From 66a7d965e3b581917a85dac1e0d4b92b0c88f060 Mon Sep 17 00:00:00 2001
From: rchiodo <rchiodo@microsoft.com>
Date: Wed, 24 Jun 2026 12:25:16 -0700
Subject: [PATCH 1/4] Drop Python 3.9/3.8 support and pin secure test
 dependency floors

pytest>=9.0.3, requests>=2.33.0 and urllib3>=2.7.0 all require Python >=3.10, so they have no installable candidate on Python 3.9. Since Python 3.9 and 3.8 are EOL, drop them from the test matrix and bump the minimum supported version to 3.10, and add the CVE-driven dependency floors (supersedes #2043).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 azure-pipelines/pipelines.yaml | 11 +----------
 setup.py                       |  4 +---
 tests/requirements.txt         |  7 +++++--
 tox.ini                        |  4 +---
 4 files changed, 8 insertions(+), 18 deletions(-)

diff --git a/azure-pipelines/pipelines.yaml b/azure-pipelines/pipelines.yaml
index f041cf236..001ce4050 100644
--- a/azure-pipelines/pipelines.yaml
+++ b/azure-pipelines/pipelines.yaml
@@ -29,7 +29,7 @@ stages:
           vmImage: ubuntu-latest
 
         variables:
-          python.version: "3.9"
+          python.version: "3.10"
 
         steps:
 
@@ -125,8 +125,6 @@ stages:
 
       strategy:
         matrix:
-          py39:
-            python.version: 3.9
           py310:
             python.version: 3.10
           py311:
@@ -170,8 +168,6 @@ stages:
 
       strategy:
         matrix:
-          py39:
-            python.version: 3.9
           py310:
             python.version: 3.10
           py311:
@@ -215,11 +211,6 @@ stages:
 
       strategy:
         matrix:
-          py39:
-            python.version: 3.9
-          py39_32:
-            python.version: 3.9
-            architecture: x86
           py310:
             python.version: 3.10
           py311:
diff --git a/setup.py b/setup.py
index e01f675ae..96fd8c53f 100644
--- a/setup.py
+++ b/setup.py
@@ -160,11 +160,9 @@ def tail_is(*suffixes):
         project_urls={
             "Source": "https://github.com/microsoft/debugpy",
         },
-        python_requires=">=3.8",
+        python_requires=">=3.10",
         classifiers=[
             "Development Status :: 5 - Production/Stable",
-            "Programming Language :: Python :: 3.8",
-            "Programming Language :: Python :: 3.9",
             "Programming Language :: Python :: 3.10",
             "Programming Language :: Python :: 3.11",
             "Programming Language :: Python :: 3.12",
diff --git a/tests/requirements.txt b/tests/requirements.txt
index 77fcfbe1e..195e94fba 100644
--- a/tests/requirements.txt
+++ b/tests/requirements.txt
@@ -1,6 +1,6 @@
 ## Used to run the tests:
 
-pytest
+pytest>=9.0.3  # CVE-2025-71176 (vulnerable <= 9.0.2)
 pytest-xdist
 pytest-cov
 pytest-timeout
@@ -18,7 +18,10 @@ django
 flask
 gevent
 numpy
-requests
+requests>=2.33.0  # CVE-2026-25645 (vulnerable < 2.33.0)
+# urllib3 is pulled in transitively by requests; pin a secure floor for
+# CVE-2026-44431 and CVE-2026-44432 (vulnerable 2.6.0 <= x < 2.7.0).
+urllib3>=2.7.0
 typing_extensions
 
 # Used to build pydevd attach to process binaries:
diff --git a/tox.ini b/tox.ini
index 2a5ea04a2..e53b29f07 100644
--- a/tox.ini
+++ b/tox.ini
@@ -1,5 +1,5 @@
 [tox]
-envlist = py{38,39,310,311,312,313,314}{,-cov}
+envlist = py{310,311,312,313,314}{,-cov}
 
