Sourced from pyjwt's releases.
2.4.0
Security
- [CVE-2022-29217] Prevent key confusion through non-blocklisted public key formats. https://github.com/jpadilla/pyjwt/security/advisories/GHSA-ffqj-6fqr-9h24
What's Changed
- Add support for Python 3.10 by
@hugovkin jpadilla/pyjwt#699- Don't use implicit optionals by
@rekyungminin jpadilla/pyjwt#705- [pre-commit.ci] pre-commit autoupdate by
@pre-commit-ciin jpadilla/pyjwt#708- [pre-commit.ci] pre-commit autoupdate by
@pre-commit-ciin jpadilla/pyjwt#710- [pre-commit.ci] pre-commit autoupdate by
@pre-commit-ciin jpadilla/pyjwt#711- [pre-commit.ci] pre-commit autoupdate by
@pre-commit-ciin jpadilla/pyjwt#712- documentation fix: show correct scope for decode_complete() by
@sseeringin jpadilla/pyjwt#661- [pre-commit.ci] pre-commit autoupdate by
@pre-commit-ciin jpadilla/pyjwt#716- Explicit check the key for ECAlgorithm by
@estinin jpadilla/pyjwt#713- [pre-commit.ci] pre-commit autoupdate by
@pre-commit-ciin jpadilla/pyjwt#720- api_jwk: Add PyJWKSet.getitem by
@woodruffwin jpadilla/pyjwt#725- Update usage.rst by
@guneybilenin jpadilla/pyjwt#727- [pre-commit.ci] pre-commit autoupdate by
@pre-commit-ciin jpadilla/pyjwt#728- fix: Update copyright information by
@kkirschein jpadilla/pyjwt#729- Docs: mention performance reasons for reusing RSAPrivateKey when encoding by
@dmahr1in jpadilla/pyjwt#734- Fixed typo in usage.rst by
@israelabrahamin jpadilla/pyjwt#738- Add detached payload support for JWS encoding and decoding by
@fviardin jpadilla/pyjwt#723- [pre-commit.ci] pre-commit autoupdate by
@pre-commit-ciin jpadilla/pyjwt#740- Raise DeprecationWarning for jwt.decode(verify=...) by
@akxin jpadilla/pyjwt#742- Don't mutate options dictionary in .decode_complete() by
@akxin jpadilla/pyjwt#743- [pre-commit.ci] pre-commit autoupdate by
@pre-commit-ciin jpadilla/pyjwt#748- Replace various string interpolations with f-strings by
@akxin jpadilla/pyjwt#744- Update CHANGELOG.rst by
@hipertrackerin jpadilla/pyjwt#751New Contributors
@hugovkmade their first contribution in jpadilla/pyjwt#699@rekyungminmade their first contribution in jpadilla/pyjwt#705@sseeringmade their first contribution in jpadilla/pyjwt#661@estinmade their first contribution in jpadilla/pyjwt#713@woodruffwmade their first contribution in jpadilla/pyjwt#725@guneybilenmade their first contribution in jpadilla/pyjwt#727@dmahr1made their first contribution in jpadilla/pyjwt#734@israelabrahammade their first contribution in jpadilla/pyjwt#738@fviardmade their first contribution in jpadilla/pyjwt#723@akxmade their first contribution in jpadilla/pyjwt#742@hipertrackermade their first contribution in jpadilla/pyjwt#751Full Changelog: https://github.com/jpadilla/pyjwt/compare/2.3.0...2.4.0
Sourced from pyjwt's changelog.
