Remove Python 3.9 support

Python 3.9 reached upstream EOL on 31st October 2025:
https://devguide.python.org/versions/#supported-versions

The Python version support policy is that supported versions follows
the upstream EOL lifecycle:
https://devcenter.heroku.com/articles/python-support#python-version-support-policy

And Python 3.9 support has been deprecated since 8th January 2025:
https://devcenter.heroku.com/changelog-items/3095

As such, builds of apps using Python 3.9 will now fail with an error
message explaining they must be upgraded to a newer/supported Python
version.

Apps using Python 3.9 that aren't able to upgrade immediately will need
to pin to an older buildpack version temporarily.

GUS-W-17595553.

Author: edmorley

CHANGELOG.md

@@ -2,6 +2,7 @@
 
 ## [Unreleased]
 
+- Removed support for Python 3.9. ([#2005](https://github.com/heroku/heroku-buildpack-python/pull/2005))
 - Adjusted the error message shown if SQLite headers aren't found during package installation. ([#2006](https://github.com/heroku/heroku-buildpack-python/pull/2006))
 
 ## [v326] - 2026-01-05

README.md

@@ -51,11 +51,10 @@ The supported Python versions are:
 - Python 3.13
 - Python 3.12
 - Python 3.11
-- Python 3.10
 
 These Python versions are deprecated on Heroku:
 
-- Python 3.9
+- Python 3.10
 
 Python versions older than those listed above are no longer supported, since they have reached
 end-of-life [upstream](https://devguide.python.org/versions/#supported-versions).

builds/build_python_runtime.sh

@@ -27,7 +27,6 @@ function abort() {
 case "${STACK:?}" in
 	heroku-22 | heroku-24)
 		SUPPORTED_PYTHON_VERSIONS=(
-			"3.9"
 			"3.10"
 			"3.11"
 			"3.12"
@@ -58,10 +57,6 @@ case "${PYTHON_MAJOR_VERSION}" in
 		SIGSTORE_IDENTITY='pablogsal@python.org'
 		SIGSTORE_ISSUER='https://accounts.google.com'
 		;;
-	3.9)
-		SIGSTORE_IDENTITY='lukasz@langa.pl'
-		SIGSTORE_ISSUER='https://github.com/login/oauth'
-		;;
 	*)
 		abort "Unsupported Python version '${PYTHON_MAJOR_VERSION}'!"
 		;;
@@ -102,42 +97,34 @@ CONFIGURE_OPTS=(
 	"--enable-optimizations"
 	# Make autoconf's configure option validation more strict.
 	"--enable-option-checking=fatal"
+	# Shared builds are beneficial for a number of reasons:
+	# - Reduces the size of the build, since it avoids the duplication between
+	#   the Python binary and the static library.
+	# - Permits use-cases that only work with the shared Python library,
+	#   and not the static library (such as `pycall.rb` or `PyO3`).
+	# - More consistent with the official Python Docker images and other distributions.
+	#
+	# Shared builds are slower unless `no-semantic-interposition`and LTO is used,
+	# however, as of Python 3.10 `no-semantic-interposition` is enabled by default:
+	# https://fedoraproject.org/wiki/Changes/PythonNoSemanticInterpositionSpeedup
+	# https://github.com/python/cpython/issues/83161
+	"--enable-shared"
 	# Install Python into `/tmp/python` rather than the default of `/usr/local`.
 	"--prefix=${INSTALL_DIR}"
 	# Skip running `ensurepip` as part of install, since the buildpack installs a curated
 	# version of pip itself (which ensures it's consistent across Python patch releases).
 	"--with-ensurepip=no"
+	"--with-lto"
+	# Counter-intuitively, the static library is still generated by default even when
+	# the shared library is enabled, so we disable it to reduce the build size.
+	# This option only exists for Python 3.10+.
+	"--without-static-libpython"
 )
 
