saltstack · dependabot · Jun 8, 2026 · Jun 8, 2026 · Jun 8, 2026 · Jun 8, 2026
@@ -203,6 +203,12 @@ jobs:
         run: |
           docker exec ${{ github.run_id }}_salt-test \
             tdnf install -y openssl-fips-provider
+          # openssl-fips-provider <= 3.1.2-3.ph5 disables the OpenSSL default
+          # provider in /etc/ssl/distro.cnf, breaking TLS in curl/git/tdnf.
+          # Re-enable it to mirror the upstream fix in vmware/photon@4610f36756
+          # (openssl-fips-provider 3.1.2-4.ph5). Idempotent on fixed builds.
+          docker exec ${{ github.run_id }}_salt-test \
+            sed -i '/^#\.include \/etc\/ssl\/provider_default.cnf/s/^#//g' /etc/ssl/distro.cnf
 
       - name: "Show container inspect ${{ matrix.container }}"
         run: |
@@ -540,6 +546,12 @@ jobs:
         run: |
           docker exec ${{ github.run_id }}_salt-test \
             tdnf install -y openssl-fips-provider
+          # openssl-fips-provider <= 3.1.2-3.ph5 disables the OpenSSL default
+          # provider in /etc/ssl/distro.cnf, breaking TLS in curl/git/tdnf.
+          # Re-enable it to mirror the upstream fix in vmware/photon@4610f36756
+          # (openssl-fips-provider 3.1.2-4.ph5). Idempotent on fixed builds.
+          docker exec ${{ github.run_id }}_salt-test \
+            sed -i '/^#\.include \/etc\/ssl\/provider_default.cnf/s/^#//g' /etc/ssl/distro.cnf
 
       - name: "Show container inspect ${{ matrix.container }}"
         run: |

@@ -163,6 +163,12 @@ jobs:
         run: |
           docker exec ${{ github.run_id }}_salt-test-pkg \
             tdnf install -y openssl-fips-provider
+          # openssl-fips-provider <= 3.1.2-3.ph5 disables the OpenSSL default
+          # provider in /etc/ssl/distro.cnf, breaking TLS in curl/git/tdnf.
+          # Re-enable it to mirror the upstream fix in vmware/photon@4610f36756
+          # (openssl-fips-provider 3.1.2-4.ph5). Idempotent on fixed builds.
+          docker exec ${{ github.run_id }}_salt-test-pkg \
+            sed -i '/^#\.include \/etc\/ssl\/provider_default.cnf/s/^#//g' /etc/ssl/distro.cnf
 
       - name: Decompress .nox Directory
         run: |

@@ -1,58 +1,79 @@
 # Dependencies are listed alphabetically by package name.
 # Multiple entries for the same package (with different version constraints) are grouped together.
 
