From 42170fe020a38f2c225e67d66b010e940679138c Mon Sep 17 00:00:00 2001
From: Andreas Karlsson
Date: Thu, 9 Apr 2026 11:36:18 +0200
Subject: [PATCH 1/2] chore!: update requests to >=2.33.1 for CVE-2026-25645
BREAKING CHANGE: Dropped support for Python 3.9
Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/pull-requests.yaml | 4 ++--
 pyproject.toml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/pull-requests.yaml b/.github/workflows/pull-requests.yaml
index 19dfcc3..8cbf550 100644
--- a/.github/workflows/pull-requests.yaml
+++ b/.github/workflows/pull-requests.yaml
@@ -19,7 +19,7 @@ jobs:
 timeout-minutes: 10
 strategy:
 matrix:
- container: [ "python:3.9", "python:3.10", "python:3.11" ]
+ container: [ "python:3.10", "python:3.11" ]
 container:
 image: ${{ matrix.container }}
@@ -107,7 +107,7 @@ jobs:
 if: matrix.installation-type == 'minimal'
 run: |
 pip install --no-deps -e .
- pip install requests==2.32.4 openfeature-sdk==0.4.2 typing_extensions==4.9.0 httpx==0.27.2
+ pip install "requests>=2.33.1,<3.0.0" openfeature-sdk==0.4.2 typing_extensions==4.9.0 httpx==0.27.2
 pip install pytest==7.4.2 pytest-mock==3.11.1
 - name: Test telemetry functionality
diff --git a/pyproject.toml b/pyproject.toml
index 5140aa5..d77d6f0 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -26,13 +26,13 @@ classifiers = [
 ]
 keywords = []
 dependencies = [
- "requests==2.32.4",
+ "requests>=2.33.1,<3.0.0",
 "openfeature-sdk==0.4.2",
 "typing_extensions>=4.9.0,<5.0.0",
 "httpx==0.27.2",
 "protobuf>=5.29.5,<7.0.0"
 ]
-requires-python = ">=3.9"
+requires-python = ">=3.10"
 [project.optional-dependencies]
 dev = [
From 037827e3aa6092f24249b074f3fedd1aae63b9fd Mon Sep 17 00:00:00 2001
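Review bot: The `minimal` install step in the `@@ -107` hunk no longer pins requests, so this job stops testing the lowest version the package claims to support. `typing_extensions==4.9.0` in the same command matches the floor of its range in pyproject.toml, which suggests the step is meant to exercise minimum versions; if so, `pip install requests==2.33.1 openfeature-sdk==0.4.2 typing_extensions==4.9.0 httpx==0.27.2` keeps that intent and keeps the run reproducible. With the range, pip resolves whatever release is newest at run time, so a new upstream release can change CI results without any change in this repository. The step's job definition starts outside the hunk.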
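Review bot: `requests` moves to a range here while `openfeature-sdk==0.4.2` and `httpx==0.27.2` on the neighbouring lines stay exact pins, so an advisory against either of those would again need a release of this package before users can upgrade. If the exact pins are not deliberate, consider giving them a lower bound and an upper cap the same way, e.g. `"httpx>=0.27.2,<1.0.0"`, after checking compatibility. The `classifiers` list starts above the hunk and is not visible; it should be checked for a remaining `Programming Language :: Python :: 3.9` entry now that `requires-python` is `>=3.10`.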
From: Andreas Karlsson
Date: Thu, 9 Apr 2026 11:49:37 +0200
Subject: [PATCH 2/2] ci: fix dubious ownership error in container builds
setuptools_scm runs git during pip install, which fails inside Docker containers where the checkout user differs from the container user. Adding safe.directory before install resolves this.
Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/pull-requests.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/pull-requests.yaml b/.github/workflows/pull-requests.yaml
index 8cbf550..612425d 100644
--- a/.github/workflows/pull-requests.yaml
+++ b/.github/workflows/pull-requests.yaml
@@ -30,6 +30,9 @@ jobs:
 fetch-depth: 0 # this (and below) is needed to have setuptools_scm report the correct version
 fetch-tags: true
+ - name: Mark workspace as safe directory
+ run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
+
 - name: Upgrade pip
 run: pip install --upgrade pip
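Review bot: The new `safe.directory` step is added only to the job in this hunk, while the `minimal` install step elsewhere in the same workflow also runs `pip install --no-deps -e .`, which would invoke setuptools_scm the same way; if that job runs in a container too, it likely needs the same step (its job definition is not visible here, so this needs confirming). The step switches off git's ownership check for the checkout, so it deserves a comment like the one on `fetch-depth`, e.g. `# setuptools_scm runs git during pip install; checkout owner differs from the container user`. Keeping the entry scoped to `"$GITHUB_WORKSPACE"` rather than `*` is the right choice and should stay that way.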