
chore(deps): bump joserfc from 1.6.5 to 1.6.7 in /envs/julia_env #886

Closed

dependabot[bot] wants to merge 1 commit into main from dependabot/uv/envs/julia_env/joserfc-1.6.7


Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 30, 2026

Contributor

Bumps joserfc from 1.6.5 to 1.6.7.

Release notes

Sourced from joserfc's releases.

1.6.7

🐞 Bug Fixes
Changelog

Sourced from joserfc's changelog.

1.6.7

Released on May 23, 2026

  • Update for type hints.

1.6.6

Released on May 18, 2026

  • JWS: validate payload size when b64=false.
Commits
  • 1e5b94d chore: release 1.6.7
  • 75d9f95 fix(typing): use cast for type hints
  • 6d24037 Merge pull request #98 from jonathangreen/algorithms-accept-collection
  • 102a7a7 fix(typing): accept any Collection for algorithms, not just list
  • 8b869e8 chore: release 1.6.6
  • 00d599b chore: update actions
  • 9186561 Merge pull request #97 from authlib/fix-b64
  • 4d4ea2e fix(jws): validate payload size for b64=false
  • b6554cc Merge pull request #96 from sebasxsala/fix-p512-fixture
  • b89eadf test: normalize P-521 private key fixture
  • See full diff in compare view


Note

Medium Risk
Touches JWT/JWS handling (joserfc via Authlib) in a security-adjacent dependency path, though the change is a small patch bump with validation fixes rather than new features.

Overview
Updates envs/julia_env/uv.lock so joserfc moves from 1.6.5 to 1.6.7 (pulled in via Authlib). The lock revision increments and resolved package registry URLs switch from the Hugging Face PyPI mirror to https://pypi.org/simple across the file—not only for joserfc.

The newer joserfc patch releases add JWS payload-size checks when b64=false, broader typing for algorithm collections, and minor type-hint fixes; there is no application source change in this PR.

Reviewed by Cursor Bugbot for commit 7001043. Bugbot is set up for automated code reviews on this repo. Configure here.

@dependabot dependabot Bot added the Dependencies and python:uv (Pull requests that update python:uv code) labels Jun 30, 2026
@bot-ci-comment


The docs for this PR live here. All of your documentation changes will be reflected on that endpoint. The docs are available until 30 days after the last update.

@cursor cursor Bot left a comment


Alignment Review Report

Dependabot bump of joserfc 1.6.5 → 1.6.7 in /envs/julia_env. The diff is a single, lock-only change to envs/julia_env/uv.lock — no Python/source, CI, API, or config changes.

Automated Checks

  • Lint: N/A — The repo lint hook (uv run usort/ruff) couldn't execute here because uv isn't installed in the review VM, and the diff contains no Python anyway. CI runs the authoritative lint. The lockfile is internally consistent (see below).
  • Debug code: CLEAN. check-debug.sh only flags pre-existing prints/TODOs under src/openenv/cli/..., none of which are touched by this PR.

Verification (lockfile bump)

  • Transitive dep, lock-only is correct: joserfc is not in pyproject.toml; it's pulled in transitively via authlib (a dependency of openenv[core]/mcp). No pyproject.toml edit is needed.
  • Lockfile consistency: version, sdist, and wheel are all updated to 1.6.7 in the joserfc block.
  • Hashes verified against PyPI
    • wheel sha256:9e51e4a6…be05 (70603 B) — matches
    • sdist sha256:6999fe89…9fd7 (232158 B) — matches
    • yanked: false, 0 known vulnerabilities on 1.6.7.
  • Constraints satisfied — joserfc 1.6.7 requires cryptography>=45.0.1 (env locks cryptography 48.0.0 ✅) and requires_python >=3.9 (env is requires-python >=3.10 ✅).
  • Security fix 🔒 — 1.6.5 carries CVE-2026-48990 / GHSA-wphv-vfrh-23q5 (RFC7797 b64=false JWS payloads bypass JWSRegistry.max_payload_length, a DoS / resource-exhaustion risk), with fixed_in: 1.6.7. This bump closes it — a positive signal.

Open RFCs Context

Open RFCs (000–005 In Review, 010 Draft) all concern environment abstractions, env-spec, MCP, rubrics/rewards, and harnesses. None relate to a transitive dependency lockfile bump.

Tier 1: Fixes Required

None.

Tier 2: Alignment Discussion

Principle Conflicts

None identified — a transitive lockfile bump doesn't touch the Gymnasium API, reward computation, client/server boundaries, or container/security model.

RFC Conflicts

None identified.

Summary

  • 0 mechanical issues to fix
  • 0 alignment points for human review
  • 0 RFC conflicts to discuss

Clean, low-risk, and security-positive. Recommend merging once CI is green.

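The review above names the bug class behind the 1.6.6 fix: with RFC 7797's "b64": false, the JWS payload sits between the dots unencoded, so a size limit that is only applied to the base64url-decoded payload never measures it. The following is an added illustration of that pitfall and of the defensive ordering that closes it; it is not joserfc's code, nor the project's, and the 256-byte limit, the HS256 key and the tokens are all constructed for the example. It shows a minimal compact-JWS verifier that checks size after decoding (the vulnerable shape) beside one that bounds the raw payload segment before any decoding or signature work.

```python
"""Illustration of the RFC 7797 ("b64": false) payload-size pitfall.

A compact JWS whose protected header carries "b64": false keeps its payload
between the dots unencoded, so a size limit applied only to the base64url-
decoded payload never sees it. Constructed example; not joserfc's code.
"""
import base64
import hashlib
import hmac
import json

MAX_PAYLOAD_LENGTH = 256  # assumed limit in bytes, standing in for a registry setting


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_hs256_token(payload: bytes, key: bytes, b64: bool = True) -> str:
    """Build a compact HS256 JWS. With b64=False (RFC 7797) the payload is
    placed between the dots unencoded and signed in that raw form; the
    payload must then not contain a '.' itself."""
    header = {"alg": "HS256"}
    if not b64:
        header["b64"] = False
        header["crit"] = ["b64"]
    header_seg = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    payload_seg = _b64url_encode(payload) if b64 else payload.decode("utf-8")
    signing_input = f"{header_seg}.{payload_seg}".encode("utf-8")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header_seg}.{payload_seg}.{_b64url_encode(sig)}"


def _check_signature(header_seg: str, payload_seg: str, sig_seg: str, key: bytes) -> None:
    signing_input = f"{header_seg}.{payload_seg}".encode("utf-8")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_seg)):
        raise ValueError("bad signature")


def verify_size_after_decode(token: str, key: bytes) -> bytes:
    """Vulnerable pattern: the limit is enforced on the *decoded* payload, and
    a b64=false payload is never decoded, so it is never measured."""
    header_seg, payload_seg, sig_seg = token.split(".")
    header = json.loads(_b64url_decode(header_seg))
    if header.get("b64", True):
        payload = _b64url_decode(payload_seg)
        if len(payload) > MAX_PAYLOAD_LENGTH:
            raise ValueError("payload too large")
    else:
        payload = payload_seg.encode("utf-8")  # raw payload, no size check
    _check_signature(header_seg, payload_seg, sig_seg, key)
    return payload


def verify_size_first(token: str, key: bytes) -> bytes:
    """Hardened pattern: bound the raw payload segment before any decoding or
    signature work, whatever the b64 flag says."""
    header_seg, payload_seg, sig_seg = token.split(".")
    header = json.loads(_b64url_decode(header_seg))
    b64 = header.get("b64", True)
    if not b64 and "b64" not in header.get("crit", []):
        raise ValueError('"b64": false must be listed in "crit" (RFC 7797)')
    raw = payload_seg.encode("utf-8")
    # b64=true: n payload bytes encode to ceil(4n/3) characters, so a longer
    # segment can never decode to an acceptable payload. b64=false: the
    # segment is the payload, so its own length is the bound.
    limit = (MAX_PAYLOAD_LENGTH * 4 + 2) // 3 if b64 else MAX_PAYLOAD_LENGTH
    if len(raw) > limit:
        raise ValueError("payload too large")
    payload = _b64url_decode(payload_seg) if b64 else raw
    if len(payload) > MAX_PAYLOAD_LENGTH:  # exact check once decoded
        raise ValueError("payload too large")
    _check_signature(header_seg, payload_seg, sig_seg, key)
    return payload


def rejects(verify, token: str, key: bytes) -> bool:
    """True if the verifier refuses the token with ValueError."""
    try:
        verify(token, key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    key = b"constructed-demo-key"
    oversized = make_hs256_token(b"A" * 1000, key, b64=False)
    print("after-decode check accepts oversized b64=false payload:",
          not rejects(verify_size_after_decode, oversized, key))
    print("size-first check rejects it:", rejects(verify_size_first, oversized, key))
```

The ordering is the point: the size bound runs before base64url decoding and before the HMAC, so an oversized token is discarded before any work proportional to its length is done, and the same bound covers both encodings because it is computed from the raw segment rather than from a decoded value that only exists in one of the two branches.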

Bumps [joserfc](https://github.com/authlib/joserfc) from 1.6.5 to 1.6.7.
- [Release notes](https://github.com/authlib/joserfc/releases)
- [Changelog](https://github.com/authlib/joserfc/blob/main/docs/changelog.rst)
- [Commits](authlib/joserfc@1.6.5...1.6.7)

---
updated-dependencies:
- dependency-name: joserfc
  dependency-version: 1.6.7
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot Bot force-pushed the dependabot/uv/envs/julia_env/joserfc-1.6.7 branch from 455a719 to 7001043 on June 30, 2026 09:13
@burtenshaw

Collaborator

Aggregated into #891 so maintainers can merge the env dependency updates together.

@burtenshaw burtenshaw closed this Jul 1, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jul 1, 2026

Contributor Author

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot Bot deleted the dependabot/uv/envs/julia_env/joserfc-1.6.7 branch July 1, 2026 07:01