-aiohttp>=3.13.3
-apache-libcloud>=3.8.0
-certifi>=2024.7.4
+aiohttp>=3.13.5,<3.14.0; python_version < '3.10'
+aiohttp>=3.14.1; python_version >= '3.10'
+apache-libcloud>=3.8.0,<3.9.1; python_version < '3.10'
+apache-libcloud>=3.9.1; python_version >= '3.10'
+certifi>=2026.5.20
 cffi>=2.0.0
 # cheroot 8.5.2 fails to build with modern setuptools due to setuptools_scm_git_archive dependency
-cheroot>=10.0.1
-cherrypy>=18.6.1
+cheroot>=11.1.2
+cherrypy>=18.10.0
 # We need contextvars for salt-ssh
 contextvars
-croniter>=0.3.0,!=0.3.22; sys_platform != 'win32'
-cryptography>=46.0.7
-distro>=1.0.1
-frozenlist>=1.3.0; python_version < '3.11'
+croniter!=0.3.22,>=6.2.2; sys_platform != 'win32'
+# cryptography 48.0.0 drops support for Python 3.9.0 and 3.9.1
+# (only >3.9.1 is accepted), but the py3.9 lock files are compiled
+# with --python-version=3.9 which includes those releases. Cap at the
+# last 46.x release for Python 3.9 so uv pip compile can still resolve.
+cryptography>=46.0.7,<48.0.0; python_version < '3.10'
+cryptography>=48.0.0; python_version >= '3.10'
+distro>=1.9.0
+frozenlist>=1.8.0; python_version < '3.11'
 frozenlist>=1.5.0; python_version >= '3.11'
 gitpython>=3.1.50
 immutables>=0.21
-importlib-metadata>=8.7.0
-jaraco.functools>=4.1.0
-jaraco.context>=6.1.0
-jaraco.text>=4.0.0
-Jinja2>=3.1.5
+importlib-metadata>=8.7.0,<9.0.0; python_version < '3.10'
+importlib-metadata>=9.0.0; python_version >= '3.10'
+jaraco.functools>=4.4.0
+jaraco.context>=6.1.1
+jaraco.text>=4.2.0
+Jinja2>=3.1.6
 jmespath>=1.1.0
 looseversion
-lxml>=6.1.0; sys_platform == 'win32'
-MarkupSafe<3.0.0
-more-itertools>=9.1.0
-msgpack>=1.0.0
+lxml>=6.1.1; sys_platform == 'win32'
+MarkupSafe<4.0.0
+more-itertools>=10.8.0,<11.0.0; python_version < '3.10'
+more-itertools>=10.8.0; python_version >= '3.10'
+msgpack>=1.1.2
 # Packaging 24.1 imports annotations from __future__ which breaks salt ssh
 # tests on target hosts with older python versions.
-packaging==24.0
+packaging==26.2
 psutil<6.0.0; python_version <= '3.9'
 psutil>=5.0.0; python_version >= '3.10'
 pyasn1>=0.6.3
-pycparser>=2.21
+pycparser>=2.23; python_version < '3.10'
+pycparser>=3.0; python_version >= '3.10'
+# pymssql 2.3.12+ dropped win32 (32-bit Windows) wheels; salt 3007.x
+# still builds a Windows x86 onedir, so pin to the last release that
+# ships cp3X-win32 wheels.
 pymssql==2.3.11; sys_platform == 'win32'
-pymysql>=1.0.2; sys_platform == 'win32'
-pyopenssl>=26.0.0
-python-dateutil>=2.8.1
-python-gnupg>=0.4.7
