Bump the pip group across 1 directory with 11 updates #36

dependabot · 2025-05-09T00:34:04Z

Bumps the pip group with 11 updates in the /authn-service directory:

Package	From	To
certifi	`2020.6.20`	`2024.7.4`
cryptography	`2.6.1`	`44.0.1`
flask	`1.1.2`	`2.2.5`
flask-cors	`3.0.8`	`4.0.2`
idna	`2.10`	`3.7`
jinja2	`2.11.2`	`3.1.6`
pyjwt	`1.7.1`	`2.4.0`
pyxdg	`0.25`	`0.26`
requests	`2.24.0`	`2.32.2`
urllib3	`1.25.11`	`1.26.19`
werkzeug	`1.0.1`	`3.0.6`

Updates certifi from 2020.6.20 to 2024.7.4

Commits

bd81538 2024.07.04 (#295)
06a2cbf Bump peter-evans/create-pull-request from 6.0.5 to 6.1.0 (#294)
13bba02 Bump actions/checkout from 4.1.6 to 4.1.7 (#293)
e8abcd0 Bump pypa/gh-action-pypi-publish from 1.8.14 to 1.9.0 (#292)
124f4ad 2024.06.02 (#291)
c2196ce --- (#290)
fefdeec Bump actions/checkout from 4.1.4 to 4.1.5 (#289)
3c5fb15 Bump actions/download-artifact from 4.1.6 to 4.1.7 (#286)
4a9569a Bump actions/checkout from 4.1.2 to 4.1.4 (#287)
1fc8086 Bump peter-evans/create-pull-request from 6.0.4 to 6.0.5 (#288)
Additional commits viewable in compare view

Updates cryptography from 2.6.1 to 44.0.1

Changelog

Sourced from cryptography's changelog.

44.0.1 - 2025-02-11
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.4.1.
* We now build ``armv7l`` ``manylinux`` wheels and publish them to PyPI.
* We now build ``manylinux_2_34`` wheels and publish them to PyPI.
.. _v44-0-0:
44.0.0 - 2024-11-27
BACKWARDS INCOMPATIBLE: Dropped support for LibreSSL < 3.9.

Deprecated Python 3.7 support. Python 3.7 is no longer supported by the Python core team. Support for Python 3.7 will be removed in a future cryptography release.

Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.4.0.

macOS wheels are now built against the macOS 10.13 SDK. Users on older versions of macOS should upgrade, or they will need to build cryptography themselves.

Enforce the :rfc:5280 requirement that extended key usage extensions must not be empty.

Added support for timestamp extraction to the :class:~cryptography.fernet.MultiFernet class.

Relax the Authority Key Identifier requirements on root CA certificates during X.509 verification to allow fields permitted by :rfc:5280 but forbidden by the CA/Browser BRs.

Added support for :class:~cryptography.hazmat.primitives.kdf.argon2.Argon2id when using OpenSSL 3.2.0+.

Added support for the :class:~cryptography.x509.Admissions certificate extension.

Added basic support for PKCS7 decryption (including S/MIME 3.2) via :func:~cryptography.hazmat.primitives.serialization.pkcs7.pkcs7_decrypt_der, :func:~cryptography.hazmat.primitives.serialization.pkcs7.pkcs7_decrypt_pem, and :func:~cryptography.hazmat.primitives.serialization.pkcs7.pkcs7_decrypt_smime.

.. _v43-0-3:

43.0.3 - 2024-10-18
* Fixed release metadata for ``cryptography-vectors``
.. _v43-0-2:
43.0.2 - 2024-10-18
Fixed compilation when using LibreSSL 4.0.0.

.. _v43-0-1:

... (truncated)

Commits

adaaaed Bump for 44.0.1 release (#12441)
ccc61da [backport] test and build on armv7l (#12420) (#12431)
f299a48 remove deprecated call (#12052)
439eb05 Bump version for 44.0.0 (#12051)
2c5ad4d chore(deps): bump maturin from 1.7.4 to 1.7.5 in /.github/requirements (#12050)
d23968a chore(deps): bump libc from 0.2.165 to 0.2.166 (#12049)
133c0e0 Bump x509-limbo and/or wycheproof in CI (#12047)
f2259d7 Bump BoringSSL and/or OpenSSL in CI (#12046)
e201c87 fixed metadata in changelog (#12044)
c6104cc Prohibit Python 3.9.0, 3.9.1 -- they have a bug that causes errors (#12045)
Additional commits viewable in compare view

Updates flask from 1.1.2 to 2.2.5

Release notes

Sourced from flask's releases.

2.2.5

This is a security fix release for the 2.2.x release branch. Note that 2.3.x is the currently supported release branch; please upgrade to the latest version if possible.

Security advisory: GHSA-m2qf-hxjv-5gpq, CVE-2023-30861

Changes: https://flask.palletsprojects.com/en/2.2.x/changes/#version-2-2-5

Milestone: https://github.com/pallets/flask/milestone/30?closed=1

2.2.4

This is a fix release for the 2.2.x release branch.

Changes: https://flask.palletsprojects.com/en/2.2.x/changes/#version-2-2-4

Milestone: https://github.com/pallets/flask/milestone/27?closed=1

2.2.3

This is a fix release for the 2.2.x release branch.

Changes: https://flask.palletsprojects.com/en/2.2.x/changes/#version-2-2-3

Milestone: https://github.com/pallets/flask/milestone/26?closed=1

2.2.2

This is a fix release for the 2.2.0 feature release.

Changes: https://flask.palletsprojects.com/en/2.2.x/changes/#version-2-2-2

Milestone: https://github.com/pallets/flask/milestone/25?closed=1

2.2.1

This is a fix release for the 2.2.0 feature release.

Changes: https://flask.palletsprojects.com/en/2.2.x/changes/#version-2-2-1

Milestone: https://github.com/pallets/flask/milestone/23?closed=1

2.2.0

This is a feature release, which includes new features and removes previously deprecated code. The 2.2.x branch is now the supported bug fix branch, the 2.1.x branch will become a tag marking the end of support for that branch. We encourage everyone to upgrade, and to use a tool such as pip-tools to pin all dependencies and control upgrades.

