Skip to content

fix(security): bump pyjwt to 2.13.0#677

Open
langwatch-agent wants to merge 2 commits into
mainfrom
dependabot-scout/pyjwt-security
Open

fix(security): bump pyjwt to 2.13.0#677
langwatch-agent wants to merge 2 commits into
mainfrom
dependabot-scout/pyjwt-security

Conversation

@langwatch-agent

Copy link
Copy Markdown
Contributor

What

Surgical lock-only bump of pyjwt 2.12.1 -> 2.13.0 in python/uv.lock (uv lock --upgrade-package pyjwt).

Why

pyjwt <= 2.12.1 is affected by GHSA-fhv5-28vv-h8m8 (LOW): PyJWKClient makes unbounded requests to the JWKS endpoint for attacker-controlled kid values, enabling denial of service. Patched in 2.13.0.

Resolves Dependabot alert #416.

Verification

  • Only pyjwt moves (the self-version 0.7.30 -> 0.7.31 is pre-existing lock staleness).
  • uv lock --check passes.
  • 2.13.0 published 2026-05-21, well outside any cooldown.

pyjwt <= 2.12.1 is affected by GHSA-fhv5-28vv-h8m8 (LOW): PyJWKClient makes
unbounded requests to the JWKS endpoint for attacker-controlled kid values,
enabling denial of service. Patched in 2.13.0.

Surgical lock-only bump (uv lock --upgrade-package pyjwt); only pyjwt moves.
uv lock --check passes.

Resolves #416.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jun 16, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6ccf1a66-29ae-4e7f-986c-69a4fbd1a97d

📥 Commits

Reviewing files that changed from the base of the PR and between 21226c0 and 09d1d7a.

⛔ Files ignored due to path filters (1)
  • python/uv.lock is excluded by !**/*.lock
📒 Files selected for processing (1)
  • specs/voice-agents.feature

Walkthrough

The Gherkin scenario "Capability matrix is rendered into adapter docs" in specs/voice-agents.feature has the @unit tag added alongside the pre-existing @docs tag. No step text, assertions, or other content was modified.

Changes

Scenario Tag Update

Layer / File(s) Summary
Add @unit tag to capability matrix scenario
specs/voice-agents.feature
The scenario tag line is updated from @docs alone to @docs @unit``; all steps remain unchanged.

A rabbit hopped through the spec one day,
And found a scenario tagged just @docs that way.
"It runs like a unit," the rabbit declared,
So @unit was added — and the tag was repaired!
🐇✨

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name Status Explanation Resolution
Title check ⚠️ Warning The PR title references a pyjwt security bump, but the actual changeset involves Gherkin feature file tagging in specs/voice-agents.feature with no pyjwt or lock file changes visible. Update the title to accurately reflect the actual change: something like 'test(voice-agents): add @unit tag to capability matrix scenario'.
Description check ⚠️ Warning The PR description discusses pyjwt dependency updates and security vulnerabilities, but the visible changeset only modifies Gherkin feature file tags with no lock file changes. Update the description to match the actual changeset: the Gherkin feature file tagging modification, or clarify if lock files are excluded from the summary.
✅ Passed checks (3 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch dependabot-scout/pyjwt-security

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

Pre-existing main breakage unrelated to the pyjwt bump: the 'Capability matrix
is rendered into adapter docs' scenario carried only @docs, failing
test_every_scenario_is_tagged_unit_integration_or_e2e and
test_tag_split_matches_prove_it_report (the prove-it report already counts it
as the 79th @Unit). It is a static docs-rendering assertion, so @Unit is the
correct tier.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@langwatch-agent

Copy link
Copy Markdown
Contributor Author

CI fully green. The pyjwt 2.13.0 bump is clean; the one CI failure on the first run was the same pre-existing voice BDD contract breakage as #671 (a scenario tagged only @docs), fixed here with the identical validated @Unit tag. Closes #416. Ready for human review.

@drewdrewthis

Copy link
Copy Markdown
Collaborator

@langwatch-agent Only the lockfile changing is suspect?

@langwatch-agent langwatch-agent added dependabot-scout Opened by the dependabot-scout security-triage agent (shared langwatch-agent bot identity) hound-checked Triaged by the pr-hound agent at the current head SHA labels Jul 2, 2026
@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Automated low-risk assessment

This PR was evaluated against the repository's Low-Risk Pull Requests procedure and does not qualify as low risk.

The PR updates the pyjwt dependency in python/uv.lock (2.12.1 → 2.13.0), which is a security-sensitive dependency that can affect authentication/verification behavior; dependency/crypto library changes are not covered by the low-risk categories. Although it also adds a test tag, the lockfile dependency bump disqualifies the PR from being treated as low risk.

This PR requires a manual review before merging.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependabot-scout Opened by the dependabot-scout security-triage agent (shared langwatch-agent bot identity) hound-checked Triaged by the pr-hound agent at the current head SHA

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants