Upgrade to Python 3.13.1 (#17447)

* Upgrade to Python 3.13.1

* add a diaper test to ensure we don't regress on passlib funcitonality

* recompile dependencies

Author: ewdurbin

.python-version

@@ -1 +1 @@
-3.12.7
+3.13.1

.readthedocs.yml

@@ -8,6 +8,6 @@ version: 2
 build:
   os: ubuntu-24.04
   tools:
-    python: "3.12"
+    python: "3.13"
   commands:
     - ./bin/rtd-docs

Dockerfile

@@ -38,7 +38,7 @@ RUN NODE_ENV=production npm run build
 
 
 # We'll build a light-weight layer along the way with just docs stuff
-FROM python:3.12.7-slim-bookworm AS docs
+FROM python:3.13.1-slim-bookworm AS docs
 
 # By default, Docker has special steps to avoid keeping APT caches in the layers, which
 # is good, but in our case, we're going to mount a special cache volume (kept between
@@ -107,7 +107,7 @@ USER docs
 
 # Now we're going to build our actual application, but not the actual production
 # image that it gets deployed into.
-FROM python:3.12.7-slim-bookworm AS build
+FROM python:3.13.1-slim-bookworm AS build
 
 # Define whether we're building a production or a development image. This will
 # generally be used to control whether or not we install our development and
@@ -191,7 +191,7 @@ RUN --mount=type=cache,target=/root/.cache/pip \
 
 # Now we're going to build our actual application image, which will eventually
 # pull in the static files that were built above.
-FROM python:3.12.7-slim-bookworm
+FROM python:3.13.1-slim-bookworm
 
 # Setup some basic environment variables that are ~never going to change.
 ENV PYTHONUNBUFFERED 1

bin/lint

@@ -11,7 +11,7 @@ export LANG="${ENCODING:-en_US.UTF-8}"
 set -x
 
 # Actually run our tests.
-find . -name '*.py' -exec python -m pyupgrade --py312-plus {} +
+find . -name '*.py' -exec python -m pyupgrade --py313-plus {} +
 python -m flake8 .
 python -m black --check --diff *.py warehouse/ tests/
 python -m isort --check *.py warehouse/ tests/

bin/reformat

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 set -ex
 
-find . -name '*.py' -exec python -m pyupgrade --py312-plus {} +
+find . -name '*.py' -exec python -m pyupgrade --py313-plus {} +
 python -m isort *.py warehouse/ tests/
 python -m black *.py warehouse/ tests/

dev/flake8/checkers.py

@@ -87,7 +87,7 @@ def __init__(self, tree: ast.AST, filename: str) -> None:
         self.tree = tree
         self.filename = filename
 
-    def run(self) -> Generator[tuple[int, int, str, type[Any]], None, None]:
+    def run(self) -> Generator[tuple[int, int, str, type[Any]]]:
         visitor = WarehouseVisitor(self.filename)
         visitor.visit(self.tree)
 

requirements/deploy.txt

@@ -1,5 +1,5 @@
 #
-# This file is autogenerated by pip-compile with Python 3.12
+# This file is autogenerated by pip-compile with Python 3.13
 # by the following command:
 #
 #    pip-compile --allow-unsafe --generate-hashes --output-file=requirements/deploy.txt requirements/deploy.in
@@ -94,6 +94,10 @@ importlib-metadata==8.5.0 \
     --hash=sha256:45e54197d28b7a7f1559e60b95e7c567032b602131fbd588f1497f47880aa68b \
     --hash=sha256:71522656f0abace1d072b9e5481a48f07c138e00f079c38c8f883823f9c26bd7
     # via opentelemetry-api
+legacy-cgi==2.6.2 \
+    --hash=sha256:9952471ceb304043b104c22d00b4f333cac27a6abe446d8a528fc437cf13c85f \
+    --hash=sha256:a7b83afb1baf6ebeb56522537c5943ef9813cf933f6715e88a803f7edbce0bff
+    # via ddtrace
 opentelemetry-api==1.29.0 \
     --hash=sha256:5fcd94c4141cc49c736271f3e1efb777bebe9cc535759c54c936cca4f1b312b8 \
     --hash=sha256:d04a6cf78aad09614f52964ecb38021e248f5714dc32c2e0d8fd99517b4d69cf

