Outdated Dependencies and ANTLR 4.13+ Migration Path #1773

@toliver-hb

Several core dependencies in stix-shifter are outdated, with some PRs open for 2-3 years:

  • #767 (Jan 2022): antlr4-python3-runtime 4.8 → 4.9.3 - open 3+ years
  • #883 (Apr 2022): stix2-patterns 1.3.2 → 2.0.0 - open 2+ years
  • #1739 (Sep 2024): attrs 23.1.0 → 24.2.0
  • #1675 (Apr 2024): flask 3.0.0 → 3.0.3
  • #1764 (Oct 2025): numpy 1.24.4 → 2.3.4
  • #1766 (Oct 2025): aiomysql 0.2.0 → 0.3.2 - merged #1775

  1. What's blocking these dependency updates?

Is the primary blocker still the stix2-patterns/cti-pattern-validator ANTLR incompatibility (issue #104)? Are there other concerns preventing these updates? Is there anything I can assist with in moving these forward?

  2. Can we push for cti-pattern-validator 2.1.0 release?

Looking at the upstream repository, it appears most changes for ANTLR 4.13 support have been implemented in the main branch, but no v2.1.0 release has been published. Can the stix-shifter maintainers reach out to OASIS to expedite a release? This would unblock:

  • Updating antlr4-python3-runtime to 4.13.2
  • Updating stix2-patterns to use the latest validator
  • Resolving security vulnerabilities in other dependencies

  3. Python 3.11+ requirement acceptable?

Updating to ANTLR 4.13+ and modern dependency versions would likely require bumping minimum Python from 3.10 to 3.11+. Is this acceptable given that:

  • Python 3.10 reached end of active support in October 2024
  • Python 3.11 offers significant performance improvements
  • Security best practices recommend maintaining only actively supported versions

Context

I've tested these updates in a fork by building a 2.1.0 release (pending 2.1.0 release) and can confirm pattern translation works correctly with ANTLR 4.13.2. Happy to share testing results or assist with migration if there's interest in moving forward.

Alpha build https://github.com/toliver-hb/cti-pattern-validator/releases/tag/v2.1.0

Key Dependencies Needing Updates

  • antlr4-python3-runtime: 4.8 → 4.13.2
  • stix2-patterns/cti-pattern-validator: 1.3.2 → 2.1.0
  • attrs: 23.1.0 → 24.2.0
  • flask: 3.0.0 → 3.1.2
  • numpy: 1.26.x → 2.1.0+
  • aiomysql: 0.2.0 → 0.3.2
  • urllib3: 2.5.0 → 2.6.3+