-pythonnet>=3.0.1; sys_platform == 'win32'
-pywin32>=305; sys_platform == 'win32'
-pycryptodomex>=3.9.8
-PyYAML
-requests>=2.32.0 ; python_version < '3.10'
+pymysql>=1.2.0; sys_platform == 'win32'
+pyopenssl>=26.2.0
+python-dateutil>=2.9.0.post0
+python-gnupg>=0.5.6
+pythonnet>=3.0.5; sys_platform == 'win32'
+pywin32>=312; sys_platform == 'win32'
+pycryptodomex>=3.23.0
+PyYAML>=6.0.3
+requests>=2.32.5 ; python_version < '3.10'
 requests>=2.33.1 ; python_version >= '3.10'
 rpm-vercmp; sys_platform == 'linux'
-setproctitle>=1.2.3
-tornado>=6.5.5
+setproctitle>=1.3.7
+tornado>=6.5.6
+# Python 3.9 stays on urllib3 1.26.x because botocore on py3.9 hard
+# requires urllib3 < 2 and Salt 3007.x still builds a py3.9 onedir.
+# The Python 3.10+ floor carries the urllib3 2.6.3 CVE backports
+# (CVE-2025-66418, CVE-2026-21441).
 urllib3>=1.26.20,<2.0.0; python_version < '3.10'
 urllib3>=2.7.0; python_version >= '3.10'
-virtualenv
+virtualenv>=21.4.2
+# Transitive of virtualenv; some uv resolver caches pin a stale 3.25
+# version that conflicts with the CI floor of 3.29.1 on Python 3.10+.
+filelock>=3.29.1; python_version >= '3.10'
+filelock>=3.19.1,<3.29.0; python_version < '3.10'
 vultr>=1.0.1
 wmi>=1.5.1; sys_platform == 'win32'
-xmltodict>=0.13.0; sys_platform == 'win32'
-zipp>=3.19.1
+xmltodict>=1.0.4; sys_platform == 'win32'
+zipp>=3.23.1
@@ -1,2 +1,2 @@
 twine
-build>=0.7.0
+build>=1.4.4
@@ -1,7 +1,11 @@
 # IMPORTANT: The versions here must be compatible with the environment where
 # uv-pre-commit hooks run. We do not pin setuptools in .pre-commit-config.yaml
 # to allow uv to resolve a version that satisfies these constraints.
-wheel >= 0.46.3
+wheel >= 0.47.0
 setuptools >= 80.10.2
-pip == 25.2
+pip == 26.0.1
 markdown-it-py < 3.0.0; python_version == "3.9"
+# myst-docutils 4.x (the latest supporting Python 3.10) requires
+# markdown-it-py ~=3.0; the 5.x line that pairs with markdown-it-py 4.x
+# only supports Python >=3.11.
+markdown-it-py < 4.0.0; python_version == "3.10"
@@ -1 +1 @@
-pycryptodomex>=3.9.8
+pycryptodomex>=3.23.0
@@ -1,12 +1,12 @@
-mock >= 3.0.0
+mock >= 5.2.0
 # PyTest
 docker >= 7.1.0; python_version >= '3.8'
 docker < 7.1.0; python_version < '3.8'
-pytest >= 7.2.0
-pytest-salt-factories >= 1.0.3
-pytest-helpers-namespace >= 2019.1.8
+pytest >= 8.4.2, <9
+pytest-salt-factories >= 1.0.5
+pytest-helpers-namespace >= 2021.12.29
 pytest-subtests
-pytest-timeout >= 2.3.1
+pytest-timeout >= 2.4.0
 pytest-httpserver
 pytest-custom-exit-code >= 0.3
 flaky

