chore(deps): bump joserfc from 1.6.4 to 1.6.7 in /envs/jupyter_env #889
dependabot[bot] wants to merge 1 commit into
Bumps [joserfc](https://github.com/authlib/joserfc) from 1.6.4 to 1.6.7.
- [Release notes](https://github.com/authlib/joserfc/releases)
- [Changelog](https://github.com/authlib/joserfc/blob/main/docs/changelog.rst)
- [Commits](authlib/joserfc@1.6.4...1.6.7)

---
updated-dependencies:
- dependency-name: joserfc
  dependency-version: 1.6.7
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
The docs for this PR live here. All of your documentation changes will be reflected on that endpoint. The docs are available until 30 days after the last update.
Alignment Review Report
Scope: dependabot[bot] PR bumping joserfc 1.6.4 → 1.6.7 in /envs/jupyter_env. The diff touches a single file — envs/jupyter_env/uv.lock (lockfile only; no source, API, client, or server changes).
Automated Checks
- Lint: N/A — `bash .claude/hooks/lint.sh` could not execute in the review environment (`uv` not installed). The lint pipeline only targets `src/` and `tests/`; this PR changes neither, so lint is not impacted by the change.
- Debug code: CLEAN (for this PR) — `check-debug.sh` reports pre-existing `print`/`TODO` occurrences, but all are in `src/` and none are part of this diff. This PR introduces no debug code.
Open RFCs Context
All RFCs are pre-finalization, but none cover dependency management / lockfiles / package indexes, so there is no overlap with this change:
- 000 project-phases — In Review
- 001 abstractions — In Review
- 002 env-spec — In Review
- 003 mcp-support — In Review
- 004 rubrics — In Review
- 005 agentic-harnesses — In Review
- 010 echo-env-token-world-model — Draft
Tier 1: Fixes Required
- `envs/jupyter_env/uv.lock` (~130 packages) — unintended registry-source flip. Beyond the intended `joserfc` bump, this regeneration switches the `source` of nearly every package from the repo-standard internal index `https://pypi.registries.huggingface.tech/` to `https://pypi.org/simple`. The rest of the repo is consistent on the internal index — 33 env lockfiles use `pypi.registries.huggingface.tech`; only `openapp_env` and `calendar_env` (both previously regenerated by Dependabot rollups) have already drifted to `pypi.org/simple`. This is scope creep relative to the PR's stated purpose and silently diverges from convention. Root cause: Dependabot's resolver environment isn't configured with the internal index, so re-locking re-points every package. Fix: regenerate the lock against the canonical internal index so the diff is limited to the `joserfc` entry (plus the benign `revision = 2 → 3` bump) — or, if migrating to public PyPI is genuinely intended, do it deliberately and consistently across all envs in a dedicated PR.
- `.github/dependabot.yml` — ineffective `envs/**` exclusion (this PR arguably should not have been generated). Commit `5f499da9` ("chore: stop dependabot in envs", @burtenshaw) added `exclude-paths: ["envs/**"]`, but `exclude-paths` is not a recognized Dependabot configuration key, so it is silently ignored — which is why a `/envs/jupyter_env` PR was opened despite the intent to exclude envs. Fix: use a supported mechanism (e.g. `directories` with a negation such as `directories: ["/", "!/envs/**"]`, or otherwise scope the `uv` ecosystem to root only), then close/supersede env PRs if envs are meant to stay maintainer-managed.
Tier 2: Alignment Discussion
Principle Conflicts
None identified. This is a dependency lockfile bump; it does not touch the Gymnasium-style API, client/server separation, reward placement, the MCP/Gym dual boundary, or any other principle in PRINCIPLES.md / INVARIANTS.md.
RFC Conflicts
None identified. No open RFC covers dependency or package-index management.
The Tier 1 items are mechanical/process issues rather than principle or RFC conflicts, but they do warrant an owner decision:
ALIGNMENT FLAG: Lockfile index drift + ineffective Dependabot env exclusion
- Principle/RFC at stake: None directly — repo convention and supply-chain/index consistency
- The concern: the PR re-points ~130 packages to public PyPI (away from the internal index used by 33 other envs) and was generated against `envs/**` despite an exclusion rule that doesn't actually work
- Suggested reviewer: @burtenshaw (owns `.github/dependabot.yml`; authored the envs exclusion in #566) — cc @sergiopaniego (last regenerated this lock on the internal index in #882)
Summary
- 2 mechanical issues to fix — unintended registry flip in `uv.lock`; invalid `exclude-paths` in `dependabot.yml`
- 1 process point for human review — confirm internal-index policy vs. an intentional PyPI migration, and whether envs should be Dependabot-managed at all
- 0 RFC conflicts
The joserfc 1.6.4 → 1.6.7 bump itself is benign (patch release; sdist/wheel URLs remain on files.pythonhosted.org with pinned SHA-256 hashes). The blocking concern is the collateral, repo-wide index change bundled into this otherwise one-line dependency update.
Sent by Cursor Automation: Untitled
| @@ -1,5 +1,5 @@ | |||
| version = 1 | |||
| revision = 2 | |||
| revision = 3 | |||
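Review bot: the `revision = 2` → `revision = 3` change in this hunk is a lockfile-format bump that comes from re-locking with a different uv than the one that wrote the current file, not from the joserfc update; record the uv version used for regeneration (or pin it for the repo) so the lock is reproducible and does not flip back on the next maintainer-side re-lock.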
Minor/side effect: the lockfile format revision also bumped 2 → 3 here because the file was re-locked with a newer uv. Benign, but it's not part of the stated joserfc change.
| name = "aiofile" | ||
| version = "3.9.0" | ||
| source = { registry = "https://pypi.registries.huggingface.tech/" } | ||
| source = { registry = "https://pypi.org/simple" } |
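Review bot: `version = "3.9.0"` is unchanged in this hunk while `source` moves from `https://pypi.registries.huggingface.tech/` to `https://pypi.org/simple`, so aiofile was not re-resolved to a new release, only re-pointed to a different index; before accepting or reverting the flip, confirm in the full diff that this entry's `sdist`/`wheels` hash lines are identical, since a registry change with unchanged hashes is reversible by re-locking, whereas changed hashes would mean a different artifact is being installed.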
Tier 1 — unintended registry flip. This source change (https://pypi.registries.huggingface.tech/ → https://pypi.org/simple) repeats for ~130 packages in this lockfile. It's collateral from Dependabot re-resolving without the internal index configured, not part of the intended joserfc bump. The repo standard is the internal index (33 env lockfiles use it). Please regenerate against the internal index so only the joserfc entry changes.
| version = "1.6.4" | ||
| source = { registry = "https://pypi.registries.huggingface.tech/" } | ||
| version = "1.6.7" | ||
| source = { registry = "https://pypi.org/simple" } |
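Review bot: this entry bundles the intended change (`version = "1.6.4"` → `"1.6.7"`) with the collateral one (`source` → `https://pypi.org/simple`); if the lock is regenerated on the internal index, diff this entry again so only the version line differs. The 1.6.x commits listed further down include `fix(jws): validate payload size for b64=false`, so if anything in this env issues or verifies JWS with an unencoded payload, run that path's tests before merge: a payload that 1.6.4 accepted may now be rejected by the new size check.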
The joserfc 1.6.4 → 1.6.7 bump itself is fine (patch release, hash-pinned, files still served from files.pythonhosted.org). The only issue is that this entry — like every other package — also had its source index switched to pypi.org/simple.
Aggregated into #891 so maintainers can merge the env dependency updates together.
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting If you change your mind, just re-open this PR and I'll resolve any conflicts on it.


Bumps joserfc from 1.6.4 to 1.6.7.
Commits
- 1e5b94d chore: release 1.6.7
- 75d9f95 fix(typing): use cast for type hints
- 6d24037 Merge pull request #98 from jonathangreen/algorithms-accept-collection
- 102a7a7 fix(typing): accept any Collection for algorithms, not just list
- 8b869e8 chore: release 1.6.6
- 00d599b chore: update actions
- 9186561 Merge pull request #97 from authlib/fix-b64
- 4d4ea2e fix(jws): validate payload size for b64=false
- b6554cc Merge pull request #96 from sebasxsala/fix-p512-fixture
- b89eadf test: normalize P-521 private key fixture

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.
Note
Low Risk
Lockfile-only change with a patch-level JWT/JWS library update; risk is limited to auth-related transitive behavior unless installs diverge from the new index.
Overview
Refreshes `envs/jupyter_env/uv.lock` (revision 2 → 3), switching every locked package's registry from the Hugging Face PyPI mirror to public PyPI (pypi.org/simple) without changing resolved versions for most dependencies. The functional dependency change is `joserfc` 1.6.4 → 1.6.7, pulled in via `authlib` (used on the MCP/auth stack in this env). That patch line adds JWS payload-size checks when `b64=false`, registry payload limits, and typing fixes—no direct application code edits in this PR.

Reviewed by Cursor Bugbot for commit eaa12f3. Bugbot is set up for automated code reviews on this repo.
joserfc1.6.4 → 1.6.7, pulled in viaauthlib(used on the MCP/auth stack in this env). That patch line adds JWS payload-size checks whenb64=false, registry payload limits, and typing fixes—no direct application code edits in this PR.Reviewed by Cursor Bugbot for commit eaa12f3. Bugbot is set up for automated code reviews on this repo. Configure here.