
chore(deps): bump joserfc from 1.6.4 to 1.6.7 in /envs/jupyter_env #889

Closed

dependabot[bot] wants to merge 1 commit into main from dependabot/uv/envs/jupyter_env/joserfc-1.6.7


Conversation

dependabot[bot] commented on behalf of github, Jun 30, 2026

Contributor

Bumps joserfc from 1.6.4 to 1.6.7.

Release notes

Sourced from joserfc's releases.

1.6.7

   🐞 Bug Fixes


1.6.5

No significant changes

Changelog

Sourced from joserfc's changelog.

1.6.7

Released on May 23, 2026

  • Update for type hints.

1.6.6

Released on May 18, 2026

  • JWS: validate payload size when b64=false.

1.6.5

Released on May 3, 2026

  • JWS: increase registry's payload max size.
Commits
  • 1e5b94d chore: release 1.6.7
  • 75d9f95 fix(typing): use cast for type hints
  • 6d24037 Merge pull request #98 from jonathangreen/algorithms-accept-collection
  • 102a7a7 fix(typing): accept any Collection for algorithms, not just list
  • 8b869e8 chore: release 1.6.6
  • 00d599b chore: update actions
  • 9186561 Merge pull request #97 from authlib/fix-b64
  • 4d4ea2e fix(jws): validate payload size for b64=false
  • b6554cc Merge pull request #96 from sebasxsala/fix-p512-fixture
  • b89eadf test: normalize P-521 private key fixture
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Note

Low Risk
Lockfile-only change with a patch-level JWT/JWS library update; risk is limited to auth-related transitive behavior unless installs diverge from the new index.

Overview
Refreshes envs/jupyter_env/uv.lock (revision 2 → 3), switching every locked package’s registry from the Hugging Face PyPI mirror to public PyPI (pypi.org/simple) without changing resolved versions for most dependencies.

The functional dependency change is joserfc 1.6.4 → 1.6.7, pulled in via authlib (used on the MCP/auth stack in this env). That patch line adds JWS payload-size checks when b64=false, registry payload limits, and typing fixes—no direct application code edits in this PR.

Reviewed by Cursor Bugbot for commit eaa12f3. Bugbot is set up for automated code reviews on this repo.

Bumps [joserfc](https://github.com/authlib/joserfc) from 1.6.4 to 1.6.7.
- [Release notes](https://github.com/authlib/joserfc/releases)
- [Changelog](https://github.com/authlib/joserfc/blob/main/docs/changelog.rst)
- [Commits](authlib/joserfc@1.6.4...1.6.7)

---
updated-dependencies:
- dependency-name: joserfc
  dependency-version: 1.6.7
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot Bot added Dependencies python:uv Pull requests that update python:uv code labels Jun 30, 2026
@bot-ci-comment


The docs for this PR live here. All of your documentation changes will be reflected on that endpoint. The docs are available until 30 days after the last update.

@cursor cursor Bot left a comment


Alignment Review Report

Scope: dependabot[bot] PR bumping joserfc 1.6.4 → 1.6.7 in /envs/jupyter_env. The diff touches a single file — envs/jupyter_env/uv.lock (lockfile only; no source, API, client, or server changes).

Automated Checks

  • Lint: N/A — bash .claude/hooks/lint.sh could not execute in the review environment (uv not installed). The lint pipeline only targets src/ and tests/; this PR changes neither, so lint is not impacted by the change.
  • Debug code: CLEAN (for this PR) — check-debug.sh reports pre-existing print/TODO occurrences, but all are in src/ and none are part of this diff. This PR introduces no debug code.

Open RFCs Context

All RFCs are pre-finalization, but none cover dependency management / lockfiles / package indexes, so there is no overlap with this change:

  • 000 project-phases — In Review
  • 001 abstractions — In Review
  • 002 env-spec — In Review
  • 003 mcp-support — In Review
  • 004 rubrics — In Review
  • 005 agentic-harnesses — In Review
  • 010 echo-env-token-world-model — Draft

Tier 1: Fixes Required

  • envs/jupyter_env/uv.lock (~130 packages) — unintended registry-source flip. Beyond the intended joserfc bump, this regeneration switches the source of nearly every package from the repo-standard internal index https://pypi.registries.huggingface.tech/ to https://pypi.org/simple. The rest of the repo is consistent on the internal index — 33 env lockfiles use pypi.registries.huggingface.tech; only openapp_env and calendar_env (both previously regenerated by Dependabot rollups) have already drifted to pypi.org/simple. This is scope creep relative to the PR's stated purpose and silently diverges from convention. Root cause: Dependabot's resolver environment isn't configured with the internal index, so re-locking re-points every package. Fix: regenerate the lock against the canonical internal index so the diff is limited to the joserfc entry (plus the benign revision = 2 → 3 bump) — or, if migrating to public PyPI is genuinely intended, do it deliberately and consistently across all envs in a dedicated PR.
  • .github/dependabot.yml — ineffective envs/** exclusion (this PR arguably should not have been generated). Commit 5f499da9 ("chore: stop dependabot in envs", @burtenshaw) added exclude-paths: ["envs/**"], but exclude-paths is not a recognized Dependabot configuration key, so it is silently ignored — which is why a /envs/jupyter_env PR was opened despite the intent to exclude envs. Fix: use a supported mechanism (e.g. directories with a negation such as directories: ["/", "!/envs/**"], or otherwise scope the uv ecosystem to root only), then close/supersede env PRs if envs are meant to stay maintainer-managed.

Tier 2: Alignment Discussion

Principle Conflicts

None identified. This is a dependency lockfile bump; it does not touch the Gymnasium-style API, client/server separation, reward placement, the MCP/Gym dual boundary, or any other principle in PRINCIPLES.md / INVARIANTS.md.

RFC Conflicts

None identified. No open RFC covers dependency or package-index management.

The Tier 1 items are mechanical/process issues rather than principle or RFC conflicts, but they do warrant an owner decision:

ALIGNMENT FLAG: Lockfile index drift + ineffective Dependabot env exclusion

  • Principle/RFC at stake: None directly — repo convention and supply-chain/index consistency
  • The concern: the PR re-points ~130 packages to public PyPI (away from the internal index used by 33 other envs) and was generated against envs/** despite an exclusion rule that doesn't actually work
  • Suggested reviewer: @burtenshaw (owns .github/dependabot.yml; authored the envs exclusion in #566) — cc @sergiopaniego (last regenerated this lock on the internal index in #882)

Summary

  • 2 mechanical issues to fix — unintended registry flip in uv.lock; invalid exclude-paths in dependabot.yml
  • 1 process point for human review — confirm internal-index policy vs. an intentional PyPI migration, and whether envs should be Dependabot-managed at all
  • 0 RFC conflicts

The joserfc 1.6.4 → 1.6.7 bump itself is benign (patch release; sdist/wheel URLs remain on files.pythonhosted.org with pinned SHA-256 hashes). The blocking concern is the collateral, repo-wide index change bundled into this otherwise one-line dependency update.


Sent by Cursor Automation: Untitled

Comment thread envs/jupyter_env/uv.lock
@@ -1,5 +1,5 @@
version = 1
revision = 2
revision = 3
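Review bot: the `revision = 2` to `revision = 3` change is a lockfile format bump unrelated to joserfc; confirm that the uv version pinned for CI and for this env can read a revision 3 lockfile, or re-lock with the same uv version the other env lockfiles were generated with so the revision stays at 2 and the diff is limited to the dependency entry.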


Minor/side effect: the lockfile format revision also bumped 2 → 3 here because the file was re-locked with a newer uv. Benign, but it's not part of the stated joserfc change.

Comment thread envs/jupyter_env/uv.lock
name = "aiofile"
version = "3.9.0"
source = { registry = "https://pypi.registries.huggingface.tech/" }
source = { registry = "https://pypi.org/simple" }
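Review bot: `version = "3.9.0"` is untouched here while `source` moves from the internal index to `https://pypi.org/simple`, so this is a source-only change, and the registry a lock records is whatever index the resolver was configured with when it ran; beyond regenerating, declaring the canonical index in the project's uv configuration (for example a `[[tool.uv.index]]` entry marked `default = true`) rather than only in the maintainers' environment would make a re-lock from any machine reproduce the same source.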


Tier 1 — unintended registry flip. This source change (https://pypi.registries.huggingface.tech/ → https://pypi.org/simple) repeats for ~130 packages in this lockfile. It's collateral from Dependabot re-resolving without the internal index configured, not part of the intended joserfc bump. The repo standard is the internal index (33 env lockfiles use it). Please regenerate against the internal index so only the joserfc entry changes.

Comment thread envs/jupyter_env/uv.lock
version = "1.6.4"
source = { registry = "https://pypi.registries.huggingface.tech/" }
version = "1.6.7"
source = { registry = "https://pypi.org/simple" }
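Review bot: this excerpt shows only the `version` and `source` lines for the entry; the sdist and wheel `url`/`hash` values that must change alongside `1.6.4` to `1.6.7` fall outside the snippet, so check the full entry to confirm the new hashes are present for every artifact and match the upstream 1.6.7 release files, and that no wheel line lost its hash in the re-lock.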


The joserfc 1.6.4 → 1.6.7 bump itself is fine (patch release, hash-pinned, files still served from files.pythonhosted.org). The only issue is that this entry — like every other package — also had its source index switched to pypi.org/simple.

@burtenshaw

Collaborator

Aggregated into #891 so maintainers can merge the env dependency updates together.

burtenshaw closed this Jul 1, 2026

dependabot[bot] commented on behalf of github, Jul 1, 2026

Contributor Author

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

dependabot[bot] deleted the dependabot/uv/envs/jupyter_env/joserfc-1.6.7 branch July 1, 2026 07:01