Deprecate the support for python 3.9 in Software Composition Analysis (Dependency Scanninga and License Scanning)
For guidance on the overall deprecations, removals and breaking changes workflow, please visit Breaking changes, deprecations, and removing features
Deprecation Summary
In GitLab 17.0 python 3.10 is the default version for the Dependency Scanning CI job. As a result, the Dependency Scanning and License Scanning features no longer support projects that require python 3.9 and do not have a compatible lockfile.
See previous proposal
- In 17.0 the default version of python supported by the Dependency Scanning CI job will be ??? (3.10, 3.11, or 3.12). There will be no other container images for other versions of python.
- all python projects that generate a lockfile will be supported, whatever the version of python they use:
- Pipfile.lock
- poetry.lock
- TBD: requirements.txt (used as lockfile) once Handle requirements.txt files produced by pip-c... (#418321) is done
- python project which do not have a lockfile will only be supported if their dependency tree can be built with python ??? (3.10, 3.11, or 3.12) using any of these packge manager:
- pip
- pipenv
- setuptools
The current images of dependency scanning for python registry.gitlab.com/security-products/gemnasium-python:4 and registry.gitlab.com/security-products/gemnasium-python:4-python-3.10 are deprecated and will no longer be supported starting with GitLab 17.0
If a customer is using any setup that does not fall within these supported cases, they will be asked to generate a lockfile that can be parsed by the implementation of Handle requirements.txt files produced by pip-c... (#418321) or an SBOM (solution TBD).
Breaking Change
Affected Topology
Affected Tier
Checklists
Labels
-
This issue is labeled deprecation, and with the relevant ~devops::
,~group::
, and~Category:
labels. -
This issue is labeled breaking change if the removal of the deprecated item will be a breaking change.
Timeline
Please add links to the relevant merge requests.
- As soon as possible, but no later than the third milestone preceding the major release (for example, given the following release schedule:
14.8, 14.9, 14.10, 15.0
–14.8
is the third milestone preceding the major release):-
A deprecation announcement entry has been created so the deprecation will appear in release posts and on the general deprecation page. -
Documentation has been updated to mark the feature as deprecated.
-
-
On or before the major milestone: A removal entry has been created so the removal will appear on the removals by milestones page and be announced in the release post. - On the major milestone:
-
The deprecated item has been removed. -
If the removal of the deprecated item is a breaking change, the merge request is labeled breaking change.
-
Mentions
-
Your stage's stable counterparts have been @mentioned
on this issue. For example, Customer Support, Customer Success (Technical Account Manager), Product Marketing Manager.- To see who the stable counterparts are for a product team visit product categories
- If there is no stable counterpart listed for Sales/CS please mention
@timtams
- If there is no stable counterpart listed for Support please mention
@gitlab-com/support/managers
- If there is no stable counterpart listed for Marketing please mention
@cfoster3
- If there is no stable counterpart listed for Sales/CS please mention
- To see who the stable counterparts are for a product team visit product categories
-
Your GPM has been @mentioned
so that they are aware of planned deprecations. The goal is to have reviews happen at least two releases before the final removal of the feature or introduction of a breaking change.