chore(deps): bump joserfc from 1.6.5 to 1.6.7 in /envs/finqa_env#893
chore(deps): bump joserfc from 1.6.5 to 1.6.7 in /envs/finqa_env#893dependabot[bot] wants to merge 1 commit into
Conversation
Bumps [joserfc](https://github.com/authlib/joserfc) from 1.6.5 to 1.6.7. - [Release notes](https://github.com/authlib/joserfc/releases) - [Changelog](https://github.com/authlib/joserfc/blob/main/docs/changelog.rst) - [Commits](authlib/joserfc@1.6.5...1.6.7) --- updated-dependencies: - dependency-name: joserfc dependency-version: 1.6.7 dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]>
|
The docs for this PR live here. All of your documentation changes will be reflected on that endpoint. The docs are available until 30 days after the last update. |
There was a problem hiding this comment.
Alignment Review Report
TL;DR: The joserfc 1.6.5 → 1.6.7 bump is correct and is a security fix (CVE-2026-48990). No mechanical (Tier 1) issues. But this PR does more than the title implies: it also rewrites every package's index source from the internal pypi.registries.huggingface.tech mirror to public pypi.org/simple and bumps the lock revision 2 → 3. Flagging that for awareness (Tier 2) — likely benign, but it widens an existing cross-env split.
Automated Checks
- Lint: N/A —
uvisn't available in the review sandbox, and the diff is lockfile-only (no Python source), soruff/usortdon't apply. Defer to CI. - Debug code: CLEAN —
check-debug.shonly matches pre-existingprint/TODO lines insrc/openenv/auto/*andsrc/openenv/cli/*; none are in this diff.
joserfc bump verification (correct)
Re-verified 1.6.7 live against PyPI:
- Wheel
sha256 9e51e4a6…fbe05(70603 B) and sdistsha256 6999fe89…79fd7(232158 B) match the lock exactly. requires-python >=3.9(finqa is>=3.10),requires cryptography>=45.0.1(finqa locks48.0.0). Not yanked, no known vulns.- Transitive via
authlib(unpinned) → lock-only change is correct; nopyproject.tomledit needed. - Security:
1.6.5carries CVE-2026-48990 / GHSA-wphv-vfrh-23q5 (RFC7797b64=falsepayloads bypassmax_payload_length→ DoS/resource exhaustion),fixed_in: 1.6.7. Strong positive signal.
Open RFCs Context
All RFCs (000–005 In Review, 010 Draft) concern env abstractions / spec / MCP / rubrics / harnesses / token world-model. None touch Python packaging, dependency management, or package indexes → no RFC relevance to this change.
Tier 1: Fixes Required
None.
Tier 2: Alignment Discussion
Principle Conflicts
ALIGNMENT FLAG: Lockfile index source flipped internal mirror → public PyPI for all packages (+ revision 2→3)
- Principle at stake: "Docker overhead is acceptable for reproducibility" / "Container isolation for reproducibility" (
.claude/docs/PRINCIPLES.md). - The concern: Beyond
joserfc, ~123 packages hadsource = { registry = "https://pypi.registries.huggingface.tech/" }rewritten tohttps://pypi.org/simple, andrevisionwent 2 → 3. This is the signature of Dependabot regenerating the lock without the internal index configured — no committed config pins that mirror (it appears only in lockfiles). It's likely benign (artifact URLs remainfiles.pythonhosted.org, hashes unchanged, and public PyPI is appropriate for a public repo), but it widens an existing split: 30 env locks are on the internal mirror +revision 2; finqa now joins the 5 (openapp/jupyter/julia/calendar/finqa) on PyPI +revision 3. The Dockerfile installs viauv sync --frozen, so the recordedsourceandrevision 3are what the base image'suvmust resolve/parse at build time. Worth a deliberate decision on the canonical index rather than letting it drift per-env via Dependabot. - Suggested reviewer: @Darktex
Process note (config mismatch) — .github/dependabot.yml configures the uv updater with directory: "/" and exclude-paths: ["envs/**"], yet this PR modifies envs/finqa_env/uv.lock. Worth confirming whether env-lockfile bumps should still flow through native Dependabot, or exclusively via the aggregation workflow (cf. #891 "aggregate envs dependabot updates"). Suggested reviewer: @burtenshaw
RFC Conflicts
None identified.
