
fix(security): constrain pyjwt >=2.13.0 (PYSEC-2026-175/177/178/179)#268

Merged
scottschreckengaust merged 1 commit into main from fix/266-pyjwt-constraint on Jun 4, 2026

Conversation

@scottschreckengaust

Contributor

Summary

  • Adds [tool.uv] constraint-dependencies for pyjwt>=2.13.0 in agent/pyproject.toml
  • Regenerates agent/uv.lock (pyjwt 2.12.1 → 2.13.0)
  • Resolves 4 CVEs (PYSEC-2026-175/177/178/179, including one High CVSS 7.4)
  • Unblocks the osv-scanner pre-push hook for all contributors

Why constraint-dependencies

pyjwt is a transitive dependency (via mcp==1.27.1). mcp hasn't bumped its floor yet, so Dependabot can't propose a fix. constraint-dependencies tells uv "never resolve below 2.13.0" while respecting mcp's compatibility range — safer than override-dependencies.

Backlog issue #267 tracks removing this constraint when mcp bumps its own pyjwt floor.

Closes #266

Test plan

  • osv-scanner scan --lockfile agent/uv.lock — no issues found
  • mise //agent:quality — 819 tests pass, 72.57% coverage
  • CI build passes

🤖 Generated with Claude Code

pyjwt 2.12.1 (transitive via mcp) has 4 known CVEs including one High
(CVSS 7.4). Add uv constraint-dependencies to force >=2.13.0 resolution
without waiting for mcp to bump its own floor.

Closes #266

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
scottschreckengaust marked this pull request as ready for review June 4, 2026 21:37
scottschreckengaust requested a review from a team as a code owner June 4, 2026 21:37
scottschreckengaust added this pull request to the merge queue Jun 4, 2026
Merged via the queue into main with commit bc94972 Jun 4, 2026
7 checks passed
scottschreckengaust deleted the fix/266-pyjwt-constraint branch June 4, 2026 21:47
isadeks added a commit to isadeks/sample-autonomous-cloud-coding-agents that referenced this pull request Jun 5, 2026
Resolves conflicts:
- linear-webhook-processor.ts/.test.ts: keep linear-vercel's probe + contextHint additions
- astro.config.mjs / sync-starlight.mjs: keep deploy-preview-screenshots-guide entries
- LINEAR_PAK_MIGRATION_RUNBOOK.md: take upstream status names (RUNNING,HYDRATING,SUBMITTED)
- LINEAR_SETUP_GUIDE.md: keep linear-vercel's expanded teammate handshake + attachments docs
- ROADMAP.md: keep both deploy-preview-screenshots and slack-notification-dispatcher entries

Brings linear-vercel up to date with main: PR aws-samples#200 (multi-workspace Linear),
PR aws-samples#233 (Slack OOM), PR aws-samples#234 (gh issue fix), PR aws-samples#265 (CI), PR aws-samples#268 (pyjwt),
plus other quality improvements.
Successfully merging this pull request may close these issues.

fix(security): constrain pyjwt >=2.13.0 to resolve PYSEC-2026-175/177/178/179