Changes: https://flask.palletsprojects.com/en/2.2.x/changes/#version-2-2-0

Milestone: https://github.com/pallets/flask/milestone/19?closed=1

2.1.3

Changes: https://flask.palletsprojects.com/en/2.1.x/changes/#version-2-1-3

Milestone: https://github.com/pallets/flask/milestone/22?closed=1

2.1.2

This is a fix release for the 2.1.0 feature release.

Changes: https://flask.palletsprojects.com/en/2.1.x/changes/#version-2-1-2

Milestone: https://github.com/pallets/flask/milestone/21?closed=1

2.1.1

This is a fix release for the 2.1.0 feature release.

... (truncated)

Changelog

Sourced from flask's changelog.

Version 2.2.5

Released 2023-05-02

Update for compatibility with Werkzeug 2.3.3.

Set Vary: Cookie header when the session is accessed, modified, or refreshed.

Version 2.2.4

Released 2023-04-25

Update for compatibility with Werkzeug 2.3.

Version 2.2.3

Released 2023-02-15

Autoescape is enabled by default for .svg template files. :issue:4831

Fix the type of template_folder to accept pathlib.Path. :issue:4892

Add --debug option to the flask run command. :issue:4777

Version 2.2.2

Released 2022-08-08

Update Werkzeug dependency to >= 2.2.2. This includes fixes related to the new faster router, header parsing, and the development server. :pr:4754

Fix the default value for app.env to be "production". This attribute remains deprecated. :issue:4740

Version 2.2.1

Released 2022-08-03

Setting or accessing json_encoder or json_decoder raises a deprecation warning. :issue:4732

Version 2.2.0

... (truncated)

Commits

47af817 release version 2.2.5
afd63b1 Merge pull request #5109 from pallets/backport-vary-cookie
8646edc set Vary: Cookie header consistently for session
a6367da Merge pull request #5108 from pallets/werkzeug-compat
3fbfbad werkzeug 2.3.3 compatibility
726d3f4 start version 2.2.5
ddc7acc Merge pull request #5081 from pallets/release-2.2.4
74e0329 release version 2.2.4
2d46068 update dev env
64bc458 update dev dependencies
Additional commits viewable in compare view

Updates flask-cors from 3.0.8 to 4.0.2

Release notes

Sourced from flask-cors's releases.

4.0.2

What's Changed

Bump requests from 2.31.0 to 2.32.0 in /docs by @dependabot in corydolphin/flask-cors#358

Backwards Compatible Fix for CVE-2024-6221 by @adrianosela in corydolphin/flask-cors#363

Add unit tests for Private-Network by @corydolphin in corydolphin/flask-cors#367

New Contributors

@dependabot made their first contribution in corydolphin/flask-cors#358

@adrianosela made their first contribution in corydolphin/flask-cors#363

Full Changelog: corydolphin/flask-cors@4.0.1...4.0.2

4.0.1

What's Changed

Fix Read the Docs builds by @kurtmckee in corydolphin/flask-cors#345

Update extension.py to clean request.path before logging it by @aneshujevic in corydolphin/flask-cors#351

Update CI to include Python 3.12 and flask 3.0.3 by @corydolphin in corydolphin/flask-cors#354

Release 4.0.1 by @corydolphin in corydolphin/flask-cors#353

New Contributors

@kurtmckee made their first contribution in corydolphin/flask-cors#345

@aneshujevic made their first contribution in corydolphin/flask-cors#351

Full Changelog: corydolphin/flask-cors@4.0.0...4.0.1

Release 4.0.0

What's Changed

Remove support for Python versions older than 3.8 by @WAKayser in corydolphin/flask-cors#330

Add GHA tooling by @corydolphin in corydolphin/flask-cors#331

New Contributors

@WAKayser made their first contribution in corydolphin/flask-cors#330

Full Changelog: corydolphin/flask-cors@3.1.01...v4.0.0

3.1.01

What's Changed

Include examples to specify that schema and port must be included in … by @YPCrumble in corydolphin/flask-cors#294

two small changes to the documentation, based on issue #290 by @bbbart in corydolphin/flask-cors#291

Fix typo by @sunarch in corydolphin/flask-cors#304

FIX: typo in CSRF by @sattamjh in corydolphin/flask-cors#315

Test against recent Python versions by @pylipp in corydolphin/flask-cors#314

Correct spelling mistakes by @EdwardBetts in corydolphin/flask-cors#311

'Access-Control-Allow-Private-Network = true' header for http response by @chelo-kjml in corydolphin/flask-cors#318

docs: Fix a few typos by @timgates42 in corydolphin/flask-cors#323

[Docs] Fix typo in configuration documentation by @sachit-shroff in corydolphin/flask-cors#316

Release Version 3.1.01 by @corydolphin in corydolphin/flask-cors#329

New Contributors

@YPCrumble made their first contribution in corydolphin/flask-cors#294

... (truncated)

Changelog

Sourced from flask-cors's changelog.

Change Log

4.0.1

Security

Address CVE-2024-1681 which is a log injection vulnerability when the log level is set to debug by @aneshujevic in corydolphin/flask-cors#351

4.0.0

Remove support for Python versions older than 3.8 by @WAKayser in corydolphin/flask-cors#330

Add GHA tooling by @corydolphin in corydolphin/flask-cors#331

3.1.01

Include examples to specify that schema and port must be included in … by @YPCrumble in corydolphin/flask-cors#294

two small changes to the documentation, based on issue #290 by @bbbart in corydolphin/flask-cors#291

Fix typo by @sunarch in corydolphin/flask-cors#304

FIX: typo in CSRF by @sattamjh in corydolphin/flask-cors#315

Test against recent Python versions by @pylipp in corydolphin/flask-cors#314

Correct spelling mistakes by @EdwardBetts in corydolphin/flask-cors#311

'Access-Control-Allow-Private-Network = true' header for http response by @chelo-kjml in corydolphin/flask-cors#318

docs: Fix a few typos by @timgates42 in corydolphin/flask-cors#323

[Docs] Fix typo in configuration documentation by @sachit-shroff in corydolphin/flask-cors#316

