Merge changes I7293790f,I589c2aca * changes: Update urllib3 to at least 2.7.0 to fix CVE-2026-44432 Update python used to deploy release to maven central to 3.14
diff --git a/tools/maven-central/Pipfile b/tools/maven-central/Pipfile
index cffba46..e34443d 100644
--- a/tools/maven-central/Pipfile
+++ b/tools/maven-central/Pipfile
@@ -7,11 +7,11 @@
 requests = "*"
 argparse = "*"
 pyyaml = "*"
+urllib3 = ">=2.7.0"

 [dev-packages]
 flake8 = "*"
 black = "*"

 [requires]
-python_version = "3.12"
-python_full_version = "3.12.9"
+python_version = "3.14"
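Review bot: The added `urllib3 = ">=2.7.0"` line carries no explanation, and urllib3 is presumably only a transitive dependency of `requests` in this tool, so a later cleanup could drop the entry as unused and lose the security floor. Put a comment above it, for example `# Security floor for CVE-2026-44432; urllib3 is pulled in via requests, keep this constraint`. The floor only takes effect when the lock file is regenerated, because the installed version is whatever `Pipfile.lock` pins with hashes. Release environments should therefore keep being built with `pipenv sync`, as the README describes, so the locked 2.7.0 artifacts are the ones installed. The table header this entry belongs to lies above the hunk.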
diff --git a/tools/maven-central/Pipfile.lock b/tools/maven-central/Pipfile.lock
index e566398..5839d92 100644
--- a/tools/maven-central/Pipfile.lock
+++ b/tools/maven-central/Pipfile.lock
@@ -1,12 +1,11 @@ { "_meta": { "hash": { - "sha256": "096165cac35064650a41e592a40a9d1e13ae4022a1f6d43582534f1c3bf0dbf9" + "sha256": "28027cc52a42a1b801f3df250feac187373bed2c18fa6ddb4415dd6436ea4f2f" }, "pipfile-spec": 6, "requires": { - "python_full_version": "3.12.9", - "python_version": "3.12" + "python_version": "3.14" }, "sources": [ { @@ -251,11 +250,12 @@ }, "urllib3": { "hashes": [ - "sha256:1b62b6884944a57dbe321509ab94fd4d3b307075e0c2eae991ac71ee15ad38ed", - "sha256:bf272323e553dfb2e87d9bfd225ca7b0f467b919d7bbd355436d3fd37cb0acd4" + "sha256:231e0ec3b63ceb14667c67be60f2f2c40a518cb38b03af60abc813da26505f4c", + "sha256:9fb4c81ebbb1ce9531cce37674bbc6f1360472bc18ca9a553ede278ef7276897" ], - "markers": "python_version >= '3.9'", - "version": "==2.6.3" + "index": "pypi", + "markers": "python_version >= '3.10'", + "version": "==2.7.0" } }, "develop": {
diff --git a/tools/maven-central/README.md b/tools/maven-central/README.md
index 0c40598..821a61c 100644
--- a/tools/maven-central/README.md
+++ b/tools/maven-central/README.md
@@ -4,7 +4,7 @@ - you need to be a Eclipse JGit committer - install [jreleaser CLI](https://jreleaser.org/guide/latest/install.html) -- install [python 3.12](https://www.python.org/) +- install [python 3.14](https://www.python.org/) - install [pipenv](https://pipenv.pypa.io/en/latest/installation.html) we use below to setup a python virtualenv - we sign release tags and Maven artifacts using GPG. Follow [Git Tools - Signing Your Work](https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work) @@ -61,7 +61,7 @@ - prepare virtualenv for `download_release.py`: ``` $ cd tools/maven-central - $ pipenv --python 3.12 + $ pipenv --python 3.14 $ pipenv sync ``` - download a JGit release from repo.eclipse.org and create artifact signature files (`.asc`)