Bump pyjwt from 2.9.0 to 2.10.0 #11280

dependabot · 2024-11-18T12:38:23Z

Bumps pyjwt from 2.9.0 to 2.10.0.

Release notes

2.10.0

What's Changed

chore: use sequence for typing rather than list by @imnotjames in jpadilla/pyjwt#970

Add support for Python 3.13 by @hugovk in jpadilla/pyjwt#972

[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in jpadilla/pyjwt#971

Add an RTD config file to resolve RTD build failures by @kurtmckee in jpadilla/pyjwt#977

docs: Update iat exception docs by @pachewise in jpadilla/pyjwt#974

Remove algorithm requirement for JWT API by @luhn in jpadilla/pyjwt#975

[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in jpadilla/pyjwt#978

Create SECURITY.md by @auvipy in jpadilla/pyjwt#973

docs fix: decode_complete scope and algorithms by @RbnRncn in jpadilla/pyjwt#982

fix doctest for docs/usage.rst by @pachewise in jpadilla/pyjwt#986

fix test_utils.py not to xfail by @pachewise in jpadilla/pyjwt#987

Correct jwt.decode audience param doc expression by @peter279k in jpadilla/pyjwt#994

Add PS256 encoding and decoding usage by @peter279k in jpadilla/pyjwt#992

Add API docs for PyJWK by @luhn in jpadilla/pyjwt#980

Refactor project configuration files from setup.cfg to pyproject.toml PEP-518 by @cleder in jpadilla/pyjwt#995

Add JWK support to JWT encode by @luhn in jpadilla/pyjwt#979

Update pre-commit hooks to lint pyproject.toml by @cleder in jpadilla/pyjwt#1002

Add EdDSA algorithm encoding/decoding usage by @peter279k in jpadilla/pyjwt#993

Ruff linter and formatter changes by @gagandeepp in jpadilla/pyjwt#1001

Validate sub and jti claims for the token by @Divan009 in jpadilla/pyjwt#1005

Add ES256 usage by @Gautam-Hegde in jpadilla/pyjwt#1003

Encode EC keys with a fixed bit length by @way-dave in jpadilla/pyjwt#990

[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in jpadilla/pyjwt#1000

Drop support for Python 3.8 by @kkirsche in jpadilla/pyjwt#1007

Prepare 2.10.0 release by @benvdh in jpadilla/pyjwt#1011

Bump codecov/codecov-action from 4 to 5 by @dependabot in jpadilla/pyjwt#1014

[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in jpadilla/pyjwt#1006

New Contributors

@imnotjames made their first contribution in jpadilla/pyjwt#970

@kurtmckee made their first contribution in jpadilla/pyjwt#977

@pachewise made their first contribution in jpadilla/pyjwt#974

@RbnRncn made their first contribution in jpadilla/pyjwt#982

@peter279k made their first contribution in jpadilla/pyjwt#994

@cleder made their first contribution in jpadilla/pyjwt#995

@gagandeepp made their first contribution in jpadilla/pyjwt#1001

@Divan009 made their first contribution in jpadilla/pyjwt#1005

@Gautam-Hegde made their first contribution in jpadilla/pyjwt#1003

@way-dave made their first contribution in jpadilla/pyjwt#990

Full Changelog: jpadilla/pyjwt@2.9.0...2.10.0

Changelog

Sourced from pyjwt's changelog.

`v2.10.0 <https://github.com/jpadilla/pyjwt/compare/2.9.0...2.10.0>`__

Changed


- Remove algorithm requirement from JWT API, instead relying on JWS API for enforcement, by @luhn in `[#975](https://github.com/jpadilla/pyjwt/issues/975) <https://github.com/jpadilla/pyjwt/pull/975>`__
- Use ``Sequence`` for parameter types rather than ``List`` where applicable by @imnotjames in `[#970](https://github.com/jpadilla/pyjwt/issues/970) <https://github.com/jpadilla/pyjwt/pull/970>`__
- Add JWK support to JWT encode by @luhn in `[#979](https://github.com/jpadilla/pyjwt/issues/979) <https://github.com/jpadilla/pyjwt/pull/979>`__
- Encoding and decoding payloads using the `none` algorithm by @jpadilla in `#c2629f6 <https://github.com/jpadilla/pyjwt/commit/c2629f66c593459e02616048443231ccbe18be16>`
Before:
.. code-block:: pycon
>>> import jwt
>>> jwt.encode({"payload": "abc"}, key=None, algorithm=None)
After:
.. code-block:: pycon
>>> import jwt
>>> jwt.encode({"payload": "abc"}, key=None, algorithm="none")

Added validation for 'sub' (subject) and 'jti' (JWT ID) claims in tokens by @Divan009 in [#1005](https://github.com/jpadilla/pyjwt/issues/1005) &lt;https://github.com/jpadilla/pyjwt/pull/1005&gt;__
Refactor project configuration files from setup.cfg to pyproject.toml by @cleder in [#995](https://github.com/jpadilla/pyjwt/issues/995) &lt;https://github.com/jpadilla/pyjwt/pull/995&gt;__
Ruff linter and formatter changes by @gagandeepp in [#1001](https://github.com/jpadilla/pyjwt/issues/1001) &lt;https://github.com/jpadilla/pyjwt/pull/1001&gt;__
Drop support for Python 3.8 (EOL) by @kkirsche in [#1007](https://github.com/jpadilla/pyjwt/issues/1007) &lt;https://github.com/jpadilla/pyjwt/pull/1007&gt;__