3.0.10

Adds support for PPC64 and ARM64 builds for distribution. Thanks @sreekanth370

3.0.9

Security

Escape path before evaluating resource rules (thanks to Colby Morgan). Prior to this, flask-cors incorrectly evaluated CORS resource matching before path expansion. E.g. "/api/../foo.txt" would incorrectly match resources for "/api/*" whereas the path actually expands simply to "/foo.txt"

Commits

561ed26 Add unit tests for Private-Network (#367)
7ae310c Backwards Compatible Fix for CVE-2024-6221 (#363)
f25c6b2 --- (#358)
1df178c Release 0.4.1 (#353)
5090b4a Update CI to include Python 3.12 and flask 3.0.3 (#354)
6172c20 Update extension.py to clean request.path before logging it (#351)
cadade9 Fix Read the Docs builds (#345)
40acc80 Update CHANGELOG to reflect 4.0.0 release (#335)
dbabb27 Testing: Move from deprecated assertEquals to assertEqual (#332)
0b74401 Convert CI to use GHA (#331)
Additional commits viewable in compare view

Updates idna from 2.10 to 3.7

Release notes

Sourced from idna's releases.

v3.7

What's Changed

Fix issue where specially crafted inputs to encode() could take exceptionally long amount of time to process. [CVE-2024-3651]

Thanks to Guido Vranken for reporting the issue.

Full Changelog: kjd/idna@v3.6...v3.7

Changelog

Sourced from idna's changelog.

3.7 (2024-04-11) ++++++++++++++++

Fix issue where specially crafted inputs to encode() could take exceptionally long amount of time to process. [CVE-2024-3651]

Thanks to Guido Vranken for reporting the issue.

3.6 (2023-11-25) ++++++++++++++++

Fix regression to include tests in source distribution.

3.5 (2023-11-24) ++++++++++++++++

Update to Unicode 15.1.0

String codec name is now "idna2008" as overriding the system codec "idna" was not working.

Fix typing error for codec encoding

"setup.cfg" has been added for this release due to some downstream lack of adherence to PEP 517. Should be removed in a future release so please prepare accordingly.

Removed reliance on a symlink for the "idna-data" tool to comport with PEP 517 and the Python Packaging User Guide for sdist archives.

Added security reporting protocol for project

Thanks Jon Ribbens, Diogo Teles Sant'Anna, Wu Tingfeng for contributions to this release.

3.4 (2022-09-14) ++++++++++++++++

Update to Unicode 15.0.0

Migrate to pyproject.toml for build information (PEP 621)

Correct another instance where generic exception was raised instead of IDNAError for malformed input

Source distribution uses zeroized file ownership for improved reproducibility

Thanks to Seth Michael Larson for contributions to this release.

3.3 (2021-10-13) ++++++++++++++++

Update to Unicode 14.0.0

Update to in-line type annotations

Throw IDNAError exception correctly for some malformed input

Advertise support for Python 3.10

Improve testing regime on Github

... (truncated)

Commits

1d365e1 Release v3.7
c1b3154 Merge pull request #172 from kjd/optimize-contextj
0394ec7 Merge branch 'master' into optimize-contextj
cd58a23 Merge pull request #152 from elliotwutingfeng/dev
5beb28b More efficient resolution of joiner contexts
1b12148 Update ossf/scorecard-action to v2.3.1
d516b87 Update Github actions/checkout to v4
c095c75 Merge branch 'master' into dev
60a0a4c Fix typo in GitHub Actions workflow key
5918a0e Merge branch 'master' into dev
Additional commits viewable in compare view

Updates jinja2 from 2.11.2 to 3.1.6

Release notes

Sourced from jinja2's releases.

3.1.6

This is the Jinja 3.1.6 security release, which fixes security issues but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Jinja2/3.1.6/ Changes: https://jinja.palletsprojects.com/en/stable/changes/#version-3-1-6

The |attr filter does not bypass the environment's attribute lookup, allowing the sandbox to apply its checks. GHSA-cpwx-vrp4-4pq7

3.1.5

This is the Jinja 3.1.5 security fix release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Jinja2/3.1.5/ Changes: https://jinja.palletsprojects.com/changes/#version-3-1-5 Milestone: https://github.com/pallets/jinja/milestone/16?closed=1

The sandboxed environment handles indirect calls to str.format, such as by passing a stored reference to a filter that calls its argument. GHSA-q2x7-8rv6-6q7h

Escape template name before formatting it into error messages, to avoid issues with names that contain f-string syntax. #1792, GHSA-gmj6-6f8f-6699

Sandbox does not allow clear and pop on known mutable sequence types. #2032

Calling sync render for an async template uses asyncio.run. #1952

Avoid unclosed auto_aiter warnings. #1960

Return an aclose-able AsyncGenerator from Template.generate_async. #1960

Avoid leaving root_render_func() unclosed in Template.generate_async. #1960

Avoid leaving async generators unclosed in blocks, includes and extends. #1960

The runtime uses the correct concat function for the current environment when calling block references. #1701

Make |unique async-aware, allowing it to be used after another async-aware filter. #1781

|int filter handles OverflowError from scientific notation. #1921

Make compiling deterministic for tuple unpacking in a {% set ... %} call. #2021

Fix dunder protocol (copy/pickle/etc) interaction with Undefined objects. #2025

Fix copy/pickle support for the internal missing object. #2027

Environment.overlay(enable_async) is applied correctly. #2061

The error message from FileSystemLoader includes the paths that were searched. #1661

PackageLoader shows a clearer error message when the package does not contain the templates directory. #1705

Improve annotations for methods returning copies. #1880

urlize does not add mailto: to values like @a@b. #1870

Tests decorated with @pass_context can be used with the |select filter. #1624

Using set for multiple assignment (a, b = 1, 2) does not fail when the target is a namespace attribute. #1413

Using set in all branches of {% if %}{% elif %}{% else %} blocks does not cause the variable to be considered initially undefined. #1253

3.1.4

This is the Jinja 3.1.4 security release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes.

PyPI: https://pypi.org/project/Jinja2/3.1.4/ Changes: https://jinja.palletsprojects.com/en/3.1.x/changes/#version-3-1-4

The xmlattr filter does not allow keys with / solidus, > greater-than sign, or = equals sign, in addition to disallowing spaces. Regardless of any validation done by Jinja, user input should never be used as keys to this filter, or must be separately validated first. GHSA-h75v-3vvj-5mfj

3.1.3

This is a fix release for the 3.1.x feature branch.