 [testenv]
 deps = -rtests/requirements.txt
@@ -8,7 +8,5 @@ setenv =
     DEBUGPY_TEST=1
 commands_pre = python build_attach_binaries.py
 commands =
-    py{38,39}-!cov: python -m pytest {posargs}
-    py{38,39}-cov: python -m pytest --cov --cov-append --cov-config=.coveragerc {posargs}
     py{310,311,312,313,314}-!cov: python -Xfrozen_modules=off -m pytest {posargs}
     py{310,311,312,313,314}-cov: python -Xfrozen_modules=off -m pytest --cov --cov-append --cov-config=.coveragerc {posargs}

From 804b4639856440c61220525a0e58369e36f3b512 Mon Sep 17 00:00:00 2001
From: Rich Chiodo false <rchiodo@microsoft.com>
Date: Wed, 24 Jun 2026 12:46:47 -0700
Subject: [PATCH 2/4] ci: restore x86 Windows leg on Python 3.10

---
 azure-pipelines/pipelines.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/azure-pipelines/pipelines.yaml b/azure-pipelines/pipelines.yaml
index 001ce4050..2830d6116 100644
--- a/azure-pipelines/pipelines.yaml
+++ b/azure-pipelines/pipelines.yaml
@@ -213,6 +213,9 @@ stages:
         matrix:
           py310:
             python.version: 3.10
+          py310_32:
+            python.version: 3.10
+            architecture: x86
           py311:
             python.version: 3.11
           py312:

From d2c3ac40a29e6bdb600ed84833a6faf229272833 Mon Sep 17 00:00:00 2001
From: Rich Chiodo false <rchiodo@microsoft.com>
Date: Wed, 24 Jun 2026 13:12:03 -0700
Subject: [PATCH 3/4] ci: drop x86 Windows leg (gevent has no cp310-win32
 wheel)

The previously re-added py310_32 (32-bit Windows) leg runs
`pip install -r tests/requirements.txt` on win32 CPython 3.10. gevent
publishes no cp310-win32 wheel (only win_amd64), so pip would fall back
to a source build of gevent/greenlet/libev/c-ares and risk failing the
leg at install -- the same install-failure class this PR removes. numpy
and Cython do ship cp310-win32 wheels, but there is no reliable PEP 508
marker to drop only gevent for a 32-bit interpreter on 64-bit Windows,
so the leg is removed to keep CI green and consistent with the PR intent.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 azure-pipelines/pipelines.yaml | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/azure-pipelines/pipelines.yaml b/azure-pipelines/pipelines.yaml
index 2830d6116..001ce4050 100644
--- a/azure-pipelines/pipelines.yaml
+++ b/azure-pipelines/pipelines.yaml
@@ -213,9 +213,6 @@ stages:
         matrix:
           py310:
             python.version: 3.10
-          py310_32:
-            python.version: 3.10
-            architecture: x86
           py311:
             python.version: 3.11
           py312:

From e87f214e44b86f134acb1695c0d2e3c17b8cfa44 Mon Sep 17 00:00:00 2001
From: Rich Chiodo false <rchiodo@microsoft.com>
Date: Wed, 24 Jun 2026 13:27:50 -0700
Subject: [PATCH 4/4] Align pyproject.toml lint/type targets with Python 3.10
 floor

Bump [tool.pyright] pythonVersion and [tool.ruff] target-version from
3.8/py38 to 3.10/py310 (and update the comment) so the Lint stage and
pyright validate against the supported floor this PR converges on.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 pyproject.toml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/pyproject.toml b/pyproject.toml
index 3ad327ef0..bbba5ea32 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -14,7 +14,7 @@ exclude = '''
 '''
 
 [tool.pyright]
-pythonVersion = "3.8"
+pythonVersion = "3.10"
 include = ["src/**", "tests/**" ]
 extraPaths = ["src/debugpy/_vendored/pydevd", "src/debugpy/_vendored/pydevd/pydevd_attach_to_process"]
 ignore = ["src/debugpy/_vendored/pydevd", "src/debugpy/_version.py"]
@@ -71,8 +71,8 @@ line-length = 88
 # Allow unused variables when underscore-prefixed.
 dummy-variable-rgx = "^(_+|(_+[a-zA-Z0-9_]*[a-zA-Z0-9]+?))$"
 
-# Assume Python 3.8
-target-version = "py38"
+# Assume Python 3.10
+target-version = "py310"
 
 [tool.ruff.per-file-ignores]
 "tests/debugpy/test_breakpoints.py" = ["F841"]