pyproject.toml` more closely resemble the most up-to-date versions, it's easier to maintain overall.
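Added example, not part of the PR thread or the project's code: a small triage script for the `poetry show --latest --top-level` output quoted above, grouping packages by the size of the version jump so the bumps most likely to need API work stand out. The function names and the rule that a 0.x minor bump counts as major are assumptions of this sketch.

```python
import re

# A few rows copied from the output quoted in the comment above.
SAMPLE = """\
cryptography 44.0.2 46.0.5 cryptography is a package which provides ...
mysqlclient 2.2.7 2.2.8 Python interface to MySQL
pyjwt 2.11.0 2.11.0 JSON Web Token implementation in Python
pyramid 1.10.8 2.0.2 The Pyramid Web Framework, a Pylons project
ruff 0.12.12 0.15.1 An extremely fast Python linter and code formatter
zope-interface 8.0.1 8.2 Interfaces for Python
"""

# name, locked version, latest version; the description is ignored.
ROW = re.compile(r"^(\S+)\s+(\d[\w.+!-]*)\s+(\d[\w.+!-]*)(?:\s|$)")


def release(version):
    """Leading numeric release segment as a tuple: '8.2' -> (8, 2)."""
    return tuple(int(p) for p in re.match(r"\d+(?:\.\d+)*", version).group().split("."))


def classify(locked, latest):
    """Return 'current', 'patch', 'minor' or 'major' for a locked/latest pair."""
    a, b = release(locked), release(latest)
    width = max(len(a), len(b), 2)
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    if a >= b:
        return "current"
    # Assumption: a 0.x minor bump is treated as breaking, like a major one.
    if a[0] != b[0] or (a[0] == 0 and a[1] != b[1]):
        return "major"
    return "minor" if a[1] != b[1] else "patch"


def triage(text):
    """Group (name, locked, latest) rows by bump size; unparsable lines are skipped."""
    groups = {"major": [], "minor": [], "patch": [], "current": []}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            name, locked, latest = m.groups()
            groups[classify(locked, latest)].append((name, locked, latest))
    return groups


if __name__ == "__main__":
    for kind, rows in triage(SAMPLE).items():
        print(f"{kind}: " + ", ".join(f"{n} {a} -> {b}" for n, a, b in rows))
```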
Thanks, @taddes. I think that was a result of
If we want to bump the minimum supported Python version we can file a jira for that. I don't think I actually know why we are on 3.9.x.
Ok, sounds good to me @chenba. I believe it may have been due to some version constraints, however our move away from CircleCI may give us more flexibility, since we'd had problems with layer caching and python version problems between the tool crates and building with
Closes the Python half of STOR-436