Fix for GHSA-h5c8-rqwp-cp95. You are affected if you are using xmlattr and passing user input as attribute keys.

... (truncated)

Changelog

Sourced from jinja2's changelog.

Version 3.1.6

Released 2025-03-05

The |attr filter does not bypass the environment's attribute lookup, allowing the sandbox to apply its checks. :ghsa:cpwx-vrp4-4pq7

Version 3.1.5

Released 2024-12-21

The sandboxed environment handles indirect calls to str.format, such as by passing a stored reference to a filter that calls its argument. :ghsa:q2x7-8rv6-6q7h

Escape template name before formatting it into error messages, to avoid issues with names that contain f-string syntax. :issue:1792, :ghsa:gmj6-6f8f-6699

Sandbox does not allow clear and pop on known mutable sequence types. :issue:2032

Calling sync render for an async template uses asyncio.run. :pr:1952

Avoid unclosed auto_aiter warnings. :pr:1960

Return an aclose-able AsyncGenerator from Template.generate_async. :pr:1960

Avoid leaving root_render_func() unclosed in Template.generate_async. :pr:1960

Avoid leaving async generators unclosed in blocks, includes and extends. :pr:1960

The runtime uses the correct concat function for the current environment when calling block references. :issue:1701

Make |unique async-aware, allowing it to be used after another async-aware filter. :issue:1781

|int filter handles OverflowError from scientific notation. :issue:1921

Make compiling deterministic for tuple unpacking in a {% set ... %} call. :issue:2021

Fix dunder protocol (copy/pickle/etc) interaction with Undefined objects. :issue:2025

Fix copy/pickle support for the internal missing object. :issue:2027

Environment.overlay(enable_async) is applied correctly. :pr:2061

The error message from FileSystemLoader includes the paths that were searched. :issue:1661

PackageLoader shows a clearer error message when the package does not contain the templates directory. :issue:1705

Improve annotations for methods returning copies. :pr:1880

urlize does not add mailto: to values like @a@b. :pr:1870

... (truncated)

Commits

1520688 release version 3.1.6
90457bb Merge commit from fork
065334d attr filter uses env.getattr
033c200 start version 3.1.6
bc68d4e use global contributing guide (#2070)
247de5e use global contributing guide
ab8218c use project advisory link instead of global
b4ffc8f release version 3.1.5 (#2066)
877f6e5 release version 3.1.5
8d58859 remove test pypi
Additional commits viewable in compare view

Updates pyjwt from 1.7.1 to 2.4.0

Release notes

Sourced from pyjwt's releases.

2.4.0

Security

[CVE-2022-29217] Prevent key confusion through non-blocklisted public key formats. GHSA-ffqj-6fqr-9h24

What's Changed

Add support for Python 3.10 by @hugovk in jpadilla/pyjwt#699

Don't use implicit optionals by @rekyungmin in jpadilla/pyjwt#705

[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in jpadilla/pyjwt#708

[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in jpadilla/pyjwt#710

[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in jpadilla/pyjwt#711

[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in jpadilla/pyjwt#712

documentation fix: show correct scope for decode_complete() by @sseering in jpadilla/pyjwt#661

[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in jpadilla/pyjwt#716

Explicit check the key for ECAlgorithm by @estin in jpadilla/pyjwt#713

[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in jpadilla/pyjwt#720

api_jwk: Add PyJWKSet.getitem by @woodruffw in jpadilla/pyjwt#725

Update usage.rst by @guneybilen in jpadilla/pyjwt#727

[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in jpadilla/pyjwt#728

fix: Update copyright information by @kkirsche in jpadilla/pyjwt#729

Docs: mention performance reasons for reusing RSAPrivateKey when encoding by @dmahr1 in jpadilla/pyjwt#734

Fixed typo in usage.rst by @israelabraham in jpadilla/pyjwt#738

Add detached payload support for JWS encoding and decoding by @fviard in jpadilla/pyjwt#723

[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in jpadilla/pyjwt#740

Raise DeprecationWarning for jwt.decode(verify=...) by @akx in jpadilla/pyjwt#742

Don't mutate options dictionary in .decode_complete() by @akx in jpadilla/pyjwt#743

[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in jpadilla/pyjwt#748

Replace various string interpolations with f-strings by @akx in jpadilla/pyjwt#744

Update CHANGELOG.rst by @hipertracker in jpadilla/pyjwt#751

New Contributors

@hugovk made their first contribution in jpadilla/pyjwt#699

@rekyungmin made their first contribution in jpadilla/pyjwt#705

@sseering made their first contribution in jpadilla/pyjwt#661

@estin made their first contribution in jpadilla/pyjwt#713

@woodruffw made their first contribution in jpadilla/pyjwt#725

@guneybilen made their first contribution in jpadilla/pyjwt#727

@dmahr1 made their first contribution in jpadilla/pyjwt#734

@israelabraham made their first contribution in jpadilla/pyjwt#738

@fviard made their first contribution in jpadilla/pyjwt#723

@akx made their first contribution in jpadilla/pyjwt#742

@hipertracker made their first contribution in jpadilla/pyjwt#751

Full Changelog: jpadilla/pyjwt@2.3.0...2.4.0

2.3.0

What's Changed

[pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in jpadilla/pyjwt#700

Add exception chaining by @ehdgua01 in jpadilla/pyjwt#702

Revert "Remove arbitrary kwargs." by @auvipy in jpadilla/pyjwt#701

... (truncated)

Changelog

Sourced from pyjwt's changelog.