Summary
- 0 mechanical issues to fix
- 2 points for human review (index-source flip +
revisionbump; Dependabotexclude-pathsmismatch) - 0 RFC conflicts
Net: the security bump itself is safe to take; the flagged items are about repo-wide consistency/process, not this dependency.
Sent by Cursor Automation: Untitled
| name = "joserfc" | ||
| version = "1.6.5" | ||
| source = { registry = "https://pypi.registries.huggingface.tech/" } | ||
| version = "1.6.7" |
There was a problem hiding this comment.
Verified against PyPI: joserfc 1.6.7 wheel sha256 9e51e4a6…fbe05 (70603 B) and sdist 6999fe89…79fd7 (232158 B) match this lock. This is a security fix — 1.6.5 carries CVE-2026-48990 / GHSA-wphv-vfrh-23q5: RFC7797 b64=false JWS payloads bypass JWSRegistry.max_payload_length (resource-exhaustion / DoS), fixed in 1.6.7. requires cryptography>=45.0.1 is satisfied by the locked 48.0.0, and requires-python >=3.9 by finqa's >=3.10. joserfc is transitive via authlib (unpinned), so a lock-only bump is correct.
| version = "1.6.5" | ||
| source = { registry = "https://pypi.registries.huggingface.tech/" } | ||
| version = "1.6.7" | ||
| source = { registry = "https://pypi.org/simple" } |
There was a problem hiding this comment.
ALIGNMENT FLAG (Tier 2): this PR rewrote the index source from https://pypi.registries.huggingface.tech/ → https://pypi.org/simple for ~123 packages (not just joserfc), alongside the revision 2→3 bump on line 2. No committed config pins the internal mirror (it appears only in lockfiles), so this is Dependabot regenerating against public PyPI. Likely benign — hashes and files.pythonhosted.org artifact URLs are unchanged — but it moves finqa into the minority of 5 envs on PyPI while 30 stay on the internal mirror. Flagging for a deliberate decision on the canonical package index. cc @Darktex


Bumps joserfc from 1.6.5 to 1.6.7.
Release notes
Sourced from joserfc's releases.
Changelog
Sourced from joserfc's changelog.
Commits
1e5b94dchore: release 1.6.775d9f95fix(typing): use cast for type hints6d24037Merge pull request #98 from jonathangreen/algorithms-accept-collection102a7a7fix(typing): accept any Collection for algorithms, not just list8b869e8chore: release 1.6.600d599bchore: update actions9186561Merge pull request #97 from authlib/fix-b644d4ea2efix(jws): validate payload size for b64=falseb6554ccMerge pull request #96 from sebasxsala/fix-p512-fixtureb89eadftest: normalize P-521 private key fixtureDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.
Note
Low Risk
Patch-level transitive JWT/JOSE library update with a small security-hardening fix; lockfile-only change with no app code touched.
Overview
Updates
envs/finqa_env/uv.locksojoserfcmoves from 1.6.5 to 1.6.7 (still resolved via Authlib’s dependency chain). Lock revision increments to 3, and packagesource.registryentries are rewritten from the Hugging Face PyPI mirror tohttps://pypi.org/simpleacross the lockfile as part of the refresh—not a separate application change.The new joserfc release adds JWS payload size checks when
b64=false(1.6.6) and typing adjustments for algorithm collections (1.6.7); no direct edits to finqa env source beyond the lock.Reviewed by Cursor Bugbot for commit 52fc03b. Bugbot is set up for automated code reviews on this repo. Configure here.