Context
Issue #266 adds constraint-dependencies = ["pyjwt>=2.13.0"] to agent/pyproject.toml as a workaround for PYSEC-2026-175/177/178/179. This constraint is needed because mcp (v1.27.1) transitively pulls in pyjwt but hasn't bumped its own floor to >=2.13.0 yet.
When to action
When mcp releases a version whose own dependency tree resolves pyjwt >=2.13.0 naturally (i.e., the constraint becomes redundant).
How to check: After bumping mcp in agent/pyproject.toml, temporarily remove the constraint and run uv lock. If pyjwt resolves to >=2.13.0 without the constraint, it's safe to remove.
What to do
- Remove the pyjwt>=2.13.0 line from [tool.uv] constraint-dependencies in agent/pyproject.toml
- If no other entries remain, remove the entire [tool.uv] section
- Run uv lock to regenerate
- Verify osv-scanner still passes (pyjwt should be >=2.13.0 from mcp's own deps)
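The "how to check" step above, as an added example that is not part of the original issue: a POSIX shell script that reads the pyjwt version pinned in a uv.lock and reports whether the 2.13.0 floor from PYSEC-2026-175/177/178/179 is already met, i.e. whether the constraint has become redundant. The two lock files it parses are constructed samples (not the project's agent/uv.lock; the "new" mcp version in the second one is made up), and the helper names locked_version, version_ge and pyjwt_floor_ok are this example's own.

```shell
#!/bin/sh
# Added example, not code from the issue or the project.
# Decide whether the pyjwt>=2.13.0 constraint in [tool.uv] is still needed by
# reading the version that uv lock actually resolved into uv.lock.

FLOOR="2.13.0"   # floor required by PYSEC-2026-175/177/178/179

# Print the locked version of package $1 from the uv.lock at $2.
# uv.lock is TOML made of [[package]] tables; each has a top-level
# 'name = "..."' line followed by a 'version = "..."' line. Indented
# 'name = ' entries inside dependencies = [...] lists do not match '^name = '.
locked_version() {
    awk -v pkg="$1" '
        /^\[\[package\]\]/ { name = "" }
        /^name = /         { gsub(/"/, "", $3); name = $3 }
        /^version = / && name == pkg { gsub(/"/, "", $3); print $3; exit }
    ' "$2"
}

# Return 0 if dotted version $1 >= dotted version $2, else 1.
# Pure awk so it does not rely on sort -V being available.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            p = (i in x) ? x[i] + 0 : 0
            q = (i in y) ? y[i] + 0 : 0
            if (p > q) exit 0
            if (p < q) exit 1
        }
        exit 0
    }'
}

# Print a verdict for the uv.lock at $1; exit 0 when the constraint is redundant.
pyjwt_floor_ok() {
    v="$(locked_version pyjwt "$1")"
    if [ -z "$v" ]; then
        echo "pyjwt not found in $1"
        return 1
    fi
    if version_ge "$v" "$FLOOR"; then
        echo "pyjwt $v >= $FLOOR: constraint is redundant, safe to remove"
        return 0
    fi
    echo "pyjwt $v < $FLOOR: keep the constraint"
    return 1
}

# Constructed sample lock files (not the project's agent/uv.lock).
TMP="$(mktemp -d)"

# Before: mcp 1.27.1 still lets the resolver pick an old pyjwt.
cat > "$TMP/old.lock" <<'EOF'
version = 1
requires-python = ">=3.11"

[[package]]
name = "mcp"
version = "1.27.1"
dependencies = [
    { name = "pyjwt" },
]

[[package]]
name = "pyjwt"
version = "2.10.1"
EOF

# After: a hypothetical later mcp whose own tree resolves pyjwt to the floor.
cat > "$TMP/new.lock" <<'EOF'
version = 1
requires-python = ">=3.11"

[[package]]
name = "mcp"
version = "9.9.9"
dependencies = [
    { name = "pyjwt" },
]

[[package]]
name = "pyjwt"
version = "2.13.0"
EOF

pyjwt_floor_ok "$TMP/old.lock" || true   # keep the constraint
pyjwt_floor_ok "$TMP/new.lock" || true   # safe to remove
```

To use it on the real tree: bump mcp in agent/pyproject.toml, temporarily drop the constraint, run uv lock, then run pyjwt_floor_ok against agent/uv.lock; a non-zero exit means the constraint still does real work and must go back in.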
Acceptance Criteria
- constraint-dependencies for pyjwt removed from agent/pyproject.toml
- agent/uv.lock regenerated cleanly
- osv-scanner pre-push hook still passes