chore(deps): update dependency pyjwt to v2.12.0 [security]#27
Merged
renovate[bot] merged 1 commit intodevelopfrom Mar 15, 2026
Merged
chore(deps): update dependency pyjwt to v2.12.0 [security]#27renovate[bot] merged 1 commit intodevelopfrom
renovate[bot] merged 1 commit intodevelopfrom
Conversation
4 tasks
NiklasRosenstein
added a commit
that referenced
this pull request
Mar 15, 2026
## Summary This PR wires up fully-automatic maintenance for the repo so that open security PRs merge themselves and a new PyPI release follows automatically. ### 1. `renovate.json` — automerge for Renovate PRs - **Security updates** (`matchCategories: ["security"]`): automerged immediately with highest priority. This will finally close the 4 long-standing security PRs (#21, #24, #25, #27). - **Minor/patch updates**: automerged after a 3-day stabilisation period (grouped). - `platformAutomerge: true` — uses GitHub's native auto-merge so it respects branch protection rules. - Adds a `dependencies` label to all Renovate PRs for easy filtering. ### 2. `pyproject.toml` — loosen overly tight dependency pins The previous constraints had patch-level upper bounds that directly blocked the open Renovate PRs: | Dep | Before | After | |---|---|---| | `cryptography` | `>=44.0.0,<44.0.1` | `>=44.0.0` | | `urllib3` | `>=2.6.3,<2.6.4` | `>=2.6.3` | `PyJWT<3.0.0` and `requests<3.0.0` are intentional major-version guards and are left as-is. ### 3. `.github/workflows/auto-release.yml` — automatic version tagging After the existing **Python CI** workflow passes on `develop`, this workflow: **Path A — unreleased commits exist (e.g. after Renovate PRs merge):** 1. Auto-bumps the patch version in `pyproject.toml` and `__init__.py` 2. Generates a `.changelog/<new_version>.toml` entry summarising the merged commits 3. Pushes the commit + tag → triggers `release.yml` → publishes to PyPI **Path B — version was manually bumped in a PR:** 1. Checks that a `.changelog/<version>.toml` entry exists 2. If so, tags the version → triggers `release.yml` > **Note:** The auto-release commit is pushed with a `RELEASE_TOKEN` secret (falls back to `GITHUB_TOKEN`). For the tag push to trigger `release.yml`, a PAT stored as `RELEASE_TOKEN` is needed (pushes via `GITHUB_TOKEN` do not trigger further workflows). If you don't have one set up, you can add a fine-grained PAT with `contents: write` scope. ## Test plan - [ ] Merge this PR - [ ] Verify Renovate re-evaluates the open security PRs and enables auto-merge on them - [ ] Confirm that once a security PR merges and CI passes, `auto-release.yml` runs and a new patch tag appears - [ ] Confirm `release.yml` picks up the tag and publishes to PyPI Co-authored-by: Claude Sonnet 4.6 <[email protected]>
renovate
bot
force-pushed
the
renovate/pypi-pyjwt-vulnerability
branch
from
3055e92 to
bbb282a
Compare
renovate
bot
force-pushed
the
renovate/pypi-pyjwt-vulnerability
branch
from
bbb282a to
3c85ce2
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
2.9.0→2.12.0GitHub Vulnerability Alerts
CVE-2026-32597
Summary
PyJWT does not validate the
crit(Critical) Header Parameter defined inRFC 7515 §4.1.11. When a JWS token contains a
critarray listingextensions that PyJWT does not understand, the library accepts the token
instead of rejecting it. This violates the MUST requirement in the RFC.
This is the same class of vulnerability as CVE-2025-59420 (Authlib),
which received CVSS 7.5 (HIGH).
RFC Requirement
RFC 7515 §4.1.11:
Proof of Concept
Expected:
jwt.exceptions.InvalidTokenError: Unsupported critical extension: x-custom-policyActual: Token accepted, payload returned.
Comparison with RFC-compliant library
Impact
gateway using jwcrypto rejects, backend using PyJWT accepts)
critcarries enforcement semantics(MFA, token binding, scope restrictions)
cnf(Proof-of-Possession) can besilently ignored
Suggested Fix
In
jwt/api_jwt.py, add validation in_validate_headers()ordecode():CWE
References
Release Notes
jpadilla/pyjwt (PyJWT)
v2.12.0Compare Source
Fixed
PyJWKClientAPI reference and document the two-tier caching system (JWK Set cache and signing key LRU cache).v2.11.0Compare Source
Fixed
v2.10.1Compare Source
Fixed
#​1034 <https://github.com/jpadilla/pyjwt/pull/1034>__autodoc; addedPyJWSandjwt.algorithmsdocs by @pachewise in#​1045 <https://github.com/jpadilla/pyjwt/pull/1045>__#​1088 <https://github.com/jpadilla/pyjwt/pull/1088>v2.10.0Compare Source
Fixed
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.