Dependabot Ends Python 3.9 Support Over End-of-Life Concerns

Dependabot, the automated dependency management tool used by millions of developers, stopped supporting Python 3.9 on June 23, 2026. The move comes after the Python Software Foundation officially declared the language version end-of-life (EOL) last year.

Why Dependabot pulled support

Python 3.9 reached its end-of-life in October 2025, meaning it no longer receives security patches or bug fixes. Dependabot’s decision follows a standard policy: once a language version is EOL, the tool stops scanning for outdated dependencies in projects that use it. Projects still on Python 3.9 will no longer get automated pull requests for updates or vulnerability alerts from Dependabot.

The cutoff affects repositories hosted on GitHub that rely on Dependabot to keep dependencies current. Developers can still manually update their Python version, but the automated safety net is gone.

The security cost of staying on Python 3.9

Organizations that delay upgrading from Python 3.9 face increased security risks, according to the notice. Without official support, any newly discovered vulnerabilities in the runtime or in third-party packages built for Python 3.9 will go unpatched. The risk compounds as more libraries drop compatibility with older versions.

Cybersecurity teams inside companies still running Python 3.9 now have to either allocate resources for manual patching or accelerate migration plans. Smaller teams without dedicated security staff may find themselves exposed.

Dependabot’s move is not unusual — similar cuts have happened for Python 2.7 and 3.4 in the past. But the timing matters: many enterprises have been slow to move off Python 3.9, partly because their own internal tools or third-party packages haven’t been updated for newer versions.

What developers should do now

The fix is straightforward but not always easy: upgrade to Python 3.10, 3.11, or 3.12. Each newer version includes performance improvements and security fixes. The Python Software Foundation provides migration guides, and most popular libraries already support later versions.

For teams with large codebases, the upgrade may require testing and refactoring. But with Dependabot’s support gone, the window for a smooth transition is closing. The alternative — running unsupported software with no automated dependency monitoring — is a gamble that few organizations can afford.
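Before planning the upgrade, a team needs to know which checkouts still declare Python 3.9 or older. The script below is an added example, not part of the original article or of Dependabot; the list of files it inspects is an assumption about common places a project pins its interpreter, and it only matches declarations written on a single line.

```python
import re
from pathlib import Path

EOL = (3, 9)  # newest end-of-life release, per the article (EOL October 2025)

# (file path pattern, pattern for the line that declares an interpreter).
# Assumed common pin locations; this is not Dependabot's own detection logic.
RULES = [
    (r"(^|/)\.python-version$", r"^\s*\d"),
    (r"(^|/)runtime\.txt$", r"^\s*python-\d"),
    (r"(^|/)Dockerfile[^/]*$", r"(?i)^\s*FROM\s+(\S+/)?python:\d"),
    (r"(^|/)\.github/workflows/[^/]+\.ya?ml$", r"\bpython-version:"),
    (r"(^|/)pyproject\.toml$", r"^\s*requires-python\s*="),
]
VERSION = re.compile(r"(?<![\d.])(\d+)\.(\d+)")


def scan_text(path, text):
    """Return (path, line_no, 'X.Y') for each declared version at or below EOL."""
    hits = []
    for path_pat, line_pat in RULES:
        if not re.search(path_pat, path):
            continue
        for no, line in enumerate(text.splitlines(), 1):
            line = line.split("#", 1)[0]  # ignore trailing comments
            if not re.search(line_pat, line):
                continue
            for major, minor in VERSION.findall(line):
                if (int(major), int(minor)) <= EOL:
                    hits.append((path, no, f"{major}.{minor}"))
    return hits


def scan_tree(root):
    """Walk a checkout and scan every file whose path matches a rule."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and any(re.search(pat, rel) for pat, _ in RULES):
            hits += scan_text(rel, p.read_text(errors="replace"))
    return hits


if __name__ == "__main__":
    import sys
    for path, no, ver in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}:{no}: declares Python {ver} (end-of-life)")
```

A hit on `requires-python` means the project's version floor still admits an end-of-life interpreter, which is worth raising during the migration even if production already runs something newer.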

No further announcements from Dependabot about future version cutoffs have been made, but the pattern suggests Python 3.10 support could end once it reaches its own EOL in October 2026.