-if [[ "${PYTHON_MAJOR_VERSION}" != +(3.9) ]]; then
-	CONFIGURE_OPTS+=(
-		# Shared builds are beneficial for a number of reasons:
-		# - Reduces the size of the build, since it avoids the duplication between
-		#   the Python binary and the static library.
-		# - Permits use-cases that only work with the shared Python library,
-		#   and not the static library (such as `pycall.rb` or `PyO3`).
-		# - More consistent with the official Python Docker images and other distributions.
-		#
-		# However, shared builds are slower unless `no-semantic-interposition`and LTO is used:
-		# https://fedoraproject.org/wiki/Changes/PythonNoSemanticInterpositionSpeedup
-		# https://github.com/python/cpython/issues/83161
-		#
-		# It's only as of Python 3.10 that `no-semantic-interposition` is enabled by default,
-		# so we only use shared builds on Python 3.10+ to avoid needing to override the default
-		# compiler flags.
-		"--enable-shared"
-		"--with-lto"
-		# Counter-intuitively, the static library is still generated by default even when
-		# the shared library is enabled, so we disable it to reduce the build size.
-		# This option only exists for Python 3.10+.
-		"--without-static-libpython"
-	)
-fi
-
-if [[ "${PYTHON_MAJOR_VERSION}" != +(3.9|3.10) ]]; then
+if [[ "${PYTHON_MAJOR_VERSION}" != +(3.10) ]]; then
 	CONFIGURE_OPTS+=(
 		# Skip building the test modules, since we remove them after the build anyway.
-		# This feature was added in Python 3.10+, however it wasn't until Python 3.11
+		# This feature was added in Python 3.10, however it wasn't until Python 3.11
 		# that compatibility issues between it and PGO were fixed:
 		# https://github.com/python/cpython/pull/29315
 		"--disable-test-modules"
@@ -155,31 +142,14 @@ fi
 # - https://wiki.ubuntu.com/ToolChain/CompilerFlags
 # - https://wiki.debian.org/Hardening
 # - https://github.com/docker-library/python/issues/810
-# We only use `dpkg-buildflags` for Python versions where we build in shared mode (Python 3.9+),
-# since some of the options it enables interferes with the stripping of static libraries.
-if [[ "${PYTHON_MAJOR_VERSION}" == +(3.9) ]]; then
-	EXTRA_CFLAGS=''
-	LDFLAGS='-Wl,--strip-all'
-else
-	EXTRA_CFLAGS="$(dpkg-buildflags --get CFLAGS)"
-	LDFLAGS="$(dpkg-buildflags --get LDFLAGS) -Wl,--strip-all"
-fi
+EXTRA_CFLAGS="$(dpkg-buildflags --get CFLAGS)"
+LDFLAGS="$(dpkg-buildflags --get LDFLAGS) -Wl,--strip-all"
 
 CPU_COUNT="$(nproc)"
 make -j "${CPU_COUNT}" "EXTRA_CFLAGS=${EXTRA_CFLAGS}" "LDFLAGS=${LDFLAGS}"
 make install
 
-if [[ "${PYTHON_MAJOR_VERSION}" == +(3.9) ]]; then
-	# On older versions of Python we're still building the static library, which has to be
-	# manually stripped since the linker stripping enabled in LDFLAGS doesn't cover them.
-	# We're using `--strip-unneeded` since `--strip-all` would remove the `.symtab` section
-	# that is required for static libraries to be able to be linked.
-	# `find` is used since there are multiple copies of the static library in version-specific
-	# locations, eg:
-	#   - `lib/libpython3.9.a`
-	#   - `lib/python3.9/config-3.9-x86_64-linux-gnu/libpython3.9.a`
-	find "${INSTALL_DIR}" -type f -name '*.a' -print -exec strip --strip-unneeded '{}' +
-elif ! find "${INSTALL_DIR}" -type f -name '*.a' -print -exec false '{}' +; then
+if ! find "${INSTALL_DIR}" -type f -name '*.a' -print -exec false '{}' +; then
 	abort "Unexpected static libraries found!"
 fi
 
@@ -220,7 +190,7 @@ LD_LIBRARY_PATH="${SRC_DIR}" "${SRC_DIR}/python" -m compileall -f --invalidation
 # (e.g. `python -m pydoc`) if needed.
 rm "${INSTALL_DIR}"/bin/{idle,pydoc}*
 # The 2to3 module and entrypoint was removed from the stdlib in Python 3.13.
-if [[ "${PYTHON_MAJOR_VERSION}" == +(3.9|3.10|3.11|3.12) ]]; then
+if [[ "${PYTHON_MAJOR_VERSION}" == +(3.10|3.11|3.12) ]]; then
 	rm "${INSTALL_DIR}"/bin/2to3*
 fi
 

lib/pip.sh

@@ -28,7 +28,7 @@ function pip::install_pip() {
 	#   them installed.
 	# - Most of the Python ecosystem has stopped installing them for Python 3.12+ already.
 	# See the Python CNB's removal for more details: https://github.com/heroku/buildpacks-python/pull/243
-	if [[ "${python_major_version}" == +(3.9|3.10|3.11|3.12) ]]; then
+	if [[ "${python_major_version}" == +(3.10|3.11|3.12) ]]; then
 		build_data::set_string "setuptools_version" "${SETUPTOOLS_VERSION}"
 		build_data::set_string "wheel_version" "${WHEEL_VERSION}"
 		packages_to_install+=(

lib/pipenv.sh

@@ -45,9 +45,6 @@ function pipenv::install_pipenv() {
 		local bundled_pip_module_path
 		bundled_pip_module_path="$(utils::bundled_pip_module_path "${python_home}" "${python_major_version}")"
 
