Prepare Python SDK v2 runtime refresh

.github/workflows/ci.yml

@@ -12,23 +12,23 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-latest, windows-latest]
-        python-version: ['3.9', '3.10', '3.11', '3.12', '3.13']
+        python-version: ['3.12', '3.13', '3.14']
     env:
-      POETRY_VERSION: "1.8.5"
+      POETRY_VERSION: "2.4.1"
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           lfs: true
 
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v6
         with:
-          node-version: '20'
+          node-version: '24'
       - name: Install Transloadit CLI
         run: npm install -g transloadit
 
       - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v6
         with:
           python-version: ${{ matrix.python-version }}
           architecture: x64
@@ -41,7 +41,7 @@ jobs:
         run: poetry install
 
       - name: Test with coverage
-        if: matrix.os == 'ubuntu-latest' && matrix.python-version == '3.12'
+        if: matrix.os == 'ubuntu-latest' && matrix.python-version == '3.14'
         run: |
           poetry run pytest --cov=transloadit \
                           --cov-report=xml \
@@ -54,13 +54,13 @@ jobs:
           TEST_NODE_PARITY: 1
 
       - name: Test without coverage
-        if: matrix.os != 'ubuntu-latest' || matrix.python-version != '3.12'
+        if: matrix.os != 'ubuntu-latest' || matrix.python-version != '3.14'
         run: poetry run pytest tests
 
       - name: Upload coverage reports
         # Only upload coverage if we have a token (skip for Dependabot PRs)
-        if: matrix.os == 'ubuntu-latest' && matrix.python-version == '3.12' && (github.event_name != 'pull_request' || github.actor != 'dependabot[bot]')
-        uses: codecov/codecov-action@v4
+        if: matrix.os == 'ubuntu-latest' && matrix.python-version == '3.14' && (github.event_name != 'pull_request' || github.actor != 'dependabot[bot]')
+        uses: codecov/codecov-action@v6
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           files: ./coverage.xml
@@ -70,17 +70,17 @@ jobs:
 
       - name: Upload coverage reports (tokenless)
         # Use tokenless upload for Dependabot PRs
-        if: matrix.os == 'ubuntu-latest' && matrix.python-version == '3.12' && github.event_name == 'pull_request' && github.actor == 'dependabot[bot]'
-        uses: codecov/codecov-action@v4
+        if: matrix.os == 'ubuntu-latest' && matrix.python-version == '3.14' && github.event_name == 'pull_request' && github.actor == 'dependabot[bot]'
+        uses: codecov/codecov-action@v6
         with:
           files: ./coverage.xml
           flags: unittests
           name: python-sdk
           fail_ci_if_error: false
 
       - name: Upload coverage artifacts
-        if: matrix.os == 'ubuntu-latest' && matrix.python-version == '3.12'
-        uses: actions/upload-artifact@v4
+        if: matrix.os == 'ubuntu-latest' && matrix.python-version == '3.14'
+        uses: actions/upload-artifact@v7
         with:
           name: coverage-reports
           path: |
@@ -92,25 +92,25 @@ jobs:
     needs: python
     if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
     env:
-      POETRY_VERSION: "1.8.5"
+      POETRY_VERSION: "2.4.1"
       PYTHON_SDK_E2E: "1"
       TRANSLOADIT_KEY: ${{ secrets.TRANSLOADIT_KEY }}
       TRANSLOADIT_SECRET: ${{ secrets.TRANSLOADIT_SECRET }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           lfs: true
 
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v6
         with:
-          node-version: '20'
+          node-version: '24'
       - name: Install Transloadit CLI
         run: npm install -g transloadit
 
       - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v6
         with:
-          python-version: '3.12'
+          python-version: '3.14'
           architecture: x64
           cache: 'pip'
 

.github/workflows/codeql-analysis.yml

@@ -35,11 +35,11 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v2
+        uses: github/codeql-action/init@v4
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -50,7 +50,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v2
+        uses: github/codeql-action/autobuild@v4
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 https://git.io/JvXDl
@@ -64,4 +64,4 @@ jobs:
       #   make release
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v2
+        uses: github/codeql-action/analyze@v4