`v2.4.0 <https://github.com/jpadilla/pyjwt/compare/2.3.0...2.4.0>`__

Security


- [CVE-2022-29217] Prevent key confusion through non-blocklisted public key formats. https://github.com/jpadilla/pyjwt/security/advisories/GHSA-ffqj-6fqr-9h24
Changed

- Explicit check the key for ECAlgorithm by @estin in https://github.com/jpadilla/pyjwt/pull/713
- Raise DeprecationWarning for jwt.decode(verify=...) by @akx in https://github.com/jpadilla/pyjwt/pull/742
Fixed

- Don't use implicit optionals by @rekyungmin in https://github.com/jpadilla/pyjwt/pull/705
- documentation fix: show correct scope for decode_complete() by @sseering in https://github.com/jpadilla/pyjwt/pull/661
- fix: Update copyright information by @kkirsche in https://github.com/jpadilla/pyjwt/pull/729
- Don't mutate options dictionary in .decode_complete() by @akx in https://github.com/jpadilla/pyjwt/pull/743

Added


Add support for Python 3.10 by @hugovk in https://github.com/jpadilla/pyjwt/pull/699
api_jwk: Add PyJWKSet.getitem by @woodruffw in https://github.com/jpadilla/pyjwt/pull/725
Update usage.rst by @guneybilen in https://github.com/jpadilla/pyjwt/pull/727
Docs: mention performance reasons for reusing RSAPrivateKey when encoding by @dmahr1 in https://github.com/jpadilla/pyjwt/pull/734
Fixed typo in usage.rst by @israelabraham in https://github.com/jpadilla/pyjwt/pull/738
Add detached payload support for JWS encoding and decoding by @fviard in https://github.com/jpadilla/pyjwt/pull/723
Replace various string interpolations with f-strings by @akx in https://github.com/jpadilla/pyjwt/pull/744
Update CHANGELOG.rst by @hipertracker in https://github.com/jpadilla/pyjwt/pull/751

v2.3.0 &amp;lt;https://github.com/jpadilla/pyjwt/compare/2.2.0...2.3.0&amp;gt;__
Fixed

- Revert &amp;quot;Remove arbitrary kwargs.&amp;quot; `[#701](https://github.com/jpadilla/pyjwt/issues/701) &amp;lt;https://github.com/jpadilla/pyjwt/pull/701&amp;gt;`__

Added


Add exception chaining [#702](https://github.com/jpadilla/pyjwt/issues/702) &amp;lt;https://github.com/jpadilla/pyjwt/pull/702&amp;gt;__

v2.2.0 &amp;lt;https://github.com/jpadilla/pyjwt/compare/2.1.0...2.2.0&amp;gt;__
&lt;/tr&gt;&lt;/table&gt;

</code></pre>

</blockquote>

<p>... (truncated)</p>

</details>

<details>

<summary>Commits</summary>
<ul>

<li><a href="https://github.com/jpadilla/pyjwt/commit/83ff831a4d11190e3a0bed781da43f8d84352653&quot;&gt;&lt;code&gt;83ff831&lt;/code&gt;&lt;/a> chore: update changelog</li>

<li><a href="https://github.com/jpadilla/pyjwt/commit/4c1ce8fd9019dd312ff257b5141cdb6d897379d9&quot;&gt;&lt;code&gt;4c1ce8f&lt;/code&gt;&lt;/a> chore: update changelog</li>

<li><a href="https://github.com/jpadilla/pyjwt/commit/96f3f0275745c5a455c019a0d3476a054980e8ea&quot;&gt;&lt;code&gt;96f3f02&lt;/code&gt;&lt;/a> fix: failing advisory test</li>

<li><a href="https://github.com/jpadilla/pyjwt/commit/9c528670c455b8d948aff95ed50e22940d1ad3fc&quot;&gt;&lt;code&gt;9c52867&lt;/code&gt;&lt;/a> Merge pull request from GHSA-ffqj-6fqr-9h24</li>

<li><a href="https://github.com/jpadilla/pyjwt/commit/24b29adfebcb4f057a3cef5aaf35653bc0c1c8cc&quot;&gt;&lt;code&gt;24b29ad&lt;/code&gt;&lt;/a> Update CHANGELOG.rst (<a href="https://redirect.github.com/jpadilla/pyjwt/issues/751&quot;&gt;#751&lt;/a&gt;)&lt;/li>

<li><a href="https://github.com/jpadilla/pyjwt/commit/31f5acb8fb3ec6cdfe2b1b0a4a8f329b5f3ca67f&quot;&gt;&lt;code&gt;31f5acb&lt;/code&gt;&lt;/a> Replace various string interpolations with f-strings (<a href="https://redirect.github.com/jpadilla/pyjwt/issues/744&quot;&gt;#744&lt;/a&gt;)&lt;/li>

<li><a href="https://github.com/jpadilla/pyjwt/commit/5581a31c21de70444c1162bcfa29f7e0fc86edda&quot;&gt;&lt;code&gt;5581a31&lt;/code&gt;&lt;/a> [pre-commit.ci] pre-commit autoupdate (<a href="https://redirect.github.com/jpadilla/pyjwt/issues/748&quot;&gt;#748&lt;/a&gt;)&lt;/li>

<li><a href="https://github.com/jpadilla/pyjwt/commit/3d4d82248f1120c87f1f4e0e8793eaa1d54843a6&quot;&gt;&lt;code&gt;3d4d822&lt;/code&gt;&lt;/a> Don't mutate options dictionary in .decode_complete() (<a href="https://redirect.github.com/jpadilla/pyjwt/issues/743&quot;&gt;#743&lt;/a&gt;)&lt;/li>

<li><a href="https://github.com/jpadilla/pyjwt/commit/1f1fe15bb41846c602b3e106176b2c692b93a613&quot;&gt;&lt;code&gt;1f1fe15&lt;/code&gt;&lt;/a> Add a deprecation warning when jwt.decode() is called with the legacy verify=...</li>

<li><a href="https://github.com/jpadilla/pyjwt/commit/35fa28e59d99b99c6a780d2a029a74d6bbba8b1e&quot;&gt;&lt;code&gt;35fa28e&lt;/code&gt;&lt;/a> [pre-commit.ci] pre-commit autoupdate (<a href="https://redirect.github.com/jpadilla/pyjwt/issues/740&quot;&gt;#740&lt;/a&gt;)&lt;/li>

<li>Additional commits viewable in <a href="https://github.com/jpadilla/pyjwt/compare/1.7.1...2.4.0&quot;&gt;compare view</a></li>

</ul>

</details>
<br />


Updates pyxdg from 0.25 to 0.26

Changelog
Sourced from pyxdg's changelog.

