Python security patches: using system Python 3.13.5 vs uv-managed 3.12.x with Plone 6.1.4

Hi everyone,

I successfully installed Plone 6.1.4 Classic UI using Cookieplone on Debian 13
(Trixie). The installation works correctly.

My question is about production security.

Current situation:

  • System Python (managed by apt): 3.13.5
  • Plone virtualenv (managed by uv/Cookieplone): 3.12.13

uv downloads and manages its own Python independently of the OS.
This means apt security updates do NOT patch the Python used by Plone.

The concern:
CVEs fixed in Python 3.13.x are not automatically applied to the
uv-managed 3.12.13 environment. In a production server, this is
a security gap.

I noticed that Plone 6.1.4 setup.cfg declares:
python_requires >= 3.10
classifiers: 3.10, 3.11, 3.12, 3.13

Questions:

  1. Is it safe to force Plone 6.1.4 to use system Python 3.13.5
    (Debian) in production instead of uv-managed 3.12.x?
  2. How does the Plone community recommend handling Python security
    patches when using uv for installation?
  3. Is there a known issue with 3.13.5 specifically?

Thanks!

uv venv --python 3.13

Plone 6.1.4 supports Python 3.10 through 3.13.

Cookieplone’s defaults are oriented toward creating a controlled environment with minimal OS dependencies. But you can configure uv to use a system Python if that meets your needs better: Installing and managing Python | uv

Note: The Python development team plans to also continue maintaining Python 3.12 with security updates until October 2028: Status of Python versions

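A practical way to settle the question in the thread for a given server is to look at what the Plone virtualenv actually binds to, since a venv records its interpreter in `pyvenv.cfg`. The script below is an added example, not code from the original posts, from Plone or from uv. It parses `pyvenv.cfg`, classifies the interpreter as apt-patched (`/usr/bin`, `/usr/lib`) or uv-managed, and runs against two constructed sample venvs so it needs neither uv nor Plone to execute. The one assumption is uv's default Linux location for managed interpreters, `~/.local/share/uv/python` (or `$XDG_DATA_HOME/uv/python`); `uv python dir` prints the real location if it was changed.

```shell
#!/usr/bin/env bash
# Added example: report which interpreter a virtualenv uses and who patches it.
# Assumption: uv-managed interpreters live under .../uv/python/ (uv's default
# Linux data dir); run `uv python dir` to confirm on your host.
set -u

# Read one key from a pyvenv.cfg ("key = value" lines).
venv_cfg_value() {  # $1 = path to pyvenv.cfg, $2 = key
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n1
}

# Version string: uv writes "version_info", the stdlib venv module writes "version".
venv_python_version() {  # $1 = path to pyvenv.cfg
    local v
    v=$(venv_cfg_value "$1" version_info)
    [ -n "$v" ] || v=$(venv_cfg_value "$1" version)
    printf '%s\n' "$v"
}

# Classify the "home" directory recorded in pyvenv.cfg by who patches it.
python_origin() {  # $1 = home dir
    case "$1" in
        */uv/python/*)       echo uv-managed ;;  # patched only when uv fetches a new build
        /usr/bin*|/usr/lib*) echo system ;;      # patched by apt (Debian python3 packages)
        *)                   echo other ;;       # pyenv, /usr/local, hand-built, ...
    esac
}

# Print a one-line report; return 0 only if apt security updates reach this venv.
check_venv() {  # $1 = venv directory
    local cfg="$1/pyvenv.cfg" home ver origin
    [ -r "$cfg" ] || { echo "no pyvenv.cfg in $1" >&2; return 2; }
    home=$(venv_cfg_value "$cfg" home)
    ver=$(venv_python_version "$cfg")
    origin=$(python_origin "$home")
    echo "$1: Python $ver from $home ($origin)"
    [ "$origin" = system ]
}

# --- constructed sample venvs (invented paths; only pyvenv.cfg is needed) ---
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/plone-uv" "$demo_dir/plone-sys"
cat > "$demo_dir/plone-uv/pyvenv.cfg" <<'EOF'
home = /home/plone/.local/share/uv/python/cpython-3.12.13-linux-x86_64-gnu/bin
implementation = CPython
version_info = 3.12.13
EOF
cat > "$demo_dir/plone-sys/pyvenv.cfg" <<'EOF'
home = /usr/bin
implementation = CPython
version_info = 3.13.5
EOF

check_venv "$demo_dir/plone-uv"  || echo "  -> apt security updates do not reach this interpreter"
check_venv "$demo_dir/plone-sys" && echo "  -> apt security updates patch this interpreter"
rm -rf "$demo_dir"
```

Run it with the real venv path (`check_venv /path/to/plone/.venv`) to see which case a server is in. If the answer is "uv-managed" and you would rather have apt own the patching, recreate the venv against the Debian interpreter with `uv venv --python /usr/bin/python3`, or set `uv venv --python-preference only-system --python 3.13` so uv refuses to download its own build; if you keep the uv-managed 3.12, the patch cadence becomes whatever your deployment process does with `uv python list` and reinstalling, so it needs to be part of the same routine as `apt upgrade`.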