This repository has been archived by the owner on May 1, 2018. It is now read-only.

Insecure version of PyJWT is used. #7

Closed
wichert opened this issue May 20, 2015 · 2 comments

Comments

@wichert
Contributor

wichert commented May 20, 2015

pyramid_jwtauth pins PyJWT to an old version. This has two problems: 1) pinning to an exact version makes it impossible to use another version in a deployment and should generally never be done in setup.py, and 2) this is especially bad here since PyJWT has a known security problem (see jpadilla/pyjwt#109 and jpadilla/pyjwt#110).
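
The two points above (an exact pin blocks every other release, and the pinned release is older than the one that carries the fix) can be checked mechanically. The script below is an added example for this thread, not code from pyramid_jwtauth or PyJWT. It handles the plain name/operator/version form used in setup.py install_requires (no extras, markers or URLs) and goes beyond the thread's single case by flagging any specifier that admits a release below a given floor. The requirement list and the floor value are constructed for illustration; in particular "1.0.0" is a placeholder, not a statement of which PyJWT release fixed the linked issues.

```python
import re

# Matches 'name', 'name==1.2' or 'name >= 1.2'. Extras, environment markers
# and URL requirements are out of scope for this example.
_REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9_.\-]*)\s*(?:(==|!=|>=|<=|>|<)\s*([0-9][0-9.]*))?\s*$"
)


def parse_version(text):
    """'0.4' -> (0, 4). Only dotted integer versions are supported here."""
    return tuple(int(part) for part in text.strip().strip(".").split("."))


def compare(left, right):
    """Three-way compare of dotted versions; 0.4 and 0.4.0 are equal."""
    a, b = parse_version(left), parse_version(right)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return (a > b) - (a < b)


def satisfies(installed, op, wanted):
    """True if `installed` meets the single specifier `op wanted`."""
    c = compare(installed, wanted)
    return {"==": c == 0, "!=": c != 0, ">=": c >= 0,
            "<=": c <= 0, ">": c > 0, "<": c < 0}[op]


def parse_requirement(req):
    """Split 'PyJWT == 0.4.0' into ('pyjwt', '==', '0.4.0'); a bare name
    yields (name, None, None). Names are normalised like pip does."""
    m = _REQ_RE.match(req)
    if not m:
        raise ValueError("unsupported requirement syntax: %r" % req)
    name, op, version = m.groups()
    return name.lower().replace("_", "-"), op, version


def audit(install_requires, minimum_versions):
    """Return (requirement, problem) pairs.

    Two problems are reported: an exact pin (nothing but that one release
    can ever be installed), and a specifier that still admits a release
    below the floor recorded in minimum_versions (keyed by normalised name).
    A '>' lower bound just below the floor is treated as admitting releases
    below it, which is the conservative reading.
    """
    findings = []
    for req in install_requires:
        name, op, version = parse_requirement(req)
        if op == "==":
            findings.append((req, "exact pin; no other release, including "
                                  "security fixes, can be installed"))
        floor = minimum_versions.get(name)
        if floor is None:
            continue
        if op in (">=", ">", "==") and compare(version, floor) < 0:
            findings.append((req, "admits releases below %s" % floor))
        elif op in (None, "!=", "<", "<="):
            findings.append((req, "no lower bound; releases below %s "
                                  "are allowed" % floor))
    return findings


# Constructed sample: the pin this thread complains about, plus a floor that
# is an illustrative placeholder, not a claim about which PyJWT release
# fixed the linked issues.
PINNED = ["PyJWT==0.4.0", "pyramid>=1.5"]
FLOORS = {"pyjwt": "1.0.0"}

if __name__ == "__main__":
    for req, problem in audit(PINNED, FLOORS):
        print("%-20s %s" % (req, problem))
    # A minimum-version floor instead of a pin produces no findings.
    print(audit(["PyJWT>=1.0", "pyramid>=1.5"], FLOORS))
```

Run it against the install_requires list of a setup.py before a release; an empty result means every tracked dependency has a lower bound at or above its floor and nothing is pinned exactly.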

@ajkavanagh
Owner

I don't disagree. I didn't have it pinned prior to the upgrade of PyJWT to 0.4.x, and the transition from 0.2.x -> 0.4.x in PyJWT changed the API, which broke pyramid_jwtauth. Once I'd sorted that out, I left it pinned at 0.4 whilst I was dealing with some other stuff. Thus, it's a good catch. I'll unpin it and check it.

@ajkavanagh
Owner

Okay, I've updated it so that PyJWT is no longer pinned. I've also updated the repo so that you can optionally use Vagrant to do dev on it (my Mac broke my setup after an OS upgrade).