Version 0.28 (June 2022)
* BaseDirectory: Add support for $XDG_STATE_DIR

Version 0.27 (October 2020)
* Fix some ResourceWarnings


Fix compatibility with Python >= 3.8.4
Fix some bugs in xdg.Menu

Version 0.26 ()
* DesktopEntry: Add a method to check the existence of the TryExec value,
Debian bug #618514.
Version 0.25 (December 2012)
* Add support for $XDG_RUNTIME_DIR, Debian bug #656338.
* Allow desktop entry files that are not encoded in UTF-8, Debian bug #693855.
* Mime: Add support for subclasses and aliases.
Version 0.24 (October 2012)
* Update allowed DesktopEntry categories following changes to the
specification.
* Fix removal of empty submenu, freedesktop bug #54747.
* Documentation is now available on RTD: http://pyxdg.readthedocs.org/
* A few more tests, and some code cleanup.
* Fix failure to parse some menu files when kde-config is missing,
freedesktop bug #56426.
Version 0.23 (July 2012)
* Fix a test for non-UTF-8 locales.
Version 0.22 (July 2012)
* Better unicode handling in several modules.
* Fix for sorting non-ASCII menu entries, freedesktop bug #52492.
* More tests.
Version 0.21 (July 2012)
* Tests can now be run conveniently using nosetests, and cover more of the
code.
* BaseDirectory: New save_cache_path() function, freedesktop bug #26458.
* Config: Default icon theme is 'hicolor', not 'highcolor'.
* Menu: Obsolete Rule.compile() method removed.
* DesktopEntry: Corrected spelling of checkCategories() method, freedesktop
bug #24974.
* DesktopEntry: Consider Actions and Keywords keys standard.
* DesktopEntry: Accept non-ASCII Keywords.
* DesktopEntry: Update list of environments valid for OnlyShowIn.
* Mime: Fix get_type_by_contents() in Python 3.
* RecentFiles: Minor bug fixes.


... (truncated)


Commits

7db14dc Make universal wheels
cadd68b Version number -> 0.26
aa98604 Shorter title on docs
ca188f1 Get version number for docs from module
6970744 Allow 'ScaledDirectories' key in icon theme file
056dbc1 Allow 'Scale' in icon theme per-directory sections
c80f5ce Accept either x-glade or x-gtk-builder for glade UI file
8f28887 Switch tests away from problematic png mime type
fcdeff5 Try installing package on Travis before testing
010a8ed Update GTK glade mimetype to newer name
Additional commits viewable in compare view




Updates requests from 2.24.0 to 2.32.2

Release notes
Sourced from requests's releases.

v2.32.2
2.32.2 (2024-05-21)
Deprecations


To provide a more stable migration for custom HTTPAdapters impacted
by the CVE changes in 2.32.0, we've renamed _get_connection to
a new public API, get...
Description has been truncated

Bumps the pip group with 11 updates in the /authn-service directory: | Package | From | To | | --- | --- | --- | | [certifi](https://github.com/certifi/python-certifi) | `2020.6.20` | `2024.7.4` | | [cryptography](https://github.com/pyca/cryptography) | `2.6.1` | `44.0.1` | | [flask](https://github.com/pallets/flask) | `1.1.2` | `2.2.5` | | [flask-cors](https://github.com/corydolphin/flask-cors) | `3.0.8` | `4.0.2` | | [idna](https://github.com/kjd/idna) | `2.10` | `3.7` | | [jinja2](https://github.com/pallets/jinja) | `2.11.2` | `3.1.6` | | [pyjwt](https://github.com/jpadilla/pyjwt) | `1.7.1` | `2.4.0` | | [pyxdg](https://github.com/takluyver/pyxdg) | `0.25` | `0.26` | | [requests](https://github.com/psf/requests) | `2.24.0` | `2.32.2` | | [urllib3](https://github.com/urllib3/urllib3) | `1.25.11` | `1.26.19` | | [werkzeug](https://github.com/pallets/werkzeug) | `1.0.1` | `3.0.6` | Updates `certifi` from 2020.6.20 to 2024.7.4 - [Commits](certifi/python-certifi@2020.06.20...2024.07.04) Updates `cryptography` from 2.6.1 to 44.0.1 - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](pyca/cryptography@2.6.1...44.0.1) Updates `flask` from 1.1.2 to 2.2.5 - [Release notes](https://github.com/pallets/flask/releases) - [Changelog](https://github.com/pallets/flask/blob/main/CHANGES.rst) - [Commits](pallets/flask@1.1.2...2.2.5) Updates `flask-cors` from 3.0.8 to 4.0.2 - [Release notes](https://github.com/corydolphin/flask-cors/releases) - [Changelog](https://github.com/corydolphin/flask-cors/blob/main/CHANGELOG.md) - [Commits](corydolphin/flask-cors@3.0.8...4.0.2) Updates `idna` from 2.10 to 3.7 - [Release notes](https://github.com/kjd/idna/releases) - [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.rst) - [Commits](kjd/idna@v2.10...v3.7) Updates `jinja2` from 2.11.2 to 3.1.6 - [Release notes](https://github.com/pallets/jinja/releases) - [Changelog](https://github.com/pallets/jinja/blob/main/CHANGES.rst) - [Commits](pallets/jinja@2.11.2...3.1.6) Updates `pyjwt` from 1.7.1 to 2.4.0 - [Release notes](https://github.com/jpadilla/pyjwt/releases) - [Changelog](https://github.com/jpadilla/pyjwt/blob/master/CHANGELOG.rst) - [Commits](jpadilla/pyjwt@1.7.1...2.4.0) Updates `pyxdg` from 0.25 to 0.26 - [Changelog](https://github.com/takluyver/pyxdg/blob/master/ChangeLog) - [Commits](takluyver/pyxdg@rel-0.25...rel-0.26) Updates `requests` from 2.24.0 to 2.32.2 - [Release notes](https://github.com/psf/requests/releases) - [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md) - [Commits](psf/requests@v2.24.0...v2.32.2) Updates `urllib3` from 1.25.11 to 1.26.19 - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](urllib3/urllib3@1.25.11...1.26.19) Updates `werkzeug` from 1.0.1 to 3.0.6 - [Release notes](https://github.com/pallets/werkzeug/releases) - [Changelog](https://github.com/pallets/werkzeug/blob/main/CHANGES.rst) - [Commits](pallets/werkzeug@1.0.1...3.0.6) --- updated-dependencies: - dependency-name: certifi dependency-version: 2024.7.4 dependency-type: direct:production dependency-group: pip - dependency-name: cryptography dependency-version: 44.0.1 dependency-type: direct:production dependency-group: pip - dependency-name: flask dependency-version: 2.2.5 dependency-type: direct:production dependency-group: pip - dependency-name: flask-cors dependency-version: 4.0.2 dependency-type: direct:production dependency-group: pip - dependency-name: idna dependency-version: '3.7' dependency-type: direct:production dependency-group: pip - dependency-name: jinja2 dependency-version: 3.1.6 dependency-type: direct:production dependency-group: pip - dependency-name: pyjwt dependency-version: 2.4.0 dependency-type: direct:production dependency-group: pip - dependency-name: pyxdg dependency-version: '0.26' dependency-type: direct:production dependency-group: pip - dependency-name: requests dependency-version: 2.32.2 dependency-type: direct:production dependency-group: pip - dependency-name: urllib3 dependency-version: 1.26.19 dependency-type: direct:production dependency-group: pip - dependency-name: werkzeug dependency-version: 3.0.6 dependency-type: direct:production dependency-group: pip ... Signed-off-by: dependabot[bot] <[email protected]>