-		# We must call the venv Python directly here, rather than relying on pip's `--python`
-		# option, since `--python` was only added in pip v22.3, so isn't supported by the older
-		# pip versions bundled with Python 3.9/3.10.
 		# `--isolated`: Prevents any custom pip configuration added by third party buildpacks (via env
 		#               vars or global config files) from breaking package manager bootstrapping.
 		# shellcheck disable=SC2310 # This function is invoked in an 'if' condition so set -e will be disabled.

lib/poetry.sh

@@ -51,13 +51,8 @@ function poetry::install_poetry() {
 		local bundled_pip_module_path
 		bundled_pip_module_path="$(utils::bundled_pip_module_path "${python_home}" "${python_major_version}")"
 
-		# We must call the venv Python directly here, rather than relying on pip's `--python`
-		# option, since `--python` was only added in pip v22.3, so isn't supported by the older
-		# pip versions bundled with Python 3.9/3.10.
 		# `--isolated`: Prevents any custom pip configuration added by third party buildpacks (via env
 		#               vars or global config files) from breaking package manager bootstrapping.
-		# We pin to an older dulwich version to work around https://github.com/jelmer/dulwich/issues/1948
-		# on Python 3.9.0/3.9.1. TODO: Remove this pin when we drop support for Python 3.9 in Jan 2026.
 		# shellcheck disable=SC2310 # This function is invoked in an 'if' condition so set -e will be disabled.
 		if ! {
 			"${poetry_venv_dir}/bin/python" "${bundled_pip_module_path}" \

lib/python_version.sh

@@ -4,14 +4,13 @@
 # however, it helps Shellcheck realise the options under which these functions will run.
 set -euo pipefail
 
-LATEST_PYTHON_3_9="3.9.25"
 LATEST_PYTHON_3_10="3.10.19"
 LATEST_PYTHON_3_11="3.11.14"
 LATEST_PYTHON_3_12="3.12.12"
 LATEST_PYTHON_3_13="3.13.11"
 LATEST_PYTHON_3_14="3.14.2"
 
-OLDEST_SUPPORTED_PYTHON_3_MINOR_VERSION=9
+OLDEST_SUPPORTED_PYTHON_3_MINOR_VERSION=10
 NEWEST_SUPPORTED_PYTHON_3_MINOR_VERSION=14
 
 DEFAULT_PYTHON_FULL_VERSION="${LATEST_PYTHON_3_14}"
@@ -525,7 +524,6 @@ function python_version::resolve_python_version() {
 	# Otherwise map major version specifiers to the latest patch release.
 	case "${requested_python_version}" in
 		*.*.*) echo "${requested_python_version}" ;;
-		3.9) echo "${LATEST_PYTHON_3_9}" ;;
 		3.10) echo "${LATEST_PYTHON_3_10}" ;;
 		3.11) echo "${LATEST_PYTHON_3_11}" ;;
 		3.12) echo "${LATEST_PYTHON_3_12}" ;;
@@ -688,24 +686,7 @@ function python_version::warn_if_deprecated_major_version() {
 	local requested_major_version="${1}"
 	local version_origin="${2}"
 
-	if [[ "${requested_major_version}" == "3.9" ]]; then
-		output::warning <<-EOF
-			Warning: Support for Python 3.9 is ending soon!
-
-			Python 3.9 reached its upstream end-of-life on 31st October 2025,
-			and so no longer receives security updates:
-			https://devguide.python.org/versions/#supported-versions
-
-			As such, support for Python 3.9 will be removed from this
-			buildpack on 7th January 2026.
-
-			Upgrade to a newer Python version as soon as possible, by
-			changing the version in your ${version_origin} file.
-
-			For more information, see:
-			https://devcenter.heroku.com/articles/python-support#supported-python-versions
-		EOF
-	elif [[ "${requested_major_version}" == "3.10" ]]; then
+	if [[ "${requested_major_version}" == "3.10" ]]; then
 		output::warning <<-EOF
 			Warning: Support for Python 3.10 is deprecated!
 

spec/fixtures/django_staticfiles_legacy_django/.python-version

@@ -1 +1 @@
-3.9
+3.10

spec/fixtures/django_staticfiles_legacy_django/requirements.txt

@@ -1,3 +1,2 @@
-# This is the oldest Django version that works on Python 3.9 (which is the
-# oldest Python that is available on all of our supported builders).
-Django==1.8.19
+# This is the oldest Django version that works on Python 3.10 (our oldest supported Python version).
+Django==2.1.15

spec/fixtures/pip_oldest_python/runtime.txt

@@ -1 +1 @@
-python-3.9.0
+python-3.10.0