CHANGELOG.md

@@ -1,3 +1,11 @@
+### 2.0.0 / 2026-05-20 ###
+* **Breaking Change**: Raised the supported Python runtime floor from 3.9+ to 3.12+ so the SDK no longer has to retain vulnerable locked dependency versions for EOL Python 3.9 or depend on tooling lines that are already dropping older runtime support.
+* Raised the runtime HTTP stack to patched versions by requiring `requests` 2.33+ and adding an explicit `urllib3` 2.7+ floor.
+* Updated development and documentation tooling, including `pytest` 9.0.3, `Sphinx` 9.1, `sphinx-autobuild` 2025.8, `coverage` 7.14, `tox` 4.54, and `requests-mock` 1.12.
+* Updated CI and local Docker test coverage to a representative Python 3.12, 3.13, and 3.14 matrix.
+* Migrated package metadata to the modern `[project]` format used by Poetry 2.
+* Refreshed GitHub Actions, release documentation, and Sphinx docs that still referenced older runtime/tooling assumptions.
+
 ### 1.0.4 / 2026-05-20 ###
 * Refreshed locked runtime and development dependencies, including `aiohttp` 3.13.5, `idna` 3.15, `pygments` 2.20.0, Python-version-specific `requests` updates, and `tuspy` 1.1.0.
 * Updated development tooling to Python 3.9-compatible majors: `pytest` 8.4, `pytest-cov` 7.1, `Sphinx` 7.4, and `sphinx-autobuild` 2024.10.

CONTRIBUTING.md

@@ -7,17 +7,17 @@
 - Push access to `transloadit/python-sdk`
 - PyPI API token with publish rights (`PYPI_TOKEN`), exported or stored in `.env`
 
-**Steps for version `1.0.3` (example)**
+**Steps for version `2.0.0` (example)**
 1. Bump version in `pyproject.toml`, `transloadit/__init__.py`, and `tests/test_request.py`.
-2. Add the `### 1.0.3 / YYYY-MM-DD ###` entry to `CHANGELOG.md`.
+2. Add the `### 2.0.0 / YYYY-MM-DD ###` entry to `CHANGELOG.md`.
 3. Run the matrix (add `PYTHON_SDK_E2E=1` if you want the live upload):
    ```bash
-   ./scripts/test-in-docker.sh --python 3.12
+   ./scripts/test-in-docker.sh --python 3.14
    ```
-4. Commit on `main`: `git commit -am "Release v1.0.3"`
+4. Commit on `main`: `git commit -am "Release v2.0.0"`
 5. Tag & push:
    ```bash
-   git tag v1.0.3
+   git tag v2.0.0
    git push origin main --tags
    ```
 6. Publish to PyPI via Docker helper (ensures clean tree & version alignment):
@@ -26,17 +26,22 @@
    ```
 7. Publish the GitHub release (pulls notes from the changelog section):
    ```bash
-   NOTES=$(python - <<'PY'
+   NOTES=$(python3 - <<'PY'
 import pathlib, re
-version = "1.0.3"
+version = "2.0.0"
 text = pathlib.Path("CHANGELOG.md").read_text()
 pattern = rf"^### {re.escape(version)}.*?(?=^### |\Z)"
 match = re.search(pattern, text, flags=re.MULTILINE | re.DOTALL)
 print(match.group(0).strip() if match else "")
 PY
 )
-   gh release create v1.0.3 --title "v1.0.3" --notes "$NOTES"
+   gh release create v2.0.0 --title "v2.0.0" --notes "$NOTES"
    ```
 8. Verify the Read the Docs build kicked off: <https://transloadit.readthedocs.io/en/latest/>
+9. Verify the published package and the security posture:
+   ```bash
+   python3 -m pip index versions pytransloadit | head
+   gh api repos/transloadit/python-sdk/dependabot/alerts --jq 'map(select(.state == "open")) | length'
+   ```
 
 Additional background lives here: <https://github.com/transloadit/team-internals/blob/HEAD/_howtos/2020-12-14-maintain-python-sdk.md>.

Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 
-ARG PYTHON_VERSION=3.12
+ARG PYTHON_VERSION=3.14
 FROM python:${PYTHON_VERSION}-slim AS base
 
 ENV DEBIAN_FRONTEND=noninteractive \
@@ -20,15 +20,15 @@ RUN apt-get update \
 
 RUN git lfs install --system
 
-# Install Node.js 20 (for Smart CDN parity tests) and supporting CLI tooling
-RUN curl -fsSL https://deb.nodesource.com/setup_20.x | bash - \
+# Install Node.js 24 (for Smart CDN parity tests) and supporting CLI tooling
+RUN curl -fsSL https://deb.nodesource.com/setup_24.x | bash - \
     && apt-get update \
     && apt-get install -y --no-install-recommends nodejs \
     && npm install -g transloadit \
     && rm -rf /var/lib/apt/lists/*
 
 # Install Poetry so we match the GitHub Actions toolchain
 RUN pip install --no-cache-dir --upgrade pip \
-    && pip install --no-cache-dir poetry
+    && pip install --no-cache-dir poetry==2.4.1
 
 WORKDIR /workspace

README.md

@@ -11,7 +11,7 @@ A **Python** Integration for [Transloadit](https://transloadit.com)'s file uploa
 
 This is a **Python** SDK to make it easy to talk to the [Transloadit](https://transloadit.com) REST API.
 