github-actions · 2025-05-09T00:34:17Z

Dependency Review

The following issues were found:

✅ 0 vulnerable package(s)
❌ 6 package(s) with incompatible licenses
✅ 0 package(s) with invalid SPDX license definitions
✅ 0 package(s) with unknown licenses.

See the Details below.

License Issues

authn-service/requirements.txt

Package	Version	License	Issue Type
certifi	2024.7.4	MPL-2.0	Incompatible License
idna	3.7	BSD-2-Clause AND BSD-3-Clause	Incompatible License
pyxdg	0.26	GPL-3.0-or-later AND LGPL-2.0 AND LGPL-2.0-only	Incompatible License
Flask	2.2.5	BSD-3-Clause	Incompatible License
Jinja2	3.1.6	BSD-3-Clause	Incompatible License
Werkzeug	3.0.6	BSD-3-Clause	Incompatible License

Allowed Licenses: MIT, Apache-2.0, GPL-3.0

OpenSSF Scorecard

Scorecard details

Package

Version

Score

Details

pip/Flask

2.2.5

🟢 6.2

Details

Check	Score	Reason
Maintained	🟢 10	20 commit(s) and 9 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Code-Review	🟢 3	Found 6/20 approved changesets -- score normalized to 3
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Pinned-Dependencies	🟢 5	dependency not pinned by hash detected -- score normalized to 5
Binary-Artifacts	🟢 10	no binaries found in the repo
License	🟢 10	license file detected
Fuzzing	🟢 10	project is fuzzed
Packaging	🟢 10	packaging workflow detected
Signed-Releases	🟢 10	5 out of the last 5 releases have a total of 5 signed artifacts.
Security-Policy	🟢 9	security policy file detected
Branch-Protection	🟢 3	branch protection is not maximal on development and all release branches
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities	⚠️ 1	9 existing vulnerabilities detected

pip/Flask-Cors

4.0.2

🟢 4.9

Details

Check	Score	Reason
Code-Review	🟢 6	Found 17/28 approved changesets -- score normalized to 6
Maintained	🟢 5	5 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 5
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Security-Policy	⚠️ 0	security policy file not detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Packaging	⚠️ -1	packaging workflow not detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
License	🟢 10	license file detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
Fuzzing	⚠️ 0	project is not fuzzed
Signed-Releases	⚠️ -1	no releases found
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

pip/Jinja2

3.1.6

🟢 6.8

Details

Check	Score	Reason
Code-Review	⚠️ 2	Found 4/18 approved changesets -- score normalized to 2
Maintained	🟢 10	6 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies	🟢 5	dependency not pinned by hash detected -- score normalized to 5
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
License	🟢 10	license file detected
Fuzzing	🟢 10	project is fuzzed
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
Packaging	🟢 10	packaging workflow detected
Signed-Releases	🟢 10	4 out of the last 4 releases have a total of 4 signed artifacts.
Branch-Protection	🟢 3	branch protection is not maximal on development and all release branches
Security-Policy	🟢 9	security policy file detected
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

pip/PyJWT

2.4.0

🟢 7.2

Details

Check	Score	Reason
Code-Review	🟢 4	Found 9/19 approved changesets -- score normalized to 4
Binary-Artifacts	🟢 10	no binaries found in the repo
Maintained	🟢 10	13 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10
Security-Policy	🟢 10	security policy file detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Fuzzing	🟢 10	project is fuzzed
License	🟢 10	license file detected
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
Packaging	🟢 10	packaging workflow detected
SAST	🟢 5	SAST tool is not run on all commits -- score normalized to 5

pip/Werkzeug

3.0.6

🟢 5.7

Details

Check	Score	Reason
Code-Review	⚠️ 0	Found 0/19 approved changesets -- score normalized to 0
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Maintained	🟢 5	0 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 5
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Pinned-Dependencies	🟢 5	dependency not pinned by hash detected -- score normalized to 5
Binary-Artifacts	🟢 10	no binaries found in the repo
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
Signed-Releases	🟢 10	5 out of the last 5 releases have a total of 5 signed artifacts.
Security-Policy	🟢 9	security policy file detected
Packaging	🟢 10	packaging workflow detected
Branch-Protection	🟢 3	branch protection is not maximal on development and all release branches
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

pip/certifi

2024.7.4

🟢 7.1

Details

Check	Score	Reason
Maintained	🟢 10	13 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10
Binary-Artifacts	🟢 10	no binaries found in the repo
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Code-Review	🟢 4	Found 2/5 approved changesets -- score normalized to 4
Security-Policy	🟢 10	security policy file detected
Fuzzing	⚠️ 0	project is not fuzzed
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
License	🟢 9	license file detected
Signed-Releases	⚠️ -1	no releases found
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Pinned-Dependencies	🟢 5	dependency not pinned by hash detected -- score normalized to 5
Branch-Protection	🟢 3	branch protection is not maximal on development and all release branches
Packaging	🟢 10	packaging workflow detected
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