@@ -1,3 +1,3 @@
-towncrier==24.8.0
+towncrier==25.8.0
 looseversion
 packaging
@@ -1,5 +1,6 @@
 # Cloud tests requirements
-apache-libcloud>=3.8.0
+apache-libcloud>=3.8.0,<3.9.1; python_version < '3.10'
+apache-libcloud>=3.9.1; python_version >= '3.10'
 netaddr
 profitbricks
 pypsexec

@@ -3,61 +3,75 @@
 # to a particular platform, please add it to the corresponding `<platform>.txt` file in this directory.
 
 # aiohttp is a dependency of etcd3-py
-aiohttp>=3.10.2
-apache-libcloud>=3.8.0; sys_platform != 'win32'
+aiohttp>=3.13.5,<3.14.0; python_version < '3.10'
+aiohttp>=3.14.1; python_version >= '3.10'
+apache-libcloud>=3.8.0,<3.9.1; sys_platform != 'win32' and python_version < '3.10'
+apache-libcloud>=3.9.1; sys_platform != 'win32' and python_version >= '3.10'
 # bcrypt is an extra requirement for passlib, and we shouldn't use extras, like, passlib[bcrypt]
 # since that will break using the compiled static requirements files as contraints file
 bcrypt
-boto3>=1.30.0
-boto>=2.47.0
-botocore>=1.30.0
-cryptography>=46.0.5
-cffi>=1.14.6
-cherrypy>=17.4.1
+# boto3 on Python 3.9 transitively requires urllib3 < 2.x via botocore;
+# our urllib3 floor is 2.6.3 so we skip the boto3 cloud module tests on
+# 3.9 by not pinning it here. The bare `boto3` package is still
+# available transitively for any tool that needs it.
+boto3>=1.43.24; python_version >= '3.10'
+boto>=2.49.0
+# botocore 1.43.24 requires Python>=3.10. The only versions available on
+# 3.9 (botocore<1.43) hard-pin urllib3<1.27, which conflicts with our
+# urllib3>=2.6.3 floor. Drop botocore on 3.9 like boto3.
+botocore>=1.43.24; python_version >= '3.10'
+cryptography>=46.0.7,<48.0.0; python_version < '3.10'
+cryptography>=48.0.0; python_version >= '3.10'
+cffi>=2.0.0
+cherrypy>=18.10.0
 clustershell
 dnspython
 etcd3-py==0.1.6
 filelock>=3.19.1 ; python_version < '3.10'
-filelock>=3.20.3 ; python_version >= '3.10'
-gitpython>=3.1.37
+filelock>=3.29.1 ; python_version >= '3.10'
+gitpython>=3.1.50
 google-auth==2.35.0; python_version == '3.9'
 jmespath>=1.1.0
 jsonschema
 junos-eznc; sys_platform != 'win32'
 junit-xml>=1.9
 jxmlease; sys_platform != 'win32'
 kazoo; sys_platform != 'win32' and sys_platform != 'darwin'
-keyring==5.7.1
+keyring==25.7.0
 pyasn1-modules==0.4.0; python_version == '3.9'
-kubernetes>=24.0.0
-libnacl>=1.7.1; sys_platform != 'win32' and sys_platform != 'darwin'
+kubernetes>=35.0.0,<36.0.0; python_version < '3.10'
+kubernetes>=36.0.2; python_version >= '3.10'
+libnacl>=2.1.0; sys_platform != 'win32' and sys_platform != 'darwin'
 # markdown-it-py constraint for py3.9: myst-docutils (docs requirement) needs <3.0.0,
 # but netmiko (from napalm, only in py3.9) pulls in rich which wants 3.0.0+
 markdown-it-py<3.0.0; python_version == '3.9'
-moto>=5.0.0
+moto>=5.1.8,<5.2.0; python_version < '3.10'
+moto>=5.2.2; python_version >= '3.10'
 # Napalm pulls in pyeapi which does not work on Py3.10
 napalm; sys_platform != 'win32' and python_version < '3.10'
-paramiko>=2.10.1; sys_platform != 'win32' and sys_platform != 'darwin'
+paramiko>=5.0.0; sys_platform != 'win32' and sys_platform != 'darwin'
 passlib>=1.7.4
 pycryptodomex
 pynacl>=1.5.0
 pyinotify>=0.9.6; sys_platform != 'win32' and sys_platform != 'darwin' and platform_system != "openbsd"
-python-etcd>0.4.2
+python-etcd>=0.4.5
 pyvmomi
 rfc3987
-sqlparse>=0.5.4
+sqlparse>=0.5.5
 strict_rfc3339>=0.7
 textfsm
 toml
+# vcert 0.18.x adds hard pins on cryptography, pynacl, and six that
+# conflict with every other CI requirement; stay on 0.9.x.
 vcert~=0.9.0; sys_platform != 'win32'
-virtualenv>=20.36.1
-watchdog>=0.9.0
-websocket-client>=1.3.3
+virtualenv>=21.4.2
+watchdog>=6.0.0
+websocket-client>=1.9.0
 # werkzeug is a dependency of moto
-werkzeug>=3.1.6
-xmldiff>=2.4
+werkzeug>=3.1.8
+xmldiff>=2.7.0
 # Available template libraries that can be used
-genshi>=0.7.3
-cheetah3>=3.2.2
+genshi>=0.7.11
+cheetah3>=3.2.6.post1
 mako
 wempy
@@ -1,7 +1,9 @@
-pygit2>=1.10.1
+pygit2>=1.13.1,<1.18.0; python_version < '3.11'
+pygit2>=1.19.2; python_version >= '3.11'
 yamllint
-mercurial>=7.1.2
+mercurial>=7.2.2
 hglib
 # Pin versions to match 3007.x
-apache-libcloud>=3.8.0
-gitpython>=3.1.46
+apache-libcloud>=3.8.0,<3.9.1; python_version < '3.10'
+apache-libcloud>=3.9.1; python_version >= '3.10'
+gitpython>=3.1.50
@@ -1,9 +1,11 @@
 sphinx>=3.5.1; python_version < '3.9'
-sphinx>=6.1.0; python_version >= '3.9'
+sphinx>=7.0.0,<9.0.0; python_version >= '3.9' and python_version < '3.12'
+sphinx>=9.1.0; python_version >= '3.12'
 myst-docutils[linkify]
-sphinxcontrib-httpdomain>=1.8.0
+sphinxcontrib-httpdomain>=1.8.1,<2.0.0; python_version < '3.10'
+sphinxcontrib-httpdomain>=2.0.0; python_version >= '3.10'
 sphinxcontrib-spelling
 cherrypy
 jinja2
 pydata-sphinx-theme
-MarkupSafe<3.0.0
+MarkupSafe<4.0.0
@@ -1,5 +1,5 @@
 # FreeBSD static CI requirements
 
