chore: Replace python-jose with PyJWT #3521

@michael-genson michael-genson commented Apr 26, 2024

What type of PR is this?

(REQUIRED)

  • bug

What this PR does / why we need it:

(REQUIRED)

python-jose has a high-security vulnerability which has been known about for a month, but python-jose hasn't been updated in a year.

PyJWT is much more actively updated and fixed the same issue several versions ago.

I don't think we're actually impacted by this issue because we always specify the algorithm explicitly, but it was such an easy dependency replacement I thought it would be a good idea to take care of it now.

Which issue(s) this PR fixes:

(REQUIRED)

Fixes https://github.com/mealie-recipes/mealie/security/dependabot/194
Fixes https://github.com/mealie-recipes/mealie/security/dependabot/195

Special notes for your reviewer:

(fill-in or delete this section)

Apparently this isn't the first time python-jose has been out of date

@michael-genson michael-genson marked this pull request as draft April 26, 2024 17:57
@michael-genson michael-genson marked this pull request as ready for review April 26, 2024 18:01
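
What "always specify the algorithm explicitly" means on the verifying side, as an added example that is not code from this PR, Mealie, or PyJWT: a standard-library sketch in which the verifier pins HS256 and treats the token header as untrusted input. The names `PINNED_ALG`, `sign`, `verify` and `accepts` are constructed for illustration; with PyJWT the same pinning is done by passing `algorithms=[...]` to `jwt.decode`.

```python
import base64
import hashlib
import hmac
import json

PINNED_ALG = "HS256"  # chosen by the verifier, never read from the token


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(claims: dict, secret: bytes, header_alg: str = PINNED_ALG) -> str:
    """Build an HMAC-SHA256 token; header_alg is overridable only for tests."""
    header = _b64url(json.dumps({"alg": header_alg, "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(mac)}"


def verify(token: str, secret: bytes) -> dict:
    """Return the claims, or raise ValueError if the token is not acceptable."""
    header_b64, body_b64, sig_b64 = token.split(".")  # ValueError if not 3 parts
    header = json.loads(_unb64url(header_b64))
    # The header is untrusted input: it can only confirm the pinned algorithm.
    if not isinstance(header, dict) or header.get("alg") != PINNED_ALG:
        raise ValueError("token algorithm does not match the pinned algorithm")
    signed = f"{header_b64}.{body_b64}".encode()
    expected = hmac.new(secret, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(_unb64url(body_b64))


def accepts(token: str, secret: bytes) -> bool:
    """Boolean wrapper around verify() for callers that only need yes/no."""
    try:
        verify(token, secret)
        return True
    except ValueError:
        return False
```

The algorithm check runs before any signature work, so a header that names anything other than the pinned value is rejected without the verifier ever switching code paths.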

@boc-the-git boc-the-git left a comment

LGTM 🚀

@boc-the-git boc-the-git enabled auto-merge (squash) April 29, 2024 09:41
@boc-the-git boc-the-git merged commit 786aa22 into mealie-recipes:mealie-next Apr 29, 2024
10 checks passed
anoadragon453 added a commit to anoadragon453/nixpkgs that referenced this pull request May 7, 2024
* authlib was required in v1.4.0
  (mealie-recipes/mealie#3280)
* pillow-heif was required in v1.5.0
  (mealie-recipes/mealie#3409)
* pydantic-settings was required in v1.3.0
  (mealie-recipes/mealie#3134 - same PR as
  pydantic v2 bump)
* pyjwt was required in v1.6.0
  (mealie-recipes/mealie#3521)
anoadragon453 added a commit to anoadragon453/nixpkgs that referenced this pull request May 7, 2024
This was replaced by pyjwt.
See mealie-recipes/mealie#3521.