v2.4.0 <https://github.com/jpadilla/pyjwt/compare/2.3.0...2.4.0>__Security
- [CVE-2022-29217] Prevent key confusion through non-blocklisted public key formats. https://github.com/jpadilla/pyjwt/security/advisories/GHSA-ffqj-6fqr-9h24Changed
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---- Explicit check the key for ECAlgorithm by @estin in https://github.com/jpadilla/pyjwt/pull/713 - Raise DeprecationWarning for jwt.decode(verify=...) by @akx in https://github.com/jpadilla/pyjwt/pull/742 Fixed ~~~~~ - Don't use implicit optionals by @rekyungmin in https://github.com/jpadilla/pyjwt/pull/705 - documentation fix: show correct scope for decode_complete() by @sseering in https://github.com/jpadilla/pyjwt/pull/661 - fix: Update copyright information by @kkirsche in https://github.com/jpadilla/pyjwt/pull/729 - Don't mutate options dictionary in .decode_complete() by @akx in https://github.com/jpadilla/pyjwt/pull/743 Added ~~~~~ - Add support for Python 3.10 by @hugovk in https://github.com/jpadilla/pyjwt/pull/699 - api_jwk: Add PyJWKSet.__getitem__ by @woodruffw in https://github.com/jpadilla/pyjwt/pull/725 - Update usage.rst by @guneybilen in https://github.com/jpadilla/pyjwt/pull/727 - Docs: mention performance reasons for reusing RSAPrivateKey when encoding by @dmahr1 in https://github.com/jpadilla/pyjwt/pull/734 - Fixed typo in usage.rst by @israelabraham in https://github.com/jpadilla/pyjwt/pull/738 - Add detached payload support for JWS encoding and decoding by @fviard in https://github.com/jpadilla/pyjwt/pull/723 - Replace various string interpolations with f-strings by @akx in https://github.com/jpadilla/pyjwt/pull/744 - Update CHANGELOG.rst by @hipertracker in https://github.com/jpadilla/pyjwt/pull/751 </code></pre> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/jpadilla/pyjwt/commit/83ff831a4d11190e3a0bed781da43f8d84352653"><code>83ff831</code></a> chore: update changelog</li> <li><a href="https://github.com/jpadilla/pyjwt/commit/4c1ce8fd9019dd312ff257b5141cdb6d897379d9"><code>4c1ce8f</code></a> chore: update changelog</li> <li><a href="https://github.com/jpadilla/pyjwt/commit/96f3f0275745c5a455c019a0d3476a054980e8ea"><code>96f3f02</code></a> fix: failing advisory test</li> <li><a href="https://github.com/jpadilla/pyjwt/commit/9c528670c455b8d948aff95ed50e22940d1ad3fc"><code>9c52867</code></a> Merge pull request from GHSA-ffqj-6fqr-9h24</li> <li><a href="https://github.com/jpadilla/pyjwt/commit/24b29adfebcb4f057a3cef5aaf35653bc0c1c8cc"><code>24b29ad</code></a> Update CHANGELOG.rst (<a href="https://github-redirect.dependabot.com/jpadilla/pyjwt/issues/751">#751</a>)</li> <li><a href="https://github.com/jpadilla/pyjwt/commit/31f5acb8fb3ec6cdfe2b1b0a4a8f329b5f3ca67f"><code>31f5acb</code></a> Replace various string interpolations with f-strings (<a href="https://github-redirect.dependabot.com/jpadilla/pyjwt/issues/744">#744</a>)</li> <li><a href="https://github.com/jpadilla/pyjwt/commit/5581a31c21de70444c1162bcfa29f7e0fc86edda"><code>5581a31</code></a> [pre-commit.ci] pre-commit autoupdate (<a href="https://github-redirect.dependabot.com/jpadilla/pyjwt/issues/748">#748</a>)</li> <li><a href="https://github.com/jpadilla/pyjwt/commit/3d4d82248f1120c87f1f4e0e8793eaa1d54843a6"><code>3d4d822</code></a> Don't mutate options dictionary in .decode_complete() (<a href="https://github-redirect.dependabot.com/jpadilla/pyjwt/issues/743">#743</a>)</li> <li><a href="https://github.com/jpadilla/pyjwt/commit/1f1fe15bb41846c602b3e106176b2c692b93a613"><code>1f1fe15</code></a> Add a deprecation warning when jwt.decode() is called with the legacy verify=...</li> <li><a href="https://github.com/jpadilla/pyjwt/commit/35fa28e59d99b99c6a780d2a029a74d6bbba8b1e"><code>35fa28e</code></a> [pre-commit.ci] pre-commit autoupdate (<a href="https://github-redirect.dependabot.com/jpadilla/pyjwt/issues/740">#740</a>)</li> <li>Additional commits viewable in <a href="https://github.com/jpadilla/pyjwt/compare/2.3.0...2.4.0">compare view</a></li> </ul> </details> <br />--- changelogs/unreleased/4241-dependabot.yml | 5 +++++ requirements.txt | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) create mode 100644 changelogs/unreleased/4241-dependabot.yml diff --git a/changelogs/unreleased/4241-dependabot.yml b/changelogs/unreleased/4241-dependabot.yml new file mode 100644 index 0000000000..70cdb151a7 --- /dev/null +++ b/changelogs/unreleased/4241-dependabot.yml @@ -0,0 +1,5 @@ +change-type: patch +description: Bump pyjwt from 2.3.0 to 2.4.0 +destination-branches: +- iso5 +sections: {} diff --git a/requirements.txt b/requirements.txt index f49129fa6a..b2dddab0ed 100644 --- a/requirements.txt +++ b/requirements.txt @@ -16,7 +16,7 @@ pip==22.1 ply==3.11 pydantic==1.9.0 pyformance==0.4 -PyJWT==2.3.0 +PyJWT==2.4.0 python-dateutil==2.8.2 pyyaml==6.0 setuptools==62.2.0Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)