5.5.6
(fix): Escape Python reserved keywords (e.g., import, class, from) when used
as subpackage names. Previously, a subpackage named after a Python keyword
would produce a broken __init__.py (e.g., from .import.client import ImportClient) that fails to parse. Subpackage directories are now
generated using the casings-generator’s safe_name (e.g., import_),
matching how other identifiers already handle reserved keywords.
5.5.5
(fix): Raise the generated aiohttp optional-dependency lower bound from
>=3.10.0,<4 to >=3.13.4,<4 and add a python = ">=3.9" marker on
both aiohttp and httpx-aiohttp so the aiohttp extra is only installed
on Python 3.9+ while still allowing the SDK itself to support Python 3.8.
Enforces the patched minimum version for GHSA-c427-h43c-vf67
(CVE-2026-34525) at the dependency spec level.
5.5.4
(fix): Clamp the minimum Python version produced by the generator to ^3.10. Python 3.8 reached EOL in Oct 2024 and Python 3.9 in Oct 2025; many popular PyPI packages (e.g. requests >=2.33) no longer publish wheels for those versions, which causes dependency resolution to pin older, known-vulnerable releases (GHSA-gc5v-m9x4-r6x2 / CVE-2026-25645). When pyproject_python_version specifies a range that allows a version older than 3.10, the generator now logs a warning and emits python = "^3.10" in the generated pyproject.toml.
(fix): Bump the requests / types-requests dependencies used by the generated wire test suite from ^2.31.0 to ^2.33.0 to pick up the fix for GHSA-gc5v-m9x4-r6x2 (insecure temp file reuse in requests.utils.extract_zipped_paths).
(chore): Add a defensive urllib3 pin to the generated SDK’s dev dependencies that
excludes the vulnerable >=2.0.0,<2.2.2 range addressed by CVE-2024-37891
(GHSA-34jh-p97f-mpxf). This prevents poetry lock from resolving to a
vulnerable urllib3 even when user-supplied extra_dependencies transitively
cap urllib3 (e.g. older boto3 pins whose botocore requires urllib3 < 2.1).
5.5.3
(chore): Bump generated pytest dev dependency from ^8.2.0 to ^9.0.3 for SDKs
targeting Python 3.9+. This addresses CVE-2025-71176 (GHSA-6w46-j5rx-g56g),
a moderate-severity issue with insecure /tmp/pytest-of-{user} handling
on UNIX. Projects that still support Python 3.8 continue to use pytest ^7.4.0
since pytest 9 requires Python 3.9+.
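The version floors named in the 5.5.3 to 5.5.5 entries above can be checked against the pins of an installed environment; this is an added example, not code from the generator or its project. It assumes plain name==version lines (as pip freeze prints them), compares only the numeric release part of each version, and treats 9.0.3 as the pytest floor because that is the version the 5.5.3 entry bumps to; the sample pins are constructed.

```python
import re


def _v(text):
    """Parse the numeric release part of a version ('2.2.2rc1' -> (2, 2, 2)).

    Simplification: pre-release and local suffixes are ignored.
    """
    m = re.match(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = tuple(int(p) for p in m.group().split("."))
    return parts + (0,) * (3 - len(parts))


# Rules taken from the changelog entries above. Each predicate is True when
# the pinned version falls in the range the changelog steers away from.
# Only the ranges the changelog names are checked (e.g. urllib3 1.x is not).
RULES = {
    "aiohttp": ("CVE-2026-34525", lambda v: v < _v("3.13.4")),
    "requests": ("CVE-2026-25645", lambda v: v < _v("2.33.0")),
    "urllib3": ("CVE-2024-37891", lambda v: _v("2.0.0") <= v < _v("2.2.2")),
    "pytest": ("CVE-2025-71176", lambda v: v < _v("9.0.3")),  # assumed floor
}


def audit(pins):
    """Return sorted (package, version, advisory) tuples for flagged pins."""
    findings = []
    for line in pins.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.fullmatch(r"([A-Za-z0-9._-]+)==(\S+)", line)
        if not m:
            continue  # blank lines, comments, unpinned requirements
        name = re.sub(r"[-_.]+", "-", m.group(1)).lower()  # PEP 503 name
        if name in RULES:
            advisory, is_flagged = RULES[name]
            if is_flagged(_v(m.group(2))):
                findings.append((name, m.group(2), advisory))
    return sorted(findings)


# Constructed sample pins, not taken from any real project.
SAMPLE = "aiohttp==3.10.5\nrequests==2.33.0\nurllib3==2.1.0\npytest==9.0.3\nhttpx==0.27.0\n"

if __name__ == "__main__":
    for name, version, advisory in audit(SAMPLE):
        print(f"{name} {version}: flagged for {advisory}")
```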