requirements/docs-blog.txt

@@ -1,5 +1,5 @@
 #
-# This file is autogenerated by pip-compile with Python 3.12
+# This file is autogenerated by pip-compile with Python 3.13
 # by the following command:
 #
 #    pip-compile --allow-unsafe --generate-hashes --output-file=requirements/docs-blog.txt requirements/docs-blog.in

requirements/docs-dev.txt

@@ -1,5 +1,5 @@
 #
-# This file is autogenerated by pip-compile with Python 3.12
+# This file is autogenerated by pip-compile with Python 3.13
 # by the following command:
 #
 #    pip-compile --allow-unsafe --generate-hashes --output-file=requirements/docs-dev.txt requirements/docs-dev.in
@@ -404,10 +404,6 @@ starlette==0.45.2 \
     --hash=sha256:4daec3356fb0cb1e723a5235e5beaf375d2259af27532958e2d79df549dad9da \
     --hash=sha256:bba1831d15ae5212b22feab2f218bab6ed3cd0fc2dc1d4442443bb1ee52260e0
     # via sphinx-autobuild
-typing-extensions==4.12.2 \
-    --hash=sha256:04e5ca0351e0f3f85c6853954072df659d0d13fac324d0072316b67d7794700d \
-    --hash=sha256:1a7ead55c7e559dd4dee8856e3a88b41225abfe1ce8df57b7c13915fe121ffb8
-    # via anyio
 urllib3==2.3.0 \
     --hash=sha256:1cee9ad369867bfdbbb48b7dd50374c0967a0bb7710050facf0dd6911440e3df \
     --hash=sha256:f8c5449b3cf0861679ce7e0503c7b44b5ec981bec0d1d3795a07f1ba96f0204d

requirements/docs-user.txt

@@ -1,5 +1,5 @@
 #
-# This file is autogenerated by pip-compile with Python 3.12
+# This file is autogenerated by pip-compile with Python 3.13
 # by the following command:
 #
 #    pip-compile --allow-unsafe --generate-hashes --output-file=requirements/docs-user.txt requirements/docs-user.in

requirements/lint.txt

@@ -1,5 +1,5 @@
 #
-# This file is autogenerated by pip-compile with Python 3.12
+# This file is autogenerated by pip-compile with Python 3.13
 # by the following command:
 #
 #    pip-compile --allow-unsafe --generate-hashes --output-file=requirements/lint.txt requirements/lint.in

requirements/main.txt

@@ -1,5 +1,5 @@
 #
-# This file is autogenerated by pip-compile with Python 3.12
+# This file is autogenerated by pip-compile with Python 3.13
 # by the following command:
 #
 #    pip-compile --allow-unsafe --generate-hashes --output-file=requirements/main.txt requirements/main.in
@@ -994,6 +994,10 @@ lazy-object-proxy==1.10.0 \
     --hash=sha256:edb45bb8278574710e68a6b021599a10ce730d156e5b254941754a9cc0b17d03 \
     --hash=sha256:fec03caabbc6b59ea4a638bee5fce7117be8e99a4103d9d5ad77f15d6f81020c
     # via openapi-spec-validator
+legacy-cgi==2.6.2 \
+    --hash=sha256:9952471ceb304043b104c22d00b4f333cac27a6abe446d8a528fc437cf13c85f \
+    --hash=sha256:a7b83afb1baf6ebeb56522537c5943ef9813cf933f6715e88a803f7edbce0bff
+    # via webob
 limits==4.0.1 \
     --hash=sha256:67667e669f570cf7be4e2c2bc52f763b3f93bdf66ea945584360bc1a3f251901 \
     --hash=sha256:a54f5c058dfc965319ae3ee78faf222294659e371b46d22cd7456761f7e46d5a
@@ -2286,10 +2290,8 @@ typing-extensions==4.12.2 \
     # via
     #   alembic
     #   limits
-    #   psycopg
     #   pydantic
     #   pydantic-core
-    #   pyopenssl
     #   sqlalchemy
     #   stripe
 tzdata==2024.2 \

