fix(security): bump pyjwt to 2.13.0#677
Conversation
pyjwt <= 2.12.1 is affected by GHSA-fhv5-28vv-h8m8 (LOW): PyJWKClient makes unbounded requests to the JWKS endpoint for attacker-controlled kid values, enabling denial of service. Patched in 2.13.0. Surgical lock-only bump (uv lock --upgrade-package pyjwt); only pyjwt moves. uv lock --check passes. Resolves #416. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: ⛔ Files ignored due to path filters (1)
📒 Files selected for processing (1)
WalkthroughThe Gherkin scenario "Capability matrix is rendered into adapter docs" in ChangesScenario Tag Update
🚥 Pre-merge checks | ✅ 3 | ❌ 2❌ Failed checks (2 warnings)
✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Pre-existing main breakage unrelated to the pyjwt bump: the 'Capability matrix is rendered into adapter docs' scenario carried only @docs, failing test_every_scenario_is_tagged_unit_integration_or_e2e and test_tag_split_matches_prove_it_report (the prove-it report already counts it as the 79th @Unit). It is a static docs-rendering assertion, so @Unit is the correct tier. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
@langwatch-agent Only the lockfile changing is suspect? |
|
Automated low-risk assessment This PR was evaluated against the repository's Low-Risk Pull Requests procedure and does not qualify as low risk.
This PR requires a manual review before merging. |
What
Surgical lock-only bump of
pyjwt2.12.1 -> 2.13.0 inpython/uv.lock(uv lock --upgrade-package pyjwt).Why
pyjwt
<= 2.12.1is affected by GHSA-fhv5-28vv-h8m8 (LOW):PyJWKClientmakes unbounded requests to the JWKS endpoint for attacker-controlledkidvalues, enabling denial of service. Patched in 2.13.0.Resolves Dependabot alert #416.
Verification
uv lock --checkpasses.