chore(deps): bump joserfc from 1.6.5 to 1.6.7 in /envs/julia_env#886
dependabot[bot] wants to merge 1 commit into
Conversation
The docs for this PR live here. All of your documentation changes will be reflected on that endpoint. The docs are available until 30 days after the last update.
Alignment Review Report
Dependabot bump of joserfc 1.6.5 → 1.6.7 in /envs/julia_env. The diff is a single, lock-only change to envs/julia_env/uv.lock — no Python/source, CI, API, or config changes.
Automated Checks
- Lint: N/A — The repo lint hook (`uv run usort/ruff`) couldn't execute here because `uv` isn't installed in the review VM, and the diff contains no Python anyway. CI runs the authoritative lint. The lockfile is internally consistent (see below).
- Debug code: CLEAN — `check-debug.sh` only flags pre-existing prints/TODOs under `src/openenv/cli/...`, none of which are touched by this PR.
Verification (lockfile bump)
- Transitive dep, lock-only is correct — `joserfc` is not in `pyproject.toml`; it's pulled in transitively via `authlib` (a dependency of `openenv[core]`/`mcp`). No `pyproject.toml` edit is needed.
- Lockfile consistency — `version`, `sdist`, and `wheel` are all updated to `1.6.7` in the `joserfc` block.
- Hashes verified against PyPI ✅
  - wheel `sha256:9e51e4a6…be05` (70603 B) — matches
  - sdist `sha256:6999fe89…9fd7` (232158 B) — matches
- `yanked: false`, `0` known vulnerabilities on 1.6.7.
- Constraints satisfied — joserfc 1.6.7 requires `cryptography>=45.0.1` (env locks `cryptography 48.0.0` ✅) and `requires_python >=3.9` (env is `requires-python >=3.10` ✅).
- Security fix 🔒 — 1.6.5 carries CVE-2026-48990 / GHSA-wphv-vfrh-23q5 (RFC7797 `b64=false` JWS payloads bypass `JWSRegistry.max_payload_length`, a DoS / resource-exhaustion risk), with `fixed_in: 1.6.7`. This bump closes it — a positive signal.
Open RFCs Context
Open RFCs (000–005 In Review, 010 Draft) all concern environment abstractions, env-spec, MCP, rubrics/rewards, and harnesses. None relate to a transitive dependency lockfile bump.
Tier 1: Fixes Required
None.
Tier 2: Alignment Discussion
Principle Conflicts
None identified — a transitive lockfile bump doesn't touch the Gymnasium API, reward computation, client/server boundaries, or container/security model.
RFC Conflicts
None identified.
Summary
- 0 mechanical issues to fix
- 0 alignment points for human review
- 0 RFC conflicts to discuss
Clean, low-risk, and security-positive. Recommend merging once CI is green.
Sent by Cursor Automation: Untitled
Bumps [joserfc](https://github.com/authlib/joserfc) from 1.6.5 to 1.6.7.
- [Release notes](https://github.com/authlib/joserfc/releases)
- [Changelog](https://github.com/authlib/joserfc/blob/main/docs/changelog.rst)
- [Commits](authlib/joserfc@1.6.5...1.6.7)

---
updated-dependencies:
- dependency-name: joserfc
  dependency-version: 1.6.7
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
455a719 to 7001043
Aggregated into #891 so maintainers can merge the env dependency updates together.

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting If you change your mind, just re-open this PR and I'll resolve any conflicts on it.


Bumps joserfc from 1.6.5 to 1.6.7.
Release notes
Sourced from joserfc's releases.
Changelog
Sourced from joserfc's changelog.
Commits
- 1e5b94d chore: release 1.6.7
- 75d9f95 fix(typing): use cast for type hints
- 6d24037 Merge pull request #98 from jonathangreen/algorithms-accept-collection
- 102a7a7 fix(typing): accept any Collection for algorithms, not just list
- 8b869e8 chore: release 1.6.6
- 00d599b chore: update actions
- 9186561 Merge pull request #97 from authlib/fix-b64
- 4d4ea2e fix(jws): validate payload size for b64=false
- b6554cc Merge pull request #96 from sebasxsala/fix-p512-fixture
- b89eadf test: normalize P-521 private key fixture

Note
Medium Risk
Touches JWT/JWS handling (`joserfc` via Authlib) in a security-adjacent dependency path, though the change is a small patch bump with validation fixes rather than new features.
Overview
Updates `envs/julia_env/uv.lock` so `joserfc` moves from 1.6.5 to 1.6.7 (pulled in via Authlib). The lock revision increments and resolved package registry URLs switch from the Hugging Face PyPI mirror to `https://pypi.org/simple` across the file—not only for `joserfc`. The newer `joserfc` patch releases add JWS payload-size checks when `b64=false`, broader typing for algorithm collections, and minor type-hint fixes; there is no application source change in this PR.
Reviewed by Cursor Bugbot for commit 7001043. Bugbot is set up for automated code reviews on this repo.