requirements/tests.txt

@@ -1,5 +1,5 @@
 #
-# This file is autogenerated by pip-compile with Python 3.12
+# This file is autogenerated by pip-compile with Python 3.13
 # by the following command:
 #
 #    pip-compile --allow-unsafe --generate-hashes --output-file=requirements/tests.txt requirements/tests.in
@@ -211,6 +211,10 @@ iniconfig==2.0.0 \
     --hash=sha256:2d91e135bf72d31a410b17c16da610a82cb55f6b0477d1a902134b24a455b8b3 \
     --hash=sha256:b6a85871a79d2e3b22d2d1b94ac2824226a63c6b741c88f7ae975f18b6778374
     # via pytest
+legacy-cgi==2.6.2 \
+    --hash=sha256:9952471ceb304043b104c22d00b4f333cac27a6abe446d8a528fc437cf13c85f \
+    --hash=sha256:a7b83afb1baf6ebeb56522537c5943ef9813cf933f6715e88a803f7edbce0bff
+    # via webob
 mirakuru==2.5.3 \
     --hash=sha256:2fab68356fb98fb5358ea3ab65f5e511f34b5a0b16cfd0a0935ef15a3393f025 \
     --hash=sha256:39b33f8fcdf13764a6cfe936e0feeead3902a161fec438df3be7cce98f7933c6
@@ -383,9 +387,7 @@ termcolor==2.5.0 \
 typing-extensions==4.12.2 \
     --hash=sha256:04e5ca0351e0f3f85c6853954072df659d0d13fac324d0072316b67d7794700d \
     --hash=sha256:1a7ead55c7e559dd4dee8856e3a88b41225abfe1ce8df57b7c13915fe121ffb8
-    # via
-    #   faker
-    #   psycopg
+    # via faker
 urllib3==2.3.0 \
     --hash=sha256:1cee9ad369867bfdbbb48b7dd50374c0967a0bb7710050facf0dd6911440e3df \
     --hash=sha256:f8c5449b3cf0861679ce7e0503c7b44b5ec981bec0d1d3795a07f1ba96f0204d

tests/unit/accounts/test_services.py

@@ -303,7 +303,33 @@ def test_check_password_valid(self, user_service, metrics):
             ),
         ]
 
-    def test_check_password_updates(self, user_service):
+    @pytest.mark.parametrize(
+        "password",
+        [
+            (
+                "$argon2id$v=19$m=8,t=1,p=1$"
+                "w/gfo5QSQihFyHlvDcE4pw$Hd4KENg+xDlq2bfeGUEYSieIXXL/c1NfTr0ZkYueO2Y"
+            ),
+            (
+                "$bcrypt-sha256$v=2,t=2b,r=12$"
+                "DqC0lms6x9Dh6XesvIJvVe$hBbYe9JfdjyorOFcS3rv5BhmuSIyXD6"
+            ),
+            "$2b$12$2t/EVU3H9b3c5iR6GdELZOwCoyrT518DgCpNxHbX.S1IxV6eEEDhC",
+            "bcrypt$$2b$12$EhhZDxGr/7HIKYRGMngC.O4sQx68vkaISSnSGZ6s8iOfaGy6l9cma",
+        ],
+    )
+    def test_check_password_updates(self, user_service, password):
+        """
+        This test confirms passlib is actually working,
+        see https://github.com/pypi/warehouse/issues/15454
+        """
+        user = UserFactory.create(password=password)
+
+        assert user_service.check_password(user.id, "password")
+        assert user.password.startswith("$argon2id$v=19$m=1024,t=6,p=6$")
+        assert user_service.check_password(user.id, "password")
+
+    def test_hash_is_upgraded(self, user_service):
         user = UserFactory.create()
         password = user.password
         user_service.hasher = pretend.stub(