pip/cryptography

44.0.1

🟢 8.2

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 12 issue activity found in the last 90 days -- score normalized to 10
Security-Policy	🟢 10	security policy file detected
Code-Review	🟢 10	all changesets reviewed
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
License	🟢 9	license file detected
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
Signed-Releases	⚠️ -1	no releases found
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	🟢 9	detected GitHub workflow tokens with excessive permissions
Fuzzing	🟢 10	project is fuzzed
Packaging	🟢 10	packaging workflow detected
Binary-Artifacts	🟢 10	no binaries found in the repo
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities	🟢 7	3 existing vulnerabilities detected
Pinned-Dependencies	🟢 4	dependency not pinned by hash detected -- score normalized to 4

pip/idna

3.7

🟢 6.9

Details

Check	Score	Reason
Binary-Artifacts	🟢 10	no binaries found in the repo
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
CI-Tests	🟢 10	10 out of 10 merged PRs checked by a CI test -- score normalized to 10
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Code-Review	⚠️ 0	Found 1/12 approved changesets -- score normalized to 0
Contributors	🟢 10	project has 41 contributing companies or organizations
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Dependency-Update-Tool	⚠️ 0	no update tool detected
Fuzzing	🟢 10	project is fuzzed
License	🟢 10	license file detected
Maintained	🟢 6	8 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 6
Packaging	🟢 10	packaging workflow detected
Pinned-Dependencies	🟢 8	dependency not pinned by hash detected -- score normalized to 8
SAST	🟢 8	SAST tool is not run on all commits -- score normalized to 8
Security-Policy	🟢 10	security policy file detected
Signed-Releases	⚠️ 0	Project has not signed or included provenance with any releases.
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Vulnerabilities	🟢 10	0 existing vulnerabilities detected

pip/pyxdg

0.26

Unknown

pip/requests

2.32.2

🟢 8.5

Details

Check	Score	Reason
Code-Review	🟢 10	all changesets reviewed
Maintained	🟢 10	21 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10
Packaging	⚠️ -1	packaging workflow not detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Security-Policy	🟢 10	security policy file detected
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Pinned-Dependencies	🟢 8	dependency not pinned by hash detected -- score normalized to 8
Fuzzing	🟢 10	project is fuzzed
License	🟢 10	license file detected
Signed-Releases	⚠️ 0	Project has not signed or included provenance with any releases.
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
Vulnerabilities	🟢 9	1 existing vulnerabilities detected
SAST	🟢 10	SAST tool is run on all commits

pip/urllib3

1.26.19

🟢 9.2

Details

Check	Score	Reason
Binary-Artifacts	🟢 10	no binaries found in the repo
Branch-Protection	🟢 5	branch protection is not maximal on development and all release branches
CI-Tests	🟢 10	29 out of 29 merged PRs checked by a CI test -- score normalized to 10
CII-Best-Practices	🟢 5	badge detected: Passing
Code-Review	🟢 9	Found 23/24 approved changesets -- score normalized to 9
Contributors	🟢 10	project has 122 contributing companies or organizations
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Dependency-Update-Tool	🟢 10	update tool detected
Fuzzing	🟢 10	project is fuzzed
License	🟢 10	license file detected
Maintained	🟢 10	20 commit(s) and 8 issue activity found in the last 90 days -- score normalized to 10
Packaging	🟢 10	packaging workflow detected
Pinned-Dependencies	🟢 7	dependency not pinned by hash detected -- score normalized to 7
SAST	🟢 10	SAST tool is run on all commits
Security-Policy	🟢 10	security policy file detected
Signed-Releases	🟢 8	4 out of the last 5 releases have a total of 4 signed artifacts.
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Vulnerabilities	🟢 10	0 existing vulnerabilities detected

Scanned Files

authn-service/requirements.txt

dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels May 9, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump the pip group across 1 directory with 11 updates #36

Bump the pip group across 1 directory with 11 updates #36

dependabot bot commented on behalf of github May 9, 2025

`v2.3.0 &lt;https://github.com/jpadilla/pyjwt/compare/2.2.0...2.3.0&gt;`__

`v2.2.0 &lt;https://github.com/jpadilla/pyjwt/compare/2.1.0...2.2.0&gt;`__

v2.32.2

2.32.2 (2024-05-21)

github-actions bot commented May 9, 2025

Bump the pip group across 1 directory with 11 updates #36

Are you sure you want to change the base?

Bump the pip group across 1 directory with 11 updates #36

Conversation

dependabot bot commented on behalf of github May 9, 2025

2.2.5

2.2.4

2.2.3

2.2.2

2.2.1

2.2.0

2.1.3

2.1.2

2.1.1

Version 2.2.5

Version 2.2.4

Version 2.2.3

Version 2.2.2

Version 2.2.1

Version 2.2.0

4.0.2

What's Changed

New Contributors

4.0.1

What's Changed

New Contributors

Release 4.0.0

What's Changed

New Contributors

3.1.01

What's Changed

New Contributors

Change Log

4.0.1

Security

4.0.0

3.1.01

3.0.10

3.0.9

Security

v3.7

What's Changed

3.1.6

3.1.5

3.1.4

3.1.3

Version 3.1.6

Version 3.1.5

2.4.0

Security

What's Changed

New Contributors

2.3.0

What's Changed

v2.4.0 <https://github.com/jpadilla/pyjwt/compare/2.3.0...2.4.0>__

v2.3.0 &amp;lt;https://github.com/jpadilla/pyjwt/compare/2.2.0...2.3.0&amp;gt;__

v2.2.0 &amp;lt;https://github.com/jpadilla/pyjwt/compare/2.1.0...2.2.0&amp;gt;__

v2.32.2

2.32.2 (2024-05-21)

github-actions bot commented May 9, 2025

Dependency Review

License Issues

authn-service/requirements.txt

OpenSSF Scorecard

Scanned Files

`v2.4.0 <https://github.com/jpadilla/pyjwt/compare/2.3.0...2.4.0>`__

`v2.3.0 <https://github.com/jpadilla/pyjwt/compare/2.2.0...2.3.0>`__

`v2.2.0 <https://github.com/jpadilla/pyjwt/compare/2.1.0...2.2.0>`__