Commit bc94972

fix(security): constrain pyjwt >=2.13.0 (PYSEC-2026-175/177/178/179) (#268)
pyjwt 2.12.1 (transitive via mcp) has 4 known CVEs including one High (CVSS 7.4). Add uv constraint-dependencies to force >=2.13.0 resolution without waiting for mcp to bump its own floor.

Closes #266

Co-authored-by: bgagent <345885+scottschreckengaust@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1 parent f7964b0 commit bc94972

2 files changed

Lines changed: 11 additions & 3 deletions

agent/pyproject.toml

Lines changed: 5 additions & 0 deletions
@@ -36,6 +36,11 @@ dependencies = [
3636
"cedarpy==4.8.0", #https://github.com/k9securityio/cedar-py — EXACT pin (no ^/~), parity with @cedar-policy/cedar-wasm@4.10.0
3737
]
3838

39+
[tool.uv]
40+
constraint-dependencies = [
41+
"pyjwt>=2.13.0", # PYSEC-2026-175/177/178/179 — transitive via mcp; remove when mcp bumps floor (#267)
42+
]
43+
3944
[tool.bandit]
4045
exclude_dirs = ["tests", ".venv"]
4146
skips = [
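Review bot: `[tool.uv] constraint-dependencies` is honored only by uv's resolver, so the `pyjwt>=2.13.0` floor added here is enforced through this project's uv.lock but not for anyone installing from `dependencies` with pip or another resolver; if that is a supported consumption path, the floor also belongs in `dependencies`, otherwise the inline comment should say that the lockfile is the enforcement point. Because the uv.lock hunk is not rendered on this page, it is worth confirming the lock actually resolved pyjwt to 2.13.0 or later (for example `grep -A1 'name = "pyjwt"' agent/uv.lock`) and that CI installs with `uv sync --locked`, so a stale or regenerated lock cannot quietly drop back below the constraint. Tracking removal in #267 is good; consider also pointing at the mcp version that raises its own floor once that is known.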

agent/uv.lock

Lines changed: 6 additions & 3 deletions
Some generated files are not rendered by default.

0 commit comments
