
chore(deps): bump joserfc from 1.6.5 to 1.6.7 in /envs/finqa_env #893

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/uv/envs/finqa_env/joserfc-1.6.7


Conversation

dependabot[bot] (Contributor) commented on behalf of github on Jul 1, 2026

Bumps joserfc from 1.6.5 to 1.6.7.

Release notes

Sourced from joserfc's releases.

1.6.7

🐞 Bug Fixes

Changelog

Sourced from joserfc's changelog.

1.6.7

Released on May 23, 2026

  • Update for type hints.

1.6.6

Released on May 18, 2026

  • JWS: validate payload size when b64=false.
Commits
  • 1e5b94d chore: release 1.6.7
  • 75d9f95 fix(typing): use cast for type hints
  • 6d24037 Merge pull request #98 from jonathangreen/algorithms-accept-collection
  • 102a7a7 fix(typing): accept any Collection for algorithms, not just list
  • 8b869e8 chore: release 1.6.6
  • 00d599b chore: update actions
  • 9186561 Merge pull request #97 from authlib/fix-b64
  • 4d4ea2e fix(jws): validate payload size for b64=false
  • b6554cc Merge pull request #96 from sebasxsala/fix-p512-fixture
  • b89eadf test: normalize P-521 private key fixture
  • See full diff in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.

Note

Low Risk
Patch-level transitive JWT/JOSE library update with a small security-hardening fix; lockfile-only change with no app code touched.

Overview
Updates envs/finqa_env/uv.lock so joserfc moves from 1.6.5 to 1.6.7 (still resolved via Authlib’s dependency chain). Lock revision increments to 3, and package source.registry entries are rewritten from the Hugging Face PyPI mirror to https://pypi.org/simple across the lockfile as part of the refresh—not a separate application change.

The new joserfc release adds JWS payload size checks when b64=false (1.6.6) and typing adjustments for algorithm collections (1.6.7); no direct edits to finqa env source beyond the lock.

Reviewed by Cursor Bugbot for commit 52fc03b.

Bumps [joserfc](https://github.com/authlib/joserfc) from 1.6.5 to 1.6.7.
- [Release notes](https://github.com/authlib/joserfc/releases)
- [Changelog](https://github.com/authlib/joserfc/blob/main/docs/changelog.rst)
- [Commits](authlib/joserfc@1.6.5...1.6.7)

---
updated-dependencies:
- dependency-name: joserfc
  dependency-version: 1.6.7
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
dependabot[bot] added the labels Dependencies and python:uv (Pull requests that update python:uv code) on Jul 1, 2026
bot-ci-comment Bot commented on Jul 1, 2026

The docs for this PR live here. All of your documentation changes will be reflected on that endpoint. The docs are available until 30 days after the last update.

cursor Bot left a comment


Alignment Review Report

TL;DR: The joserfc 1.6.5 → 1.6.7 bump is correct and is a security fix (CVE-2026-48990). No mechanical (Tier 1) issues. But this PR does more than the title implies: it also rewrites every package's index source from the internal pypi.registries.huggingface.tech mirror to public pypi.org/simple and bumps the lock revision 2 → 3. Flagging that for awareness (Tier 2) — likely benign, but it widens an existing cross-env split.

Automated Checks

  • Lint: N/A — uv isn't available in the review sandbox, and the diff is lockfile-only (no Python source), so ruff/usort don't apply. Defer to CI.
  • Debug code: CLEAN — check-debug.sh only matches pre-existing print/TODO lines in src/openenv/auto/* and src/openenv/cli/*; none are in this diff.

joserfc bump verification (correct)

Re-verified 1.6.7 live against PyPI:

  • Wheel sha256 9e51e4a6…fbe05 (70603 B) and sdist sha256 6999fe89…79fd7 (232158 B) match the lock exactly.
  • requires-python >=3.9 (finqa is >=3.10), requires cryptography>=45.0.1 (finqa locks 48.0.0). Not yanked, no known vulns.
  • Transitive via authlib (unpinned) → lock-only change is correct; no pyproject.toml edit needed.
  • Security: 1.6.5 carries CVE-2026-48990 / GHSA-wphv-vfrh-23q5 (RFC7797 b64=false payloads bypass max_payload_length → DoS/resource exhaustion), fixed_in: 1.6.7. Strong positive signal.

Open RFCs Context

All RFCs (000–005 In Review, 010 Draft) concern env abstractions / spec / MCP / rubrics / harnesses / token world-model. None touch Python packaging, dependency management, or package indexes → no RFC relevance to this change.

Tier 1: Fixes Required

None.

Tier 2: Alignment Discussion

Principle Conflicts

ALIGNMENT FLAG: Lockfile index source flipped internal mirror → public PyPI for all packages (+ revision 2→3)

  • Principle at stake: "Docker overhead is acceptable for reproducibility" / "Container isolation for reproducibility" (.claude/docs/PRINCIPLES.md).
  • The concern: Beyond joserfc, ~123 packages had source = { registry = "https://pypi.registries.huggingface.tech/" } rewritten to https://pypi.org/simple, and revision went 2 → 3. This is the signature of Dependabot regenerating the lock without the internal index configured — no committed config pins that mirror (it appears only in lockfiles). It's likely benign (artifact URLs remain files.pythonhosted.org, hashes unchanged, and public PyPI is appropriate for a public repo), but it widens an existing split: 30 env locks are on the internal mirror + revision 2; finqa now joins the 5 (openapp/jupyter/julia/calendar/finqa) on PyPI + revision 3. The Dockerfile installs via uv sync --frozen, so the recorded source and revision 3 are what the base image's uv must resolve/parse at build time. Worth a deliberate decision on the canonical index rather than letting it drift per-env via Dependabot.
  • Suggested reviewer: @Darktex

Process note (config mismatch): .github/dependabot.yml configures the uv updater with directory: "/" and exclude-paths: ["envs/**"], yet this PR modifies envs/finqa_env/uv.lock. Worth confirming whether env-lockfile bumps should still flow through native Dependabot, or exclusively via the aggregation workflow (cf. #891 "aggregate envs dependabot updates"). Suggested reviewer: @burtenshaw

RFC Conflicts

None identified.

Summary

  • 0 mechanical issues to fix
  • 2 points for human review (index-source flip + revision bump; Dependabot exclude-paths mismatch)
  • 0 RFC conflicts

Net: the security bump itself is safe to take; the flagged items are about repo-wide consistency/process, not this dependency.


Comment thread envs/finqa_env/uv.lock
name = "joserfc"
version = "1.6.5"
source = { registry = "https://pypi.registries.huggingface.tech/" }
version = "1.6.7"
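Review bot: this excerpt shows only the version bump, not the sdist and wheel hash entries that the PyPI verification in the comment below relies on, and not what replaced the `source = { registry = ... }` line of the old entry; confirm both against the full lockfile diff rather than this fragment, since the hashes are the only thing that ties the locked artifact to the release that carries the fix.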


Verified against PyPI: joserfc 1.6.7 wheel sha256 9e51e4a6…fbe05 (70603 B) and sdist 6999fe89…79fd7 (232158 B) match this lock. This is a security fix: 1.6.5 carries CVE-2026-48990 / GHSA-wphv-vfrh-23q5: RFC7797 b64=false JWS payloads bypass JWSRegistry.max_payload_length (resource-exhaustion / DoS), fixed in 1.6.7. requires cryptography>=45.0.1 is satisfied by the locked 48.0.0, and requires-python >=3.9 by finqa's >=3.10. joserfc is transitive via authlib (unpinned), so a lock-only bump is correct.
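The bypass class named in the comment above, shown as a constructed example that is not joserfc's code: a compact-JWS payload reader whose size cap lives only in the base64 decode branch, beside a hardened reader that measures the segment as received. The check-in-the-wrong-branch mechanism, the `max_len` cap (standing in for JWSRegistry.max_payload_length) and the unsigned test vectors are assumptions for illustration, not taken from the upstream fix.

```python
import base64
import json
# Constructed illustration (not joserfc's code) of the bug class in the comment above:
# a payload-size cap that an RFC 7797 "b64": false token can skip. Signatures are
# omitted; the third compact-JWS segment is left empty.

class PayloadTooLarge(ValueError):
    pass

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(payload: bytes, b64: bool) -> str:
    # Test-vector builder; RFC 7797 requires "b64" to be listed in "crit" when used.
    header = {"alg": "none"}
    if not b64:
        header.update({"b64": False, "crit": ["b64"]})
    body = b64url_encode(payload) if b64 else payload.decode("ascii")
    return f"{b64url_encode(json.dumps(header).encode())}.{body}."

def payload_vulnerable(token: str, max_len: int) -> bytes:
    # The size check sits inside the decode branch, so a b64=false token never hits it.
    head, body, _sig = token.split(".")
    header = json.loads(b64url_decode(head))
    if header.get("b64", True):
        if len(body) > max_len:
            raise PayloadTooLarge(len(body))
        return b64url_decode(body)
    return body.encode("ascii")  # raw payload, never measured

def payload_hardened(token: str, max_len: int) -> bytes:
    # Measure the segment as received, before any decoding and regardless of b64.
    head, body, _sig = token.split(".")
    if len(body) > max_len:
        raise PayloadTooLarge(len(body))
    header = json.loads(b64url_decode(head))
    if "b64" in header and "b64" not in header.get("crit", []):
        raise ValueError('"b64" must be listed in "crit" (RFC 7797)')
    return b64url_decode(body) if header.get("b64", True) else body.encode("ascii")

def rejected(fn, token: str, max_len: int) -> bool:
    try:
        fn(token, max_len)
    except PayloadTooLarge:
        return True
    return False
```

With a 1024-byte cap, `payload_vulnerable` refuses a 4096-byte b64=true token but accepts the same payload sent with b64=false; `payload_hardened` refuses both.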

Comment thread envs/finqa_env/uv.lock
version = "1.6.5"
source = { registry = "https://pypi.registries.huggingface.tech/" }
version = "1.6.7"
source = { registry = "https://pypi.org/simple" }
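Review bot: the `source = { registry = ... }` change on the last line is independent of the joserfc version bump and, per the comment below, is part of a whole-lockfile switch from the internal mirror to pypi.org/simple; if the internal mirror is meant to be the canonical index, pin it in committed uv configuration (for example a `[[tool.uv.index]]` entry in pyproject.toml) so that a Dependabot regeneration cannot silently change it, and otherwise record the move to public PyPI as a deliberate repo-wide decision rather than a side effect of this bump.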


ALIGNMENT FLAG (Tier 2): this PR rewrote the index source from https://pypi.registries.huggingface.tech/ to https://pypi.org/simple for ~123 packages (not just joserfc), alongside the revision 2→3 bump on line 2. No committed config pins the internal mirror (it appears only in lockfiles), so this is Dependabot regenerating against public PyPI. Likely benign — hashes and files.pythonhosted.org artifact URLs are unchanged — but it moves finqa into the minority of 5 envs on PyPI while 30 stay on the internal mirror. Flagging for a deliberate decision on the canonical package index. cc @Darktex

burtenshaw added the labels enhancement (New feature or request) and size: medium (Medium pull request) on Jul 1, 2026