chore(sec): bump deps + drop Python 3.9 to clear all OSV findings (5.0.0)

Clears 25 OSV-Scanner findings (1 CRITICAL cryptography, 13 HIGH across
cryptography/urllib3/pyjwt/pyarrow/black, 10 MED, 1 UNKNOWN) by bumping
direct dependency floors and regenerating the lockfile. Forces a major
version bump because the new dependency constraints will conflict with
customers' transitive-dep pins on the older majors of urllib3 (1.x → 2.x),
pyarrow (14/18/22 → 23), pytest (7 → 9), and black (22 → 26).

Drops Python 3.8/3.9 from supported floors. Python 3.8 is 20 months past
upstream EOL (2024-10), Python 3.9 is 7 months past (2025-10). The patched
versions of urllib3 / pyarrow / requests / pytest / black all declare
requires_python>=3.10, so keeping 3.9 in the matrix would silently
downgrade these to CVE-vulnerable versions for 3.9 customers — defeating
the entire purpose of the PR.

Direct runtime bumps:
- urllib3:  >=1.26      -> >=2.7.0,<3.0.0   (urllib3 1.x -> 2.x major)
- requests: ^2.18.1     -> ^2.33.0
- pyjwt:    ^2.0.0      -> ^2.12.0
- pyarrow:  14/18/22+   -> >=23.0.1 (all three Python-version-gated blocks)

Direct dev bumps:
- pytest:   ^7.1.2      -> ^9.0.3
- black:    ^22.3.0     -> ^26.3.1  (reformats 13 src files in a follow-up commit)

Transitive cleanups via lockfile (no pyproject change):
- cryptography  43.0.3/45.0.6 -> 48.0.0   (clears CRITICAL PYSEC-2026-36 9.8)
- idna          3.10          -> 3.16
- python-dotenv 1.0.1         -> 1.2.2

Verification:
- OSV-Scanner v2.3.8 against new poetry.lock: 25 findings -> 0
- Unit tests (Python 3.10.18, default deps):     765 passed, 4 skipped
- Unit tests (Python 3.10.18, min deps):         765 passed, 4 skipped
- mypy:   same 11 pre-existing errors on main; unchanged
- black:  applied separately in next commit

Co-authored-by: Isaac
Signed-off-by: Vikrant Puppala <vikrant.puppala@databricks.com>

Author: vikrantpuppala

.github/workflows/code-quality-checks.yml

@@ -13,7 +13,7 @@ jobs:
       labels: linux-ubuntu-latest
     strategy:
       matrix:
-        python-version: ["3.9", "3.10", "3.11", "3.12", "3.13", "3.14"]
+        python-version: ["3.10", "3.11", "3.12", "3.13", "3.14"]
         dependency-version: ["default", "min"]
         exclude:
           - python-version: "3.12"
@@ -56,7 +56,7 @@ jobs:
       labels: linux-ubuntu-latest
     strategy:
       matrix:
-        python-version: ["3.9", "3.10", "3.11", "3.12", "3.13", "3.14"]
+        python-version: ["3.10", "3.11", "3.12", "3.13", "3.14"]
         dependency-version: ["default", "min"]
         exclude:
           - python-version: "3.12"
@@ -104,7 +104,7 @@ jobs:
       labels: linux-ubuntu-latest
     strategy:
       matrix:
-        python-version: ["3.9", "3.10", "3.11", "3.12", "3.13", "3.14"]
+        python-version: ["3.10", "3.11", "3.12", "3.13", "3.14"]
     steps:
       - name: Check out repository
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
@@ -121,7 +121,7 @@ jobs:
       labels: linux-ubuntu-latest
     strategy:
       matrix:
-        python-version: ["3.9", "3.10", "3.11", "3.12", "3.13", "3.14"]
+        python-version: ["3.10", "3.11", "3.12", "3.13", "3.14"]
     steps:
       - name: Check out repository
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

CHANGELOG.md

@@ -1,5 +1,28 @@
 # Release History
 
+# 5.0.0 (TBD)
+
+**Breaking changes — security & language-version cleanup.**
+
+- Minimum Python is now **3.10** (was 3.8). Python 3.8 (EOL 2024-10) and 3.9 (EOL 2025-10) are no longer supported. Users on these versions should stay on the 4.x line.
+- Bumped `urllib3` to the **2.x** series (was `>=1.26`). Customers pinning `urllib3<2` must either lift the pin or stay on the 4.x line. urllib3 2.x requires Python 3.10+.
+- Bumped several other runtime dependency floors to versions that clear all open CVEs in `poetry.lock`:
+  - `requests`: `>=2.18.1` → `>=2.33.0`
+  - `pyjwt`: `>=2.0` → `>=2.12.0`
+  - `pyarrow`: `>=14.0.1` / `>=18.0.0` / `>=22.0.0` (Python-version-gated blocks) → `>=23.0.1` everywhere
+  - `urllib3`: `>=1.26` → `>=2.7.0,<3.0.0`
+- Bumped dev dependencies for the same reason:
+  - `pytest`: `^7.1.2` → `^9.0.3`
+  - `black`: `^22.3.0` → `^26.3.1` (codebase has been reformatted in a single commit; downstream forks should expect to reformat once on the merge)
+- Transitive cleanups (no `pyproject.toml` change, lockfile only):
+  - `cryptography` 45.0.6 → 48.0.0
+  - `idna` 3.10 → 3.16
+  - `python-dotenv` 1.0.1 → 1.2.2
+
+**Migration**: For most users, `pip install -U databricks-sql-connector` is the only required change. Users on Python 3.9 must update their interpreter before upgrading. Users with hard pins on `urllib3<2` must lift the pin before upgrading.
+
+**OSV-Scanner status**: 25 → 0 advisories on `poetry.lock`.
+
 # 4.2.6 (2026-04-22)
 - Add SPOG routing support for account-level vanity URLs (databricks/databricks-sql-python#767 by @msrathore-db)
 - Fix dependency_manager: handle PEP 440 ~= compatible release syntax (databricks/databricks-sql-python#776 by @vikrantpuppala)