-Only Python 3.9+ versions are supported.
+Only Python 3.12+ versions are supported.
 
 ## Install
 
@@ -56,18 +56,18 @@ scripts/test-in-docker.sh
 
 This script will:
 
-- build images for the Python versions we test in CI (3.9–3.13)
-- install Poetry, Node.js 20, and the Transloadit CLI
+- build images for the Python versions we test in CI (3.12, 3.13, and 3.14)
+- install Poetry, Node.js 24, and the Transloadit CLI
 - pass credentials from `.env` (if present) so end-to-end tests can run against real Transloadit accounts
 
-Signature parity tests use `npx transloadit smart_sig` under the hood, matching the reference implementation used by our other SDKs. Our GitHub Actions workflow also runs the E2E upload against Python 3.12 on every push/PR using a dedicated Transloadit test account (wired through the `TRANSLOADIT_KEY` and `TRANSLOADIT_SECRET` secrets).
+Signature parity tests use `npx transloadit smart_sig` under the hood, matching the reference implementation used by our other SDKs. Our GitHub Actions workflow also runs the E2E upload against Python 3.14 on every push/PR using a dedicated Transloadit test account (wired through the `TRANSLOADIT_KEY` and `TRANSLOADIT_SECRET` secrets).
 
-Pass `--python 3.12` (or set `PYTHON_VERSIONS`) to restrict the matrix, or append a custom command after `--`, for example `scripts/test-in-docker.sh -- pytest -k smartcdn`.
+Pass `--python 3.14` (or set `PYTHON_VERSIONS`) to restrict the matrix, or append a custom command after `--`, for example `scripts/test-in-docker.sh -- pytest -k smartcdn`.
 
 To exercise the optional end-to-end upload against a real Transloadit account, provide `TRANSLOADIT_KEY` and `TRANSLOADIT_SECRET` (via environment variables or `.env`) and set `PYTHON_SDK_E2E=1`:
 
 ```bash
-PYTHON_SDK_E2E=1 scripts/test-in-docker.sh --python 3.12 -- pytest tests/test_e2e_upload.py
+PYTHON_SDK_E2E=1 scripts/test-in-docker.sh --python 3.14 -- pytest tests/test_e2e_upload.py
 ```
 
 The test uploads `chameleon.jpg`, resizes it, and asserts on the live assembly results.

docs/source/conf.py

@@ -72,9 +72,9 @@ def __getattr__(cls, name):
 # built documents.
 #
 # The short X.Y version.
-version = u'0.0.1'
+version = '2.0'
 # The full version, including alpha/beta/rc tags.
-release = u'0.0.1'
+release = '2.0.0'
 
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.
@@ -185,4 +185,3 @@ def __getattr__(cls, name):
      'Miscellaneous'),
 ]
 
-

docs/source/index.rst

@@ -8,8 +8,8 @@ Welcome to transloadit's Python SDK documentation!
 
 |Build Status|
 
-.. |Build Status| image:: https://travis-ci.org/transloadit/python-sdk.svg?branch=main
-   :target: https://travis-ci.org/transloadit/python-sdk
+.. |Build Status| image:: https://github.com/transloadit/python-sdk/actions/workflows/ci.yml/badge.svg
+   :target: https://github.com/transloadit/python-sdk/actions/workflows/ci.yml
 
 `Transloadit`_ is a service that helps you handle file uploads, resize,
 crop and watermark your images, make GIFs, transcode your videos,
@@ -19,6 +19,8 @@ short, `Transloadit`_ is the Swiss Army Knife for your files.
 This is a **Python** SDK to make it easy to talk to the `Transloadit`_
 REST API.
 
+Only Python 3.12+ versions are supported.
+
 .. _Transloadit: https://transloadit.com
 
 .. toctree::
@@ -59,10 +61,10 @@ Usage
     assembly.add_step('resize', '/image/resize', {'width': 70, 'height': 70})
     assembly_response = assembly.create(retries=5, wait=True)
 
-    print assembly_response.data.get('assembly_id')
+    print(assembly_response.data.get('assembly_id'))
 
     # or
-    print assembly_response.data['assembly_id']
+    print(assembly_response.data['assembly_id'])
 
 Example
 -------

docs/source/requirements.txt

@@ -1,2 +1,2 @@
 pypandoc==1.17
-Sphinx==7.4.7
+Sphinx==9.1.0