Fixed

- Encode EC keys with a fixed bit length by @etianen in `[#990](https://github.com/jpadilla/pyjwt/issues/990) &lt;https://github.com/jpadilla/pyjwt/pull/990&gt;`__
- Add an RTD config file to resolve Read the Docs build failures by @kurtmckee in `[#977](https://github.com/jpadilla/pyjwt/issues/977) &lt;https://github.com/jpadilla/pyjwt/pull/977&gt;`__
- Docs: Update ``iat`` exception docs by @pachewise in `[#974](https://github.com/jpadilla/pyjwt/issues/974) &lt;https://github.com/jpadilla/pyjwt/pull/974&gt;`__
- Docs: Fix ``decode_complete`` scope and algorithms by @RbnRncn in `[#982](https://github.com/jpadilla/pyjwt/issues/982) &lt;https://github.com/jpadilla/pyjwt/pull/982&gt;`__
- Fix doctest for ``docs/usage.rst`` by @pachewise in `[#986](https://github.com/jpadilla/pyjwt/issues/986) &lt;https://github.com/jpadilla/pyjwt/pull/986&gt;`__
- Fix ``test_utils.py`` not to xfail by @pachewise in `[#987](https://github.com/jpadilla/pyjwt/issues/987) &lt;https://github.com/jpadilla/pyjwt/pull/987&gt;`__
- Docs: Correct `jwt.decode` audience param doc expression by @peter279k in `[#994](https://github.com/jpadilla/pyjwt/issues/994) &lt;https://github.com/jpadilla/pyjwt/pull/994&gt;`__
Added



Add support for python 3.13 by @hugovk in [#972](https://github.com/jpadilla/pyjwt/issues/972) &lt;https://github.com/jpadilla/pyjwt/pull/972&gt;__
Create SECURITY.md by @auvipy and @jpadilla in [#973](https://github.com/jpadilla/pyjwt/issues/973) &lt;https://github.com/jpadilla/pyjwt/pull/973&gt;__
Docs: Add PS256 encoding and decoding usage by @peter279k in [#992](https://github.com/jpadilla/pyjwt/issues/992) &lt;https://github.com/jpadilla/pyjwt/pull/992&gt;__
</tr></table>

... (truncated)

Commits

783f324 [pre-commit.ci] pre-commit autoupdate (#1006)
0116fc6 Bump codecov/codecov-action from 4 to 5 (#1014)
b032353 feat: surface jwt.decode_complete(...)
a759c45 Prepare 2.10.0 release (#1011)
b6b8bce Drop support for Python 3.8 (#1007)
189c256 Update index.rst
1900857 Update index.rst
8fe9eab Update README.rst
6f73f6f [pre-commit.ci] pre-commit autoupdate (#1000)
c2629f6 update changelog
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [pyjwt](https://github.com/jpadilla/pyjwt) from 2.9.0 to 2.10.0. - [Release notes](https://github.com/jpadilla/pyjwt/releases) - [Changelog](https://github.com/jpadilla/pyjwt/blob/master/CHANGELOG.rst) - [Commits](jpadilla/pyjwt@2.9.0...2.10.0) --- updated-dependencies: - dependency-name: pyjwt dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>

dryrunsecurity · 2024-11-18T12:38:39Z

DryRun Security Summary

The provided code change updates the version of the PyJWT library from 2.9.0 to 2.10.0, addressing known security vulnerabilities and improving the overall security of the JWT handling process in the application.

Expand for full summary

Summary:

The code change in the provided requirements.txt file updates the version of the PyJWT library from 2.9.0 to 2.10.0. This is generally a positive change from an application security perspective, as the PyJWT library has had several security vulnerabilities reported in the past, such as the ability to bypass signature verification and perform JWT forgery attacks. By updating to the latest version, 2.10.0, the application is likely addressing these known security issues and improving the overall security of the JWT handling process.

It's worth noting that the requirements.txt file also includes several other library updates, which should also be reviewed for any potential security implications. However, the update to PyJWT is the most relevant change from an application security standpoint. Overall, this code change appears to be a security-focused update that should improve the security posture of the application.

Files Changed:

requirements.txt: The code change in this file updates the version of the PyJWT library from 2.9.0 to 2.10.0. This is a positive change, as it addresses known security vulnerabilities in the library and improves the overall security of the JWT handling process in the application.

Code Analysis

We ran 9 analyzers against 1 file and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer	Findings
Sensitive Files Analyzer	1 finding

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.

mtesauro

Approved

dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Nov 18, 2024

mtesauro approved these changes Nov 18, 2024

View reviewed changes

cneill approved these changes Nov 18, 2024

View reviewed changes

mtesauro merged commit 26c622f into dev Nov 18, 2024
73 checks passed

dependabot bot deleted the dependabot/pip/dev/pyjwt-2.10.0 branch November 18, 2024 20:58

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump pyjwt from 2.9.0 to 2.10.0 #11280

Bump pyjwt from 2.9.0 to 2.10.0 #11280

dependabot bot commented on behalf of github Nov 18, 2024

dryrunsecurity bot commented Nov 18, 2024

mtesauro left a comment

Bump pyjwt from 2.9.0 to 2.10.0 #11280

Bump pyjwt from 2.9.0 to 2.10.0 #11280

Conversation

dependabot bot commented on behalf of github Nov 18, 2024

2.10.0

What's Changed

New Contributors

v2.10.0 <https://github.com/jpadilla/pyjwt/compare/2.9.0...2.10.0>__

dryrunsecurity bot commented Nov 18, 2024

DryRun Security Summary

Code Analysis

Riskiness

mtesauro left a comment

Choose a reason for hiding this comment

`v2.10.0 <https://github.com/jpadilla/pyjwt/compare/2.9.0...2.10.0>`__