 yamllint
-mercurial>=7.1.2
+mercurial>=7.2.2
 hglib
@@ -2,6 +2,12 @@
 
 docker >= 7.1.0; python_version >= '3.8'
 docker < 7.1.0; python_version < '3.8'
+# pylint 4 introduces new default-on E0606/E0601/E0602 checks that the
+# Salt 3007.x codebase has not been audited for; the lint job logs are
+# full of pre-existing possibly-used-before-assignment warnings now
+# turning into errors across salt/, tools/, and tests/. Stay on the
+# 3.1.x line for 3007.x. (pylint 4 also requires Python>=3.10, so the
+# 3.x line is the only choice on the py3.9 onedir target anyway.)
 pylint~=3.1.0
-SaltPyLint>=2024.2.2
+SaltPyLint>=2024.2.5
 toml
@@ -1,14 +1,20 @@
 # Linux static CI requirements
 pyiface
-pygit2>=1.10.1
-pymysql>=1.1.1
-ansible>=10.7.0; python_version >= '3.10'
-ansible>=12.3.0; python_version >= '3.11'
-ansible>=13.4.0; python_version >= '3.12'
-twilio>=9.10.3
-python-telegram-bot>=13.7
+pygit2>=1.13.1,<1.18.0; python_version < '3.11'
+pygit2>=1.19.2; python_version >= '3.11'
+pymysql>=1.2.0
+# ansible release lines support different Python versions:
+#   ansible-core / ansible 10.x — Python 3.10+
+#   ansible 12.x — Python 3.11+
+#   ansible 14.x — Python 3.12+
+ansible>=10.7.0,<11.0.0; python_version >= '3.10' and python_version < '3.11'
+ansible>=12.3.0,<13.0.0; python_version >= '3.11' and python_version < '3.12'
+ansible>=14.0.0; python_version >= '3.12'
+twilio>=9.10.9
+python-telegram-bot>=20.3,<22.0; python_version < '3.10'
+python-telegram-bot>=22.7; python_version >= '3.10'
 yamllint
-mercurial>=7.1.2
+mercurial>=7.2.2
 hglib
 redis-py-cluster
 python-consul

@@ -14,13 +14,13 @@ markupsafe==2.1.5
     # via
     #   -c requirements/static/ci/py3.10/linux.lock
     #   jinja2
-packaging==24.0
+packaging==26.2
     # via
     #   -c requirements/static/ci/py3.10/linux.lock
     #   -r requirements/static/ci/changelog.txt
 tomli==2.2.1
     # via
     #   -c requirements/static/ci/py3.10/linux.lock
     #   towncrier
-towncrier==24.8.0
+towncrier==25.8.0
     # via -r requirements/static/ci/changelog.txt